www.webdeveloper.com

Thread: Web form and security

  1. #1
    Join Date
    Oct 2009
    Posts
    4

    Web form and security

    I want to create a web form in which users are supposed to fill out their personal information. This information will be sent to my email. I don't plan to store this information in a database.

    How do you secure the data? From what I read, I can secure information from the user's computer to my server using PHP scripts (like Tectite FormMail and PHPMailer version 5.0.0). I'm wondering if I still need to use a Secure Sockets Layer (SSL) service?

    On the other end (from my web server to email), how do I make the information secure?

    Thank you in advance!

  2. #2
    Join Date
    Nov 2006
    Location
    Springfield, MO
    Posts
    1,541
    You'll need to maintain a secure connection while requesting the page and submitting the info from the page, and then you'll need to send it through a secure mail server.

  3. #3
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    You do need to set up SSL on your server--make sure the form submits to an https:// URL.

    However, email itself is highly insecure. You either need to have your PHP script sending all of the data as an encrypted attachment, or you need to store it in a password protected area of the site. For even better security, you'll want this data password-encrypted server-side as well.

    In general, it's a bad idea to have web forms submit data via email.

    Does that help?

  4. #4
    Join Date
    Oct 2009
    Posts
    4
    Thanks a lot for giving me the answers.

    Can you recommend a PHP script sending all of the data as an encrypted attachment?

    Does it matter in terms of security to send the data to a Yahoo email account vs @mydomainname.com?

  5. #5
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    I personally do not know what the best extensions and/or functions for sending encrypted attachments via PHP are. As I said, the best thing to do is probably just to store things server-side in a protected folder and access them via a secure, authenticated connection, like SFTP.

    In terms of whether a Yahoo account versus a @yourdomain account ...
    ... it depends. More than likely, the Yahoo account will have better back-end security. But, since Yahoo is a well-known mail service, it's also much more likely to be subject to directed attacks.

    Though, unless you're a mail server, something like Yahoo would probably be better (Gmail would probably be even better).

  6. #6
    Join Date
    Oct 2009
    Posts
    4
    Quote "to store things server-side in a protected folder and access them via a secure, authenticated connection, like SFTP."

    Does it mean creating a database to store the data and using PHP script to request the data to be sent to an email account?

    I was thinking to use Matt's FormMail Perl script, but I heard it has a serious security issue. Do you know if the data that is sent from the web form to the web server is being stored? I didn't see that it involves any database. I was assuming there is no data stored on the server.

  7. #7
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    The "SFTP access method" just requires your PHP script to create a file for each form entry in a specific directory, which is completely inaccessible by the web daemon (username is usually www or apache). You then use something like FileZilla (if on Windows or Mac) to log into the server and grab the files as necessary.

    Again--this is just a really simple solution for securing that data. And even at that, if the data is really sensitive, you may want to encrypt it somehow before storing it (not usually necessary for most information). You can get more complex by creating a database and storing encrypted data in a table there--then allowing access to that data via an authenticated, secure HTTP connection.
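
One way to combine the two ideas from post #7 (one file per form entry, encrypted before it is stored), as an added example that is not part of the original thread. It assumes PHP 7.3+ with the sodium extension and a storage directory outside the document root that the PHP process can write to; the function names `store_entry` and `open_entry`, the `.entry` suffix and the sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Seal one form submission to $publicKey and write it as a new file in $dir.
// The web server holds only the public key, so it cannot read back what it stored.
function store_entry(array $fields, string $publicKey, string $dir): string
{
    $sealed = sodium_crypto_box_seal(json_encode($fields, JSON_THROW_ON_ERROR), $publicKey);

    // Random file name: no user-supplied value ever becomes part of the path.
    $path = rtrim($dir, '/') . '/' . gmdate('Ymd\THis\Z') . '-' . bin2hex(random_bytes(8)) . '.entry';

    $oldMask = umask(0077);      // create the file with mode 0600
    $fh = fopen($path, 'xb');    // 'x' refuses to overwrite an existing file
    umask($oldMask);
    if ($fh === false) {
        throw new RuntimeException("cannot create $path");
    }
    try {
        if (fwrite($fh, $sealed) !== strlen($sealed)) {
            throw new RuntimeException("short write to $path");
        }
    } finally {
        fclose($fh);
    }
    return $path;
}

// Runs on the administrator's machine, after the files were fetched over SFTP.
function open_entry(string $path, string $keypair): array
{
    $sealed = file_get_contents($path);
    $plain = $sealed === false ? false : sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plain === false) {
        throw new RuntimeException("cannot read or decrypt $path");
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Demo with constructed data and a throwaway key pair (assumption: in real use the
// key pair is generated offline and only the public half is deployed to the server).
$keypair = sodium_crypto_box_keypair();
$dir = sys_get_temp_dir() . '/entries-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$path = store_entry(['name' => 'Test User', 'phone' => '555-0100'],
                    sodium_crypto_box_publickey($keypair), $dir);
echo basename($path), ': ', open_entry($path, $keypair)['name'], PHP_EOL;
```

The form still has to be served and submitted over https://, since the sealing only protects the entry once it has reached the server.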

  8. #8
    Join Date
    Oct 2009
    Posts
    4
    Your post is really helpful, svidgen. Thanks for your help.
