Hello Simon, all
Thanks for your message.
After many hours of studying, I have written this PHP code.
Significantly, it is of my own doing, on the basis of web-searching.
As you will see:
I've written code which checks what's submitted from the "forms".
I've also put size limits in to prevent "denial of service" attacks filling up
my webhosting quota.
vvvvvvvv mail_handler.php vvvvvvvv
<?php
if (isset($_POST['submit'])) {
    $to = "ME@xxxxxxxxxxx"; // this is your Email address (hard-coded, never taken from the form)

    // handle supplied email... ('?? ""' avoids an "undefined index" notice if the field is missing)
    $sf_from = filter_var(trim($_POST['email'] ?? ''), FILTER_SANITIZE_EMAIL);
    if (strlen($sf_from) > 64) {
        echo "Use a briefer email addr";
        exit(0);
    }
    if (!filter_var($sf_from, FILTER_VALIDATE_EMAIL)) {
        // FILTER_VALIDATE_EMAIL also rejects line breaks, so a value that passes
        // cannot smuggle extra header lines into the From: header assembled below
        echo("$sf_from is not a valid email address. You might be able to Browser-back, correct and re-submit");
        exit(0);
    }

    // handle supplied name...
    // (FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated as of PHP 8.1)
    $sf_name = filter_var(trim($_POST['submitter_name'] ?? ''), FILTER_SANITIZE_STRING);
    if (strlen($sf_name) > 64) {
        echo "Use a briefer name";
        exit(0);
    }

    // handle the submitted message...
    $sf_message = filter_var(trim($_POST['message'] ?? ''), FILTER_SANITIZE_STRING);
    if (strlen($sf_message) > 2000) {
        exit("Submit a briefer message");
    }

    // DEBUG // echo $to . " " . $sf_from . " " . $sf_name . " " . $sf_message;

    // this is assembling what's passed to mail()...
    $subject = "Form submission";
    $message = $sf_name . " at " . $sf_from . "\n\n" . " wrote the following:" .
        "\n\n" . $sf_message;
    // From: is set to the visitor's address; receiving servers that check SPF/DMARC
    // for the visitor's domain may reject or junk such mail
    $headers = "From: " . $sf_from;
    mail($to, $subject, $message, $headers);

    // echo "Mail Sent. Thank you " . $sf_name . ", I will contact you shortly.";
    header('Location: thanks_fsub.html');
    // header() must be sent before any output, so the echo above and this redirect
    // cannot both be used. It's one or the other.
    exit;
}
?>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I have done the best I can (not any professional's grade) to crash it.
So far so good.
As nothing is going into a database (SQL, "injection" and all that),
this is not a particularly "hazardous" application of "forms" and PHP?
Insignificant/no changes elsewhere.
To be seen at
http://weldsmith.co.uk/contactform/contact.html
How am I doing now?
Regards,
Rich Smith
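For comparison, here is a hardened rewrite of the handler above, added as an example and not code from this thread: the recipient and sender are both fixed, the visitor's address only ever appears in Reply-To, and anything placed in a header is checked for line breaks. It assumes PHP 7.2 or later (array headers to mail()), the same form field names, and two hypothetical placeholder addresses.

```php
<?php
// Added example, not code from the thread: a hardened rewrite of the handler
// above. Same form fields (email, submitter_name, message, submit); the two
// addresses are hypothetical placeholders.
const MAIL_TO   = 'ME@example.invalid';           // fixed recipient, never taken from the form
const MAIL_FROM = 'contact-form@example.invalid'; // fixed sender on a domain we control
const MAX_EMAIL = 64; const MAX_NAME = 64; const MAX_BODY = 2000;
// Anything placed in a mail header must be free of CR, LF and NUL: a single
// embedded line break is what lets a form be turned into an open relay.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}
function fail(string $msg): void
{
    http_response_code(400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'); // never echo raw input back
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    fail('Use the contact form to send a message.');
}
$from = trim((string) ($_POST['email'] ?? ''));
$name = trim((string) ($_POST['submitter_name'] ?? ''));
$body = trim((string) ($_POST['message'] ?? ''));
// FILTER_VALIDATE_EMAIL already rejects line breaks; header_safe() is defence in depth.
if (strlen($from) > MAX_EMAIL || filter_var($from, FILTER_VALIDATE_EMAIL) === false
    || !header_safe($from)) {
    fail('Please give a valid email address of 64 characters or fewer.');
}
if ($name === '' || strlen($name) > MAX_NAME) {
    fail('Please give a name of 64 characters or fewer.');
}
if ($body === '' || strlen($body) > MAX_BODY) {
    fail('Please keep the message under 2000 characters.');
}
// Visitor address goes in Reply-To; From stays fixed so SPF/DMARC checks pass.
$headers = [
    'From'         => MAIL_FROM,
    'Reply-To'     => $from,
    'Content-Type' => 'text/plain; charset=UTF-8',
];
$text = $name . ' <' . $from . "> wrote:\n\n" . $body; // name only ever in the body
if (!mail(MAIL_TO, 'Form submission', $text, $headers)) {
    fail('The message could not be sent, please try again later.');
}
header('Location: thanks_fsub.html', true, 303); // redirect only, nothing echoed first
exit;
```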
> On 5 Jul 2023, at 21:28, Simon Avery <digdilem@xxxxxxxxx> wrote:
>
> Hi Rich,
>
> PHP web to email forms have a long and murky history - not helped by one of the
> most popular early ones being very easy to manipulate - and it was! I've no doubt
> it's still out there in many places and acting as an open relay for thousands of
> badly intentioned people. I certainly see bots searching for it on my web servers.
>
> The technical side of writing a web form is really very easy, php has email
> built-in after all, or you can use a local or remote smtp server to send it.
>
> Follow a few basic rules, and ensure you read up on php and web security first
> (there's lots of good guides out there so I won't repeat them badly here)
>
> DO: Sanitise input.
> DO: Hardcode the "To" address, always, to stop it being used as an open gateway.
>
> It will be abused, of course, and almost instantly. Bots are crawling html
> constantly for any form elements and will try to send spam through them. Why not,
> it costs them nothing?
>
> But generally - as with all things security - you can never be totally secure. If
> you have doubts, don't do it, or use one of the many freely available webforms,
> even if they're commercially operated.
>
> (The first example on your link is horrible - even if just because it doesn't
> hardcode the from. The first replier has fixed that.)
>
> On Sun, 2 Jul 2023 at 00:27, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
> Hello all
>
> I found suggested code here:
> https://stackoverflow.com/questions/18379238/send-email-with-php-from-html-form-on-submit-with-the-same-script
>
> I copied the coupled html-forms code and PHP code into the two
> respective files.
> With due edits for my individual details.
>
> It seems to work perfectly.
>
> Anyone comment how
> * secure
> * etc.
> this is?
>
> Best wishes,
> Rich Smith
>
> --
> The Mailing List for the Devon & Cornwall LUG
> FAQ: https://www.dcglug.org.uk/faq/
--
The Mailing List for the Devon & Cornwall LUG
FAQ: https://www.dcglug.org.uk/faq/