
After reading a lot of tutorials I just want to be sure to be on the safe side.

I made a contact form which looks like this:

<form name="contakt" accept-charset="UTF-8" method="post" action="./mail.php">
<input type="text" name="name" />
<input type="text" name="email" />
<input type="text" name="tel" />
<input type="submit" value="Send" name="submit" />
<textarea name="message"></textarea>
</form>

I validate via jQuery that the name and message are not empty and not only full of spaces,

and I check the email via jQuery with the following script:

// Returns true when the string looks like an e-mail address (client-side check only)
function ismailornot(email) {
    var regex = /^([a-zA-Z0-9_.+-])+@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,4})+$/;
    return regex.test(email);
}

Now when my variables get passed and I am in my mail.php, is it more than enough to check at the top of my script the $_SERVER['HTTP_REFERER'] and look whether those variables came from my own script? Or can you modify $_SERVER variables too?

Or do I basically have to check EVERY passed variable again to be on the safe side?

For example: http://www.w3schools.com/php/php_secure_mail.asp - is this script 100% safe from injections?

Thanks for helping me out :)

Kris
  • You are checking nothing if you are checking with Javascript alone. Rely on Javascript to advise the user of an error before they submit the page, not for sanitization. – miken32 Jul 09 '14 at 19:43
  • Make mail() function save from SQL injections... Am I the only one not getting that sentence? – Michal Jul 09 '14 at 19:44
  • Make a php-file including mail() function safe from gettin' abused with a header injection. Tried to shorten it somehow ... looks like I failed. @miken32 - I am just using JS to advise the user of various errors - just added it because I was unsure if it's important for my question or not. – Kris Jul 09 '14 at 19:47
  • "I validate via jQuery"..."I check the email via jquery"..."I am on my mail.php is it more then enough to check on top my of script the $_SERVER['HTTP_REFERER'] and look if those variables came from my own script" You are checking only with Javascript, and asking if you should be doing more checking. What I'm telling you, is you aren't doing any real checking at all so of course you should be doing more checking. – miken32 Jul 09 '14 at 19:57

2 Answers


The way: Check EVERY passed variable again to be on the safe side

gpupo

Try this, after some modifications to fit your needs; it's a piece from Larry Ullman's book:

<?php
function spam_scrubber($value) {

    // List of very bad values (header names and markup that must never
    // appear in a submitted field):
    $very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:', 'multipart-mixed:',
    'content-transfer-encoding:', '<script>');

    // If any of the very bad strings are in
    // the submitted value, return an empty string:
    foreach ($very_bad as $v) {
        if (stripos($value, $v) !== false) { return ''; }
    }

    // Replace any newline characters (and their URL-encoded forms) with spaces,
    // so the value cannot start a new header line:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);

    // Encode HTML special characters (this does not strip tags, it neutralises them):
    $value = htmlentities($value, ENT_QUOTES);

    // Return the value:
    return trim($value);

} // End of spam_scrubber() function.

// Clean the form data:
$scrubbed = array_map('spam_scrubber', $_POST);

// Pick up the sender field only if it was actually submitted:
if (isset($scrubbed['from'])) {
    $from = $scrubbed['from'];
} else {
    $from = '';
}

// Minimal form validation:
if (!empty($from) && !empty($scrubbed['comments'])) {

    // Create the body:
    $body = "Name: {$from}\n\nComments: {$scrubbed['comments']}";
    $body = wordwrap($body, 70);

    // Send the email:
    mail('YOUR_EMAIL', 'Contact Form Submission', $body, "From: {$from}");
}
bart
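As an added example (not code from the question or either answer), here is a mail.php that re-checks every field server-side for the exact form in the question (name, email, tel, message), rejects CR/LF in anything that ends up in a header, and does not rely on the Referer header; the recipient address and the fixed From address are placeholders.

```php
<?php
// Added example: server-side handling for the question's form.
const RECIPIENT = 'you@example.com';              // placeholder, replace
const FROM_ADDR = 'contact-form@example.com';     // placeholder, replace

// A value is only allowed into a mail header if it contains no line break,
// raw or URL-encoded; otherwise it could start a new header such as Bcc:.
function header_safe(string $value): ?string {
    if (preg_match('/[\r\n]|%0[aAdD]/', $value)) {
        return null;
    }
    return trim($value);
}

// Re-validates the POSTed fields (the jQuery checks only help the browser
// user) and returns the message parts, or null if anything is unacceptable.
function build_message(array $post): ?array {
    $name    = header_safe((string)($post['name'] ?? ''));
    $email   = header_safe((string)($post['email'] ?? ''));
    $tel     = header_safe((string)($post['tel'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === null || $email === null || $tel === null) return null;
    if ($name === '' || $message === '') return null;
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) return null;

    // The body may legitimately contain newlines; only headers are sensitive.
    $body = "Name: $name\nEmail: $email\nTel: $tel\n\n$message";

    // From stays a fixed local address; the visitor's validated address goes
    // into Reply-To so replies still reach them.
    $headers = "From: " . FROM_ADDR . "\r\nReply-To: $email";

    return [
        'subject' => 'Contact Form Submission',
        'body'    => wordwrap($body, 70),
        'headers' => $headers,
    ];
}

// No Referer check: that header is supplied by the client and proves nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid input');
    }
    mail(RECIPIENT, $msg['subject'], $msg['body'], $msg['headers']);
}
```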