Ultra safe contact form for my web site in PHP

I've read that some contact forms on web sites let hackers in.

If I just want a name, email address and comment input into a form by a visitor and then emailed to me, then what's the absolutely bulletproof way of doing it? Cheers.
Asked by:
ecololly
128 points
Category: Programming
Responses (2, newest first)

Thank you. I have heard of the escape_string command but not escapeshellcmd.

Is it absolutely necessary to use both, would you say?

Response by:
ecololly
128 points
It's not so much that they let hackers in as that they can get spammed through. It dates back about a decade to an infamous script called formmail.pl, when HTML forms would post their data to this script; unfortunately a hidden field was used to specify the recipient of the message and people rarely configured the script to limit the addresses it could send to.

However you do it just use the form to request the information you want, then in the receiving page hardcode the recipient email address, or save to a database and notify someone to look at it.

If you find you start getting spam comments and it becomes a problem look at integrating something like reCaptcha to remove automated comments.

The big important thing however is to never trust input from users, and sanitise the input before you attempt to use it: PHP's mysql_real_escape_string and escapeshellcmd/arg, etc.

Response by:
_SteveWilson ...
4290 points
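As an added example (not code from either poster), here is a handler that follows the advice above: the recipient is hardcoded rather than taken from the form, and every field is validated before use. It assumes the two example.com addresses are your own; since it touches neither a database nor a shell, the escapes the answer names are not needed here, and the check that matters for mail() is that nothing placed in a header contains a line break.

```php
<?php
// Added example, not from the original post. Assumed addresses: RECIPIENT and
// the From address are your own; the recipient is hardcoded, never read from the form.
const RECIPIENT = 'contact@example.com';
// Validate and sanitise the posted fields; throws on bad input.
function validateContact(array $post): array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));
    // Values that end up in mail headers must not contain line breaks: a CR/LF
    // would let a visitor append headers of their own (e.g. extra recipients).
    if (preg_match('/[\r\n]/', $name . $email)) {
        throw new InvalidArgumentException('Line breaks are not allowed in name or email');
    }
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('Name is required (max 100 characters)');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('A valid email address is required');
    }
    if ($comment === '' || strlen($comment) > 5000) {
        throw new InvalidArgumentException('Comment is required (max 5000 characters)');
    }
    return ['name' => $name, 'email' => $email, 'comment' => $comment];
}

// Send the message to the fixed recipient. The visitor's address goes in
// Reply-To only; From is a fixed local address, so nothing is relayed on their behalf.
function sendContact(array $clean): bool
{
    $headers = "From: Website Contact <no-reply@example.com>\r\n"
             . "Reply-To: {$clean['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Name: {$clean['name']}\nEmail: {$clean['email']}\n\n{$clean['comment']}\n";
    // A plain-text body needs no HTML escaping here; run it through
    // htmlspecialchars() before ever displaying it on a web page.
    return mail(RECIPIENT, 'Contact form submission', $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $sent = sendContact(validateContact($_POST));
        echo $sent ? 'Thanks, your message was sent.' : 'Sorry, the message could not be sent.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

If automated submissions become a problem, a CAPTCHA check belongs in validateContact() before the mail is sent, as the answer suggests.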

