Question
form security
I use Dreamweaver 8 and use a lot of forms to have information filled in by web users emailed to me. I have a hosting service (idmi.net) telling me that my forms are not secure from spammers and must meet the following guidelines:
(email form server host) Please take a look at the following guidelines for putting a form on our servers. We cannot teach our customers how to secure their forms because: 1. This is a service we sell, 2. It will take time from our developers to help you fix your forms for which we won’t be reimbursed. Please take a look at the guidelines below. All forms on our servers must comply with these guidelines. If not, we will be forced to remove them from our servers. If they are reposted, we will be forced to remove FTP access to make changes to the site. Our primary job is to keep our servers safe for all of our customers.
1. No generic form processing scripts can be used. Each form on your web site must have its own code (php, asp, asp.net) to process the results.
2. Submit e-mail is hidden in code to prevent it from being harvested by email bots.
3. At least one field must be required as input to prevent meaningless submissions.
4. All variables are sanitized, scrubbed, and trimmed to prevent any form of malicious injection. Make sure that all e-mail header fields are protected.
5. All input fields have maximum lengths defined and enforced by code (php/asp/asp.net) and not just JavaScript.
6. If email fields are accepted, they must be validated. Full validation is not required (i.e. the address or domain actually exists), but they must be a valid e-mail address.
7. Encode all variables sent via QueryString parameters that will be used in form inputs.
8. Use stored procedures and variables if writing to a text file or database.
9. Referring page checks can be eliminated because this is easily spoofed.
For more information please view the following reference:
http://www.anders.com/projects/sysadmin/formPostHijacking/
http://computerbookshelf.com/email_injection/
I am not sure where I am not secure.
Thanks for any help.
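An added example, written here and not code from the original post, from Dreamweaver, or from idmi.net: one PHP handler dedicated to a single contact form, written to meet the host's guidelines 1 to 6 and 9. The field names, the maximum lengths, the recipient address and the `From:` mailbox are assumptions; change them to match your form. The point the guidelines are driving at is in the middle of the file: anything that ends up in a mail header (`From`, `Reply-To`, `Subject`) must be rejected if it contains a carriage return or line feed, because a newline in a header value lets a submitter append their own `Bcc:` line and turn your form into a spam relay. User-supplied text is therefore kept in the message body, and the only user value that reaches a header is the e-mail address after it has passed both the newline check and `filter_var`.

```php
<?php
// Added example, not from the original post or the hosting provider.
// One handler per form (guideline 1); names below are assumptions.

// Guideline 2: the destination address exists only in server-side code,
// never in a hidden input or a mailto: link that a harvester can read.
$recipient = 'you@example.com';            // assumption: your real address

// Guideline 5: maximum lengths enforced in PHP, not only in JavaScript.
$limits = [
    'name'    => 100,
    'email'   => 254,
    'subject' => 120,
    'message' => 4000,
];

// Guideline 3: at least one required field (here three).
$required = ['name', 'email', 'message'];

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$errors = [];
$clean  = [];

foreach ($limits as $field => $max) {
    $value = (isset($_POST[$field]) && is_string($_POST[$field])) ? $_POST[$field] : '';
    $value = trim($value);                                    // guideline 4: trimmed
    if (in_array($field, $required, true) && $value === '') {
        $errors[] = "$field is required";
    }
    if (strlen($value) > $max) {
        $errors[] = "$field is longer than $max characters";
    }
    $clean[$field] = $value;
}

// Guideline 4: e-mail header injection. A CR or LF in any value that could
// reach a header would let the submitter add "Bcc:" or "To:" lines.
foreach (['email', 'subject', 'name'] as $field) {
    if (preg_match('/[\r\n]/', $clean[$field])) {
        $errors[] = "$field contains a line break";
    }
}

// Guideline 6: syntactic validation only; no check that the mailbox exists.
if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'email is not a valid address';
}

if ($errors) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    exit("Submission rejected:\n- " . implode("\n- ", $errors));
}

// Headers use fixed, server-controlled text plus the validated address only;
// everything else the user typed goes into the body.
$subject = 'Website contact form';                         // fixed, not user-controlled
$body    = "Name: {$clean['name']}\n"
         . "Email: {$clean['email']}\n"
         . "Subject: {$clean['subject']}\n\n"
         . $clean['message'] . "\n";

$headers = "From: webform@example.com\r\n"                 // assumption: a mailbox on your domain
         . "Reply-To: {$clean['email']}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

// Guideline 9: no HTTP_REFERER check; the Referer header is trivially spoofed.
if (mail($recipient, $subject, $body, $headers)) {
    echo 'Thank you, your message has been sent.';
} else {
    http_response_code(500);
    echo 'Mail could not be sent.';
}
```

Point the form's `action` at this file and keep one copy of it per form, each with its own field list and limits. To see the check fire, submit a value such as `a@example.com%0ABcc:victim@example.org` in the e-mail field: the newline test rejects it before `mail()` is ever called, which is what guideline 4 is asking for.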