Hi! I am developing a PHP script for emailing the results of a form using the PHP mail () function. It has been suggested that I add code to secure/sanitize attemps to misuse the form. Would you please point me in the right direction. Thank you. Dr. T.
Simply Validate the inputs, for example check the name, etc to make sure its not too long or contains any characters other than alphabetic characters, or validate the phone or comment fields to be safe for mysql insertion (if you do that) using functions like mysql_real_escape_string() on the inputs (which may nee stripslash later for output view). Make sure to check any file or attachments for the appropriate extensions/size etc. And in general don't let the PHP generate errors on the screen but rather make it only goto a log file, that way you don't have people breaking your form in hope of getting some information such as the host user name, or file paths. You can also use reCaptcha to help prevent bots and such from automatically sending your form without using the form page (thus by passing client side validations and such). I'm sure you seen it before a lot, the idea is that the reCapcha server shows a image from a remote server, when you enter the code shown, on the PHP side of things you contact the recaptcha server to match that string to the one shown to the visitor, obviously if it doesnt' match then submission shouldn't be accepted. http://recaptcha.net/ Edit: Whatever you do , do not simply rely on just client-side validation (javascript, etc) to check just the field values. Since bots and such can easily bypass those.
this is a good idea "And in general don't let the PHP generate errors on the screen but rather make it only goto a log file, that way you don't have people breaking your form in hope of getting some information such as the host user name, or file paths."
w3schools has a tut on secure email http://w3schools.com/php/php_secure_mail.asp and also use a captcha with the form