0

I have a lengthy HTML form with around 20-26 file uploads required and some of them are even multiple. I am really concerned about how secure it is. I would really like to have some secure solution to it.

I am using phpmailer for my project. And rather then storing the file uploads anywhere I am directly sending them as attachments to the admin.

This is the snippet for file uploads which I'm using currently to handle different file uploads. (& is also included in the full code below)


if (array_key_exists('month', $_FILES))
            {
                 foreach ($_FILES["month"]["name"] as $k => $v) 
                 {
                    $mail->addAttachment( $_FILES["month"]["tmp_name"][$k], $_FILES["month"]["name"][$k] );
                 }                
            }

This is the full code. Any help is highly appreciated. Thank you!

<?php

use PHPMailer\PHPMailer\PHPMailer;

require "./vendor/autoload.php";



$errors = [];
$errorMessage4 = "";

$name = $email = $phone ="";

if(isset($_POST["sub3"]) && $_SERVER["REQUEST_METHOD"] == "POST")
{

        function test_input($data) 
        {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }
    

        if (empty($_POST["name"])) {
            $errors[] = "*Name cannot be empty";
        }
        else 
        {
            $name = test_input($_POST["name"]);
            //var_dump($_POST["name"]);
                if (!preg_match("/^[a-zA-Z-' ]*$/",$name)) 
                {
                    $errors[] = "*Only letters and white spaces are allowed in Name";
                }
            
        }


        if (empty($_POST["email"])) {
            $errors[] = "*Email is required";
        } 
        else  
        {
            $email = test_input($_POST["email"]);
            if(!filter_var($email, FILTER_VALIDATE_EMAIL))
            {$errors[] = "*Email is invalid";}
            
        }

        if (empty($_POST["phone"])) {
            $errors[] = "*Mobile number is required";
        }
        else{
            $phone = test_input($_POST["phone"]);
        }
if (!empty($errors)) 
        {
            $allErrors = join("<br/>", $errors);
            $errorMessage4 = "<p style='color: red;'>{$allErrors}</p>";
        }
        else 
        {   
        
            // Instantiation and passing `true` enables exceptions
            $mail = new PHPMailer();

            // specify SMTP credentials
            $mail->isSMTP();
            $mail->SMTPSecure = "ssl";
            $mail->Port = 465;
            $mail->Host = "smtp.gmail.com";
            $mail->SMTPAuth = true;
            $mail->Username = "mymail";
            $mail->Password = "mypassword";
        
        

            $mail->setFrom($email, $name);
            $mail->addAddress("mymail", "Me");
            $mail->Subject = "Upload Documents for Salaried";

if (array_key_exists('filename3', $_FILES))
            {
                 foreach ($_FILES["filename3"]["name"] as $k => $v) 
                 {
                    $mail->addAttachment( $_FILES["filename3"]["tmp_name"][$k], $_FILES["filename3"]["name"][$k] );
                 }                
            }
$mail->isHTML(true);

            $bodyParagraphs = ["<tr><td>Name:</td> <td>{$name}</td></tr>", "<tr><td>Email:</td> <td>{$email}</td></tr>", 
            "<tr><td>Phone:</td> <td>{$phone}</td></tr>","<tr><td>ID Proof:</td> <td>{$idproof}</td></tr>","<tr><td>Relationship Proof:</td> <td>{$idproof1}</td></tr>",
            "<tr><td>Copy of Latest Address Proof:</td> <td>{$idproof2}</td></tr>","<tr><td>Permanent Address Proof:</td> <td>{$idproof3}</td></tr>"];

            $body = join("<br />", $bodyParagraphs);
            $mail->Body = $body;
            //$mail->send();

            //echo $body;
            if($mail->send()){
                $name=NULL;
                $email=NULL;
                $phone=NULL;

                //header ("Location: ThankYou.php");
            } else {
                $errorMessage4 = "<p style='color: red;'>*Oops, something went wrong. Mailer Error: {$mail->ErrorInfo}</p>" ;
            }
        }
}

?>
Sarcasm
  • 1
  • 2
    You should better define what you mean by secure and what are your expectations. This is a basic form to E-mail that can potentially deliver **malicious files** to recipients. As far as I can see you are not even attempting to restrict file types by extension. In that sense, it is potentially "insecure". If you are concerned that someone could abuse your form to hack your server - this is another matter. Given that you are not using a database, SQL injection is not a problem here, the script is quite basic. The security risk lies more in the uploaded files than in the script proper I think. – Kate Sep 24 '20 at 20:11
  • @Anonymous Thank you for your input! – Sarcasm Sep 27 '20 at 03:52

0 Answers0