2

I have a PHP script on my server that validates a form and sends the form to a CRM and an email address that I specify. In order to send the form data to my specified email, the script must include a valid email account and the account password. Basically, this script with an email address and password is sitting on my server and I am wondering if this is a security issue.

Here's a version of the script for your reference:

```php
<?php
// Hidden fields
$hidden1 = $_POST['LEADCF7'];
$hidden2 = $_POST['LEADCF8'];
$hidden3 = $_POST['LEADCF9'];
$hidden4 = $_POST['LEADCF10'];
$hidden5 = $_POST['LEADCF11'];
// Form fields
$_POST['First_Name'];
$_POST['Last_Name'];
$Company = $_POST['Company'];
$_POST['Email'];
$Phone = $_POST['Phone'];
$LeadMessage = $_POST['LEADCF1'];
// CRM form specific fields
$data = array();
$data['fieldname'] = 'fieldvalue';
$data['fieldname'] = '';
$data['fieldname'] = 'fieldvalue';
$data['fieldname'] = 'fieldvalue';
$data['fieldname'] = 'fieldvalue';
$data['fieldname'] = 'fieldvalue';
$data['fieldname'] = 'fieldvalue';
$post_str = '';
foreach ($data as $key => $value) {
    $post_str .= $key . '=' . urlencode($value) . '&';
}
$post_str = substr($post_str, 0, -1);
$errors = '';
if ($_POST['First_Name'] != "") {
    $FirstName = filter_var($_POST['First_Name'], FILTER_SANITIZE_STRING);
    if ($_POST['First_Name'] == "") {
        $errors .= 'Please enter a valid name.';
    }
} else {
    $errors .= 'Please enter your name.';
}
if ($_POST['Last_Name'] != "") {
    $LastName = filter_var($_POST['Last_Name'], FILTER_SANITIZE_STRING);
    if ($_POST['Last_Name'] == "") {
        $errors .= 'Please enter a valid name.';
    }
} else {
    $errors .= 'Please enter your name.';
}
if ($_POST['Email'] != "") {
    $Email = filter_var($_POST['Email'], FILTER_SANITIZE_EMAIL);
    if (!filter_var($_POST['Email'], FILTER_VALIDATE_EMAIL)) {
        $errors .= "$Email is <strong>NOT</strong> a valid email address.<br/><br/>";
    }
} else {
    $errors .= 'Please enter your email address.<br/>';
}
if ($_POST['Phone'] != "") {
    $Phone = filter_var($_POST['Phone'], FILTER_SANITIZE_NUMBER_FLOAT);
    if (!filter_var($_POST['Phone'], FILTER_SANITIZE_NUMBER_FLOAT)) {
        $errors .= "$Phone is <strong>NOT</strong> a valid phone number.<br/><br/>";
    }
} else {
    $errors .= 'Please enter your phone number.<br/>';
}
if (!$errors) {
    // then send the data to Zoho
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
    curl_setopt($ch, CURLOPT_URL, 'CRM-specific-url-goes-here');
    curl_setopt($ch, CURLOPT_POST, TRUE);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_str . "&First Name=$FirstName&Last Name=$LastName&Company=$Company&Email=$Email&Phone=$Phone&LEADCF1=$LeadMessage&LEADCF7=$hidden1&LEADCF8=$hidden2&LEADCF9=$hidden3&LEADCF10=$hidden4&LEADCF11=$hidden5");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    $response = curl_exec($ch);
    // print_r(curl_getinfo($ch));
    header("Location:url-to-site-thank-you-page");
    curl_close($ch);
    require_once "Mail.php";
    $from_add = "[email protected]"; // This email will be used by script to send the form data to email address below.
    $to_add = "[email protected]";   // This email address will receive the form data.
    $subject = "New Lead from our Site";
    $body = <<<EMAIL
Below is the information for a new lead:
>First Name: $FirstName.
>Last Name: $LastName.
>Email: $Email.
>Phone: $Phone.
>Company: $Company.
>Additional Info: $LeadMessage.
EMAIL;
    $host = "mail.emailsrvr.com";
    $username = "[email protected]";
    $password = "account-password"; // This is the part I think might be a security issue.
    $headers = array('From' => $from_add,
        'To' => $to_add,
        'Subject' => $subject);
    $smtp = Mail::factory('smtp',
        array('host' => $host,
            'auth' => true,
            'username' => $username,
            'password' => $password));
    $mail = $smtp->send($to_add, $headers, $body);
    if (PEAR::isError($mail)) {
        return false;
    } else {
        return true;
    }
} else {
    echo "The following errors were found. Please go back to correct them: <br>
    <div style='color:red;'>.$errors.</div>";
}
```
asked Oct 18, 2013 at 15:07 by fgb

2 Answers

1

If you are asking about the password being inside the server-side code, that shouldn't be a security issue, because this information doesn't leave the server.

I don't see a security issue there.

PHP code is never available to the client side, so anything that you write in the code is not available to the client side.

You might want to set up something like a configuration file and store the password there. Then, if someone can see your PHP code, they still won't be able to see the password, and you can use it in different locations in your code and only have to change it once: better maintainability.

answered Oct 18, 2013 at 17:03
  • Do you know where I can learn more about setting up a configuration file for this? Thanks for your response. (Commented Oct 21, 2013 at 19:30)
  • Here is something that you can start with. I am not very familiar with PHP though: parse_ini_file (Commented Oct 21, 2013 at 20:44)
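The following is an added example, not code from the question or from either answer. It shows one way to do what the answer and the parse_ini_file comment suggest: keep the SMTP account in an INI file outside the web root, refuse to use it if other local users can read it, and hand the loaded values to the same PEAR Mail call the script already uses. The file path, the [smtp] section name, its keys and the sample INI contents are assumptions made for this illustration; the permission check assumes POSIX file modes.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or answers: read the SMTP account
// out of an INI file kept outside the web root instead of hard-coding it in
// the script. Paths, section and key names are assumptions for illustration.

/**
 * Load the [smtp] section of an INI file and refuse files that other local
 * users could read. Returns host/username/password/from/to as an array.
 */
function loadMailConfig(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("Mail config not found: $path");
    }
    // A world-readable config exposes the password to every local account,
    // not only to the web server user; insist on 0640 or tighter (POSIX modes).
    $mode = fileperms($path) & 0777;
    if ($mode & 0004) {
        throw new RuntimeException(sprintf('%s is world-readable (mode %o)', $path, $mode));
    }
    $ini = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini['smtp']) || !is_array($ini['smtp'])) {
        throw new RuntimeException("No [smtp] section in $path");
    }
    foreach (['host', 'username', 'password', 'from', 'to'] as $key) {
        if (!isset($ini['smtp'][$key]) || $ini['smtp'][$key] === '') {
            throw new RuntimeException("Missing smtp.$key in $path");
        }
    }
    return $ini['smtp'];
}

// Constructed sample config, written to a temporary file so this example runs
// stand-alone. In production keep it at e.g. /var/www/config/mail.ini with the
// document root at /var/www/html, owned by root:www-data, mode 0640.
$sampleIni = <<<'INI'
[smtp]
; quote any value that contains ; or =
host     = mail.example.com
username = forms@example.com
password = "replace-me"
from     = forms@example.com
to       = sales@example.com
INI;
$path = tempnam(sys_get_temp_dir(), 'mailini');
file_put_contents($path, $sampleIni);
chmod($path, 0600);

$config = loadMailConfig($path);
unlink($path);
printf("Loaded SMTP settings for %s on %s\n", $config['username'], $config['host']);

// With the config loaded, the script's own PEAR Mail call becomes:
//   require_once 'Mail.php';
//   $smtp = Mail::factory('smtp', [
//       'host'     => $config['host'],
//       'auth'     => true,
//       'username' => $config['username'],
//       'password' => $config['password'],
//   ]);
```

Placing the file one directory above the document root means a web server that is later misconfigured to serve raw files (or an unrelated path-traversal bug in another script) cannot hand the password to a browser, and rotating the account password becomes a one-file change rather than an edit to every form handler.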
0

One problem is inserting user input into post fields. There's probably not much damage that can be done here but it's still a security issue:

```php
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_str."&First Name=$FirstName&Last Name=$LastName&Company=$Company&Email=$Email&Phone=$Phone&LEADCF1=$LeadMessage&LEADCF7=$hidden1&LEADCF8=$hidden2&LEADCF9=$hidden3&LEADCF10=$hidden4&LEADCF11=$hidden5");
```

All parameters need to be URL-encoded. You've used FILTER_SANITIZE_STRING, but this doesn't do URL encoding.

answered Dec 13, 2014 at 13:19
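The following is an added example, not code from the question or from this answer. It contrasts the script's raw string interpolation with building the same body through http_build_query(), and shows, on a constructed input, why the answer's point matters: a value containing the form-encoding delimiters & or = is split into extra fields on the receiving side, whereas the encoded body arrives intact. The field names match the question; the helper function names and the sample input are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or answers: build the CRM POST
// body with http_build_query() so every name and value is percent-encoded,
// instead of interpolating raw values into the string as the script does.

/** Build the body the way the question does: raw interpolation, no encoding. */
function buildBodyUnencoded(array $fields): string
{
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = $name . '=' . $value;
    }
    return implode('&', $parts);
}

/** Build the body with every name and value RFC 3986 percent-encoded. */
function buildBodyEncoded(array $fields): string
{
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

// Constructed input: a company name containing '&' and '=', which are the
// pair and key/value delimiters of application/x-www-form-urlencoded bodies.
$sampleInput = [
    'First Name' => 'Ada',
    'Last Name'  => 'Lovelace',
    'Company'    => 'R&D=Labs',
    'Email'      => 'ada@example.com',
];

$raw = buildBodyUnencoded($sampleInput);
echo $raw, "\n";
// First Name=Ada&Last Name=Lovelace&Company=R&D=Labs&Email=ada@example.com
// Decoding it the way a server would, "Company" is "R" and an unexpected
// field "D" = "Labs" appears (parse_str() also rewrites spaces in keys to _).
parse_str($raw, $seenByServer);
var_dump($seenByServer['Company'], isset($seenByServer['D']));

$encoded = buildBodyEncoded($sampleInput);
echo $encoded, "\n";
// First%20Name=Ada&Last%20Name=Lovelace&Company=R%26D%3DLabs&Email=ada%40example.com
parse_str($encoded, $seenByServer);
var_dump($seenByServer['Company'], isset($seenByServer['D']));
// string(8) "R&D=Labs" and bool(false): the value survives as one field.

// Drop-in replacement for the interpolated string in the question, where
// $crmFields is an array keyed by the CRM field names (including the hidden
// LEADCF7..LEADCF11 values and the $data entries already built above it):
//   curl_setopt($ch, CURLOPT_POSTFIELDS, buildBodyEncoded($crmFields));
```

Encoding at the point where the body is assembled, rather than sanitising each field on input, keeps the transport-level escaping independent of whatever validation the form applies, so a field that legitimately contains an ampersand still reaches the CRM unchanged.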
