0

Im working on building my first contact form.

I have a page similar to this with a lot of fields... http://www.missingpeople.org.uk/component/option,com_rsform/Itemid,144/lang,en/view,rsform/

The form, when submitted then redirects to my process page that contains...

<?php

foreach ($_POST as $key => $value)
$message .= "Field ".htmlspecialchars($key)." is ".htmlspecialchars($value)."\r\n";

mail('[email protected]', 'sghting', $message); 

?>

From what I've been reading on the process though this seems vulnerable to injections? sorry if this sounds naive im new to the process. What Im asking is where do i start in reading up on sanitizing this code?

Improve this question

2 Answers 2

Reset to default
1

It might be vulnerable - just not to sql injections. mail is a pretty raw interface, that just passes stuff on to the mail delivery system. It is trivial to inject mail headers into the message, if you don't escape properly. This way, an attacker could use your mail form for spam or for spoofing the sender and possibly other things that you wouldn't want to happen.

Instead of trying to do this yourself, I would strongly advise you to use a library such as Swift mailer, which takes care of all this for you.

http://swiftmailer.org/

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

It would be dangerous if it was a SQL query as you could easily insert some single quotes and semicolons to run your own code, but this isn't as much the case with sending a mail. If you later saved that email to the database, then it could be vulnerable to a SQL injection.

You could run this value through htmlentities() to HTML encode the content, which should be fine for email and would remove most of the special characters.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.