This code processes the form for a Real Estate website. The URL variable "mem" is used to identify which email address to send the information to. I know this is wide open for all kinds of different attacks. JavaScript is used for the first line of defense, but I need more security. Please help me decide what I should use. addslashes()? htmlentities()? strip_tags()? mysql_real_escape_string()? I eventually want to put the collected information in a database. Any other validation would be helpful; let me know. Thank you very much!

```php
<?php
ob_start();

// Check to see if there is a member; the "mem" value selects the recipient.
if (isset($_POST['mem'])) {
    $mem = intval($_POST['mem']);
    switch ($mem) {
        case 1:
            $SendEmail = "Email1@gmail.com"; // Email 1
            break;
        case 2:
            $SendEmail = "Email2@gmail.com"; // Email 2
            break;
        default:
            $SendEmail = "Email3@gmail.com"; // Email 3
    }
} else {
    // If there is no mem, default to this email.
    $SendEmail = "Email3@gmail.com"; // Email 3
}

// Obtain information from the form (currently used as-is, without validation).
$TransactionType = $_POST['TransactionType'];
$PurchasePrice   = $_POST['PurchasePrice'];
$LoanAmount      = $_POST['LoanAmount'];
$PropertyType    = $_POST['PropertyType'];
$Address         = $_POST['Address'];
$City            = $_POST['City'];
$State           = $_POST['State'];
$Zip             = $_POST['Zip'];
$FirstName       = $_POST['FirstName'];
$LastName        = $_POST['LastName'];
$Phone           = $_POST['Phone'];
$Email           = $_POST['Email'];
$Comments        = $_POST['Comments'];

// Send email.
$to      = $SendEmail;
$subject = "Information for $FirstName $LastName";
$message = "
<html>
<head>
<title>Information Request</title>
</head>
<body>
<p><b>Information Request</b></p><br>
<u>Transaction Details</u><br>
<b>TransactionType:</b> $TransactionType<br>
<b>PurchasePrice:</b> $PurchasePrice<br>
<b>LoanAmount:</b> $LoanAmount<br><br>
<u>Property Details</u><br>
<b>PropertyType:</b> $PropertyType<br>
<b>Address:</b> $Address<br>
<b>City:</b> $City<br>
<b>State:</b> $State<br>
<b>Zip:</b> $Zip<br><br>
<u>Contact Details</u><br>
<b>FirstName:</b> $FirstName<br>
<b>LastName:</b> $LastName<br>
<b>Phone:</b> $Phone<br>
<b>Email:</b> $Email<br><br>
<b>Comments:</b> $Comments<br>
</body>
</html>
";

// Always set content-type when sending HTML email.
$headers  = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";

// More headers
$headers .= 'From: <Email4@gmail.com>' . "\r\n";
$headers .= 'Bcc: <Email5@gmail.com>' . "\r\n";

mail($to, $subject, $message, $headers);

header("Location: http://MySite.com/Thank-You.php");

// FOR TESTING ONLY - outputs mem and To: email address
//echo $mem . " " . $SendEmail;

ob_flush();
```
I am not really informed about this subject either, but I am sure you want to strip_tags() the POST variables before they even go to email. Too many nasty things can be sent, and I don't just mean URLs. Adding slashes and MySQL escaping will be needed before you write it to a database. There are some pretty sharp PHP guys around here. Hopefully you will get another answer or two.
htmlentities(), then strip_tags(), and then addslashes(); apply them one by one. Since I can't see any MySQL query, there's no need for a mysql_escape function.
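The question above asks which escaping function to apply, and the two replies suggest a chain of htmlentities(), strip_tags() and addslashes(). The following is an added example, not code from the original poster or either reply, showing the usual alternative: validate each field for what it is, reject CR/LF in anything that lands in a mail header, escape values for the HTML body at the point of output, and store the record with a bound-parameter PDO insert instead of escaping strings by hand. The allowed TransactionType values, the field length limits, the `leads` table and its columns, and the DSN/credentials are all assumptions made for the example.

```php
<?php
// Added example (not the original poster's code). Assumptions: a "leads" table
// whose columns match the field names below, and placeholder DB credentials.
declare(strict_types=1);

// Recipient allow-list stays server-side; the request only supplies an index.
$recipients       = [1 => 'Email1@gmail.com', 2 => 'Email2@gmail.com'];
$defaultRecipient = 'Email3@gmail.com';

function recipientFor(array $post, array $map, string $default): string
{
    $mem = filter_var($post['mem'] ?? '', FILTER_VALIDATE_INT);
    return ($mem !== false && isset($map[$mem])) ? $map[$mem] : $default;
}

// Anything that ends up in a mail header must not contain a line break,
// otherwise the value could introduce extra headers.
function headerSafe(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('CR/LF not allowed in header field');
    }
    return $value;
}

// Per-field rules (constructed for this example): validate for purpose,
// return the cleaned values and the names of fields that failed.
function validateLead(array $post): array
{
    $errors = [];
    $lead   = [];

    $lead['TransactionType'] = (string)($post['TransactionType'] ?? '');
    if (!in_array($lead['TransactionType'], ['Purchase', 'Refinance'], true)) {
        $errors[] = 'TransactionType';   // assumed allowed values
    }
    foreach (['PurchasePrice', 'LoanAmount'] as $f) {
        $v = filter_var($post[$f] ?? '', FILTER_VALIDATE_FLOAT);
        if ($v === false || $v < 0) { $errors[] = $f; }
        $lead[$f] = $v;
    }
    foreach (['PropertyType', 'Address', 'City', 'FirstName', 'LastName'] as $f) {
        $v = trim((string)($post[$f] ?? ''));
        if ($v === '' || mb_strlen($v) > 100) { $errors[] = $f; }  // assumed limit
        $lead[$f] = $v;
    }
    $lead['State'] = strtoupper(trim((string)($post['State'] ?? '')));
    if (!preg_match('/^[A-Z]{2}$/', $lead['State'])) { $errors[] = 'State'; }
    $lead['Zip'] = trim((string)($post['Zip'] ?? ''));
    if (!preg_match('/^\d{5}(-\d{4})?$/', $lead['Zip'])) { $errors[] = 'Zip'; }
    $lead['Phone'] = preg_replace('/[^0-9+() .-]/', '', (string)($post['Phone'] ?? ''));
    $lead['Email'] = filter_var($post['Email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($lead['Email'] === false) { $errors[] = 'Email'; }
    $lead['Comments'] = mb_substr(trim((string)($post['Comments'] ?? '')), 0, 2000);

    return [$lead, $errors];
}

// Build the HTML body, escaping every value for the HTML context at output time.
function renderBody(array $lead): string
{
    $rows = '';
    foreach ($lead as $k => $v) {
        $rows .= sprintf("<b>%s:</b> %s<br>\n",
            htmlspecialchars($k, ENT_QUOTES, 'UTF-8'),
            nl2br(htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8')));
    }
    return "<html><body><p><b>Information Request</b></p>\n$rows</body></html>";
}

[$lead, $errors] = validateLead($_POST);
if ($errors) {
    http_response_code(400);
    exit('Invalid fields: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8'));
}

$to = recipientFor($_POST, $recipients, $defaultRecipient);
// The subject is a header: names were length-checked above and headerSafe() rejects CR/LF.
$subject = headerSafe("Information for {$lead['FirstName']} {$lead['LastName']}");
$headers = "MIME-Version: 1.0\r\n"
         . "Content-type: text/html; charset=UTF-8\r\n"
         . "From: <Email4@gmail.com>\r\n"
         . "Bcc: <Email5@gmail.com>\r\n";
mail($to, $subject, renderBody($lead), $headers);

// Database insert with bound parameters: no addslashes() or
// mysql_real_escape_string() needed. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$cols = array_keys($lead);   // fixed by validateLead(), never taken from the request
$sql  = sprintf('INSERT INTO leads (%s) VALUES (%s)',
    implode(', ', $cols), implode(', ', array_fill(0, count($cols), '?')));
$pdo->prepare($sql)->execute(array_values($lead));

header('Location: http://MySite.com/Thank-You.php');
exit;
```

The design point is that each transformation is tied to a destination: htmlspecialchars() only where a value is written into HTML, the CR/LF check only for values that become mail headers, and parameter binding for the database. Stacking htmlentities(), strip_tags() and addslashes() on the raw input instead alters the stored data (a comment containing an ampersand or an apostrophe comes back mangled) without covering the header-injection case at all.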