Secure Use With Universal Email
Hi,
I've got the following fields:
NAME, EMAIL, SUBJECT (select box) and MESSAGE.
What validations do I have to put on, so that no one can misuse the form?
I will send it via UNIVERSAL EMAIL
Denis
It depends on how you define misuse...
Basic email injection should not work no matter what when using Universal Email... however there are many more ways you can misuse a form... for instance, simply trying to use a form with a bot testing if it has any vulnerabilities could be considered misuse in itself.
For the most complete security you can do things like:
1) Use the trigger "current page submit" in universal email. It will do referrer checking to make sure the page is submitted to itself and nobody is posting from their own form.
2) Add email address validation on the email field and don't use that as the to field or mentioned anywhere except the email body.
3) Add alphanumeric validation to the Name field so that no code can be entered, even though it is unlikely the code would work, it prevents them from even trying.
4) Add entry length validation to the Message field. I don't think you expect a large volume of data to be typed into that field, but a hacker would likely have quite a bit if they were trying to use email injection techniques.
5) Honeypot validation will often prevent bots... this is just a matter of placing a few blank hidden fields and text fields with style="display:none" and style="visibility:hidden" on the page and verifying they are still blank after the page is submitted. Bots often can't resist filling out all fields in a form and no human could possibly enter a value, so you can catch bots this way.
6) CAPTCHA is a good option, since most bots cannot read them, and it would also prevent a submission from a remote domain; the only limitation is that blind people could not fill out your form without help.
7) An obvious question is a great preventer of bots, since it pretty much ensures only a human can fill out and submit the form. It also can be read by screen readers for the blind, and prevents any submission from a remote server.
8) Be sure to use server validation where I mention validation, since client validation is really only good for aesthetics and not real security, because JavaScript can always be disabled on the client.
Hi Ray,
I tried to set alphanumeric validation on the textarea but that does not work. I think it's because of the line break; how do I let the line break go through?
What do you mean by that?
cheers
Denis
I just mean don't use it as the TO or FROM field, since people may then simply abuse the form to send email TO or FROM an email address of their choice using your page.
I think you could add \r\n to the list of allowed characters. Those are the line break characters and should be able to be added... you may need to use \\r\\n since backslash is normally an escape character.
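Putting Ray's server-side checks (items 2 through 5 and 8) and the textarea line-break point together, as an added example that is not from this thread and not code generated by WebAssist's Universal Email extension: the checks are written in Python rather than the PHP or ASP the extension produces, the field names follow Denis's form, and the owner/sender addresses, subject options, honeypot field names and length limits are constructed assumptions.

```python
import re

# Constructed assumptions for this example: adjust to your own form.
SITE_OWNER_ADDRESS = "owner@example.com"     # fixed TO address; never taken from the form
SITE_SENDER_ADDRESS = "webform@example.com"  # fixed FROM address; never taken from the form
ALLOWED_SUBJECTS = {"Sales", "Support", "Other"}  # the SUBJECT select box options
HONEYPOT_FIELDS = ("website", "fax")         # hidden inputs a human never sees
MAX_NAME_LEN = 80
MAX_MESSAGE_LEN = 2000

# Name: letters, digits, spaces and a few name characters; no line breaks, quotes or brackets.
NAME_RE = re.compile(r"[A-Za-z0-9 .'-]+")
# Simple address shape check; enough to reject anything that is not one plain address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Textarea: printable text plus tab, CR and LF (so \r\n passes), but no other control characters.
MESSAGE_RE = re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f\x7f]*")


def validate_contact_form(fields):
    """Return a list of validation errors; an empty list means the submission is acceptable."""
    errors = []
    name = fields.get("NAME", "")
    email = fields.get("EMAIL", "")
    subject = fields.get("SUBJECT", "")
    message = fields.get("MESSAGE", "")

    # Honeypot (item 5): any value in a hidden field marks the sender as a bot.
    for field in HONEYPOT_FIELDS:
        if fields.get(field, "").strip():
            errors.append("honeypot field %r was filled in" % field)

    # Email header injection works by smuggling CR/LF into a header value, so the
    # single-line fields are rejected outright if they contain either character.
    for label, value in (("NAME", name), ("EMAIL", email), ("SUBJECT", subject)):
        if "\r" in value or "\n" in value:
            errors.append("%s contains a line break" % label)

    # Item 3: alphanumeric name with a sane length.
    if not (1 <= len(name) <= MAX_NAME_LEN) or not NAME_RE.fullmatch(name):
        errors.append("NAME must be 1-%d letters, digits, spaces, dots or hyphens" % MAX_NAME_LEN)
    # Item 2: address format. fullmatch, not match, so a trailing payload cannot slip past.
    if not EMAIL_RE.fullmatch(email):
        errors.append("EMAIL is not a valid address")
    # A select box only constrains the browser: the posted value can be anything, so re-check it.
    if subject not in ALLOWED_SUBJECTS:
        errors.append("SUBJECT is not one of the allowed options")
    # Item 4: length limit on the textarea, the one field where CR/LF is allowed (it only
    # ever goes into the body, never into a header).
    if not (1 <= len(message) <= MAX_MESSAGE_LEN):
        errors.append("MESSAGE must be 1-%d characters" % MAX_MESSAGE_LEN)
    elif not MESSAGE_RE.fullmatch(message):
        errors.append("MESSAGE contains control characters")
    return errors


def build_outgoing_mail(fields):
    """Build the headers and body the server would send after validation succeeded.

    The visitor's address appears only in the body (item 2): TO and FROM are fixed
    constants, so the form cannot be used to send mail to or from an arbitrary address.
    """
    headers = {
        "To": SITE_OWNER_ADDRESS,
        "From": SITE_SENDER_ADDRESS,
        "Subject": "Website contact: %s" % fields["SUBJECT"],
    }
    body = "Name: %s\r\nEmail: %s\r\n\r\n%s" % (fields["NAME"], fields["EMAIL"], fields["MESSAGE"])
    return headers, body


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"NAME": "Denis", "EMAIL": "denis@example.com", "SUBJECT": "Support",
            "MESSAGE": "Hello Ray,\r\nthe form works now.\r\nCheers"}
    injected = dict(good, EMAIL="denis@example.com\r\nBcc: someone@example.org")
    bot = dict(good, website="http://example.net")
    for label, submission in (("good", good), ("injected", injected), ("bot", bot)):
        print(label, validate_contact_form(submission) or "OK")
```

The split between the two regexes is the answer to Denis's textarea question: the single-line fields reject CR and LF entirely, because a line break in a header value is exactly what email injection relies on, while the MESSAGE pattern allows them because that field is only ever placed in the body. Everything here runs on the server, independent of any JavaScript the browser may or may not execute (item 8).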