I am adding a page to my site that allows doctors to send me referrals. Some of the data will be highly sensitive, so I need to be sure that it is handled as securely as possible. The data doesn't get stored in a database. It is simply emailed directly to me. The PHP script is below.

I use the str_replace function to filter out URLs. I'm not too concerned about that. I really, though, need to be sure that bad guys cannot intercept what's being sent. The lawsuit may be a little more than ugly. How does it look? Does anyone think I need to add or remove anything to keep the bad guys at bay? I plan on adding a Captcha before I publish the page. Thanks in advance.

if(isset($_POST['submit'])) {

			// Domain suffixes to mangle so that URLs in the address field are neutralised.
			$domains = array('.com', '.org', '.net', '.gov', '.edu', '.mil', '.int');

			$replacement = array('/*com*', '/*org*', '/*net*', '/*gov*', '/*edu*', '/*mil*', '/*int*');

			$to = "email@place.com";

			$subject = "**** (Referral)";

			// strip_tags() removes HTML from each posted value; it does not validate content.
			$physican_field = strip_tags($_POST['physician']);

			$name_field = strip_tags($_POST['patient']);

			$insurance_field = strip_tags($_POST['primary']);

			$insurancenumber_field = strip_tags($_POST['insurance#']);

			$phone_field = strip_tags($_POST['phone']);

			$address = strip_tags($_POST['address']);

			$address = str_replace($domains, $replacement, $address);

			// The posted script never assigns $file_uploaded; initialised here so the
			// body does not reference an undefined variable.
			$file_uploaded = '';

			// The original used $message here, which is never defined; the address is meant.
			$body = "Physician: $physican_field\n Patient: $name_field\n Phone: $phone_field\n Primary Insurance: $insurance_field\n Insurance/Medicare#: $insurancenumber_field\n File: $file_uploaded\n Address: $address\n";

			mail($to, $subject, $body);

		} else {

			die("We apologize, but your form was not submitted successfully");

		}


Edited by pallen: Make it clearer

5 Years
Discussion Span
Last Post by urtrivedi

If you want to make interception more difficult, use an SSL connection. Then it will at least be sent encrypted.

Or let those doctors e-mail it to you directly, without using the webpage.
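Putting the two points together (the poster's handler above and the advice to only accept the form over SSL), here is an added example of a hardened version of the same referral handler. It is not the poster's code: it assumes the form posts the field names used below (the original `insurance#` field is renamed `insurance_number`), that the recipient address, subject and From address are placeholders, and that the page is meant to be served only over TLS, so plaintext submissions are refused rather than mailed.

```php
<?php
// Added example, not the poster's script: a hardened handler for the same referral form.
// Assumptions: the form posts the field names in REQUIRED_FIELDS ('insurance#' renamed to
// 'insurance_number'), the recipient/From addresses are placeholders, and the page is TLS-only.
declare(strict_types=1);

const REFERRAL_TO      = 'email@place.com';   // placeholder, as in the thread
const REFERRAL_SUBJECT = 'Referral';          // placeholder
const REQUIRED_FIELDS  = ['physician', 'patient', 'primary', 'insurance_number', 'phone', 'address'];
const MAX_FIELD_LENGTH = 500;

// TLS covers only the browser-to-server leg. Refusing plaintext POSTs means a referral never
// crosses the network unencrypted even if a doctor bookmarked the http:// URL.
function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Validate the posted fields. Returns [fields, errors]; fields is complete only when errors is empty.
function validateReferral(array $post): array
{
    $fields = [];
    $errors = [];
    foreach (REQUIRED_FIELDS as $name) {
        $raw = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
        // Drop tags, then collapse line breaks so a value cannot masquerade as a separate body line.
        $value = trim(preg_replace('/[\r\n\t]+/', ' ', strip_tags($raw)));
        if ($value === '') {
            $errors[] = "$name is required";
            continue;
        }
        if (strlen($value) > MAX_FIELD_LENGTH) {
            $errors[] = "$name is too long";
            continue;
        }
        $fields[$name] = $value;
    }
    if (isset($fields['phone']) && !preg_match('/^[0-9 ()+.\-]{7,20}$/', $fields['phone'])) {
        $errors[] = 'phone may contain only digits and separators';
    }
    // The original mangled domain suffixes with str_replace(); rejecting URL-like text
    // is simpler and does not corrupt a legitimate street address.
    if (isset($fields['address']) && preg_match('#https?://|www\.#i', $fields['address'])) {
        $errors[] = 'address must not contain a URL';
    }
    return [$fields, $errors];
}

// Build the plain-text body from validated fields only; nothing user-supplied reaches the headers.
function buildReferralBody(array $fields): string
{
    $labels = [
        'physician'        => 'Physician',
        'patient'          => 'Patient',
        'phone'            => 'Phone',
        'primary'          => 'Primary Insurance',
        'insurance_number' => 'Insurance/Medicare#',
        'address'          => 'Address',
    ];
    $lines = [];
    foreach ($labels as $name => $label) {
        $lines[] = $label . ': ' . $fields[$name];
    }
    return implode("\n", $lines) . "\n";
}

// Returns [ok, message]. The message is safe to echo back after htmlspecialchars().
function handleReferral(array $server, array $post): array
{
    if (!requestIsHttps($server)) {
        return [false, 'This form accepts submissions only over HTTPS.'];
    }
    [$fields, $errors] = validateReferral($post);
    if ($errors !== []) {
        return [false, 'Please correct: ' . implode('; ', $errors)];
    }
    // Fixed headers: sender and recipient are never taken from the request.
    $headers = "From: referrals@example.invalid\r\nContent-Type: text/plain; charset=UTF-8";
    if (!mail(REFERRAL_TO, REFERRAL_SUBJECT, buildReferralBody($fields), $headers)) {
        return [false, 'The referral could not be sent. Please try again later.'];
    }
    return [true, 'Thank you, the referral has been sent.'];
}

// Usage when this file is included by the form page.
if (PHP_SAPI !== 'cli' && isset($_POST['submit'])) {
    [$ok, $message] = handleReferral($_SERVER, $_POST);
    http_response_code($ok ? 200 : 400);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

The HTTPS check enforces the reply's advice on the web leg only: `mail()` still hands the body to the server's mail agent exactly as the original does, so the check protects the form submission, not the onward email. Returning a structured `[ok, message]` pair instead of calling `die()` lets the page report which required field is missing, which is what the poster wanted the required fields for, while the fixed `From:` header and the validated-fields-only body keep request data out of the mail headers.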


I was thinking about an SSL, but I don't want to pay for it. And they could email it, but they invariably leave out important info that patients never want to give out over the phone. With the form, I make each field required, and then I know I have it. I guess an SSL may be the safest bet, though.

Thanks for the reply


Imo, CAPTCHA will not serve your purpose much. SSL is the best way. Find it expensive? I guess if so, there's the alternative of making your own SSL (but then users viewing a warning may be a downside).


Thanks for the reply. I guess a private SSL isn't too bad. I checked and it's less expensive than I thought. Why don't you think CAPTCHA will serve the purpose?
