Web form and security
I want to create a web form, which users are supposed fill out their personal information. This information will be sent to my email. I don't plan to store this information on the database.
How do you secure the data? From what I read, I can secure information from user's computer to my server using PHP scripts (like Tectite FormMail and PHPMailer version 5.0.0). I'm wondering if I still need to use Secure Sockets Layer (SSL) service?
On the other end (from my web server to email), how do I make the information secure?
Thank you in advance!
You'll need to maintain a secure connection while requesting the page, submitting the info from the page, and then needing to send it through a secure mail server.
You do need to set up SSL on your server--make sure the form submits to an https:// URL.
However, email itself is highly insecure. You either need to have your PHP script sending all of the data as an encrypted attachment, or you need to store it in a password protected area of the site. For even better security, you'll want this data password-encrypted server-side as well.
In general, it's a bad idea to have web forms submit data via email.
Does that help?
Thanks a lot for giving me the answers.
Can you recommend a PHP script sending all of the data as an encrypted attachment?
Does it matter in term of security to send the data to yahoo email account vs @mydomainname.com?
I personally do not know what the best extensions and/or functions are for sending encrypted attachments via PHP are. As I said, the best thing to do is probably just to store things server-side in a protected folder and access them via a secure, authenticated connection, like SFTP.
In terms of whether a yahoo account versus a @yourdomain account ...
... it depends. More than likely, the yahoo account will have better back-end security. But, since yahoo is a well-known mail service, it's also much more likely to be subject to directed attacks.
Though, unless you're a mail server, something like Yahoo would probably be better (Gmail would probably be even better).
Quote "to store things server-side in a protected folder and access them via a secure, authenticated connection, like SFTP."
Does it mean creating a database to store the data and using PHP script to request the data to be sent to an email account?
I was thinking to use Matt's FormMail Perl script, but I heard it has a serious security issue. Do you know if the data that is sent from the web form to the web server is being stored? I didn't see that it involves any database. I was assuming there is no data stored on the server.
The "SFTP access method" just requires your PHP script to create a file for each form entry in a specific directory, which is completely inaccessible by the web daemon (username is usually www or apache). You then use something like Filezilla (if on windows or mac) to log into the server and grab the files as necessary.
Again--this is just a really simple solution for securing that data. And even at that, if the data is really sensitive, you may want to encrypt it somehow before storing it (not usually necessary for most information). You can get more complex by creating a database and storing encrypted data in a table there--then allowing access to that data via an authenticated, secure HTTP connection.
Your post is really helpful, svidgen. Thanks for your help.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)