Form Security

In Chapter 16 ("Processing Forms," page 416), I note that people with bad intentions may exploit vulnerabilities in your form processing. This can result in things like their gaining access to the information in your database, corrupting that information, using your server to send thousands of spam emails, and more unpleasantries.

There are security measures you can include in your form processing to help thwart these attacks. Although by no means definitive coverage on the subject, the following list of articles can help you make your forms more secure. You might find some of the material somewhat advanced if you aren't familiar with processing forms or PHP.

• Web Form Security with PHP (Sevenforty) — Provides a concise list of common form security issues to be aware of
• Serious Form Security (CSS-Tricks) — Discusses ways to secure your forms
• PHP Security (phpro.org) — Explains one of the vulnerabilities with form scripts that send emails.

All of those focus on using PHP for processing forms, but many of the concepts translate to using other server-side languages, such as Python or Ruby. Please search online for additional information regarding form validation and security.

Important: I've provided the articles as a convenience, but unfortunately, I can't guarantee your forms will never be violated even if you've followed their advice. The information in the articles should help stave off attacks, but no system is 100% hacker-proof if your attacker is extremely capable and sophisticated.