What precautions should be taken when sending an email via PHP

3

I'm developing a contact form for my site; as usual, I first get it working and then work on its security.

For a simple form that will only have a name field, an e-mail field and a message field, what security precautions should be taken?

I'm not experienced in PHP, but I've read articles saying that forms that access a MySQL database can be manipulated so that malicious users gain access to information they should not have.

Is there any such danger when there is no interaction with the database?

I know that I should do validation to prevent the user from submitting an empty field, for example.

asked by anonymous 08.08.2014 / 14:45

2 answers

5

I believe the precautions to take when sending e-mails from a web system are the usual, well-known ones: validate that the e-mail address typed actually follows the e-mail address format (via a regular expression, for example), check that the name and message fields are not empty, and add a captcha to prevent a malicious script from sending unsolicited mail. That is enough.

As for the articles you read about forms that access the database being manipulated, that is nothing more than the old SQL injection, present in web systems in general and not specific to PHP.

I hope I have helped.

Hugs!

08.08.2014 / 14:53
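As an added example (not code from the question or from either answer), here is how the checks listed in the answer above could be written in PHP: non-empty name and message, and an address that passes PHP's built-in e-mail validator instead of a hand-written regex. It also adds two checks the answer does not mention: length limits, and a refusal of line breaks in the fields that end up in mail headers. The field names, the limits and the addresses are assumed; the captcha step is left out because it needs a third-party service.

```php
<?php
// Added example (not from the original answers): server-side validation for a
// name / e-mail / message contact form, run before the values reach mail().

/**
 * Validate the raw POST fields of the contact form.
 * Returns a list of error messages; an empty list means the input is acceptable.
 */
function validateContactForm(array $post): array
{
    $errors = [];

    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    // Non-empty checks, as the answer recommends.
    if ($name === '') {
        $errors[] = 'Name is required.';
    }
    if ($message === '') {
        $errors[] = 'Message is required.';
    }

    // Length limits (assumed values) so one request cannot carry megabytes of text.
    if (mb_strlen($name) > 100) {
        $errors[] = 'Name is too long.';
    }
    if (mb_strlen($message) > 5000) {
        $errors[] = 'Message is too long.';
    }

    // Address format: PHP's built-in validator returns false on a malformed address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }

    // Name and address are placed in mail headers (Reply-To below). A CR or LF
    // inside them would start a new header line, so they are rejected outright.
    if (preg_match('/[\r\n]/', $name . $email) === 1) {
        $errors[] = 'Line breaks are not allowed in the name or e-mail fields.';
    }

    return $errors;
}

// Constructed sample input standing in for $_POST.
$sample = [
    'name'    => 'Ana Silva',
    'email'   => 'ana@example.com',
    'message' => 'Hello, I would like a quote.',
];

$errors = validateContactForm($sample);
if ($errors === []) {
    // Headers are built only from values that passed the checks above.
    $headers = 'From: site@example.com' . "\r\n"
             . 'Reply-To: ' . $sample['email'] . "\r\n";
    // mail($to, 'Contact form', $sample['message'], $headers) would be called here;
    // $to is assumed and the call is omitted so the script runs without a mail server.
    echo "Input accepted, headers:\n", $headers;
} else {
    echo implode("\n", $errors), "\n";
}
```

Run the script with a name such as "Bob\r\nBcc: spam@example.com" in place of the sample to see the line-break check reject it; with the sample as given it prints the two header lines.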
2

The form does not connect to the database; it only provides the information that will be inserted into the DB. You need to validate before saving the information, checking that what you received is of the expected type...

SQL injection occurs when you receive SQL statements along with an input and execute the query without validation. It can grant access to a login system or even run DROP TABLE. Using PDO eliminates a significant percentage of it; the debate is long.

You can have an input ($_GET or $_POST) that saves data to the DB or to files, login and password data, e-mail sending... Each case is different, and the data does not come only from forms.

`filter_var($email, FILTER_VALIDATE_EMAIL)`
does not provide secure e-mail validation. You need to validate with a regular expression, as mentioned.

08.08.2014 / 23:18
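As an added example (not the answerer's code) of the SQL injection point made in the answer above: the same INSERT written once with string concatenation and once with a PDO prepared statement. It runs against an in-memory SQLite database so it works offline; the table layout and the sample input are constructed for the example, and an ordinary name containing a quote is enough to show the difference.

```php
<?php
// Added example (not from the original answers): the same INSERT written with
// string concatenation (injectable) and with a PDO prepared statement.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT, body TEXT)');

// Constructed input: a perfectly legitimate name that happens to contain a quote.
$name  = "O'Brien";
$email = 'visitor@example.com';
$body  = 'hello';

// Vulnerable: the values are spliced into the SQL text, so the quote in $name
// ends the string literal early and the rest of the input is parsed as SQL.
function insertUnsafe(PDO $pdo, string $name, string $email, string $body): void
{
    $sql = "INSERT INTO messages (name, email, body) VALUES ('$name', '$email', '$body')";
    $pdo->exec($sql);
}

// Safe: the statement is compiled with placeholders and the values are bound
// afterwards; whatever characters they contain, they are data, never SQL.
function insertSafe(PDO $pdo, string $name, string $email, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (name, email, body) VALUES (:name, :email, :body)');
    $stmt->execute([':name' => $name, ':email' => $email, ':body' => $body]);
}

insertSafe($pdo, $name, $email, $body);
$row = $pdo->query('SELECT name FROM messages')->fetch(PDO::FETCH_ASSOC);
echo "Prepared statement stored the name verbatim: {$row['name']}\n";

try {
    insertUnsafe($pdo, $name, $email, $body);
} catch (PDOException $e) {
    // The quote broke the query: the same mechanism lets an attacker append
    // statements of their own when the input is chosen deliberately.
    echo "Concatenated query failed: {$e->getMessage()}\n";
}
```

The prepared statement needs no escaping of the input at all, which is why it removes this class of bug rather than chasing individual characters; validation of the content (type, length, format) is still a separate step.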