How to sanitize Contact Us form

This may be a really dumb question, but how do I sanitize a “Contact Us” form?

My form has the following fields:

  • From (Email)
  • Name
  • Subject
  • Question/Comment

For the sender’s e-mail and name, I run them through a Regex.

The subject is a drop-down, so I compare the entry against a list.

Other than trim, I don’t do anything for the Question/Comment which is maybe bad?

When a user submits the “Contact Us” form, it gets e-mailed to the admin.

How can I make things more secure?

PHP has filters you can use - http://php.net/manual/en/filter.filters.sanitize.php

The first thing I need to better understand is what bad things could someone do in a “Question/Comment” text field in a “Contact Us” form…

Since it is a free-form text area, it makes it harder to check what is legitimate or not as opposed to an e-mail field or a numeric field.

Your biggest concern needs to be XSS attacks (yes it is possible with Email too or so I think if you use HTML email).

So can I just use htmlentities on the Comment/Question field and be safe?

Or do I need to apply one of the filters that Ryan mentioned above?

I guess I really never thought about text area fields (e.g. Comment, PM, Question)…

If you do not wish to permit any formatting (bold, italic, underline) htmlentities would work, so would strip_tags.

If you do want formatting, strip_tags.

You’d use the filters for Email and URL.

@RyanReese, I have to disagree with this suggestion. I looked into it, and it seems like it removes things that it shouldn’t for a Contact Form (e.g. tabs, new lines, and even tags.)

htmlentities disables HTML tags, but leaves them in the field.

So if you sent this question…

Could you help me understand why my <b>,</b> tags aren't working in PM's?

…then I could still see them in your question.

htmlentities has nothing to do with sanitising. To sanitise the comment field simply strip out any characters you don’t want to allow.

Sanitising and validating are input functions and come first in the code, while htmlentities does escaping rather than sanitising and is an output function and so comes last in the code.

felgall wrote:
> htmlentities has nothing to do with sanitising. To sanitise the comment field simply strip out any characters you don’t want to allow.

And how would I do that?

For example, if I also log the Comment/Question into my database, what would I have to do to “sanitize” the Comment/Question field, which is a text area field?

Oh, I guess I saw it as sanitizing, because it prevents CSRF and issues in emails too.

Keep in mind, your email body is a form of output, so htmlentities does feel appropriate to me (if you wish to leave the code tags in there to see what the user entered).

@felgall and @cpradio,

For the entire code base, I use mysqli and prepared statements.

I started second-guessing my code and thinking I had a big flaw in not using mysql_real_escape_string() on inputs, however based on some research, it sounds like my prepared statements take care of escaping automatically…

IF that is correct then all of the “Contact Us” form data should be safe to INSERT into my database after I verify (i.e. sanitize) the Email, Name and Subject - plus applying htmlentities to the Body to disable, yet preserve HTML tags.

Then for output, since I applied htmlentities before inserting it, it should be safe to output in an email to the administrator, right?

You only need to escape when data is jumbled with code. When using prepared statements the code is in the prepare and the data is in a separate bind or execute statement where it can’t possibly be misinterpreted as code.

htmlentities is an escape function specific to jumbling data with HTML. If you used it when outputting to a plain text email or a word document then you will have converted the data to garbage.

Just because keeping the data separate prevents injection doesn’t mean that you don’t need to validate or sanitise first. If you don’t then I could enter my name as ‘1234’, my age as “happy birthday” and my address as “?!@@@” - all of which would be rejected by validation, cleaned up by sanitising or would otherwise simply process junk through your code.
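The input-first / escape-last split that felgall describes here and in his earlier post, and the "how would I do that?" question about the free-form field, put together as one added example (my code, not any poster's). The drop-down values, table name and column names are assumptions, since the thread does not give them.

```php
<?php
// Added example (not any poster's code): validate and sanitise on input, store with a
// prepared statement, and escape only at output, chosen by where the text ends up.
declare(strict_types=1);

// Hypothetical values of the Subject drop-down; the real list is not in the thread.
const ALLOWED_SUBJECTS = ['General', 'Billing', 'Technical'];

/** Returns ['errors' => [...]] or the four cleaned fields. */
function validateContact(array $post): array
{
    $errors = [];
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'invalid e-mail'; }
    // Letters, spaces, apostrophes, dots, hyphens; \z (not $) so no trailing newline slips in.
    $name = trim($post['name'] ?? '');
    if (!preg_match('/^[\p{L} \'.-]{1,80}\z/u', $name)) { $errors[] = 'invalid name'; }
    $subject = $post['subject'] ?? '';
    if (!in_array($subject, ALLOWED_SUBJECTS, true)) { $errors[] = 'unknown subject'; }
    // Free-form comment: normalise line endings, drop control characters other than
    // newline and tab, cap the length. No HTML escaping here; that is the output's job.
    $comment = str_replace(["\r\n", "\r"], "\n", trim($post['comment'] ?? ''));
    $comment = preg_replace('/[^\P{C}\n\t]/u', '', $comment);
    if ($comment === '' || mb_strlen($comment) > 5000) { $errors[] = 'comment empty or too long'; }
    return $errors ? ['errors' => $errors] : compact('email', 'name', 'subject', 'comment');
}

/** Store the raw values; the placeholders keep data out of the SQL text, so no escaping. */
function storeContact(mysqli $db, array $c): void
{
    $stmt = $db->prepare('INSERT INTO contact_messages (email, name, subject, comment) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $c['email'], $c['name'], $c['subject'], $c['comment']);
    $stmt->execute();
}

/** Build the admin e-mail body. Escape only when the body is sent as HTML. */
function buildAdminBody(array $c, bool $htmlMail): string
{
    if (!$htmlMail) {  // plain text: htmlentities here would show the admin a literal &lt;b&gt;
        return "From: {$c['name']} <{$c['email']}>\nSubject: {$c['subject']}\n\n{$c['comment']}";
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>From: ' . $e($c['name']) . ' &lt;' . $e($c['email']) . '&gt;<br>Subject: '
         . $e($c['subject']) . '</p><pre>' . $e($c['comment']) . '</pre>';  // a typed <b> shows as text
}

// Constructed sample submission, using the "<b>,</b>" comment quoted in the thread.
$clean = validateContact(['email' => 'jane@example.com', 'name' => "Jane O'Brien",
    'subject' => 'Technical', 'comment' => "Why aren't my <b>,</b> tags working in PM's?"]);
```

With `$clean` validated, `storeContact()` writes the unescaped text and `buildAdminBody($clean, true)` or `buildAdminBody($clean, false)` produces the body for an HTML or plain-text mail respectively.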

So it sounds like I’m alright on that point.

Unless you want to see the HTML in a literal format.

True, but I was asking about my Comment/Question field which is a free-form field.

I do check that the Email, Name and Subject are valid.

But there is no way to determine if a comment or question is legitimate, UNLESS there would be some way for a hacker to type something in that field and blow up my INSERT or email to the admin.

Since I use prepared statements, it sounds like I am safe on the database end with this last form field.

And since I understand what htmlentities does, I guess I am okay there too.

So did I leave anything out that I need to make sure the Comment/Question doesn’t blow up MySQL or the Email?
