Contact Form

jzmwebdevelopment
Forum Commoner
Posts: 32
Joined: Mon Nov 01, 2010 1:45 pm

Contact Form

Post by jzmwebdevelopment »

Hello,

I have used the below process code for years and now I am looking to improve it and improve security etc.

I have a couple of questions:

* Is it better to validate in JS or PHP?
* How Could I Improve This Script To Avoid Spammers or XSS Attacks?



This is only my minimal code. I have another one that processes value="<? value" of the check boxes etc.

I am just going around in circles trying to google etc.

Code:

<?php

session_start();

$to     = 'you@example.com'; // placeholder: the destination address was not defined in the original
$errors = array();           // initialise so the !$errors test below is always defined

if (!empty($_POST['validation']) && strlen($_POST['validation']) == 10) {

    $subject = "Website Contact";

    //print_r($_POST); die();
    $required_fields = array('name', 'email', 'message'); // added 'checkbox' for required.

    // copies every posted field into the session; a required field the client
    // did not send at all never reaches this loop
    foreach ($_POST as $key => $value) {
        $_SESSION[$key] = trim($value);
        if (in_array($key, $required_fields) && empty($value)) {
            $errors[$key] = ucwords($key) . ' is required!';
        }
    }

    // make sure a valid email address is entered.
    if (!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $_SESSION['email'])) {
        $errors['email'] = 'A Valid email address is required!';
    }

    if (!$errors) {
        $message  = $_SESSION['subject'] . "\n\n";
        $message .= "Name: " . $_SESSION['name'] . "\n\n";
        $message .= "E-Mail: " . $_SESSION['email'] . "\n\n";
        $message .= "Message: " . wordwrap($_SESSION['message']) . "\n\n";
        $message .= "\n\n";
        $message .= date('j/m/Y g:ia');

        // the visitor's name and address are placed directly into the mail headers
        $headers  = "From:" . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
        $headers .= "Reply-To: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
        $headers .= "Return-Path: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
        $headers .= "Bcc: \n";

        if (mail($to, $subject, $message, $headers)) {
            $errors['heading'] = "<p>Thank You, Your enquiry has been sent.</p>";
        } else {
            $errors['heading'] = "ERROR! There was a system error, Please send your enquiry again.";
        }
    }
}

$_SESSION['error'] = $errors;
header("Location: ../../contact.php");
die();

// session_destroy(); -- unreachable after die(), and destroying the session here
// would also discard $_SESSION['error'] before contact.php can read it
?>

Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Contact Form

Post by Jonah Bron »

jzmwebdevelopment wrote:Is it better to validate in JS or PHP?
Always validate with PHP. It can be convenient for the user for you to validate with JavaScript in addition to server-side validation, but do not rely on it.
jzmwebdevelopment wrote:How Could I Improve This Script To Avoid Spammers...
There are a couple of ways to avoid spammers. One way is to use a Captcha. ReCaptcha is a popular one. Another way is to use "captcha alternatives". These methods include honey pots, session keys embedded in the form, and filtering based on content. I hear Akismet is a good service for that.
jzmwebdevelopment wrote:...or XSS Attacks?
Process all text input with htmlentities(). Google for more info.

I see a problem with your code here:
jzmwebdevelopment wrote:

Code:

foreach($_POST as $key => $value) {
    $_SESSION[$key] = trim($value);
    if(in_array($key, $required_fields) && empty($value)) $errors[$key] = ucwords($key) .' is required!';
}
This code checks if there are no extraneous fields in post. It needs to be the other way around, and check that there are no missing fields in post.

P.S. For future reference, this belongs in PHP - Security
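A handler rebuilt along the lines of the advice above (server-side validation only, a session key embedded in the form, a honeypot field, the required-field loop turned around to look for missing fields, and escaping at output time). This is an added example, not code from the thread or from any poster; the hidden field names `form_token` and `website`, the two addresses, the `issue_form_token()` helper and the use of `filter_var()` are assumptions, and it assumes PHP 5.3 or later.

```php
<?php
// Added example, not from the thread. Assumed: field names name/email/message,
// a hidden token field 'form_token', a honeypot field 'website', placeholder
// addresses, and the redirect target used in the original post.
session_start();

$to   = 'contact@example.com';  // placeholder destination
$from = 'noreply@example.com';  // placeholder fixed sender on your own domain

// Called by the form page when it renders the form: stores a random token in the
// session and returns it for a hidden <input name="form_token">.
function issue_form_token()
{
    $_SESSION['form_token'] = bin2hex(openssl_random_pseudo_bytes(16));
    return $_SESSION['form_token'];
}

$errors = array();
$clean  = array();

// 1. Session key: the posted token must match the one stored when the form was
//    rendered. Bots that fetch nothing and post blindly fail here. Single use.
$token_ok = !empty($_POST['form_token']) && !empty($_SESSION['form_token'])
    && $_POST['form_token'] === $_SESSION['form_token'];
unset($_SESSION['form_token']);
if (!$token_ok) {
    $errors['form'] = 'The form has expired, please reload the page and try again.';
}

// 2. Honeypot: the 'website' field is hidden from people with CSS, so any value
//    in it is a strong sign of an automated submission.
if (!empty($_POST['website'])) {
    $errors['form'] = 'Your submission could not be processed.';
}

// 3. Check for missing required fields by iterating the list of fields we expect,
//    not the list of fields the client chose to send.
$required_fields = array('name', 'email', 'message');
foreach ($required_fields as $field) {
    $value = isset($_POST[$field]) && is_string($_POST[$field]) ? trim($_POST[$field]) : '';
    if ($value === '') {
        $errors[$field] = ucwords($field) . ' is required!';
    }
    $clean[$field] = $value;
}

// 4. Syntax check with the built-in filter instead of a hand-written regex.
if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors['email'] = 'A valid email address is required!';
}

// 5. Fields that are one line by nature may not contain line breaks; a line break
//    is what would let a value add extra lines wherever it is inserted, including
//    a mail header.
if (preg_match('/[\r\n]/', $clean['name'])) {
    $errors['name'] = 'Name must be a single line.';
}

if (!$errors) {
    $subject = 'Website Contact';
    $body  = "Name: " . $clean['name'] . "\n\n";
    $body .= "E-Mail: " . $clean['email'] . "\n\n";
    $body .= "Message:\n" . wordwrap($clean['message'], 70) . "\n\n";
    $body .= date('j/m/Y g:ia') . "\n";

    // From is a fixed address we control; the visitor's address appears only in
    // Reply-To, and only after FILTER_VALIDATE_EMAIL has accepted it, so the
    // free-text name never reaches a header at all.
    $headers  = "From: " . $from . "\r\n";
    $headers .= "Reply-To: " . $clean['email'] . "\r\n";

    if (!mail($to, $subject, $body, $headers)) {
        $errors['heading'] = 'There was a system error, please send your enquiry again.';
    }
}

// 6. Hand the values back for redisplay. contact.php must print each one through
//    htmlspecialchars($value, ENT_QUOTES, 'UTF-8') so that markup in a field is
//    shown as text, which is the XSS half of the question.
$_SESSION['form_values'] = $clean;
$_SESSION['error']       = $errors;
header('Location: ../../contact.php');
exit;
```

After the redirect, an empty `$_SESSION['error']` means the message was sent; anything else is redisplayed next to the form, with every value passed through `htmlspecialchars()` at the moment it is printed rather than when it is stored.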
jzmwebdevelopment
Forum Commoner
Posts: 32
Joined: Mon Nov 01, 2010 1:45 pm

Re: Contact Form

Post by jzmwebdevelopment »

Thanks for that - yes I was just about to post it there :). Is there any particular way that you would write a script - is there a right and wrong way?
klevis miho
Forum Contributor
Posts: 413
Joined: Wed Oct 29, 2008 2:59 pm
Location: Albania

Re: Contact Form

Post by klevis miho »

There are many ways to write a particular script.
There are of course right and wrong ways :)
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Contact Form

Post by Apollo »

Jonah Bron wrote:
jzmwebdevelopment wrote:Is it better to validate in JS or PHP?
Always validate with PHP. It can be convenient for the user for you to validate with Javascript in addition to server-side validation, but do not rely on it.
In addition to Jonah's correct remark: please realize JS validation serves a completely different purpose than PHP validation!

JS validation is helpful to the user, to help him avoid submitting incorrect data.
PHP validation is for you (the server), to avoid invalid input.

JS validation can be easily disabled/circumvented by any visitor.
n2dn
Forum Newbie
Posts: 1
Joined: Tue Dec 14, 2010 6:45 pm

Re: Contact Form

Post by n2dn »

I am wondering if something like this would be effective:

Code:

<?php
// check the post variables
$post  = serialize($_POST);
$clean = array("<", ">", "content-type", "cc", "bcc");
foreach ($clean as $value) {
	// stristr() is a case-insensitive substring match over the whole serialized array
	if (stristr($post, $value)) {
		$error = "there is a problem with your input!";
	}
}
// $email was not defined in the snippet; take it from the posted field
$email = isset($_POST['email']) ? trim($_POST['email']) : '';
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
	$error = "there is a problem with your email!";
}
if (isset($error)) {
	die($error);
}
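To see how the substring blacklist above behaves next to a whitelist of expected fields with a rule per field, here is an added comparison that is not part of the thread. The blacklist function is a rewrite of the snippet above into a function; `whitelist_check()`, the field rules and the three sample submissions are constructed for the example.

```php
<?php
// Added example, not from the thread. Field names and the sample submissions
// below are constructed for illustration.

// The substring-blacklist approach from the post, as a function: flag the
// submission if any listed word appears anywhere in the serialized POST data.
function blacklist_check(array $post)
{
    $serialized = serialize($post);
    foreach (array('<', '>', 'content-type', 'cc', 'bcc') as $needle) {
        if (stristr($serialized, $needle) !== false) {
            return 'there is a problem with your input!';
        }
    }
    return null;
}

// Whitelist approach: only the fields we expect are examined, each against the
// rule for what that kind of field may contain. Anything else the client sent
// is ignored rather than trusted.
function whitelist_check(array $post)
{
    $rules = array(
        'name'    => 'line',   // a single line of text
        'email'   => 'email',  // a syntactically valid address
        'message' => 'text',   // free text, line breaks allowed
    );
    $errors = array();
    foreach ($rules as $field => $rule) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = ucwords($field) . ' is required!';
            continue;
        }
        switch ($rule) {
            case 'line':
                // A CR or LF in a one-line field is what to refuse, whatever
                // words follow it; particular words are not the problem.
                if (preg_match('/[\r\n]/', $value)) {
                    $errors[$field] = ucwords($field) . ' must be a single line.';
                }
                break;
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[$field] = 'there is a problem with your email!';
                }
                break;
            case 'text':
                // The body is sent as plain text and escaped with htmlspecialchars()
                // wherever it is redisplayed, so '<' and '>' are not errors here.
                if (strlen($value) > 5000) {
                    $errors[$field] = ucwords($field) . ' is too long.';
                }
                break;
        }
    }
    return $errors;
}

// Constructed sample submissions.
$samples = array(
    // A legitimate enquiry: the word "access" contains "cc", so the blacklist
    // rejects a real customer while the whitelist accepts the submission.
    'legitimate' => array('name' => 'Ann Example', 'email' => 'ann@example.com',
                          'message' => 'I cannot access my account, can you help?'),
    // A line break inside a one-line field: no listed word occurs, so the
    // blacklist passes it; the whitelist refuses it on the field's own rule.
    'linebreak'  => array('name' => "Bob\r\nSmith", 'email' => 'bob@example.com',
                          'message' => 'Hello'),
    // An unexpected extra field: the whitelist never looks at it.
    'extra'      => array('name' => 'Cy', 'email' => 'cy@example.com',
                          'message' => 'Hi', 'admin' => '1'),
);

foreach ($samples as $label => $post) {
    $bl = blacklist_check($post);
    $wl = whitelist_check($post);
    printf("%-10s blacklist: %-7s whitelist: %s\n", $label,
        $bl === null ? 'ok' : 'reject',
        $wl ? 'reject (' . implode(' ', $wl) . ')' : 'ok');
}
```

The point of the comparison is that a word list matched against the whole request both trips on ordinary text and says nothing about the property that actually matters for a field that ends up in a mail header or a one-line display, namely that it stays on one line; checking each expected field against its own rule covers that directly.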