Form vulnerability

Help
mikefitz2
2007-03-30
2013-06-03
  • mikefitz2

    mikefitz2 - 2007-03-30

    It is my understanding that there are fairly easy ways to 'hijack' a php form and use it to send spam, and that specific steps need to be taken to prevent that. Can you tell me if phpFormGenerator is vulnerable to those hacks?

    Thanks!

    • TNTEverett

      TNTEverett - 2007-03-30

      All forms are subject to attack.  If someone is serious about using forms to send SPAM, they will find a way no matter how hard you try to protect your form.  How often does this happen to the average web site?  Not very often.  What measures can you take?  It depends on your level of paranoia, or your actual experience with form generated SPAM.  
      I have many forms in use and don't have any abuse going on.  I leave some mostly unprotected.  I have some with what I consider adequate security for my application. 
      What are your specific concerns?  If you tell me what you would like to protect yourself from, I am sure I can provide some kind of answer/solution that you can implement. 

    • mikefitz2

      mikefitz2 - 2007-03-30

      Thanks for the quick reply. I wish I knew enough to tell you exactly what I need. Like some others I've seen on this forum, I provide web services, including dedicated server (which I lease) and rely on other professionals to do the technical stuff.

      One of my servers got blacklisted and after some investigation it turned out to be because someone hijacked a php form. The developer did two things to secure it:
      1) made a sendmail app separate from the form
      2) looked for invalid entries. following is part of the code:

      // -- Check for invalid input --
      // eregi() was removed in PHP 7; preg_match() performs the same CR/LF check.
      // A carriage return or line feed in a header field would let a submitter
      // append extra mail headers, so the script refuses such input outright.
      if (preg_match("/[\r\n]/", $subject)) { die("Invalid Data :("); }
      if (preg_match("/[\r\n]/", $to))      { die("Invalid Data :("); }
      // -- End Of Check for invalid input --

      Does this help?

      • TNTEverett

        TNTEverett - 2007-03-31

        Simple code to see if multiple entries (requiring a carriage return) are added to the "to" and "subject" variables used in the mail function.  Sometimes the carriage return is interpreted as field separators and lines are taken out of order (substituted for other variables).  Forms should really avoid any entry that allows a form user to input these fields to be used by the sendmail program.  All of my forms only take data from a user to be used later by myself or by other programs I write.  This way the form can never be automatically abused.  The other programs I write take necessary precautions to avoid any abuse. 
        So now I have to ask again, what is it that you want or need to do to your phpGenerator forms?
        Do you want to add the above mentioned code equivalent? 
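The header-injection check described in this reply, written out as a small validation step for a form handler. This is an added example, not phpFormGenerator's code; the field names, the owner address and the hypothetical handler around it are assumptions.

```php
<?php
// Added example (not phpFormGenerator code): refuse mail header injection
// before any form value reaches mail(). Field names are assumed.

/**
 * True if a value destined for a mail header contains CR, LF or a NUL
 * byte, i.e. could start a new header line such as Bcc: or Cc:.
 */
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate the fields a form handler would place into mail headers.
 * Returns a list of error messages; an empty list means the input is clean.
 */
function validateMailFields(array $fields): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $key) {
        if (hasHeaderInjection($fields[$key] ?? '')) {
            $errors[] = "$key contains a line break";
        }
    }
    if (!filter_var($fields['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is not a valid address';
    }
    if (strlen($fields['subject'] ?? '') > 200) {
        $errors[] = 'subject is too long';
    }
    return $errors;
}

// Constructed sample submissions: one normal, one with a second header
// smuggled into the subject field via a carriage return.
$clean    = ['name' => 'Jane', 'email' => 'jane@example.com', 'subject' => 'Hello'];
$injected = ['name' => 'Jane', 'email' => 'jane@example.com',
             'subject' => "Hello\r\nBcc: someone@example.net"];

var_dump(validateMailFields($clean));     // no errors
var_dump(validateMailFields($injected));  // one error for the subject field

// Only after validation passes do values reach mail(). The recipient is fixed
// in the script, never taken from the form, and the visitor's address goes
// into Reply-To rather than into From.
$recipient = 'owner@example.com'; // assumed site owner address
if (validateMailFields($clean) === []) {
    $headers = "From: form@example.com\r\nReply-To: " . $clean['email'] . "\r\n";
    // mail($recipient, $clean['subject'], $message, $headers);
}
```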

    • mikefitz2

      mikefitz2 - 2007-03-31

      My responses follow yours:

      Simple code to see if multiple entries (requiring a carriage return) are added to the "to" and "subject" variables used in the mail function.
      >>This was added for every field in the form, I just took a snippet

      Sometimes the carriage return is interpreted as field separators and lines are taken out of order (substituted for other variables). Forms should really avoid any entry that allows a form user to input these fields to be used by the sendmail program.
      >>>Does the phpformgenerator do this?

      All of my forms only take data from a user to be used later by myself or by other programs I write. This way the form can never be automatically abused.
      >>>Are you saying that the forms created by phpformgenerator cannot be automatically abused?

      Do you want to add the above mentioned code equivalent? 
      >>>If that is what is needed for security. I have another thought. Can I simply add one of the available captcha image codes to the form after it is created with phpformgenerator? Or does that address a different issue?

      Thanks for your patience. The issues we are discussing are obvious to you, but I am trying to understand them ;-)

      • TNTEverett

        TNTEverett - 2007-04-01

        >>This was added for every field in the form, I just took a snippet
        Probably not necessary, but it doesn't hurt.

        >>>Does the phpformgenerator do this?
        FormGenerator just collects the data and produces the email.  Issues like this can occur in the mail program.

        >>>Are you saying that the forms created by phpformgenerator cannot be automatically abused?
        No, what I am saying is that I manage the data and make sure only the data intended for use is passed to other programs like mail().

        >>>If that is what is needed for security. I have another thought. Can I simply add one of the available captcha image codes to the form after it is created with phpformgenerator? Or does that address a different issue?
        I do not know what is necessary because I do not know how your form is used, or abused.  You have to have some idea of how your form is being abused before you can define a method of protecting it. 
        Captcha images require visual recognition of a random image encrypting specific text.  Once the specific text is recognized and entered into the form the form can proceed.  This prevents automated form processors from filling in form data and submitting the form via some automated script or program. 
        It's a decent security measure that protects from automated hacks.  It does require custom integration into the phpFormgenerator because it is not currently an available feature. 
