Is this safe?

Craig321 · 1 Mar 2006 at 20:33

Hi,

Just wondered if this is safe?:

index.php:
normal form, nothing special - just some nice css, submits to sendmail.php

sendmail.php:

Code:

<?
  $name = $_POST['name'];
  $domain = $_POST['domain'];
  $email = $_POST['email'];
  $space = $_POST['space'];
  $bandwidth = $_POST['bandwidth'];
  $dailyUnique = $_POST['dailyUnique'];
  $pageRank = $_POST['pageRank'];
  $description = $_POST['description'];
  
  //CONFIG
  include "config.php"
  
  if(empty($name)){
	echo 'Please make sure you entered your name';
  }
  
  elseif(empty($domain)){
	echo 'Please make sure you entered your domain name';
  }
  
  elseif(empty($email)){
	echo 'Please make sure you entered your email address';
  }
  
  elseif(empty($space)){
	echo 'Please make sure you entered the ammount of space your website requires';
  }
  
  elseif(empty($bandwidth)){
	echo 'Please make sure you entered the ammount of bandwidth your website users';
  }
  
  elseif(empty($dailyUnique)){
	echo 'Please make sure you entered the ammount of unique visitors you get daily';
  }
  
  elseif(empty($description)){
	echo 'Please go back and enter a website description';
  }
  
  else {
  $headers  = 'MIME-Version: 1.0' . "\r\n";
  $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

  $headers .= "From: $name <$email>";
  
  foreach ($_REQUEST as $key => $val) {
	if ($key != "from_email" && $key != "from_name") {
		$body .= $key . " : " . $val . "\r\n";
	}
  }  
  
  if(mail($to, "Sponsor request", $message, $headers)){
	header("Location: ".$thxEmail);
  }
  }
?>

config.php:

Code:

<?

  $to = "[email protected]";
  $thxEmail = "thxEmail.php";
  $message = "<style>body{font-family:Verdana; font-size:10px;}</style>
		 <table border=\"1\" cellspacing=\"2\" cellpadding=\"2\">
			 <tr><td>Name:</td><td>$name</td></tr>
			 <tr><td>Domain name:</td><td> $domain</td></tr>
			 <tr><td>Email address:</td><td> $email</td></tr>
			 <tr><td>Space used:</td><td> $space</td></tr>
			 <tr><td>Bandwidth used:</td><td> $bandwidth</td></tr>
			 <tr><td>Daily uniques:</td><td> $dailyUnique</td></tr> 
			 <tr><td>Page rank:</td><td> $pageRank</td></tr>
			 <tr><td>Description:</td><td> $description</td></tr>
		 </table>";
	
?>

Thanks,
Craig.

NathanE · 1 Mar 2006 at 20:50

If the sendmail.php script is publically accessible then it's not safe. Anybody could, potentially, send e-mails from your mail server.

Beansprout · 1 Mar 2006 at 22:10

If I put that on a public webpage I can guarantee that within a week it will be a haven for spambots.

There is absolutely no validation

Craig321 · 1 Mar 2006 at 22:32

What can I do to make it safe please?

Thx
Craig.

NathanE · 1 Mar 2006 at 22:56

Don't make it public. If you don't want to redesign the software and have to make it public then don't name it "sendmail.php"

Craig321 · 1 Mar 2006 at 22:58

Even if I renamed it to diufheuifhweiufh.php people could still find it just by looking at source of the page with the form on

Is this safe?: http://www.safalra.com/programming/php/contactform/

If so then I'll take examples from that to make mine safe.

Thanks
Craig.

Beansprout · 1 Mar 2006 at 23:06

That script is better.

The reason yours is unsafe is because baaad content can be injected causing the mail server to send out a few hundred e-mails unbeknown to you.

It's not a matter of making the script public because so long as nothing else can be injected into the e-mail via the other variables you can guarantee that e-mails can only be sent to the address you specify. And that people can't inject Evil Spam Code to send out their spam

Craig321 · 1 Mar 2006 at 23:11

Ok,cool, so will the above script in the link I gave avoid all this?

Thanks
Craig.

toastyman · 1 Mar 2006 at 23:26

It should really have some kind of validation...whether image based or question based to deter scripts from submitting the form repeatedly and putting a load on the server.

Craig321 · 1 Mar 2006 at 23:37

OK, I'll look into making an image validation

Thanks
Craig.