Secure your Form-to-Mail scripts
Posted by - NA - on 13 January 2011 09:41 PM
Secure Your Forms
Forms open up a wide hole into your server for hackers if you do not code them properly. Since forms are usually submitted to some script on your server, sometimes one with access to your database, a form that does not provide some protection can offer a hacker direct access to all kinds of things. Keep in mind: just because a field is labelled "Address" does not mean you can trust people to enter their address in it. Imagine your form is not properly coded, and neither is the script it submits to. What is to stop a hacker from entering an SQL query or scripting code into that address field? Or a spammer from sending thousands of emails that appear to come from you, using an insecure form-to-mail script? With that in mind, here are a few things to do and look for:
Use MaxLength. Input fields in a form can use the maxlength attribute in the HTML to limit the length of input. Use this to keep people from entering far too much data. This will stop most people, but the attribute is enforced only by the browser, so a hacker can bypass it; you must protect against oversized input at the script level as well.
Hide Emails. If using a form-to-mail script, do not include the recipient email address in the form itself. It defeats the point, and spam spiders can still find your email address. Also, do not include a "send a copy to yourself" option. Both of these open up your form to spammers. Make sure as well to put measures in place to remove the possibility of "email injection"; see http://securephp.damonkohler.com/index.php/Email_Injection for more information. Pay particular attention to extra "Bcc" entries smuggled in through the form fields.
Hard-code the recipient email address (usually your own) inside the mail command of any form-to-mail script. Do not take it from a variable that is passed to the command, as a spammer could simply fake this and send email to anyone.
Use Form Validation. I won't get into a lesson on programming here, but any script a form submits to should validate the input it receives. Ensure that the fields received are the fields expected. Check that the incoming data is of reasonable and expected length and of the proper format (in the case of emails, phone numbers, zip codes, etc.).
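The three rules above (hard-coded recipient, no line breaks in header-bound fields, only the expected fields at sane lengths) in one server-side handler. This is an added example, not code from the original article; the recipient address, field names and length limits are assumptions, and the sample submissions are constructed.

```python
import re

# The recipient is hard-coded in the script, never read from a form field (assumed address).
RECIPIENT = "webmaster@example.com"

# The only fields the form may send, with server-side maximum lengths; the HTML
# maxlength attribute is advisory, and an attacker simply omits it.
EXPECTED_FIELDS = {"name": 60, "email": 254, "subject": 120, "message": 4000}

# Values that land in mail headers must not contain CR or LF: a line break lets
# the sender append headers of their own, such as an extra "Bcc:".
HEADER_FIELDS = ("name", "email", "subject")
CRLF = re.compile(r"[\r\n]")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def validate_form(fields):
    """Return a list of validation errors; an empty list means the input is acceptable."""
    errors = []
    unexpected = set(fields) - set(EXPECTED_FIELDS)
    if unexpected:
        errors.append(f"unexpected fields: {sorted(unexpected)}")
    for name, max_len in EXPECTED_FIELDS.items():
        value = fields.get(name, "")
        if not value.strip():
            errors.append(f"{name}: required")
        elif len(value) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
    for name in HEADER_FIELDS:
        if CRLF.search(fields.get(name, "")):
            errors.append(f"{name}: line breaks are not allowed (header injection)")
    if not EMAIL_RE.fullmatch(fields.get("email", "")):
        errors.append("email: not a valid address")
    return errors

def build_message(fields):
    """Return (headers, body) for a valid submission, or None; the header set is fixed here."""
    if validate_form(fields):
        return None
    headers = {"To": RECIPIENT, "From": RECIPIENT,  # mail goes out as yourself
               "Reply-To": fields["email"],        # visitor's address only as Reply-To
               "Subject": "[Contact form] " + fields["subject"]}
    body = f"{fields['name']} <{fields['email']}> wrote:\n\n{fields['message']}"
    return headers, body

# Constructed samples: a legitimate submission and a Bcc-injection attempt.
GOOD = {"name": "Jane Doe", "email": "jane@example.org",
        "subject": "Quote request", "message": "Please send me a quote."}
INJECTED = dict(GOOD, email="jane@example.org\nBcc: one@example.net, two@example.net")
```

Whatever mail function finally sends the message receives only the fixed header set returned here, so a rejected submission never reaches it.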
Avoid SQL Injection. A full lesson on SQL injection can be reserved for another article; the basic problem is that form input is inserted directly into an SQL query without validation, giving a hacker the ability to execute SQL queries of their choosing via your web form. To avoid this, always check the data type of incoming data (numbers, strings, etc.), run adequate form validation as described above, and write queries in such a way that nothing a hacker enters into the form can make the query do something other than you intend. Pay particular attention to the addition of a fake "Bcc" entry.
Lastly, please see the excellent suggestions at the following URLs for securing your form-to-mail scripts: