galtech Posted February 22, 2012 Share Posted February 22, 2012 Hi, I have a HTML form that includes a captcha code which is generated using a PHP script. I have tested sending the form using the correct code and the incorrect code and I can confirm that the form only sends when I type the correct code. I still suspect there is a security hole somewhere in my script that I have not seen. I would be very grateful If anyone has any advice on how I can write more secure PHP scripts. The code is below and a test page is available here: http://demo.peterheylin.com/footfall/castle/contact.html <?phpsession_start();if ($_REQUEST["tt_pass"]){if ($_REQUEST["tt_pass"] == $_SESSION["tt_pass"]){$name = $_POST['name'];$email = $_POST['email'];$phone = $_POST['phone'];$msg = $_POST['msg'];$security = $_POST['tt_pass'];$castle_email = "";$test_email = "";$headers = "From: $name <$castle_email>";$subject = "Enquiry";$message = "Sender: " .$name. "\nEmail: " .$email. "\nPhone: " .$phone. "\nMessage: " .$msg; mail($test_email,$subject,$message,$headers); echo "message sent."; }else{ echo "<b>passphrase incorrect</b>. Your message has not been sent. <br />"; } }?> Thanks, galtech Link to comment Share on other sites More sharing options...
justsomeguy Posted February 22, 2012 Share Posted February 22, 2012 If you're using form data in any header, like the From header, then you need to validate that data. Make sure there are no linebreaks, semicolons, etc in that data. Look up email header injection to see what the problem is and what you can do about it. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.