Give help. Get help.

  • # December 6, 2012 at 12:32 pm

    I would like to start a discussion more then posting a question about a problem and an idea I have. Sorry for the long post!

    Its about securing a contact form when you must stick with html instead of creating a contact.php page which would be much easier though.

    It would be nice if someone can give some advice about the idea I have.
    I’m not a pro so hopefully the idea doesn’t sound too silly to you.

    So the problem is:

    **Probably spam prevention and securing the contact submit method itself.**

    My idea as following:

    First of all, all fields in the contact form are disabled to make sure nothing can be send if JavaScript isn’t available. The form action is empty too we are using ajax only! But there is a another button where users can download the same form as pdf to make sure users without Javascript enabled can still send the form from their email clients.

    We create two php files lets call the first one **generate.php** and the second **process.php**

    This file is used to generate a csrf token which will be send back as json.
    An jquery script receives that token and inserts it in a hidden form field.
    Maybe I could do this while the contact.html is loading ormaybe in document ready.

    I guess I need to make sure in generate.php if the request is an ajax request before returning the json which its containing token.

    When someone hits submit the same jquery script will:

    1. Change form fields and submit button to enabled.
    2. Check if all required fields aren’t empty.
    3. Validate user input.
    4. Send the user input + csrf token to **process.php**

    Again check if the request was an ajax request.
    Validate the csrf token.
    Escape everything we’ve got.
    Maybe validate a second time the user input.

    Send back notifications as json e.g. (an error occurred or your data has been send successfully…)
    Send out the mail.

    **The questions are:**
    How to validate the csrf token in process.php which is generated from generate.php?

    What about header injections which I’ve heard of is that a big problem too?

    Any other security risks you’ve in mind?

    Well but this is basically the idea I’ve had in mind.
    Maybe someone have a much better solution to that problem!

    Looking forward for your opinions

    kindest regards,

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.