1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Does contact us page requires protection?

Discussion in 'PHP & Perl' started by Mutikasa, Aug 17, 2015.

  1. Mutikasa

    Mutikasa Power Member

    Joined:
    May 23, 2011
    Messages:
    581
    Likes Received:
    207
    From inserting malicious code?
     
  2. MrBlue

    MrBlue Senior Member

    Joined:
    Dec 18, 2009
    Messages:
    971
    Likes Received:
    680
    Occupation:
    Web/Bot Developer
    Best practices suggest one should always sanitize input data. Including a captcha as well can help deter automated form submission.

    Sanitizing an input field in PHP using filters
    Code:
    <?php
    
    $filtered_string = filter_var(trim($_POST['input']), FILTER_SANITIZE_STRING);
    
    ?>
    
    More on sanitize filters here:
    Code:
    https://secure.php.net/manual/en/filter.filters.sanitize.php
    Escaping input prior to MySQL insert in PHP
    Code:
    <?php
    
    $db->mysqli->real_escape_string($filtered_string);
    
    ?>
    
     
    • Thanks Thanks x 1
    Last edited: Aug 18, 2015
  3. Sythix

    Sythix Senior Member

    Joined:
    Sep 29, 2014
    Messages:
    961
    Likes Received:
    680
    Location:
    127.0.0.1
    Home Page:
    I use the contact us form wordpress plugin, which is a light weight plugin and will protect you from basic sql injections etc..
     
    • Thanks Thanks x 1
  4. coitza

    coitza Jr. VIP Jr. VIP Premium Member

    Joined:
    Oct 26, 2007
    Messages:
    2,686
    Likes Received:
    696
    Occupation:
    freelancer
    Home Page:
    any input field needs that, depending on your needs you could go with already created contact us pages that took that into consideration.
     
    • Thanks Thanks x 1
  5. h123er2

    h123er2 Newbie

    Joined:
    Jun 23, 2011
    Messages:
    3
    Likes Received:
    0
    Not really well. The only thing that's really needed is prevention from injections : (
    And here's a good news. If you're already using PHP extension PDO to communicate with DB, then you're okay. Else, check this little tutorial out here. I explain how PDO works differently than PDO and precents injectoins.

    webdevtown c0 m Search for 'PDO'.
     
  6. jamie3000

    jamie3000 Supreme Member

    Joined:
    Jun 30, 2014
    Messages:
    1,311
    Likes Received:
    587
    Occupation:
    Finance coder looking for semi-retirement
    Location:
    uk
    Depends how secure you really want to be. Most of the time SQL injection and xss protection will do but email forms do have some other nasties to look out for...

    "Email injection is a type of injection attack that hits the PHP built-in mail function. It allows the malicious attacker to inject any of the mail header fields like, BCC , CC, Subject, etc., which allows the hacker to send out spam from their victims? mail server through their victims? contact form. For this reason, this attack is called Email Injection, or mail form spamming."
     
  7. mantic0re

    mantic0re Junior Member

    Joined:
    May 29, 2015
    Messages:
    118
    Likes Received:
    9
    Anything that connects to the database requires protection. Depending on how your mysql connections are made, you may already be safe from sql injections though. Additionally, it is critical to add a captcha to your contact form, because it is a key page for ddos attack. It consumes system resources so send a mail as well as the fact that a ddos attack could get your IP blacklisted on spamhaus if you are sending thousands upon thousands of spam mails.