What precautions should be taken when sending an email via PHP

Question

What precautions should be taken when sending an email via PHP

Asked 10 years, 3 months ago

Viewed 148 times

3

I am developing a contact form for my site, as usual I first make it functional, and then work on the security of it.

In the case of a simple form, which will only receive one field name, another field email and finally a field message; What precautions should be taken with this security form?

I’m not experienced in PHP, but I’ve read articles telling us that forms that access the Mysql database can be manipulated in such a way that malicious users can have access to information that they shouldn’t have.

Is there any danger like this when there is no interaction with the database?

I know I must do the validation to prevent the user to send an empty field for example.

2 answers

5

I believe that the precautions to be taken when sending emails through some web system are those well-known common precautions: validate whether the typed email really follows an e-mail pattern (via regular expression for example)if the name and message fields are not empty and add a captcha to prevent some malicious script from sending non-stop emails is enough.

About the articles you read of forms that make access to the bank be manipulated, this is nothing more than the old known sql injection, present in web systems in general and not specific to the PHP language.

I hope I’ve helped.

Hug!

Browser other questions tagged php security-guard

You are not signed in. Login or sign up in order to post.

by Papa Charlie • **8,721** points · Answer 1 · 2014-08-08T21:18:20+00:00

Form does not connect to the database, it only provides the information that will be inserted into the DB. You need to validate before saving the information, check if what you received is of the corresponding type...

SQL Injection occurs when you receive instructions next to an input and execute the query without validation. You can conceder acesso a login system or even run a DROP TABLE. The use of PDO eliminates a significant percentage - the debate is over.

You can have an input(_GET or _POST) that saves data in DB or in files, login and password data, sending email... Each case is a case and the data does not come solely from forms.

_{filter_var( $emial , FILTER_VALIDATE_EMAIL )}
Does not provide secure email validation. You need to validate with an ER as quoted.