Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Reply To: Can someone recommend a customizable contact form, please?

#169189
__
Participant

Would this contact us form stop hackers* from sending messages like <script > alert(); </ script>

Not necessarily. But that’s not a problem: we’re planning on sending plain text emails. If there comes a time when you want html emails, or anytime you want to print something to the webpage, you need to sanitize the user input—but not before then.

edit:
* also, “hacking” is not bad. hacking is awesome, and can be a very positive, productive thing. attacking is bad. : )

Validating the name, email and message to only allow letters, numbers and ! @ – in PHP. Would this help?

Help with what?

You can have any string you like in PHP. It only becomes a problem if you use it somewhere (e.g., echo, eval, or in an SQL query) that changes its meaning into something unexpected.

The problem with trying to come up with a list of “unsafe” characters, and then assuming that you’re “safe” if you don’t have them, is that it’s a false sense of security. This is why PHP’s “magic quotes” are a horrible non-solution, just like the dozens of “make_safe_string” functions that amateur programmers come up with to shove into their contact form scripts. “Unsafe” characters in HTML are different than “unsafe” characters in PHP or SQL (or even different SQL brands/engines).

The only way to really solve this problem is to “read up” so you know what to do, when and where, to keep yourself safe. Most programming languages, PHP included, believe it or not, have existing functions to use in each of these cases (e.g., you can see we’re using htmlspecialchars on text data that we print, even with text that didn’t necessarily come from the user).

As to those specific characters:

  • what about names that have apostrophes? or forms like this one, where we ask for the full name in only one field (we need spaces)?
  • what about common punctuation (,.?'":/&%$()) in messages?
  • as for emails, the best way to validate it is by using PHP’s filter_var. It’s a much better check than you can build yourself, and (as a native function) much faster, too. In addition, by validating the email field as a single address, you can stop header injection attacks (where multiple addresses or other email headers are added to the field).

Hope that helps. Please ask if you have any other questions!
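To make the advice above concrete, here is an added PHP example (not code from this thread or from the contact form being discussed). It validates the email field as a single address with filter_var so an attempted extra mail header is rejected, escapes with htmlspecialchars only where text is printed into HTML, leaves the plain-text email body unescaped, and shows why an allowed-character list rejects an ordinary name. The field names, the From address and the sample submissions are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Field names, the From address and
// the sample submissions below are assumptions made for illustration.

/**
 * Returns the address if the input is exactly one valid email address,
 * otherwise null. A value carrying "\r\n" or a second address fails this
 * check, which is what stops header injection into mail().
 */
function validateEmail(string $input): ?string
{
    $email = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/**
 * Escapes a string for insertion into an HTML page, e.g. when echoing the
 * name back on a "thanks for your message" page. Not needed for text that
 * only goes into a plain-text email.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Builds the plain-text body and the header block for mail(). The visitor's
 * address goes into Reply-To (From stays on your own domain), and the name
 * is kept out of the headers entirely. Returns null when the address is not
 * valid, so nothing attacker-controlled ever reaches the header block.
 */
function buildMail(string $name, string $email, string $message): ?array
{
    $replyTo = validateEmail($email);
    if ($replyTo === null) {
        return null;
    }
    $headers = implode("\r\n", [
        'From: Contact Form <noreply@example.com>', // assumption: your own address
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    // Plain text: a <script> tag here is just characters in an email body.
    $body = "Name: {$name}\nEmail: {$replyTo}\n\n{$message}\n";
    return ['headers' => $headers, 'body' => $body];
}

/** The "only letters, numbers and ! @ -" style of check asked about above. */
function allowedCharsOnly(string $text): bool
{
    return preg_match('/^[A-Za-z0-9!@ -]+$/', $text) === 1;
}

// Constructed sample submissions: one ordinary, one attempting header injection.
$good = [
    'name'    => "Liam O'Brien",
    'email'   => 'liam@example.org',
    'message' => 'Hi, <script>alert();</script> is in my message, so what?',
];
$bad = [
    'name'    => 'Liam',
    'email'   => "liam@example.org\r\nBcc: spamtarget@example.net",
    'message' => 'trying to add a header',
];

foreach (['good' => $good, 'bad' => $bad] as $label => $form) {
    $mail = buildMail($form['name'], $form['email'], $form['message']);
    if ($mail === null) {
        echo $label, ": rejected, email field is not a single valid address\n";
        continue;
    }
    echo $label, ": accepted\n", $mail['headers'], "\n\n", $mail['body'], "\n";
}

// Same name, different contexts: escaped for an HTML page, untouched in the
// plain-text body above, and rejected outright by the character list.
echo 'HTML-safe name: ', escapeHtml($good['name']), "\n";
echo 'HTML-safe message: ', escapeHtml($good['message']), "\n";
echo "Character list accepts O'Brien? ", allowedCharsOnly($good['name']) ? "yes\n" : "no\n";
```

The array returned by buildMail is what you would hand to mail($to, $subject, $mail['body'], $mail['headers']); the script above deliberately stops short of calling mail() so it runs without a mail transport. If the submitted text ever ends up in an SQL query, the analogous tool is a prepared statement with bound parameters, not a character filter.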