PHP FormMail Generator: I Need Help

My form has upload fields. Will hackers upload backdoor scripts to my website? Is my form secure?
  • admin September 2011
    Question:

    There are security problems in some email forms written in PHP. I read this article and know about the security problem in PHP file upload at http://www.scanit.be/uploads/php-file-upload.pdf. My form has upload fields. Will hackers upload backdoor scripts to my website? Is my form secure?

    Answer:

    Thank you for the article link. I read through the articles, and I'm very confident that my form's file handling is very secure, or at least that there are no security holes as described in those articles, especially this article at http://www.scanit.be/uploads/php-file-upload.pdf.

    Long story short, in order to carry out a PHP attack, a hacker will need (see screenshot for the highlight):
    1) a PHP file (back door) uploaded to your server
    2) the web path of the PHP file
    3) or any other file (.gif, .html, .js, .css, etc.) that will be executed as a PHP file because of the server-side setting

    In my form's file upload handling, an uploaded file will be handled as follows:
    1) renamed with a random id prefix added to the file name
    2) if the file is harmful, it will also be renamed with .bak
    3) I guess no server will execute .bak as a PHP file
    4) option to save files outside of the webroot in form.lib.php.

    define( 'PHPFMG_ROOT_DIR' , dirname(__FILE__) );
    define( 'PHPFMG_SAVE_FILE' , PHPFMG_ROOT_DIR . '/form-data-log.php' ); // save submitted data to this file
    define( 'PHPFMG_EMAILS_LOGFILE' , PHPFMG_ROOT_DIR . '/email-traffics-log.php' ); // log email traffics to this file
    define( 'PHPFMG_ADMIN_URL' , 'admin.php' );

    define( 'PHPFMG_SAVE_ATTACHMENTS' , 'Y' );
    define( 'PHPFMG_SAVE_ATTACHMENTS_DIR' ,  '/secured-folder/uploaded/' );

    As a result, the form file upload should have no security problems. If you happen to find any, please let me know. I will be more than happy to fix any security issues in the email form maker.
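A hardened upload handler that applies the three measures the answer describes (random id prefix, .bak rename for harmful files, storage outside the webroot), as an added example that is not PHP FormMail Generator's own code: the function name storeUploadedFile, the extension list and the directory path are assumptions; only the PHPFMG_SAVE_ATTACHMENTS_DIR constant name comes from the post.

```php
<?php
// Added illustration, not PHP FormMail Generator code. Directory path and
// extension list are assumptions; the constant name is from form.lib.php.
define('PHPFMG_SAVE_ATTACHMENTS_DIR', '/var/www/secured-folder/uploaded/'); // outside webroot

// Extensions that common web servers may hand to the PHP interpreter.
const DANGEROUS_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

function storeUploadedFile(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Keep only the base name: drops directory components and NUL bytes,
    // then restricts the name to a safe character set.
    $name = basename(str_replace("\0", '', $file['name']));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === '' || $name[0] === '.') {
        $name = 'upload_' . $name;   // avoids dotfiles such as .htaccess
    }

    // 2) Every extension in the name is checked, so "shell.php.gif" is
    //    caught too (some servers run it as PHP via AddHandler rules).
    $harmful = false;
    foreach (array_slice(explode('.', strtolower($name)), 1) as $ext) {
        if (in_array($ext, DANGEROUS_EXTENSIONS, true)) { $harmful = true; break; }
    }
    if ($harmful) {
        $name .= '.bak';
    }

    // 1) Random, unguessable id prefix so the stored path cannot be predicted.
    $name = bin2hex(random_bytes(16)) . '_' . $name;

    // 4) Stored outside the webroot, never executable.
    $dest = rtrim(PHPFMG_SAVE_ATTACHMENTS_DIR, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    chmod($dest, 0640);
    return $dest;
}
```

The random prefix only helps if the directory is not web-accessible or listable, which is why storing outside the webroot is the measure that matters most.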