Email security
am 14.07.2009 13:46:37 von Tiji varghese
Hello,
I've implemented a contact form on my website that would email me the contents of the form and also add it to the database. It's working perfectly but I'm not too sure about the security part. I don't know much about the security issues concerned with email forms and the measures to check it. Please help.
Thanks,
Tiji
Re: Email security
am 14.07.2009 14:15:41 von Eric Butera
On Tue, Jul 14, 2009 at 7:46 AM, Tiji varghese wrote:
> Hello,
>
> I've implemented a contact form on my website that would email me the contents of the form and also add it to the database. It's working perfectly but I'm not too sure about the security part. I don't know much about the security issues concerned with email forms and the measures to check it. Please help.
>
> Thanks,
> Tiji
The main thing to be aware of would be 'email header injection.' Do
not allow returns/newlines in any of the mail header fields you
populate from user input. Also require a valid email address and
verify that it has a valid domain name.
Next up would just be the annoyance of a client receiving tons of spam
messages. There are a lot of automated programs crawling the web just
filling out every form they find looking for vulns to exploit. Even if
your form has no holes in it, the client will still get all of this
unwanted junk from the automated tests. You can try to come up with
some clever ways of stopping that.
--
http://www.ericbutera.us/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
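As an added illustration of the two points Eric raises (refusing newlines in header-bound fields, and validating the sender address and its domain), here is a small PHP handler that is not code from the thread. The function names, the placeholder addresses on example.com/example.org, the hidden honeypot field named `website`, and the sample submissions are all constructed for this example.

```php
<?php
// Added example (not from the thread): hardening a PHP contact-form handler
// against e-mail header injection and trivial form-bot spam. Function names,
// placeholder addresses and the sample submissions below are constructed.

declare(strict_types=1);

/**
 * True if the value contains a CR or LF. A newline in any field that ends up
 * in a mail() header lets a submitter append headers of their own, which is
 * the "email header injection" Eric describes.
 */
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Validate a sender address: syntactically valid and its domain resolves to
 * an MX record (or, failing that, an A record, which mail servers also accept).
 * Note that checkdnsrr() performs a live DNS lookup.
 */
function isValidSenderAddress(string $email): bool
{
    if (hasHeaderInjection($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

/**
 * Build the arguments for mail(). Header-bound fields are rejected outright
 * when they carry a newline rather than silently cleaned, so a tampered
 * submission is dropped instead of sent. Returns null when rejected.
 */
function buildContactMail(array $post): ?array
{
    // Honeypot (assumption): a hidden field real visitors never see; bots fill it.
    if (trim((string)($post['website'] ?? '')) !== '') {
        return null;
    }

    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // Every field that reaches a header must be newline-free.
    foreach ([$name, $email, $subject] as $field) {
        if (hasHeaderInjection($field)) {
            return null;
        }
    }
    if (!isValidSenderAddress($email)) {
        return null;
    }

    // From stays a fixed address on your own domain (SPF/DKIM keep passing);
    // the visitor's address only goes into Reply-To.
    $headers = [
        'From: Website Contact Form <noreply@example.com>',   // placeholder domain
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];

    // The body may legitimately contain newlines; only the headers must not.
    $body = "Name: {$name}\nEmail: {$email}\n\n" . $message;

    return [
        'to'      => 'me@example.com',                        // placeholder recipient
        'subject' => substr($subject, 0, 120),
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed sample submissions: an honest one and one with an injected header.
$honest = ['name' => 'Ann', 'email' => 'ann@example.org',
           'subject' => 'Question', 'message' => "Hi,\nis the shop open on Sunday?"];
$tampered = $honest;
$tampered['email'] = "ann@example.org\r\nBcc: someone-else@example.net";

if (($mail = buildContactMail($honest)) !== null) {
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo "honest submission accepted\n";
}
if (buildContactMail($tampered) === null) {
    echo "tampered submission rejected\n";
}
```

The design choice worth noting is rejection instead of cleaning: stripping the newline would make the tampered submission look like a normal one, whereas refusing it gives you a clear signal to log. The honeypot field is one of the "clever ways" Eric alludes to for form bots; it costs nothing for real visitors but will not stop a human spammer, so keep the header checks regardless.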
RE: Email security
am 14.07.2009 22:01:17 von Dewey Williams
> -----Original Message-----
> From: Tiji varghese [mailto:tiji_1@yahoo.co.in]
> Sent: Tuesday, July 14, 2009 7:47 AM
> To: PHP General
> Subject: [PHP] Email security
>
> Hello,
>
> I've implemented a contact form on my website that would email me the
> contents of the form and also add it to the database. It's working
> perfectly but I'm not too sure about the security part. I don't know
> much about the security issues concerned with email forms and the
> measures to check it. Please help.
>
> Thanks,
> Tiji
[Dewey Williams]
There are a number of easy-to-use sanitizing scripts available for
processing forms for email and database use - find and use one! Forms
are notoriously easy to compromise for sending spam and corrupting web
sites.
A program I have used in the past is FormMail by
http://www.tectite.com. There are many other FormMail programs
available by the same name - this one is well documented and easy to set
up. It doesn't provide as much database security as you may want, but
it does a good job of hiding email and preventing cross-site scripting
attacks.
Dewey Williams