mikeymikec
Lifer
I am not an experienced web developer, I have a smattering of experience in ASP and PHP.
My business's contact form page is currently written in ASP which works on my old (Windows) server, and I'm rewriting it in PHP for my new (Linux) server.
There are three fields to the form: name, contact method, message. I'm not doing anything special with these fields (though in ASP I did add a bit to stop spammers from sending web page links); the form contents just get e-mailed to me. There's a small bit of form validation to ensure that all three fields have some content in, otherwise the form won't submit successfully.
I used htmlspecialchars on all three fields before the content gets e-mailed to me; my understanding of input sanitisation is a basic awareness of xkcd #327 as well as the rough outline of what XSS attacks are about. My grasp of this topic makes me think that this is a good idea because in theory someone could try to send a web page exploit via e-mail, but also maybe to stop crap being sent into php that could exploit it.
Am I correct, or do I have the wrong end of the stick?
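As an added example that is not part of the original post: a minimal PHP handler for the three-field form described above. It keeps the non-empty check the post mentions, refuses CR/LF in any value that could end up in a mail header (PHP's `mail()` hands the header string to the MTA as-is, so a line break inside a single-line field would let a submitter append their own headers such as an extra recipient), and sends the message as plain text, which is the context that matters for a mail body rather than HTML. Field names, the recipient and sender addresses and the subject line are assumptions, not taken from the post.

```php
<?php
// Added example, not the original poster's code.
// Field names, addresses and subject are assumptions.

// The three fields the post describes, read from a POST submission.
$fields = ['name', 'contact', 'message'];
$input  = [];
foreach ($fields as $f) {
    $input[$f] = isset($_POST[$f]) ? trim((string) $_POST[$f]) : '';
}

// Validation 1: every field must contain something (the check the post describes).
foreach ($fields as $f) {
    if ($input[$f] === '') {
        http_response_code(400);
        exit("Please fill in the {$f} field.");
    }
}

// Validation 2: nothing that reaches a mail header may contain CR or LF.
// mail() passes the headers string through to the MTA, so a newline in a
// value placed in Subject: or Reply-To: would let the submitter inject
// headers of their own (Bcc:, a second To:, etc.). The single-line fields
// are the only ones used outside the body below.
foreach (['name', 'contact'] as $f) {
    if (preg_match('/[\r\n]/', $input[$f])) {
        http_response_code(400);
        exit("Line breaks are not allowed in the {$f} field.");
    }
}

// The mail is sent as text/plain, so the body is never rendered as HTML by a
// mail client and needs no HTML escaping. If you deliberately sent text/html
// instead, htmlspecialchars() on each value would be the right encoding for
// that context; it does nothing for the header-injection case handled above.
$to      = 'owner@example.com';                       // assumption
$subject = 'Website contact from ' . $input['name'];  // single line, checked above
$body    = "Name: {$input['name']}\n"
         . "Contact: {$input['contact']}\n\n"
         . "Message:\n{$input['message']}\n";

// Headers are fixed and server-controlled; user data goes only in the body
// and in the (line-break-checked) subject.
$headers = "From: website@example.com\r\n"           // assumption
         . "Content-Type: text/plain; charset=UTF-8\r\n";

if (!mail($to, $subject, $body, $headers)) {
    http_response_code(500);
    exit('Sorry, the message could not be sent.');
}
echo 'Thanks, your message has been sent.';
```

Nothing here touches a database, so the SQL-injection scenario of xkcd #327 does not arise in this form; the two concerns that do apply to a mail-only handler are the header-injection check and choosing the encoding (plain text or HTML) to match how the e-mail is actually rendered.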