
PHP secure form

I have a contact mail form on my website and I want to make this form secure enough. Which is the best way to do this job? Is there any way to hide PHP variables that I send with POST to another page?

Any sample, link or idea?

Secure - I mean my data to be safe, since users will be inserting their personal data, like passport number, SSN etc., and I want those data to be safe in some way. I have read somewhere that with some injections there are people who can take those data sent by the form. I think I am clear now?

Why hasn't anyone mentioned HTTPS?

Just make sure your form gets submitted using the HTTPS protocol, and all of the data is transparently encrypted (this means you don't need to do anything to decrypt it in PHP; it just works).

Use HTML Purifier or OWASP.

HTML Purifier

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist

OWASP

The Open Web Application Security Project (OWASP) is the name for all the activities of the OWASP Foundation.

If by secure, you mean relatively protected from spammers, one good thing to do among many others is to have an email input field for the end user to put their reply-to address that actually enforces valid MX entries.

    function isValidEmail($email) {
        // Syntax check: local part, "@", then dot-separated domain labels
        $pattern = '/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])*(\.([a-z0-9])([-a-z0-9_-])([a-z0-9])+)*$/i';

        if (!preg_match($pattern, $email)) {
            return false;
        }

        list($user_name, $mail_domain) = explode("@", $email); // Split email address into username and domain name

        if (checkdnsrr($mail_domain, "MX")) return true; // Domain publishes a mail exchanger

        return false; // Invalid email address
    }

Certainly not a comprehensive solution, but it does help a great deal to cut out automated submissions.

You should:

  • Require your users to apply a captcha (or sign in), to make it harder for bots to use your mail form.
  • Send mail to predefined addresses only (if possible).
  • Accept POST only (no GET), to prevent CSRF.
  • Disallow HTML in your mails.
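Putting that list together with the MX check from the earlier answer, as an added example that is not part of any answer on this page: a PHP handler for the contact form that accepts POST only, checks a session CSRF token, validates the sender address with filter_var() plus an MX lookup, sends only to a fixed recipient and keeps the mail plain text. The recipient address, the token field name and the form field names are assumptions.

```php
<?php
// Added example (not from the original answers). Assumes the page that renders
// the form has already stored a token: $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
declare(strict_types=1);
session_start();

const RECIPIENT = 'contact@example.com'; // assumed fixed address, never taken from the user

function isValidSender(string $email): bool
{
    // FILTER_VALIDATE_EMAIL rejects malformed addresses, including any containing
    // CR/LF, so the value can later be placed in a Reply-To header safely.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX'); // same MX requirement as isValidEmail() above
}

function cleanHeaderLine(string $value, int $max): string
{
    // Strip control characters and cap the length so the subject cannot be used
    // to inject additional mail headers.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return mb_substr(trim($value), 0, $max);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405); // GET submissions are not accepted
    exit('Method not allowed');
}
if (!isset($_POST['token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['token'])) {
    http_response_code(403);
    exit('Invalid form token');
}

$from    = (string) ($_POST['email'] ?? '');
$subject = cleanHeaderLine((string) ($_POST['subject'] ?? ''), 100);
$body    = (string) ($_POST['message'] ?? '');

if (!isValidSender($from) || $subject === '' || trim($body) === '') {
    http_response_code(400);
    exit('Please fill in all fields with a valid e-mail address');
}

// Plain-text body: tags are stripped and the content type is fixed to text/plain,
// so nothing the user typed is rendered as HTML by the recipient's mail client.
$text    = wordwrap(strip_tags($body), 76, "\r\n");
$headers = "Content-Type: text/plain; charset=UTF-8\r\nReply-To: " . $from . "\r\n";

$sent = mail(RECIPIENT, $subject, $text, $headers);
echo $sent ? 'Thank you, your message was sent.' : 'Sending failed, please try again later.';
```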

HTTPS protocol is the best solution. For spammer protection you can use a captcha. If you are passing variables from one server to another you can make them more protected using encryption.
