I know that PHP or CGI files can be exploited and can be dangerous. I have a business website and I want to use Method=get for my HTML submission form. I need a PHP to handle and process my results. I want to buy one done already online because I do not have enough experience with programming to write my own. At http://www.websitedatabases.com/ they have PHP Form Magic. Does anyone have an opinion about using this? Has anyone used it? It claims to be safe, but I'm sure if someone wanted to try to maliciously exploit, delete, or get passwords from my database by sending codes instead of text, they easily could. Any suggestions on what someone should do who wants to have a webform, but does not want to use action="mailto"?? Thanks. I hope there are some computer programmers out there who can help me.
I've not used PHPMagic so I can't speak to its security, efficacy or ease of use. I can tell you that while you or others can do quite a bit to prevent people from successfully forging or poisoning PHP or CGI variables, there's always a possibility of a new exploit or trick that will defeat your best efforts. If all you want is to be able to get form results via e-mail, I would use FormMail from Matt's Script Archive: http://www.scriptarchive.com/formmail.html It's fairly well proofed against attack and spambots. Also, Matt's offers http://www.formmail.com which will take all the work out of it on your end; you simply set the script up as instructed and they handle security and configuration issues. If you need your form to insert data into your database, then you do need to take a sincere tone toward security. I don't see anything at PHPMagic that even looks like a guarantee that their program will write code that is not vulnerable to injection or poisoning. I have no reason to believe it would, but again, I see no guarantee it won't. My advice would be that if security is a significant concern and you lack the ability to secure your application yourself, you should consider hiring a contractor. You can probably find someone skilled enough in PHP to write you a simple database insert / update script for about $50 or so at http://www.rentacoder.com but make sure he has extensive experience. I would make sure that your contract on there specifically states the form must be protected against SQL injection, form forgeries and variable poisoning. Then, I'd spend another $20 at rentacoder and hire someone else who knows what he is doing to try to forge, poison and inject the form, before you call the first contract complete.
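As an added example (not code from the thread, from PHP Form Magic, or from FormMail), here is a minimal PHP form handler that covers the three items the reply above says a contract should require: SQL injection (handled with PDO prepared statements, so the SQL text is fixed and the values travel separately), form forgery (a per-session CSRF token that must be echoed back), and variable poisoning (only known string fields are read from the request; anything else is ignored). The table `contacts`, its columns, and the DSN credentials are placeholders, and the form uses POST rather than the GET the question mentions because a submission that writes to a database should not be repeatable from a bookmarked URL.

```php
<?php
// Added illustration, not the thread's or any vendor's code.
// Placeholders: DSN/credentials and the `contacts` table and its columns.
declare(strict_types=1);
session_start();

$dsn  = 'mysql:host=localhost;dbname=example_db;charset=utf8mb4'; // placeholder
$user = 'example_user';                                             // placeholder
$pass = 'example_password';                                         // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Read one expected field; reject arrays (name[]=...) and over-long values.
// This is the "variable poisoning" defence: only fields we name are used.
function field(string $key, int $max): ?string
{
    $v = $_POST[$key] ?? null;
    if (!is_string($v)) {
        return null;
    }
    $v = trim($v);
    return ($v !== '' && mb_strlen($v) <= $max) ? $v : null;
}

// GET: render the form with a fresh session-bound CSRF token.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . 'Name: <input name="name" maxlength="100"><br>'
       . 'Email: <input name="email" type="email" maxlength="254"><br>'
       . 'Message: <textarea name="message" maxlength="2000"></textarea><br>'
       . '<button type="submit">Send</button></form>';
    exit;
}

// POST: the "form forgery" defence. The token must match the one in the session.
$submitted = $_POST['csrf_token'] ?? '';
if (!is_string($submitted) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $submitted)) {
    http_response_code(403);
    exit('Invalid form token.');
}

$name    = field('name', 100);
$email   = field('email', 254);
$message = field('message', 2000);
if ($email !== null && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $email = null;
}
if ($name === null || $email === null || $message === null) {
    http_response_code(400);
    exit('Please fill in name, a valid e-mail address, and a message.');
}

// The "SQL injection" defence. The pattern to avoid is building the query
// from the submitted strings, e.g.
//   "INSERT INTO contacts (name, email, message) VALUES ('$name', '$email', '$message')"
// where a quote in any field changes the meaning of the statement. With a
// prepared statement the SQL below never changes; values are bound separately.
$stmt = $pdo->prepare(
    'INSERT INTO contacts (name, email, message, submitted_at)
     VALUES (:name, :email, :message, NOW())'
);
$stmt->execute([
    ':name'    => $name,
    ':email'   => $email,
    ':message' => $message,
]);

// One token per submission: a replayed POST with the old token is rejected.
unset($_SESSION['csrf_token']);

echo 'Thanks, your message was received.';
```

Two points a reviewer hired to "forge, poison and inject" the form would check against this: that no `$_POST` value ever reaches a query string by concatenation (only the bound parameters do), and that the token comparison uses `hash_equals` and a token that was generated with `random_bytes`, so it can be neither guessed nor compared in a way that leaks timing. Output escaping with `htmlspecialchars` is applied wherever a stored or submitted value is echoed back into HTML.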
I haven't used pre-made scripts that I couldn't edit or scripts that I didn't code myself. You are right in being concerned about security issues. I agree with Meimi15 that what you could probably do is to hire someone to come up with a program that's tailor-made for your needs. You were, after all, willing to pay for a script.
__________________ I'd explain it to you; but your head will explode. Last edited by webmasterneo; 08-23-2007 at 02:31 AM.