Hi Simon
Your considered comment is so very much appreciated. I read your caveats and I’ve
already factored that into how the evaluation is held.
I do most of my coding in Lisp. I use Emacs’s own Lisp, so it runs “natively” inside my
text-editor.
Nothing else for years. That is the reason I had quite a ramp-up to do the elementary
programming in PHP.
I will look at “switching” to htmlspecialchars.
The name didn’t draw my attention to it.
Thanks again,
Rich Smith
> On 6 Jul 2023, at 16:03, Simon Avery <digdilem@xxxxxxxxx> wrote:
>
> Hi Rich,
>
> Only have time for a cursory read, but it... looks okay? (Disclaimer: Not a php
> coder, I just script with it and a few other languages. Perl is more my thing.)
>
> You're right that you don't need to worry about sql injection if you're not using
> sql. As you're not passing any user strings through to the shell, that shouldn't
> be an issue either.
>
> Using php's internal email handling and functions seems best for security and
> speed.
>
> Only observation I've got is that FILTER_SANITIZE_STRING is flagged as
> 'deprecated' and to use htmlspecialchars instead - so that means it won't keep
> working forever as php gets upgraded.
>
> Reference: https://www.php.net/manual/en/filter.filters.sanitize.php
>
> On Thu, 6 Jul 2023 at 13:55, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
> Hello Simon, all
>
> Thanks for your message.
> After many hours of studying, I have written this PHP code.
> Significantly of my own doing on the basis of web-searching.
>
> As you will see;
> I've written in code which checks what's submitted from the "forms".
> Also put size limits to prevent "denial of service" attacks filling up
> my webhosting quota.
>
> vvvvvvvv mail_handler.php vvvvvvvv
>
> <?php
> if(isset($_POST['submit'])){
>     $to = "ME@xxxxxxxxxxx"; // this is your Email address (hardcoded: the form cannot choose the recipient)
>     // handle supplied email... (?? '' avoids a warning when the field is missing)
>     $sf_from = filter_var(trim($_POST['email'] ?? ''), FILTER_SANITIZE_EMAIL);
>     if(strlen($sf_from) > 64){
>         echo "Use a briefer email addr";
>         exit(0);
>     }
>     // FILTER_VALIDATE_EMAIL also refuses line breaks, so $sf_from can safely go into a mail header
>     if (!filter_var($sf_from, FILTER_VALIDATE_EMAIL)) {
>         echo("$sf_from is not a valid email address. You might be able to
> Browser-back, correct and re-submit");
>         exit(0);
>     }
>     // handle supplied name... (FILTER_SANITIZE_STRING is deprecated since PHP 8.1, see Simon's note)
>     $sf_name = filter_var(trim($_POST['submitter_name'] ?? ''), FILTER_SANITIZE_STRING);
>     if(strlen($sf_name) > 64){
>         echo "Use a briefer name";
>         exit(0);
>     }
>     // handle the submitted message...
>     $sf_message = filter_var(trim($_POST['message'] ?? ''), FILTER_SANITIZE_STRING);
>     if(strlen($sf_message) > 2000){
>         exit("Submit a briefer message");
>     }
>     // DEBUG // echo $to . " " . $sf_from . " " . $sf_name . " " . $sf_message;
>     // this is assembling what's passed to mail()...
>     $subject = "Form submission";
>     $message = $sf_name . " at " . $sf_from . "\n\n" . " wrote the following:" .
>                "\n\n" . $sf_message;
>     $headers = "From:" . $sf_from;
>     mail($to,$subject,$message,$headers);
>     // echo "Mail Sent. Thank you " . $sf_name . ", I will contact you shortly.";
>     header('Location: thanks_fsub.html');
>     // You cannot use header and echo together. It's one or the other.
> }
> ?>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I have done the best I can (not any professional's grade) to crash it.
> So far so good.
> As nothing is going into a database (SQL, "injection" and all that),
> this is not a particularly "hazardous" application of "forms" and PHP?
>
> Insignificant/no changes elsewhere.
>
> To be seen at
> http://weldsmith.co.uk/contactform/contact.html
>
> How am I doing now?
>
> Regards,
> Rich Smith
>
>
>
>
> > On 5 Jul 2023, at 21:28, Simon Avery <digdilem@xxxxxxxxx> wrote:
> >
> > Hi Rich,
> >
> > PHP web to email forms have a long and murky history - not helped by one of the
> > most popular early ones being very easy to manipulate - and it was! I've no
> > doubt it's still out there in many places and acting as an open relay for
> > thousands of badly intentioned people. I certainly see bots searching for it on
> > my web servers.
> >
> > The technical side of writing a web form is really very easy, php has email
> > built-in after all, or you can use a local or remote smtp server to send it.
> >
> > Follow a few basic rules, and ensure you read up on php and web security first
> > (there's lots of good guides out there so I won't repeat them badly here)
> >
> > DO: Sanitise input.
> > DO: Hardcode the "To" address, always, to stop it being used as an open gateway.
> >
> > It will be abused, of course, and almost instantly. Bots are crawling html
> > constantly for any form elements and will try to send spam through them. Why
> > not, it costs them nothing?
> >
> > But generally - as with all things security - you can never be totally secure.
> > If you have doubts, don't do it, or use one of the many freely available
> > webforms, even if they're commercially operated.
> >
> > (The first example on your link is horrible - even if just because it doesn't
> > hardcode the from. The first replier has fixed that.)
> >
> > On Sun, 2 Jul 2023 at 00:27, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
> > Hello all
> >
> > I found suggested code here:
> > https://stackoverflow.com/questions/18379238/send-email-with-php-from-html-form-on-submit-with-the-same-script
> >
> > I copied the coupled html-forms code and PHP code into the two
> > respective files.
> > With due edits for my individual details.
> >
> > It seems to work perfectly.
> >
> > Anyone comment how
> > * secure
> > * etc.
> > this is?
> >
> > Best wishes,
> > Rich Smith
> >
> > --
> > The Mailing List for the Devon & Cornwall LUG
> > FAQ: https://www.dcglug.org.uk/faq/
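The mail_handler.php above reworked along the lines of Simon's advice (To hardcoded, sizes bounded, htmlspecialchars in place of the deprecated FILTER_SANITIZE_STRING), as an added example that is not code from the thread; MAIL_TO, MAIL_SENDER and thanks_fsub.html are placeholders. It goes slightly beyond the thread by keeping the submitter's address in Reply-To rather than From, and by refusing rather than stripping line breaks in the name.

```php
<?php
// Added example (not code from the thread). Placeholders: MAIL_TO, MAIL_SENDER.
// Shape: check_submission() validates and cleans one POST; the tail sends it.
declare(strict_types=1);
const MAIL_TO     = 'ME@example.invalid';          // hardcoded: never taken from the form
const MAIL_SENDER = 'contactform@example.invalid'; // an address on your own domain
const MAX_EMAIL = 64; const MAX_NAME = 64; const MAX_MESSAGE = 2000;
// Returns ['ok' => true, 'from' => .., 'name' => .., 'message' => ..]
// or ['ok' => false, 'error' => 'short fixed message for the user'].
function check_submission(array $post): array
{
    $from    = trim((string)($post['email'] ?? ''));
    $name    = trim((string)($post['submitter_name'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));
    // Size limits first; they bound everything that follows (and the mailbox quota).
    if (strlen($from) > MAX_EMAIL)      { return ['ok' => false, 'error' => 'Use a briefer email address']; }
    if (strlen($name) > MAX_NAME)       { return ['ok' => false, 'error' => 'Use a briefer name']; }
    if (strlen($message) > MAX_MESSAGE) { return ['ok' => false, 'error' => 'Submit a briefer message']; }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so a valid address cannot smuggle extra headers.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'That is not a valid email address; go back and correct it'];
    }
    // Nothing containing a line break may ever reach a header: refuse, do not silently strip.
    if (preg_match('/[\r\n]/', $name) === 1) {
        return ['ok' => false, 'error' => 'Name must be on one line'];
    }
    // htmlspecialchars is what the manual points to instead of FILTER_SANITIZE_STRING. It
    // encodes for HTML, so the values can later be echoed into a page; in the plain-text mail
    // body the entities are merely cosmetic.
    $name    = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $message = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return ['ok' => true, 'from' => $from, 'name' => $name, 'message' => $message];
}
if (isset($_POST['submit'])) {
    $r = check_submission($_POST);
    if (!$r['ok']) {
        exit($r['error']);            // fixed text only: the input is not echoed back
    }
    $body = $r['name'] . ' at ' . $r['from'] . " wrote the following:\n\n" . $r['message'];
    // From stays on your own domain (receivers checking SPF/DMARC would otherwise reject or
    // flag a From claiming the submitter's domain); Reply-To still lets you just hit reply.
    $headers = ['From' => MAIL_SENDER, 'Reply-To' => $r['from']];
    if (!mail(MAIL_TO, 'Form submission', $body, $headers)) {
        exit('Sorry, the message could not be sent');
    }
    header('Location: thanks_fsub.html');   // no output before this, or the redirect fails
    exit;
}
```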