Author Topic: Webpage and contact form  (Read 1363 times)

Webpage and contact form
« on: 10 November, 2022, 11:02:57 am »
I have volunteered to provide a web based contact form for a seekret society.
...well, not that seekret: they do want people to know they exist and attract new members  :)

It is a pretty simple job:

One static webpage with a picture and text - 'we do this... if you are interested please fill in this contact form'

Form linked to the domain email - so correspondence does not involve a personal email address

Any tips or potential slips - especially security and spam ones?

Kim

  • Timelord
    • Fediverse
Re: Webpage and contact form
« Reply #1 on: 10 November, 2022, 12:02:34 pm »
I think spam's the thing.  Our local cycle campaign had to implement a captcha in the end (with a database of simple questions that anyone who knows Birmingham should be able to answer, rather than those horrible picture things).

Re: Webpage and contact form
« Reply #2 on: 10 November, 2022, 12:46:11 pm »
I had a problem with spam on a web form, and found that a really simple captcha worked fine. I just asked for a day of the week, and as long as someone could spell any day of the week or any of the three-letter abbreviations, the message would get through.

I've not had any spam since and I haven't had any complaints on the phone number that's also provided. However, it only handles homeopathic levels of traffic.
Quote from: Kim
Paging Diver300.  Diver300 to the GSM Trimphone, please...

Re: Webpage and contact form
« Reply #3 on: 10 November, 2022, 01:24:36 pm »
Thanks for the spam advice, I like the idea of a question. Can think of some good ones!
And yes, I also only expect 'homeopathic' levels of traffic ...


citoyen

  • Occasionally rides a bike
Re: Webpage and contact form
« Reply #4 on: 10 November, 2022, 07:09:47 pm »
One thing I remember from doing something like this years ago is needing to protect the form against people using it to send malicious code to your website. But it was a long time ago and I can’t remember the details. Something to do with escape characters. Others will know much more about this than me.
"The future's all yours, you lousy bicycles."

Pingu

  • Put away those fiery biscuits!
  • Mrs Pingu's domestique
    • the Igloo
Re: Webpage and contact form
« Reply #5 on: 10 November, 2022, 07:56:32 pm »

Re: Webpage and contact form
« Reply #6 on: 11 November, 2022, 05:39:13 pm »
Quote from: citoyen
One thing I remember from doing something like this years ago is needing to protect the form against people using it to send malicious code to your website. But it was a long time ago and I can’t remember the details. Something to do with escape characters. Others will know much more about this than me.
Pingu has linked to the XKCD of the problem.

Anywhere that the user can run a database query can be vulnerable. This website is made from a database, and it says so at the bottom:-
Quote
Page created in 0.081 seconds with 18 queries.
The queries depend on what the user types in, and what is in the address bar. All of that should be sanitised so that arbitrary queries put into web addresses or forms can't end up in the query that is sent to the database.

For instance, the web address for this page ends
Quote
;last_msg=2766055
If I were writing the code to process the value of "last_msg", I would make sure that it can only be a number, in a specific range, so a malicious value like
Quote
;last_msg=/drop table "users"
won't result in the query
Quote
drop table "users"
being run; it will just result in an incorrect value for last_msg.

I don't think that it's so much of a problem with forms that send emails only. The risk there is that a cleverly crafted message or "from" field could result in multiple spam messages being sent to recipients other than yourself, but looking like they come from your website. It could be a good idea to remove "<" and ">" etc from the email addresses and "@" from the message itself.
Quote from: Kim
Paging Diver300.  Diver300 to the GSM Trimphone, please...
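The checks described in Replies #2 and #6, as an added example that is not code from the thread: the day-of-the-week challenge, a numeric range check of the kind suggested for "last_msg", and a "from" address check that rejects angle brackets (and, going a little further than the post, CR/LF, which is what actually lets extra mail headers be injected). Function names, the range limits and the address pattern are this example's own assumptions; the site's real mailer is not shown.

```python
import re
from typing import Optional

# Reply #2's challenge: any day name or its three-letter abbreviation passes.
_DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
_DAY_ANSWERS = set(_DAYS) | {d[:3] for d in _DAYS}

def day_challenge_ok(answer: str) -> bool:
    """Case-insensitive, whitespace-tolerant match against the day names."""
    return answer.strip().lower() in _DAY_ANSWERS

def parse_last_msg(raw: str, lo: int = 1, hi: int = 10_000_000) -> Optional[int]:
    """Accept only a decimal integer inside [lo, hi] (assumed limits).
    Anything else, e.g. '/drop table "users"', yields None and never reaches
    a database query."""
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        return None
    value = int(raw)
    return value if lo <= value <= hi else None

# A plain address: local part, one '@', dotted domain. Spaces, angle brackets,
# a second '@' and line breaks cannot match, so no display-name tricks or
# extra header lines can ride along in the Reply-To field.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def clean_from_address(raw: str) -> Optional[str]:
    """Return the address if it is a bare, well-formed address, else None."""
    raw = raw.strip()
    if any(ch in raw for ch in "\r\n<>"):
        return None
    return raw if _ADDR_RE.fullmatch(raw) else None

def clean_message(raw: str) -> str:
    """Body text: normalise line endings and, as Reply #6 suggests, take the
    '@' out so the body cannot be reused as a ready-made list of addresses."""
    text = raw.replace("\r\n", "\n").replace("\r", "\n")
    return text.replace("@", "(at)")

def build_contact_mail(sender: str, message: str, challenge: str, to_addr: str) -> Optional[dict]:
    """Assemble the headers/body for the site's mailer, or None if a check fails.
    The visitor's address goes in Reply-To; From stays the site's own address
    (to_addr here, assumed), so the mail never claims to come from the visitor."""
    if not day_challenge_ok(challenge):
        return None
    addr = clean_from_address(sender)
    if addr is None:
        return None
    return {"From": to_addr, "To": to_addr, "Reply-To": addr,
            "Subject": "Website contact form", "Body": clean_message(message)}
```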

ian

Re: Webpage and contact form
« Reply #7 on: 11 November, 2022, 08:32:55 pm »
Basically, any kind of user input offers a path into what's behind the site.

Re: Webpage and contact form
« Reply #8 on: 19 November, 2022, 10:17:35 am »
Thank you for the additional advice, very useful