Forms and Site Security Help

Hi everyone! I have most of my site set up with just HTML and CSS, I want to add a form to receive some information such as Name, Phone Number and Email Address and have that emailed to me. I have a php setup for that, but I'm worried that having a form may create a vulnerability in my site and allow it to be hacked (it's happened before). How are you all preventing injection attacks and other exploits?

Jochem•1/21/25, 8:41 AM

Prepared statements

JJochem Prepared statements

raw-powerOP•1/21/25, 8:50 AM

Would this work or are there vulnerabilities still?

Jochem•1/21/25, 8:51 AM

oh, sorry, I assumed you meant SQL injection

Jochem•1/21/25, 8:53 AM

I'm not terribly up to date on the security concerns with sending mail through the function, but that looks like a good start at least. Hopefully someone else can weigh in

JJochem I'm not terribly up to date on the security concerns with sending mail through t...

raw-powerOP•1/21/25, 8:54 AM

thank you!

Ἔ

ἔρως•1/21/25, 10:24 AM

it looks ok, but you dont implement any type of rate limiting from php

Ἔ

ἔρως•1/21/25, 10:25 AM

you need to implement it from apache/nginx if you prefer

13eck•1/21/25, 11:21 AM

This might be a good read. OWASP has some great stuff on security, as that's kinda their thing :p

13eck•1/21/25, 11:21 AM

Also, see #How To Ask Good Questions to see how to properly format code blocks in Discord

Ἔ

ἔρως•1/21/25, 12:08 PM

i always forget about owasp

Ἔ

ἔρως•1/21/25, 12:08 PM

but seriously, i would consider not even sending an email

Ἔ

ἔρως•1/21/25, 12:09 PM

i would just ram all the data into the database and then send a daily email with all the contacts or something

Ἔ

ἔρως•1/21/25, 12:09 PM

also, you dont have any server-side validation or verificarion or any records at all

Ἔ

ἔρως•1/21/25, 12:10 PM

in fact, this even sounds like you didnt even request consent to use user's data, as required by the gdpr

Ἔ

ἔρως•1/21/25, 12:10 PM

some states are also slowly starting to have some data protection laws too, so, you should look into that

Ἔ

ἔρως•1/21/25, 12:13 PM

if i were you, i would even avoid sending an email from your own server, as you will have to deal with an annoying amount of work, as would try to use sendgrid or other service that has a nice free tier

113eck [This might be a good read](<https://owasp.org/Top10/A04_2021-Insecure_Design/>)...

raw-powerOP•1/21/25, 5:02 PM

thank you, I've formatted the post

Ἔἔρως also, you dont have any server-side validation or verificarion or any records at...

raw-powerOP•1/21/25, 5:04 PM

I don't need gdpr where I am which is why it's not implemented. why do you say sending from my own server would be an annoying amount of work?

Ἔἔρως it looks ok, but you dont implement any type of rate limiting from php

raw-powerOP•1/21/25, 5:08 PM

oh didn't consider rate limiting, thank you, would throttling like this work?

Ἔ

ἔρως•1/21/25, 5:10 PM

no, i can just send from a "browser" that doesnt support cookies (or disable cookies in curl)

Rraw-power I don't need gdpr where I am which is why it's not implemented. why do you say ...

Ἔ

ἔρως•1/21/25, 5:11 PM

you need to make it clear who the target audience is then, in the form

Ἔ

ἔρως•1/21/25, 5:12 PM

and it is annoying because of all the configurations you have to do to try to avoid spoofing

Ἔ

ἔρως•1/21/25, 5:13 PM

also, if some asshole decides to spam the living crap out of your server, and you send an email per request, your email box may get full and/or you get blacklisted

Ἔἔρως no, i can just send from a "browser" that doesnt support cookies (or disable coo...

raw-powerOP•1/21/25, 5:14 PM

then how about using the database to store the session details such as:

This plus ReCaptcha should do it? or can they still be bypassed?

Ἔ

ἔρως•1/21/25, 5:16 PM

with recaptcha, it's possible to slow it down

Ἔ

ἔρως•1/21/25, 5:17 PM

but you added a possible sql injection

Ἔ

ἔρως•1/21/25, 5:18 PM

use prepared statements to insert stuff into the database

Ἔ

ἔρως•1/21/25, 5:18 PM

also, you dont need to read and send the value to the database to increment

Ἔ

ἔρως•1/21/25, 5:18 PM

by the way, remove the closing tag

raw-powerOP•1/21/25, 5:24 PM

which part do you see as a possible injection risk? none of this is coming from the form fields. not sure I understand what you meant by not needing to read and send to the database to increment, and yes, removing the closing tag for server efficiency, just keeping it there when doing snippet examples

Ἔ

ἔρως•1/21/25, 5:25 PM

the ip address comes from external programs

Ἔ

ἔρως•1/21/25, 5:26 PM

and if im not mistaken, it can be controlled in some scenarios

raw-powerOP•1/21/25, 5:26 PM

the ip address can be manipulated to inject sql code???

raw-powerOP•1/21/25, 5:26 PM

omg

Ἔ

ἔρως•1/21/25, 5:26 PM

i think it is possible, yes

raw-powerOP•1/21/25, 5:26 PM

how is anyone implementing forms on their sites!?!

Ἔ

ἔρως•1/21/25, 5:26 PM

painfully

raw-powerOP•1/21/25, 5:27 PM

seems so

Ἔ

ἔρως•1/21/25, 5:27 PM

with prepared statements

Ἔ

ἔρως•1/21/25, 5:28 PM

prepared statements have another advantage: mysql can cache the compiled query and subsequent queries are a lot faster

Ἔἔρως i think it is possible, yes

Jochem•1/21/25, 5:28 PM

it's very unlikely... but the reason you would still use prepared statements are twofold:
1) Forming the habbit. It's too important to ignore and good to just always use the right way
2) Just in case there's a PHP vulnerability where can be manipulated. It'd be much nicer to know that "huh, maybe the rate limiter won't work so well" rather than "in theory my entire DB is now vulnerable"

Ἔ

ἔρως•1/21/25, 5:28 PM

if you provide the values directly, those are new queries and wont be cached

Jochem•1/21/25, 5:29 PM

basically, you're writing code with in the back of your mind that other parts of the stack might have vulnerabilities you didn't count on

JJochem it's very unlikely... but the reason you would still use prepared statements are...

Ἔ

ἔρως•1/21/25, 5:29 PM

there's a lot of stuff that is user-controlled in the superglobal

Ἔ

ἔρως•1/21/25, 5:29 PM

stuff you wouldnt expect

Jochem•1/21/25, 5:29 PM

pretty sure REMOTE_ADDR isn't, but it's still good practice

Ἔ

ἔρως•1/21/25, 5:30 PM

it's passed by apache to php

Ἔ

ἔρως•1/21/25, 5:30 PM

or nginx

Ἔ

ἔρως•1/21/25, 5:30 PM

it's a good idea to be paranoid

raw-powerOP•1/21/25, 5:31 PM

so, like this?