
01-08-2008, 12:26 PM
Re: Send form data with PHP
Quote:
Originally Posted by kurt.santo
Thanks for the great input!
Yes, I meant I want to send an email from the form with all the user's inputs to my email address. Redirect to a thankYou page is great too!
Just two things:
How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this?
Then this "headers already sent" thing gives me a headache. I kind of do not get my head around what it actually means. I have some PHP that would need to come before the script. The contact form for example is inserted as an include and there is a test for the language query string as the website has more than one language...
Kurt
Kurt:
I think wige provided an excellent explanation regarding "headers already sent," but I'll expand on it briefly.
The header() function is used to send a raw HTTP header. To gain a greater understanding of HTTP headers take a look at RFC 2616 - Hypertext Transfer Protocol - HTTP/1.1.
When using header() redirects, such as the one I gave in my example above:
$URL="thank_you.php";
header ("Location: $URL");
exit;
The header() function, in this case header ("Location: $URL"); must be called before any output is sent to the page. If your script sends any output to the page, whether HTML tags, blank lines, etc., you will receive an error message warning you that headers cannot be modified because headers have already been sent (paraphrase).
This error message is fairly common with new PHP programmers and can even happen to us old timers if we aren't paying attention. The problem is fairly simple to detect and prevent; a PHP programmer could also use output buffering to prevent the problem.
Now, getting on to your more important question: "How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this?"
Hackers and agents of spam target web forms on sites and attempt to exploit certain vulnerabilities. For example, some site owners use insecure javascript in login forms to process usernames and passwords (never rely on javascript to process security related data). An easy exploit is to simply turn off javascript.
On SSI forms hackers will attempt to inject additional headers directly into your form fields. One of the most common exploits is the injection of additional email headers. For example, your form will usually include the send To: parameter included in the mail() function to send you a copy of the data sent through the form. Form spammers taking advantage of certain script vulnerabilities will inject additional mail headers or even a completely new set of headers to send mail through your form.
There are several ways to accomplish this exploit: the spammer will attempt to add cc: and bcc: into the header. They may even attempt to change mime-types. All the form fields are potentially at risk. I could write an entire thread discussing the many techniques used to hijack forms, but I'd rather concentrate on prevention.
Preventing these types of exploits, whether in PHP, ASP, AJAX or other languages comes down to a few simple rules:
1.) Never trust user input
2.) Always assume user input is malicious until proven otherwise.
3.) Validate and verify user input using a variety of scripting techniques such as regular expressions to validate data, functions to prevent the injection of tags where tags shouldn't be...don't rely on size & maxlength settings in your html forms. Use functions to prevent excess data...etc.,
4.) Examine the input for data you will accept and reject everything else.
5.) Be aware of input designed to get around certain security techniques such as the inclusion of ASCII characters.
6.) Log, log, log, log and log. In other words, don't just rely on reviewing your server logs. Log additional data directly from your pages, get the IP address & the referrer (the referrer variable is unreliable but collect it if it's available anyway). Log all the data input and review it for potential exploits.
I hope this gives you some assistance with your forms. If I get time I'll write some detailed articles about SQL injection and email injection.
Best of luck!
I use Country IP Blocks as added security for my networks and servers.
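The reply above describes two things a PHP form handler has to get right: the header() redirect has to run before any output, and every form field that ends up in a mail header has to be checked for injected line breaks. The following is an added example, not code from the original thread or its author, that puts both into one contact-form handler following the six rules listed in the reply. The field names (name, email, subject, message), the two addresses, the length limits and the thank_you.php page name are all assumptions for illustration.

```php
<?php
// Added example, not code from the original post: a minimal PHP contact-form
// handler applying the rules from the reply above. Field names, addresses,
// length limits and the thank-you page name are assumptions.
//
// Include this at the very top of the page, before anything (HTML, a blank
// line, a language-check include that prints) is sent to the browser,
// otherwise the header('Location: ...') at the bottom fails with
// "headers already sent".

const RECIPIENT   = 'you@example.com';       // assumption: where the form should arrive
const FROM_ADDR   = 'webform@example.com';   // assumption: a fixed sender you control
const MAX_NAME    = 100;
const MAX_SUBJECT = 150;
const MAX_MESSAGE = 5000;

// Rule 3/5: a CR, LF or NUL inside a value that will land in a mail header is
// the signature of header injection (an injected "Bcc:" needs a line break).
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Rule 4: accept only what you expect and reject everything else.
// Returns [list of rejection reasons, cleaned values].
function validateContactForm(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        $clean[$field] = trim((string) ($post[$field] ?? ''));
    }
    // Only header-bound fields get the line-break check; the body may contain newlines.
    foreach (['name', 'email', 'subject'] as $field) {
        if (hasHeaderInjection($clean[$field])) {
            $errors[] = "$field: line break in value (possible header injection)";
        }
    }
    if ($clean['name'] === '' || mb_strlen($clean['name']) > MAX_NAME) {
        $errors[] = 'name: missing or longer than ' . MAX_NAME;
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if (mb_strlen($clean['subject']) > MAX_SUBJECT) {
        $errors[] = 'subject: longer than ' . MAX_SUBJECT;
    }
    if ($clean['message'] === '' || mb_strlen($clean['message']) > MAX_MESSAGE) {
        $errors[] = 'message: missing or longer than ' . MAX_MESSAGE;
    }
    return [$errors, $clean];
}

// Rule 6: log the rejected submission yourself, with IP and referrer (the
// referrer is client-supplied and unreliable, but worth keeping for review).
function logRejection(array $errors, array $post): void
{
    error_log(sprintf(
        'contact-form rejected ip=%s referer=%s reasons=[%s] input=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['HTTP_REFERER'] ?? '-',
        implode('; ', $errors),
        json_encode($post, JSON_UNESCAPED_UNICODE)
    ));
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$errors, $clean] = validateContactForm($_POST);
    if ($errors !== []) {
        logRejection($errors, $_POST);
        http_response_code(400);
        exit('Your submission could not be accepted.');
    }

    // To: and From: are fixed values you control; the visitor's address only
    // appears in Reply-To, and only after it passed validation above.
    $headers = 'From: ' . FROM_ADDR . "\r\n"
             . 'Reply-To: ' . $clean['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Name: {$clean['name']}\nEmail: {$clean['email']}\n\n{$clean['message']}";

    mail(RECIPIENT, 'Contact form: ' . $clean['subject'], $body, $headers);

    // The redirect only works because nothing has been sent to the browser yet.
    header('Location: thank_you.php');
    exit;
}
```

The design point is that the visitor never controls the To:, Cc: or Bcc: headers at all: the recipient and sender are constants, and the only user-supplied value that reaches a header (Reply-To) has already been rejected if it contained a line break or failed FILTER_VALIDATE_EMAIL. Rejected submissions are logged with the client IP, the referrer and the raw input, which is the data the reply recommends reviewing for attempted exploits.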