I want to get a better understanding of security issues in the processing of contact forms, so that I can ensure that I'm doing everything that I could conceivably need to do while I work on my form's PHP script. I had first better list what I'm doing so far:
- Converting to HTML entities and trimming spaces
- Checking for any unfamiliar array keys in POST (inc select options)
- ...for things like "content-type", "bcc:", etc.
- ...that the max lengths of inputs are as they should be
- ...each input with some regular expressions
- ...for common spam keywords
- ...and for URLs in the message
Reading that, it looks like I might know what I'm doing, but my knowledge is very patchy and I've had to spend a lot of time learning as I go along. Some of what I've added to my script may even be unnecessary or ineffective, possibly. Understanding PHP has been particularly difficult. Anyway, the questions:
Leaving aside spam for a minute, exactly what would a hacker enter into a form to try something malicious? What should I include in the regular expression that checks for such data (e.g. 3rd item in above list)? At the moment, I have a regex that I saw on another forum somewhere and it looks like this:
And what .htaccess tricks should I look out for and use? I have a few, mostly from perishablepress.com, but again, a thorough checklist would be very helpful to my research/learning.
My site doesn't have a database, so at least that's one less thing to worry about. But what can a hacker do in other ways? (I assume that there are quite a lot of things).
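As an added example (not the poster's script and not a reply from the thread), here is one way to structure the checks listed in the question in PHP, with the header-injection check reduced to its actual mechanism (no line breaks in header-bound fields) rather than a keyword blacklist; the field names, length limits and addresses are assumptions.

```php
<?php
// Added example, not the poster's code. Field names, limits and the
// addresses used below are assumptions for illustration only.
const MAX_LEN = ['name' => 80, 'email' => 254, 'subject' => 120, 'message' => 4000];

function validate_contact(array $post): array
{
    $errors = [];
    // 1. Reject unexpected keys: the form only ever sends these fields.
    $unexpected = array_diff(array_keys($post), array_keys(MAX_LEN));
    if ($unexpected) {
        $errors[] = 'Unexpected field(s): ' . implode(', ', $unexpected);
    }
    $clean = [];
    foreach (MAX_LEN as $field => $limit) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') { $errors[] = "$field is required"; continue; }
        if (mb_strlen($value) > $limit) { $errors[] = "$field exceeds $limit characters"; }
        // 2. Anything that ends up in a mail header (From, Reply-To, Subject)
        //    must be a single line: a CR or LF is what allows extra headers
        //    such as Bcc or Content-Type to be smuggled in.
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field must not contain line breaks";
        }
        $clean[$field] = $value;
    }
    // 3. Validate the address structurally rather than with an ad-hoc regex.
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// 4. HTML-escape at output time (when echoing back into the page), not at
//    validation time, so the mail body keeps the visitor's literal text.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$result = validate_contact($_POST);
if (!$result['ok']) {
    foreach ($result['errors'] as $e) { echo '<p>' . html($e) . '</p>'; }
    exit;
}
// 5. Build the message only after validation. The visitor's address goes in
//    Reply-To; From stays a fixed site address so it is never user-controlled.
$headers = "From: contact@example.com\r\nReply-To: " . $result['data']['email'] . "\r\n";
mail('you@example.com', $result['data']['subject'], $result['data']['message'], $headers);
```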