I have a question....
My PHP form processing script was being used for spam, so I pulled it. I've been studying all week about PHP data validation and security.

I have the nose bleeds from the steepness of the learning curve as proof.
I was told not to send out email from incoming form data, even if it is validated, because you can never block all the security holes.
But that's what I want the data for, I don't want it for a database, and I work for Christian non-profits that don't want people asking for prayer to have to use a captcha to submit their request!
So in this situation what is the 'Best Practice'? My coding is nowhere near the level of hackers, I cannot write code to cover every issue and although there are bits and pieces of code for this out there I still have to find it, customize it, and know how to use it - there isn't a complete secure answer for beginners out there. Beginner's stuff is way too basic to keep hackers out, and advanced stuff is too geek-speak to understand and use.
The classic technology catch-22. Oy! This is a tutorial that needs to be written!
I know:
1. I need to validate all incoming data, that goes double for data visitors are submitting. I have some simple examples of this, such as testing to see if the var is empty - simple. But how do I test for extra To: or Subject? Or test for CC, which I am not using, but a hacker could inject into my script?
2. I need to generate a unique code when the form submits and validate that first in my php (hidden version of captcha) or exit. How to do this was explained on an advanced php site - I only follow the gist and the site didn't give the step by step - Yikes! I know how to generate the code, but not how to test for it....
3. I don't know the best way to email that data.... when, how etc. I hate to rely on PHP alone. Back when my ISP had server/script problems I still had the data because I had it emailed to me first thing. How do I get around this issue?
Your help is very appreciated.
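The three numbered items above, worked through as an added PHP example (not the poster's script): it assumes PHP 7.2 or later with sessions enabled, a fixed recipient and From address on your own domain, the built-in mail() function, and a hidden form field named `token` (all of these are assumptions, not taken from the post).

```php
<?php
// Added example, not the poster's script. Assumes PHP 7.2+ with sessions,
// a fixed recipient and From address on your own domain, and built-in mail().
if (session_status() === PHP_SESSION_NONE) { session_start(); }

// Item 2: issue a one-time token when the form is rendered; keep the server
// copy in the session and put the returned value (HTML-escaped) in a hidden
// <input name="token"> field.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Item 2, on submit: compare in constant time, then discard so it is single use.
function verify_form_token(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
}

// Item 1: a value that reaches a mail header must not contain CR or LF; that is
// how a submitted field could otherwise add To:, Cc: or Subject: lines.
function is_safe_header_value(string $value): bool {
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Read one field as a trimmed string; arrays or missing fields become ''.
function field(array $post, string $key): string {
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Item 3: validate, then send with a fixed To, Subject and From. The visitor's
// address goes only into Reply-To, never into From or To.
function send_prayer_request(array $post, string $to, string $from): bool {
    if (!verify_form_token(field($post, 'token'))) { return false; }
    $name  = field($post, 'name');
    $email = field($post, 'email');
    $body  = field($post, 'message');
    if ($name === '' || $body === '' || !is_safe_header_value($name)) { return false; }
    if (!is_safe_header_value($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $headers = ['From' => $from, 'Reply-To' => $email,
                'Content-Type' => 'text/plain; charset=UTF-8'];
    $text = "Prayer request from $name <$email>\n\n$body\n";
    return mail($to, 'Prayer request', $text, $headers);
}
```

The token only stops posts sent straight to the script without first loading the form in a session; it is not a substitute for the header checks, which are what keep a submitted value from becoming extra To:, Cc: or Subject: lines.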