
I have suffered injection in my website (from a search box in a KB system). I removed that KB system but have a Contact Form (with Google Captcha) where the user enters his name, email and message and I use PHP mail() to send me the message.

Is it possible that an attacker can get access to my website from a possible attack to that form? Or the worst scenario could just be that he uses it to send Spam?

This is my PHP code before calling "mail()":

```php
<?php
// Raw form fields taken straight from the POST body
$fname = $_POST['contact-f-name'];
$lname = $_POST['contact-l-name'];
$email = $_POST['contact-email'];
$text = $_POST['contact-message'];

$companyname = $_POST['company-name'];
$subject = $_POST['subject'];

$address = "myemail@myemail.com";

// Headers built from the visitor-supplied address (strip_tags only removes HTML tags)
$headers  = "From: " . strip_tags($email) . "\r\n";
$headers .= "Reply-To: ". strip_tags($email) . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type:text/plain; Charset=UTF-8 \r\n";

// Plain-text body (the stray leading "." before "Name:" was a syntax error and is removed)
$message =           "Name: ".strip_tags($fname)." ".strip_tags($lname)."\r\n"
                    ."Email: ".strip_tags($email)."\r\n"
                    ."Company Name: ".strip_tags($companyname)."\r\n"
                    ."Subject: ".strip_tags($subject)."\r\n"
                    ."Message: ".strip_tags($text)."\r\n";

if(@mail($address, $subject, $message, $headers)) { echo "true"; }
else { echo "false"; }
```
    as with all web forms that accept user input, the input must be sanitized to prevent injection attacks such as XSS – smoggers Oct 09 '18 at 11:31

1 Answer


TL;DR: Short answer: Maybe.

While I do not have the time right now to do a complete and exacting answer to this post; I will point you to some best practises, and lots of links to other more verbose answers to similar questions regarding making user inputted data safe.

How to make the inputs safer?

  • Disable certain dangerous PHP functions. Read the second answer rather than the "ticked" answer.

  • Use PHP's filter_var() to force inputs to their correct types, especially for emails:

```php
$email = filter_var($_POST['contact-email'], FILTER_SANITIZE_EMAIL);
```
  • Use preg_replace() (or str_replace()) to remove unwanted characters from your values. These are most typically backticks, quotes of any kind, forward slashes or backslashes. Example.

  • I recommend replacing mail() in your code with PHPMailer.

  • strip_tags is ok, but just ok. It has flaws (such as dealing with unclosed tags). Be aware of that.

  • Your PHP should be suitably jailed so if someone can run exec(...) commands (Ohsh1tOhsh1tOhsh1t) you have not (literally) lost your server.

What else can I read?

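The points in the answer above (validate the email with filter_var(), strip unwanted characters, never let raw input reach a mail header) pulled together into one hardened handler for the same form. This is an added example, not the asker's code or the answer's; the field names are the ones from the question, while the fixed sender address MAIL_FROM, the helper names (rejectHeaderInjection, validatedEmail, oneLine, buildMail) and the use of mbstring are assumptions for illustration. The key difference from the original is that the visitor's address goes only into Reply-To, every header-bound value is checked for CR/LF/NUL, and the subject is MIME-encoded so a line break can never terminate the header block.

```php
<?php
// Added example (not the asker's code or the answer's): a hardened contact-form handler.
declare(strict_types=1);

const MAIL_TO   = 'myemail@myemail.com';       // the site owner's mailbox, as in the question
const MAIL_FROM = 'contact-form@example.com';  // assumption: a fixed address on the site's own domain

/**
 * Reject any value that could smuggle an extra header into mail():
 * CR, LF and NUL are never legitimate in a single-line form field.
 */
function rejectHeaderInjection(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('Line break or NUL byte in form field');
    }
    return $value;
}

/** Return a validated address or null; FILTER_VALIDATE_EMAIL also rejects CR/LF. */
function validatedEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Collapse a free-text field to one line: strip tags, drop control characters, cap length. */
function oneLine(string $raw, int $max): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $clean);  // every ASCII control character
    return mb_substr(trim($clean), 0, $max);                   // assumes the mbstring extension
}

/** Build the four mail() arguments from the POST array; throws on bad input. */
function buildMail(array $post): array
{
    $email = validatedEmail((string)($post['contact-email'] ?? ''));
    if ($email === null) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    // Fields that end up in a header or on their own body line are normalised first.
    $fname   = oneLine((string)($post['contact-f-name'] ?? ''), 80);
    $lname   = oneLine((string)($post['contact-l-name'] ?? ''), 80);
    $company = oneLine((string)($post['company-name'] ?? ''), 120);
    $subject = oneLine((string)($post['subject'] ?? ''), 120);
    // The message body may keep its line breaks, but HTML tags and NUL bytes go.
    $text    = str_replace("\0", '', strip_tags((string)($post['contact-message'] ?? '')));

    // The visitor's address only ever goes into Reply-To; From stays fixed, so the
    // visitor controls neither the sender identity nor the rest of the header block.
    $headers = [
        'From: '     . rejectHeaderInjection(MAIL_FROM),
        'Reply-To: ' . rejectHeaderInjection($email),
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
    ];

    $body = "Name: {$fname} {$lname}\r\n"
          . "Email: {$email}\r\n"
          . "Company Name: {$company}\r\n"
          . "Subject: {$subject}\r\n"
          . "Message:\r\n{$text}\r\n";

    // Base64 "encoded-word" subject: non-ASCII survives and no raw CRLF can reach the header.
    $encodedSubject = '=?UTF-8?B?' . base64_encode('Contact form: ' . $subject) . '?=';

    return [MAIL_TO, $encodedSubject, $body, implode("\r\n", $headers)];
}

// Only send in response to a POST, and never echo the submitted values back to the browser.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        [$to, $subject, $body, $headers] = buildMail($_POST);
        echo mail($to, $subject, $body, $headers) ? 'true' : 'false';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'false';
    }
}
```

With this layout the worst a malformed submission can do is produce a 400 response; a value containing a line break is rejected before mail() sees it, and because From is constant, the mail server's SPF/DKIM alignment is not at the mercy of whatever address the visitor typed. Replacing mail() with PHPMailer, as the answer recommends, gives the same guarantees with less hand-rolled header handling.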