On Mon, April 4, 2005 2:00 pm, Eric Gorr said:

> I wanted to setup a good 'contact me' page on my website. I do not want
> to reveal my e-mail address, so I was going to use a form.
>
> The PHP script with the actual mail() function would define the To and
> Subject parameters, so these could not be faked.
>
> I also plan to use a captcha.

A what?

> The only concern I had was how to process the body text. Any
> recommendations?
>
> One useful function would appear to be strip_tags, so no one could embed
> annoying or destructive HTML, etc. which I may accidentally cause my
> e-mail application to render.

It's possible, though extremely unlikely, that somebody could construct a malicious email that passes through strip_tags and/or htmlentities and still does something *bad* for your particular email application.

htmlentities is going to be safe, but will convert HTML enhanced (cough, cough) email into a bunch of junk you can't even read. Which might be a morally correct thing to do with HTML email anyway, but probably not all that useful to even send it at that point.

Since you anticipate such a low volume, and seem concerned that you will lose valuable info from an HTML-enhanced email, perhaps you should log the original and provide a link to view it in the email you send to yourself. So if you REALLY need that "enhanced" email, you can surf to it. Of course, then your web-server/browser might be attacked by their code you are viewing/executing (JavaScript).

You may also want to consider using a "throttle" on the form based on $_SERVER['REMOTE_ADDR'] and if more than X emails are sent in Y hours from the same IP, refuse to send it and send them to an error page. I do this on sites where I forward "blind" emails to others, so they can't get (easily) attacked with a DOS attack on their email by a script kiddie.
Certainly, it can be defeated by somebody who knows how to change their IP, but it's a small hurdle to weed out some of the more clueless folks who want to try to abuse your form. You could also send them a Cookie, again easily defeated by the clueful, as well as checking their IP to add another hurdle.

-- 
Like Music? http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
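The handler sketched in the reply above, written out as an added example (this is not code from the thread or from either poster): the To and Subject are fixed server-side, the body goes through strip_tags and is sent as text/plain so the mail client has nothing to render, the unmodified submission is logged to disk with a link back to it, and a per-IP throttle refuses more than X messages in Y hours based on $_SERVER['REMOTE_ADDR']. The recipient address, file paths, limits, error-page location and review URL are all assumptions for illustration.

```php
<?php
// Added example, not the poster's code. Assumed values are marked as such.

const CONTACT_TO      = 'me@example.com';              // assumed fixed recipient, not taken from the form
const CONTACT_SUBJECT = 'Contact form message';        // fixed subject, cannot be faked by the sender
const THROTTLE_FILE   = '/var/www/private/contact_throttle.json'; // assumed writable path outside web root
const LOG_DIR         = '/var/www/private/contact-log';           // assumed log directory outside web root
const REVIEW_URL      = 'https://example.com/admin/contact/';     // assumed protected viewer for logged originals
const MAX_PER_WINDOW  = 5;          // "X emails" ...
const WINDOW_SECONDS  = 3 * 3600;   // ... "in Y hours"

// Returns true and records this attempt if $ip has sent fewer than $max messages
// in the last $window seconds; returns false (and records nothing) otherwise.
function throttle_allows(string $ip, int $now, int $max, int $window, string $file): bool
{
    $state = [];
    if (is_file($file)) {
        $decoded = json_decode((string) file_get_contents($file), true);
        if (is_array($decoded)) {
            $state = $decoded;
        }
    }
    // Keep only timestamps still inside the window, then drop other IPs' expired entries.
    $recent = array_values(array_filter($state[$ip] ?? [], fn ($t) => (int) $t > $now - $window));
    if (count($recent) >= $max) {
        return false;
    }
    $recent[] = $now;
    $state[$ip] = $recent;
    foreach ($state as $otherIp => $times) {
        $state[$otherIp] = array_values(array_filter($times, fn ($t) => (int) $t > $now - $window));
        if ($state[$otherIp] === []) {
            unset($state[$otherIp]);
        }
    }
    file_put_contents($file, json_encode($state), LOCK_EX);
    return true;
}

// strip_tags removes the markup the original poster is worried about; the mail is
// then sent as text/plain so whatever survives is shown literally, not rendered.
function sanitize_body(string $raw): string
{
    return trim(strip_tags($raw));
}

// Keep the unmodified submission on disk, as the reply suggests, and return an
// opaque id that the notification mail can link to.
function log_original(string $raw, string $ip, int $now): string
{
    $id = bin2hex(random_bytes(8));
    $record = "From IP: $ip\nReceived: " . date('c', $now) . "\n\n" . $raw;
    file_put_contents(LOG_DIR . '/' . $id . '.txt', $record, LOCK_EX);
    return $id;
}

// ----- request handling -----
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit;
}

$ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$now = time();

if (!throttle_allows($ip, $now, MAX_PER_WINDOW, WINDOW_SECONDS, THROTTLE_FILE)) {
    header('Location: /contact-error.html'); // assumed error page
    exit;
}

$raw  = (string) ($_POST['body'] ?? '');
$id   = log_original($raw, $ip, $now);
$body = sanitize_body($raw)
      . "\n\n-- \nSubmitted from $ip. Original logged as $id: " . REVIEW_URL . $id . "\n";

$headers = "Content-Type: text/plain; charset=UTF-8\r\n";
mail(CONTACT_TO, CONTACT_SUBJECT, $body, $headers);

echo 'Thanks, your message has been sent.';
```

The throttle state lives in a small JSON file keyed by IP, so it needs no database and survives across requests; the LOCK_EX on the write keeps concurrent submissions from clobbering each other, though a read-modify-write race can still let one extra message through, which is acceptable for the "small hurdle" the reply describes. The review link points at a viewer that is assumed to sit behind authentication; as the reply notes, opening a logged HTML original in a browser means running whatever script it contains, so that viewer should serve the file as text/plain rather than as HTML.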