The Archive Base
Editorial Team
Asked: May 26, 2026

What are the consequences of not validating a simple email form on the server.

Keep in mind that:

  • javascript validation is being carried out
  • there is no database in question, this is a simple email form

The PHP code I would like to use is this:

<?php
    // Read every POST field through FILTER_SANITIZE_SPECIAL_CHARS (HTML-encodes '"<>& and control characters).
    $post_data = filter_input_array( INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS );

    $full_name = $post_data["full_name"];
    $email_address = $post_data["email_address"];
    $gender = $post_data["gender"];
    $message = $post_data["message"];

    // Build the plain-text mail body from the submitted fields.
    $formcontent = "Full Name: $full_name \nEmail Address: $email_address \nGender: $gender \nMessage: $message \n";
    $formcontent = wordwrap($formcontent, 70, "\n", true);

    // The From header is built from the submitted address; this is the header the thread discusses.
    $recipient = "myemail@address.com"; $subject = "Contact Form"; $mailheader = "From: $email_address \r\n";

    mail($recipient, $subject, $formcontent, $mailheader);

    echo 'Thank You! - <a href="#"> Return Home</a>';
?>

Would a simple captcha solve the issue of security?

UPDATE:

A few questions I would really like answered:
If I am not worried about invalid data being sent, what is the absolute minimum I can do to improve security? Basically, avoid disasters.

I should probably mention that this code is being generated in a form generator and I would like to avoid my users getting attacked. Spamming might be sorted by adding Captcha.

UPDATE:
What is the worst case scenario?

UPDATE:
Really appreciate all the answers!

A couple of things I plan to do:

  • add this as Alex mentioned:
    filter_var($post_data['email_address'], FILTER_VALIDATE_EMAIL);

  • add simple captcha

If I did add simple server side validation, what should I validate for? Can't the user still send invalid data even if I am validating it?

Also, will the above stop spam?

1 Answer

    Editorial Team
    Added an answer on May 26, 2026 at 12:18 am

    In general if you are just playing around and don’t care, you don’t need validation at all.
    Having client-side validation is pointless and you will just be wasting your time. The client-side only approach will get you in trouble. You can’t trust your users that much.

    If you plan to actually release this or really use it on a live environment, you must have a server side validation. It is well worth the time since this is a simple form now, but it may grow to be much more than that. In addition, if you take care of your validation now, you can reuse it later with other components of your application/site. If you try thinking in terms of reusability you will save yourself countless hours of development.

    There are also obvious issues such as injections and JavaScript issues, as mentioned by other users.
    In addition, a simple CAPTCHA does not cut it anymore. There are some nice resources regarding CAPTCHA.

    Take a look at those.

    Coding Horror

    Decapther

    So the simple answer to your questions is that you are certainly vulnerable in your current situation. I know that more development takes more time, but if you follow good development practices such as reusability and orthogonal/modular design you can save yourself a lot of time and still produce robust applications.

    Good luck!

    UPDATE:
    You can add FILTER_VALIDATE_EMAIL to take care of the email validation and you can read more about the email injection and how to take care of it here: damonkohler.
    As for the CAPTCHA, it could solve the problem, but it really depends on how valuable of a target your form/site is. I would recommend using non-linear transforms or something that is widely used and proven. If you are writing your own you may get yourself in trouble.

    Summary:

    1. Validate Email
    2. Still make sure you are safe from injections
    3. Make sure the CAPTCHA is strong enough
    4. Really Consider server-side validation

    UPDATE:
    @kht Did you get your questions answered? Let us know if something was unclear.
    Good Luck!

    UPDATE:
    OK, I think we have made you a bit confused here with this whole client-side/server-side fiasco. I will try to break it down now so it makes more sense. The first part explains some basic concepts, and the second answers your questions.

    First, PHP is a server-side language. It runs on the server and when a page request is sent, the server will “run” the PHP script, make any changes to the requested page, and then send it to the user who is requesting the page. The user has no access/control over that PHP script. On the contrary, as discussed earlier, the client-side scripts, such as JavaScript can be manipulated. However, just because you have some PHP script running and checking something on a form, that does not mean that the form is secure. It only means that you are doing some server-side processing of the form. Having it there, and making it secure are two different things as I am sure you have already figured out.

    Now when we say that you need server-side validation we mean that you need a good one. Also, in this hectic Q&A format nobody really mentioned that there is a difference between validating data and sanitizing data.

    sanitizing – making the data meet some criteria

    validating – checking if the data meets a criteria

    Take a look at phpnightly for a better explanation and examples.
    There are also some nice simple tutorials describing how to create basic validation of a form.

    nettuts

    Very basic, but you should get the idea.

    So how do you approach your current problem?

    1. To begin with, you should keep what you have in terms of client-side validation and add the CAPTCHA as you mentioned (check my post or you can research some good ones).

    2. What should you validate?

      a. you should validate the data: all fields such as email, name, subject…

      • check if the data matches what you expected: is the field empty?; is it an email?; does it contain numbers?; etc. You can validate the data on the server side for the same things you are validating it on the user side. The only difference is that the client cannot manipulate that validation.

      b. you could sanitize the data as well

      • make it lower case and compare it, trim it, or even cast it into a type if you need to. If you have time to check it out, the article from phpnightly has a decent explanation of the two and when not to use both.
    3. Can the users still send invalid data?

      • sure they can, but now they have no access to the validation algorithm, they can't just disable it or go around it (strictly speaking).
      • when the data is invalid or malicious, just inform the user that there has been an error and make them do it again. That is the point of the server-side validation, you can prevent the user from circumventing the rules, and you can alert them that their input is not valid
      • be very careful with the error messages too; don't reveal too much of the rules you are using for validation to your user, just inform them what you are expecting
    4. Also, will the above stop spam?
      If you make sure the form is not vulnerable to email injections, you have client-side validation, CAPTCHA, and server-side validation of some form (it does not have to be super complex) it will stop spam (keep in mind that today's great solution is not so great tomorrow).

    5. Why the hell do I need that server-side bull* when my client-side validation works just fine?
      Think of it as having a safety net. If a spammer goes around the client-side security, the server-side security will still be there.

    This validation thing sounds like a lot of work, but it is actually pretty simple. Take a look at the tutorial I included and I am sure the code will make things click. If you make sure no unwanted information is being sent through the form, and the clients cannot manipulate the form to send to more than one email, then you are pretty much safe.

    I just wrote this one off the top of my head, so if it is confusing just put some more questions or shoot me a message.
    Good Luck!
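The handler from the question, reworked along the lines the answer gives: validation (reject what does not meet the criteria) kept apart from sanitisation (shape data that has already passed), with no mail header built from free text. This is an added example, not the asker's code nor the answer's; the field names and recipient are from the question, while the allowed gender values and the fixed sender address are assumptions.

```php
<?php
// Added example (not the asker's or the answer's code). Field names and the recipient
// come from the question; gender values and the fixed From address are assumptions.
// Validation: return a list of problems; an empty list means the request is acceptable.
function validate_contact(array $post): array
{
    $errors = [];
    foreach (['full_name', 'email_address', 'gender', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    // FILTER_VALIDATE_EMAIL rejects spaces and CR/LF, so a valid address cannot add headers.
    if (filter_var($post['email_address'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email_address is not a valid address';
    }
    if (preg_match('/[\r\n]/', $post['full_name'])) {
        $errors[] = 'full_name must be a single line';
    }
    if (!in_array($post['gender'], ['male', 'female', 'other'], true)) { // assumed form values
        $errors[] = 'gender must be one of the offered values';
    }
    if (strlen($post['message']) > 4000) {
        $errors[] = 'message is too long';
    }
    return $errors;
}
// Sanitisation of already-valid data. From is fixed; the visitor's address goes only into Reply-To.
function build_mail(array $post): array
{
    $body = "Full Name: " . trim($post['full_name']) . "\nEmail Address: " . $post['email_address']
          . "\nGender: " . $post['gender'] . "\nMessage: " . trim($post['message']) . "\n";
    $headers = "From: contact-form@example.com\r\nReply-To: " . $post['email_address'] . "\r\n";
    return ['myemail@address.com', 'Contact Form', wordwrap($body, 70, "\n", true), $headers];
}
$post = filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) ?: [];
$errors = validate_contact($post);
if ($errors !== []) {
    http_response_code(400);
    // Tell the user what is expected without exposing the validation rules themselves.
    echo 'Please correct: ' . htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8');
} else {
    [$to, $subject, $body, $headers] = build_mail($post);
    mail($to, $subject, $body, $headers);
    echo 'Thank You! - <a href="#">Return Home</a>';
}
```

Client-side checks and a CAPTCHA sit in front of this; the server-side checks are what remain when a client skips them.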
