PHP security in mail script


crazy8
05-11-2006, 12:26 PM
I've been doing a lot of reading and even more thinking on this topic. How does one go about tightening up security on data or a script even? The only reason I thought about trying to tighten up security on my mail script is that the form data that gets mailed to my clients from their website will contain personal information, and one of those really personal things is a social security number. With identity theft being the easiest and largest crime today, I figured if there is anything I can do to keep potential employees of my client safe I'd like to at least try. Now I am very new to PHP and have been trying to learn what I can; at the same time some of this stuff is still over my head. So I'm going to post my script and see what you guys have to say and see if any of you have ideas or pointers as far as security goes. Also I'm kind of curious on how to avoid my clients getting hit by spam bots. Just keep in mind I'm still getting my cherry popped on this stuff :lol: Maybe I have nothing to worry about but thought it was definitely worth checking out considering the nature of the topic.

Thanks a lot for all the help, keep it up.


<?php
ob_start();
$email = "My_email_for_testing@someserver.com";
//$email = "client@company.com";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";


if((!$firstname) || (!$lastname) || (!$address) || (!$city) || (!$state)) {
header("Location: Test Application.php?error=1");
exit; // stop here; without exit the script keeps running and sends the mail anyway
}


//Below this is all the information that represents fields on the job application form that will be filled out and sent to the specified email ($email).
$subject = "Job Application Submitted."; // no line break in a subject; mail() treats it as a header

$message = "---Personal Information----------------\r\n";
$message .= "Firstname: " . $firstname . "\r\n";
$message .= "Lastname: " . $lastname . "\r\n";
$message .= "Address: " . $address . "\r\n";
$message .= "City: " . $city . "\r\n";
$message .= "State: " . $state . "\r\n";
$message .= "Zipcode: " . $zip . "\r\n";
$message .= "Home Phone: " . $home . "\r\n";
$message .= "Other Phone: " . $other . "\r\n";
$message .= "Cell Phone: " . $cell . "\r\n";
$SSN_TOTAL = $SSN1 . "-" . $SSN2 . "-" . $SSN3;
$message .= "Social Security Number: " . $SSN_TOTAL . "\r\n";
$message .= "Email: " . $Email . "\r\n";
$message .= "Eligible to work in US: " . $eligible . "\r\n";
$message .= "-------------------------------\r\n";
$message .= "Convicted Felony: " . $convicted . "\r\n";
$message .= "Explanation: " . $explanation . "\r\n";
$message .= "-------------------------------\r\n";
$message .= "Position Applied For: " . $position . "\r\n";
$message .= "Able To Start: " . $start . "\r\n";

$message .= "---Education----------------------------\r\n";
$message .= "Name and Address of School: " . $schooladdress . "\r\n";
$message .= "Degree/Diploma: " . $degreediploma . "\r\n";
$message .= "Graduation: " . $graduation . "\r\n";
$message .= "Skills and Qualifications: " . $Skills . "\r\n";

$message .= "---Employment History----------------------------\r\n";

$message .= "---Employer1-------------------------------------\r\n";
$message .= "Name and Address: " . $nameaddress . "\r\n";
$message .= "Job Duties: " . $duties . "\r\n";
$message .= "Employed From: " . $startmonth . "\r\n";
$message .= "Reason For Leaving: " . $reason1 . "\r\n";

$message .= "---Employer2-------------------------------------\r\n";
$message .= "Name and Address: " . $nameaddress2 . "\r\n";
$message .= "Job Duties: " . $duties2 . "\r\n";
//insert period of employment here for Employer2
$message .= "Reason For Leaving: " . $reason2 . "\r\n";

$message .= "---Employer3-------------------------------------\r\n";
$message .= "Name and Address: " . $nameaddress3 . "\r\n";
$message .= "Job Duties: " . $duties3 . "\r\n";
//insert period of employment here for Employer3
$message .= "Reason For Leaving: " . $reason3 . "\r\n";

$headers = "From: " . $email . "\r\n" . "Bcc: " . $bcc . "\r\n";
mail($email, $subject, stripslashes($message), $headers);


?>


<?php
//This part of the script is the instant notification that the applicant will receive after filling out the application form.
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
function reply() {

$rep = <<<EOD
<p><font color="#000000" size="5" face="Arial, Helvetica, sans-serif"><strong>
.:Miller Machine Company Inc. Job Application Completed :.</strong></font></p>
<p><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">
Thank you for your interest in Miller Machine Company Inc. We have received your application for employment and will evaluate it along with the information that you have submitted to us. Thank you for your time and interest; we will contact you after your application has been evaluated.</font></p>
<hr>
<font color="#000000" size="2" face="Arial, Helvetica, sans-serif"><br>
Sincerely,<br>
Steve Miller and Team<br>
Miller Machine Company Inc.<br>
</font>
<div align="left"><font color="#000000" size="2" face="Arial,
Helvetica, sans-serif"><br>
<font size="1">You are receiving this e-mail because you submitted a
job application form at http://www.millermachinecompany.com.
THIS IS NOT SPAM. If you did not request this, send an e-mail to
mikes@millermachinecompany.com with subject &quot;Wrong Email&quot; and nothing in the body if
you would not like to receive any more updates about this request.
</font></font><font color="#000000" size="3" face="Arial, Helvetica, sans-serif"><br>
</font>
<hr>
<div align="center"><font color="#000000" size="3" face="Arial,
Helvetica, sans-serif"><br>
http://www.millermachinecompany.com</font></font><font color="#000000"
size="3" face="Arial, Helvetica, sans-serif">
</font></div>
</div>
EOD;

return $rep;
}

$replymessage = reply();
$replyto = $Email; //This will send an instant notification to the applicant that we have received the online job application they filled out.
$replysubject = "Job Application Received."; // no line break in a subject

mail($replyto, $replysubject, $replymessage, $headers);

ob_end_flush();

?>
</body>
</html>
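The same intake written defensively, as an added example rather than crazy8's script: fields are read from $_POST instead of relying on register_globals, the applicant's address is validated before it is used as Reply-To, and no form value ever reaches To or Bcc. Field names follow the original form; "client@company.com" is the placeholder from the original.

```php
<?php
// Added example, not the thread's script: read the form fields explicitly and
// refuse any value that could alter the mail headers.

// Anything that ends up in a header (From, Reply-To, Bcc) must stay on one
// line; a CR or LF inside a value is how extra headers or recipients get added.
function clean_header_value(string $v): ?string {
    $v = trim($v);
    if ($v === '' || strlen($v) > 254 || preg_match('/[\r\n\0]/', $v)) {
        return null;
    }
    return $v;
}

// The applicant's address is checked as an address, not just for line breaks.
function clean_email(string $v): ?string {
    $v = clean_header_value($v);
    if ($v === null || filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $v;
}

// Body fields: drop control characters (tab and newline stay) and cap the
// length, so a submission cannot pad the mail or smuggle odd bytes into it.
function clean_text(string $v, int $max = 2000): string {
    $v = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $v) ?? '';
    return substr(trim($v), 0, $max);
}

$required = ['firstname', 'lastname', 'address', 'city', 'state'];
$form = [];
foreach ($required as $name) {
    $form[$name] = clean_text($_POST[$name] ?? '');   // $_POST, not register_globals
    if ($form[$name] === '') {
        header('Location: Test Application.php?error=1');
        exit;                                        // stop; do not fall through to mail()
    }
}
$applicant = clean_email($_POST['Email'] ?? '');
if ($applicant === null) {
    header('Location: Test Application.php?error=1');
    exit;
}
// Recipients are fixed in the script: nothing from the form reaches To or Bcc.
$to      = 'client@company.com';
$headers = "From: {$to}\r\nReply-To: {$applicant}\r\n";
$body    = "Firstname: {$form['firstname']}\r\nLastname: {$form['lastname']}\r\n";
mail($to, 'Job Application Submitted', $body, $headers);
```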

quest
05-12-2006, 08:03 PM
you should NEVER send sensitive information through email.

I would never do it. If I had to do it I may encrypt all sensitive information.

sensitive information should be encrypted and stored in a secure database.

crazy8
05-12-2006, 08:37 PM
Well that might be something worth looking into. What are some of the best things/methods to use for encrypting this type of info? Also, once my client receives an application with the SSN on it, is there any way to have any traces of it cleaned off the DB if that's indeed a place it may have been? Just trying to see what my options are and what needs to be done to keep things tight. Any other ideas or thoughts on this would be much appreciated.

Thanks a lot, you all.

quest
05-15-2006, 05:59 PM
PHP offers some built-in hash functions like:

sha1 (http://us2.php.net/manual/en/function.sha1.php)

Read the user comments for in-depth instruction on creating a strong(er) encryption.

dimeric
05-15-2006, 08:36 PM
sha1 can't be decrypted! It's a hash algorithm (in fact SHA stands for Secure Hash Algorithm).

What would be required is asymmetric key encryption; 1024-bit RSA is available via PEAR, look at that instead. The public key could be held in the script, and a program on the client's computer would have to have the private key in some file (as then it allows the keys to be changed if compromised).

Either way it can't be done with sha1 (unless you work at the NSA).

If you are serious about it you need to look at the mcrypt functions on www.PHP.net. They let you encrypt and decrypt data/files with a fair bit of security.

quest
05-15-2006, 09:14 PM
an example on the aforementioned page:

This isn't considered password encryption and decryption? I must be missing something...


$password = "example-password"; // placeholder value so the snippet runs stand-alone

// Generate SSHA hash
mt_srand((double)microtime()*1000000);
$salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
$hash = "{SSHA}" . base64_encode(pack("H*", sha1($password . $salt)) . $salt);
echo $hash . "\n";

// Verify SSHA hash: strip the "{SSHA}" prefix, split the 20-byte digest from the salt,
// recompute the digest from the supplied password and compare
$ohash = base64_decode(substr($hash, 6));
$osalt = substr($ohash, 20);
$ohash = substr($ohash, 0, 20);
$nhash = pack("H*", sha1($password . $osalt));
if ($ohash == $nhash) {
echo "Password OK\n";
} else {
echo "Password verification failed\n";
}


edit: Ahhh.. it is not being decrypted at all.. only verified.

dimeric
05-16-2006, 06:40 AM
exactly!

To encrypt/decrypt messages I have a basic encryption script as so:


$filename = $_GET['fn'];
$handle = fopen($filename, "r");
$message = fread($handle, filesize($filename));
fclose($handle);
echo "computing $filename<br />";
/* Open the cipher (the mcrypt extension was removed from PHP in 7.2) */
$td = mcrypt_module_open('rijndael-256', '', 'ofb', '');
/* Create the IV and determine the key size. Although the IV is often
created with an md5() of the file name, this appears to throw errors sometimes due
to the mcrypt function not reading the entire hash */
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
$ks = mcrypt_enc_get_key_size($td);

/* Create key. I have found various ways to do this but I quite like this */
$key_list = "abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$key_input = "";
for ($i = 0; $i < 500; $i++)
{
    $n = rand(0, strlen($key_list) - 1); /* rand() is inclusive at both ends, so -1 keeps the index in range */
    $key_input .= $key_list[$n];
}
$key = substr(sha1($key_input), 0, $ks);

/* Initialize encryption */
mcrypt_generic_init($td, $key, $iv);
/* Encrypt data */
$encrypted = mcrypt_generic($td, $message);


/* WRITE DATA TO FILE */
$encrypted = $iv . "||||||||" . $encrypted; /* Again probably not the best way to do it but it works and makes sense to me! */
$filename = "output.txt";
$handle = fopen($filename, "w");
if (fwrite($handle, $encrypted) === FALSE)
{
    echo "Cannot write to file ($filename)";
    exit;
}
echo "<br />Success, wrote encrypted to file ($filename)";

fclose($handle);


$filename = "key.txt";
$handle = fopen($filename, "w");
if (fwrite($handle, $key) === FALSE) {
    echo "Cannot write to file ($filename)";
    exit;
}

echo "<br />Success, wrote key to file ($filename)";

fclose($handle);
/* Terminate encryption handler */
mcrypt_generic_deinit($td);
mcrypt_module_close($td);



Although this requires the mcrypt library installed on the server; I have a decrypt somewhere as well.
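Putting dimeric's two suggestions together (a public key held in the script with the private key on the client's machine, plus a symmetric cipher for the body), here is an added example using PHP's openssl functions instead of mcrypt. It is not code from the thread or from PEAR; the key pair is generated inline only so the sample runs, and the SSN is a constructed placeholder.

```php
<?php
// Added example, not from either post: hybrid envelope encryption with PHP's
// openssl functions, in place of mcrypt. A fresh random AES-256-GCM key encrypts
// the message body; only that key is RSA-encrypted to the client's public key,
// so the script holds no secret and the mail is unreadable without the private
// key kept on the client's machine.

// Demo only: in practice the client makes the pair offline and the script gets
// just the public PEM.
function demo_keypair(): array {
    $res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    openssl_pkey_export($res, $privPem);
    return [openssl_pkey_get_details($res)['key'], $privPem];
}

function seal_application(string $plaintext, string $recipientPubPem): array {
    $aesKey = random_bytes(32);      // one-time data key
    $iv     = random_bytes(12);      // 96-bit GCM nonce, new for every message
    $tag    = '';
    $cipher = openssl_encrypt($plaintext, 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA, $iv, $tag);
    // Only the 32-byte data key goes through RSA, with OAEP padding.
    if ($cipher === false ||
        !openssl_public_encrypt($aesKey, $wrapped, $recipientPubPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    // All four fields can travel in the mail body; GCM's tag detects tampering.
    return ['key' => base64_encode($wrapped), 'iv' => base64_encode($iv),
            'tag' => base64_encode($tag), 'data' => base64_encode($cipher)];
}

function open_application(array $env, string $privPem): string {
    if (!openssl_private_decrypt(base64_decode($env['key']), $aesKey, $privPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key unwrap failed: wrong private key');
    }
    $plain = openssl_decrypt(base64_decode($env['data']), 'aes-256-gcm', $aesKey, OPENSSL_RAW_DATA,
                             base64_decode($env['iv']), base64_decode($env['tag']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed: corrupted or altered data');
    }
    return $plain;
}

// Constructed sample run with a placeholder SSN.
[$pub, $priv] = demo_keypair();
$envelope = seal_application("Social Security Number: 000-00-0000\r\n", $pub);
echo open_application($envelope, $priv);
```

The four base64 fields are what the web server would put in the mail; the private key never leaves the client's side, which is what makes the key rotatable if it is ever compromised, as dimeric notes.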