Newbie PHP Form processing + Security questions.

by PsiCat
6 replies
Hi Everyone,

I am trying to create the code that works behind the submit button on my squeeze page.

I need it to:
1) Send me an email with all the user enter data from the form
2) Redirect the user to my "Thank You" page
3) Populate my newly created MySql database with the appropriate info.

I'm VERY new to php, but I've actually created a php file that seems to be doing all this, but it has my email, my DB Username and password in it, and that feels dangerous.

I don't know anything about how security works, so I just tossed the file in the same directory that I have my all my other html pages.

First off, can someone please take a quick look and tell me if there are any pitfalls with this code that I should be aware of (like it won't work in some browsers, or something):

<?php
// Define data fields:
$email = $_POST['email'];
$name = $_POST['name'];
$to = "myEmail@mydomain.com";
...
//
//Email and then redirect to thanks page
mail($to, $subject, $body, $from);
header('Location:http://mydomain.com/Thanks.html');
//
//Store data in a database:
mysql_connect("localhost", "userid", "password") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
mysql_query("INSERT INTO `tablename` VALUES ('$email', '$name', '$PictureVote', '$ProdReviewer', '$NotifywhenReady')");
?>

Second, can anyone explain to me in agonizing detail what I should be doing so that bad people can't somehow get their paws on this code to spam my email and/or hack my db?

(I've made this particular userid/password with limited privelege of insert only which should help, but I still don't want anyone to see anything.)

I imagine that as it stands right now, someone clever could simply view the source data right now to find the name of the file "processform.php" and then do nasty things to me.

I'm using hostgator, by the way, in case that means anything to anyone as far as including specifics in your answers.

Thanks in advance for helping out!

- PsiCat!
#form #newbie #php #processing #questions #security
  • Profile picture of the author Adi E
    Just some Quick pointers:

    You may want to perform strip_tags, stripslashes on the posted data to stop the user from modifying your MySQL query.

    You may also want to check their referring page to ensure their coming from the correct page on you website and not a direct link

    You might want to clean and validate your data - not for security but to ensure that the correct information has been entered.

    You could also add a simple captcha? Therefore stopping any bots from submitting the form


    Hope this helps,
    Adi
    {{ DiscussionBoard.errors[970528].message }}
  • Profile picture of the author hiphil
    You could hide your email by breaking it up, and replacing the "@" with chr(64):

    E.g.
    $to = "myE" . "ma" . "il" . chr(64) . "myd" . "om" . "ain" . ".c " . "om";
    Signature

    Create your first website by 3:45 this afternoon - using Free software. (Free Download).
    www.hiphil.net

    {{ DiscussionBoard.errors[970643].message }}
  • Profile picture of the author HomeBizNizz
    PHP-code will always be processed before it is sent to the browser.
    If the file has the right ending, like .php
    I don't think you will see none of that, just the output in text/HTML.
    {{ DiscussionBoard.errors[970787].message }}
    • Profile picture of the author Adi E
      HomeBizzNizz is right, theres no way for someone to find your database details when they access the page via a web browser, but if they somehow gain FTP access to your site then this would allow them to download the file and see your details,

      Adi
      {{ DiscussionBoard.errors[970970].message }}
  • Profile picture of the author awesometbn
    Couple of considerations . . .

    - sanitize your input fields to make sure only data is being submitted, instead of database commands or scripting variables, there are plenty of free Javascript and PHP codes that you can simply copy and paste on your form page, the fields are checked before form submission

    - make your job easier by using cforms II, search google for Delicious Days to download the latest cforms version, there are a lot of built-in features, and it's all free

    - be aware of SQL injection techniques, scan your database for vulnerabilities and patch it correctly before you rely on it for a business production environment

    - either check your web server logs manually each day, or setup an automated pattern matching search in your logs to immediately alert you when a serious error or problem shows up, you want to respond as quickly as possible to prevent damage and limit data corruption

    - make regular backups of your data, and create a schedule to regularly change your passwords

    - use SSL certificates (HTTPS) on form pages to encrypt the data that is being submitted on your web server, otherwise everything can be intercepted and read as cleartext

    - use SSH (jailed root, secure shell) to access your web hosting account instead of FTP or telnet, otherwise everything you are doing can be intercepted and read as cleartext

    There's more but this is a good start. The main idea is that you are aware and alert.
    {{ DiscussionBoard.errors[971205].message }}
  • Profile picture of the author PsiCat
    Wow!

    Thanks for the great replys everyone.

    Being very new to this, I've had to do some reading to figure out what you were all talking about, but it is very much appreciated.

    I now know what a captcha and strip_tags is, I've got validation on all fields except email, and I'm looking into that, I've butchered my email address in spite of the fact that it sounds like people will not be able to look inside my php code, and I am horrified to learn that "sql injection" exists and am now studying up on what that means to me, and how to avoid it.

    What a great bunch of info! Thanks to everyone who wized me up. Clearly I came to the right place!

    - PsiCat
    {{ DiscussionBoard.errors[973108].message }}

Trending Topics