#2
06-05-2007, 04:15 AM
Meimi15
Rookie
 
Join Date: Jan 2007
Posts: 6
I've not used PHPMagic so I can't speak to its security, efficacy or ease of use.

I can tell you that while you or others can do quite a bit to prevent people from successfully forging or poisoning PHP or CGI variables, there's always a possibility of a new exploit or trick that will defeat your best efforts.

If all you want is to be able to get form results via e-mail, I would use FormMail from Matt's Script Archive:

http://www.scriptarchive.com/formmail.html

It's fairly well proofed against attack and spambots. Also, Matt's offers http://www.formmail.com which will take all the work out of it on your end; you simply set the script up as instructed and they handle security and configuration issues.

If you need your form to insert data into your database, then you do need to take a sincere tone toward security. I don't see anything at PHPMagic that even looks like a guarantee that their program will write code that is not vulnerable to injection or poisoning. I have no reason to believe it would, but again, I see no guarantee it won't.

My advice would be that if security is a significant concern and you lack the ability to secure your application yourself, you should consider hiring a contractor.

You can probably find someone skilled enough in PHP to write you a simple database insert / update script for about $50 or so at http://www.rentacoder.com but make sure he has extensive experience. I would make sure that your contract on there specifically states the form must be protected against SQL injection, form forgeries and variable poisoning.

Then, I'd spend another $20 at rentacoder and hire someone else who knows what he is doing to try to forge, poison and inject the form, before you call the first contract complete.

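To make the three contract requirements above concrete, here is an added example of what a defensible PHP insert script looks like. This is not the poster's code and has nothing to do with PHPMagic or FormMail; it assumes PHP with the PDO and SQLite extensions, and the table name, column names, form field names and session key are all made up for the illustration. The in-memory database is only there so the script runs on its own; a real handler would connect to a persistent database.

```php
<?php
// Added example (not the poster's code): a minimal form handler covering the
// three risks named in the post. Assumes PHP with PDO + SQLite; the table
// "contacts", its columns, the form fields and the session key are hypothetical.

declare(strict_types=1);
session_start();

// --- 1. Form forgery (CSRF): tie each form to a per-session random token. ---
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- 2. Variable poisoning: read only the fields you expect, from the
//        superglobal you expect ($_POST, never $_REQUEST or register_globals),
//        and validate each one before it goes anywhere near the database. ---
function clean_contact(array $post): ?array {
    $name  = trim((string)($post['name']  ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['name' => $name, 'email' => $email];
}

// --- 3. SQL injection: the vulnerable pattern, shown only for contrast and never called. ---
function insert_unsafe(PDO $db, array $row): void {
    // Whatever the user typed becomes part of the SQL text itself.
    $db->exec("INSERT INTO contacts (name, email) VALUES ('{$row['name']}', '{$row['email']}')");
}

// The safe pattern: a prepared statement keeps user data out of the SQL grammar.
function insert_safe(PDO $db, array $row): void {
    $stmt = $db->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $row['name'], ':email' => $row['email']]);
}

// --- Handler (in-memory database so the example is self-contained) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side parameters
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or stale.');
    }
    $row = clean_contact($_POST);
    if ($row === null) {
        http_response_code(400);
        exit('Invalid input.');
    }
    insert_safe($db, $row);
    echo 'Saved.';
} else {
    // Output-encode the token (and anything else echoed back) to avoid XSS.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf" value="' . $token . '">'
       . 'Name: <input name="name"> Email: <input name="email"> '
       . '<button>Send</button></form>';
}
```

When reviewing a contractor's deliverable against the three requirements, the checks are simple: every query touching user data goes through prepare()/execute() with placeholders rather than string building; each state-changing form carries a token that the handler verifies before doing anything; and input is read from named fields of one superglobal and validated, instead of being pulled from wherever it happens to arrive.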