
Security issue


DarkElf


I'm using a form on my website so users can send me emails. That part of it is fairly straightforward: the form details are passed to another PHP page that sends the email and forwards them on to a confirmation page, assuming all works correctly. It's fairly textbook stuff.

The problem with this is that it leaves me open to script injection. If the user puts PHP code in the form, this gets executed by the server when it runs the scripts to send the email. Obviously, if the user has malicious intentions and knows what they are doing with PHP, they can cause some pretty nasty problems.

Is there any way of securing the form against script injection like this? I know that there are JavaScripts I could use to validate the form to remove PHP tags from it before it is sent, but the user (hacker) could get around this by simply disabling JavaScript in their browser. Any thoughts?


Actually, that's all rubbish. I was thinking of something I saw someone doing on a hacker website a long time ago, but the way PHP handles the form data means that it shouldn't be a problem. The page in question actually printed the input data on a subsequent page for the user to check and confirm, which meant that scripts could be injected. The basic email form I am using doesn't actually do this, though, so even if the user tried putting PHP tags in it they would never be parsed.

For anyone interested in script injection and protecting themselves from it, I did find this really interesting article on how people can inject script into the headers of emails generated this way to use your website as a base for anonymously launching spam. It suggests several effective solutions as well as explaining the problems in detail: http://securephp.damonkohler.com/index.php/Email_Injection

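The email header injection the post above refers to, shown as an added example (not code from the thread or from the linked article): a contact form that copies the user's address straight into the `mail()` header block lets a CRLF in that field add extra headers, while a hardened version rejects line breaks, validates the address, and keeps the `From` header fixed. The addresses and the `webform@example.org` sender are constructed placeholders.

```php
<?php
// Constructed sample input: a "from" form field that carries an injected
// Bcc header behind a CRLF. A real recipient list would be much longer.
$formFrom = "user@example.com\r\nBcc: victim1@example.net, victim2@example.net";

// Vulnerable pattern: the untrusted field becomes part of the header block,
// so every CRLF in it starts a new header line that mail() passes to the MTA.
function buildHeadersUnsafe(string $from): string
{
    return "From: " . $from . "\r\n";
}

// Hardened: any CR or LF means the field is not a plain address, so reject it
// outright instead of trying to clean it; then check the syntax as well.
function validateAddress(string $input): ?string
{
    $input = trim($input);
    if (preg_match('/[\r\n]/', $input) === 1) {
        return null;                       // header injection attempt
    }
    $valid = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// The sender is an address under the site's control; the visitor's address
// only ever appears in Reply-To, and only after validateAddress() accepted it.
function buildHeadersSafe(string $replyTo): string
{
    return "From: webform@example.org\r\n"
         . "Reply-To: " . $replyTo . "\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// The subject is also a header, so line breaks must not survive there either.
function cleanSubject(string $subject): string
{
    return str_replace(["\r", "\n"], ' ', trim($subject));
}

// buildHeadersUnsafe($formFrom) would hand the MTA a second, attacker-chosen
// Bcc header; the hardened path refuses the same input before mail() is called.
$addr = validateAddress($formFrom);
if ($addr === null) {
    http_response_code(400);
    echo "Rejected: the address field contains line breaks or is not a valid address.\n";
} else {
    mail('owner@example.org', cleanSubject('Website contact'), 'body text', buildHeadersSafe($addr));
}
```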

I did a speech at a local Macromedia User Group about form security. It wasn't too detailed, but while on the subject, you can download my PowerPoint (in PDF format) here: http://www.iribbit.net/_files/presentation-webforms.pdf
