Security Issue - In Need of Some Advice

3 posts by 3 authors in: Forums > CMS Builder
Last Post: May 31, 2013

By Perchpole - May 28, 2013

Hello, All

I have just completed a CMSB project for a small charity. However, the situation is very complex and has led to all sorts of problems. Without going into too much boring detail, suffice it to say that I control the web site; another company controls the hosting and a third controls all email and security.

As a result, it has proved impossible to set up any standard email pipelines from the website to the client. The client cannot receive notification messages from the site, nor even the most basic contact email (via web forms, etc).

It's complex!

In an attempt to alleviate some of the problems, I decided to set up a contact form which, instead of sending an email to the client (which they would never receive), feeds the data straight into the database. I created a new editor in CMSB and set it up with all of the fields you would expect to find on a contact form. The client then only needs to check the CMSB back end at regular intervals to see if any new messages have arrived.

It's clunky - but it works.

This method of adding data to CMSB isn't new. In fact you can download PHP files from here which will allow you to set up similar data entry pages - such as addForm.php. The only difference is that my approach doesn't require the user to be logged in. Any member of Joe Public can use the form - and that presents a security hole.

What I want to know is: am I staring imminent spam disaster in the face (or worse), or can I securely sanitize the incoming data?

(NB: It's worth noting that the form has a re-captcha widget on it.)

:0/

Perch

By gregThomas - May 28, 2013

Hi Perch,

The latest version of CMS Builder allows you to send e-mail via SMTP. Have you looked into using it to send mail from the site? If you can't use the client's SMTP servers, you could always set up a free email account such as Gmail to send the mail for you. If you go to the General Settings menu in CMS Builder you should see an e-mail settings area where you can enter your SMTP server's details, and choose which method CMS Builder will use to send mail.

If you've integrated a re-captcha it should drastically reduce your chances of getting spam. This thread has a couple of methods that you could also use to decrease the chances further:

http://www.interactivetools.com/forum/forum-posts.php?postNum=2229338#post2229338

Let me know if you have any questions.

Thanks

Greg

Greg Thomas
PHP Programmer - interactivetools.com
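
The setup described in the first post, a public form that writes straight to a database table, shown as an added example that is not part of the thread and not CMS Builder's own code. The table name `contact_messages`, the field names and limits, and the in-memory SQLite database are assumptions for illustration (PHP 7.1+ with mbstring and pdo_sqlite); the re-captcha check is assumed to have passed before this code runs.

```php
<?php
declare(strict_types=1);

// Assumed per-field length limits (in characters) for the public form.
const LIMITS = ['name' => 100, 'email' => 254, 'message' => 4000];

// Returns [clean, errors]; store the record only when errors is empty.
function validateContact(array $post): array
{
    $clean = $errors = [];
    foreach (LIMITS as $field => $max) {
        $value = $post[$field] ?? '';
        // Rejects array-valued fields (name[]=x) and broken UTF-8.
        if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
            $errors[] = "$field: invalid type or encoding";
            continue;
        }
        // Strip control characters; only the message keeps newlines and tabs.
        $keep = $field === 'message' ? '\n\t' : '';
        $value = trim(preg_replace('/[^\P{C}' . $keep . ']/u', '', $value));
        $len = mb_strlen($value, 'UTF-8');
        if ($len === 0 || $len > $max) {
            $errors[] = "$field: must be 1-$max characters";
        } elseif ($field === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'email: not a valid address';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

function storeContact(PDO $db, array $clean): void
{
    // Bound parameters keep visitor input out of the SQL text entirely.
    $sql = 'INSERT INTO contact_messages (name, email, message) VALUES (:name, :email, :message)';
    $db->prepare($sql)->execute($clean);
}

// Escape when displaying a stored message in your own pages, not before storing it.
function renderMessage(string $message): string
{
    return nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample submission, run against a throwaway in-memory database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contact_messages (name TEXT, email TEXT, message TEXT)');
$post = ['name' => "O'Brien", 'email' => 'pat@example.org', 'message' => "<b>Hello</b>\nline two"];
[$clean, $errors] = validateContact($post);
if ($errors === []) {
    storeContact($db, $clean);
}
echo renderMessage($db->query('SELECT message FROM contact_messages')->fetchColumn()), "\n";
```

The apostrophe in the name is stored verbatim because it travels as a bound parameter, and the markup in the message is stored as typed and only neutralised when it is rendered.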