Security Issue - In Need of Some Advice

Hello, All

I have just completed a CMSB project for a small charity. However, the situation is very complex and has led to all sorts of problems. Without going into too much boring detail it is suffice to say that I control the web site; another company controls the hosting and a third controls all email and security.

As a result, it has proved impossible to set-up any standard email pipelines from the website to the client. The client cannot receive notification messages from the site, nor even the most basic contact email (via web forms, etc).

It's complex!

In an attempt to aleviate some of the problems, I decided to set-up a contact form which instead of sending an email to the client (which they would ever receive) feeds the data straight into the database. I created a new editor in CMSB and set it up with all of the fields you would expect to find on a contact form. The client then only needs to check the CMSB back end at regular intervals to see if any new messages have arrived.

It's clunky - but it works.

This method of adding data to CMSB isn't new. In fact you can download php files from here which will allow you to set-up similar data entry pages - such as addForm.php. The only difference is that my approach doesn't require the user to be logged in. Any member of Joe Public can use the form - and that presents a security hole.

What I want to know is am I starring iminent spam disaster in the face (or worse) or can I securely sanitize the incoming data?

(NB: It's worth noting that the form has a re-captcha widget on it.)

:0/

Perch