Reality Check on Formmail Security


As an exercise to satisfy my own curiosity, I am rolling my own "contact
me" script. The idea is to have it be AJAX-enhanced, but fall-over to a
regular old POST for browsers with JavaScript disabled. That part is the
easy part.

Naturally, I want this form to be impervious to spammers. I don't care
about people spamming me with it; rather, I don't want spammers to
exploit the form to spam others, with an injection (or some such attack).

Of course, the email that the form gets sent to (mine) is coded into the
PHP script, and not included in the HTML form in any way (such as a
hidden input element). I'm checking form field inputs to strip "\r",
"\n", "%0a", "%0d", "Content-Type:", "Content-Transfer-Encoding:",
"MIME-Version:", "bcc:", "to:", and "cc:". I was also planning on using
this regular expression to validate the email address:

...whaddya think? Am I practicing safe formmail?

David H.
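The checks described in the post, written up as an added example (not the poster's PHP script, and the address pattern below is a constructed strict one, not the poster's missing regex): the script-side view is that the recipient and From are fixed on the server, single-line fields are rejected rather than stripped when they contain a line break or a header keyword, and only a validated address reaches a Reply-To header. Note that in PHP the POST data is already URL-decoded, so a literal "%0a" in a field is harmless text; the value is decoded once more here only to make that point.

```python
import re
from urllib.parse import unquote

# Header-injection markers the post lists, checked case-insensitively
# because mail header names are case-insensitive.
HEADER_TOKENS = ("content-type:", "content-transfer-encoding:",
                 "mime-version:", "bcc:", "cc:", "to:")
CRLF_RE = re.compile(r"[\r\n]")
# Constructed strict pattern: one bare mailbox, no display name, no spaces.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_header_safe(value: str) -> bool:
    """False if the value could break out of a single mail header line."""
    # Check the value as received and after one percent-decode, so an
    # encoded %0d%0a is treated the same as a literal CRLF.
    for candidate in (value, unquote(value)):
        if CRLF_RE.search(candidate):
            return False
        lowered = candidate.lower()
        if any(tok in lowered for tok in HEADER_TOKENS):
            return False
    return True


def validate_contact_form(fields: dict) -> dict:
    """Validate the fields that end up in headers; reject, do not strip.

    A rejected submission tells a legitimate user what to fix and avoids
    the sanitiser-ordering mistakes that stripping invites."""
    errors = []
    for name in ("name", "email", "subject"):
        if not is_header_safe(fields.get(name, "")):
            errors.append(f"{name}: line breaks or header keywords not allowed")
    if not EMAIL_RE.match(fields.get("email", "")):
        errors.append("email: not a valid address")
    # The body is not a header, so newlines are fine there; just cap its size.
    if len(fields.get("message", "")) > 5000:
        errors.append("message: too long")
    return {"ok": not errors, "errors": errors}


def build_headers(fields: dict, site_from: str) -> str:
    """Extra headers for the mail call. To and From are fixed server-side
    (site_from is a constructed placeholder); only the validated address
    is placed in Reply-To."""
    result = validate_contact_form(fields)
    if not result["ok"]:
        raise ValueError("; ".join(result["errors"]))
    return f"From: {site_from}\r\nReply-To: {fields['email']}\r\n"
```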

Re: Reality Check on Formmail Security

On Tue, 16 Mar 2010 13:09:19 -0700, David J. Hennessy wrote in


Sounds like it.
Add in an optional Captcha and you'll have a winner.
That way, users of your FM won't have to hack to add.

A lot of people are afraid of heights. Not me, I'm afraid of widths.
