
Contact Form

Posted: Mon Nov 01, 2010 1:54 pm
by jzmwebdevelopment
Hello,

I have used the processing code below for years, and now I am looking to improve it, including its security.

I have a couple of questions:

* Is it better to validate in JS or PHP?
* How could I improve this script to avoid spammers or XSS attacks?



This is only my minimal code. I have another one that processes value="<? value" of the check boxes etc.

I am just going around in circles trying to Google it, etc.

Code:

<?php

session_start();

$errors = array();
$to     = 'you@example.com'; // recipient address; not defined in the original, assumed here

if (!empty($_POST['validation']) && strlen($_POST['validation']) == 10) {

    $subject = "Website Contact";

    //print_r($_POST); die();
    $required_fields = array('name', 'email', 'message'); // added 'checkbox' for required.

    foreach ($_POST as $key => $value) {

        $_SESSION[$key] = trim($value);

        if (in_array($key, $required_fields) && empty($value)) $errors[$key] = ucwords($key) . ' is required!';
    }

    // make sure a valid email address is entered.
    $email = isset($_SESSION['email']) ? $_SESSION['email'] : '';
    if (!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $email)) {
        $errors['email'] = 'A Valid email address is required!';
    }

    if (!$errors) {

        $message  = (isset($_SESSION['subject']) ? $_SESSION['subject'] : $subject) . "\n\n";
        $message .= "Name: " . $_SESSION['name'] . "\n\n";
        $message .= "E-Mail: " . $_SESSION['email'] . "\n\n";
        $message .= "Message: " . wordwrap($_SESSION['message']) . "\n\n";
        $message .= "\n\n";
        $message .= date('j/m/Y g:ia');

        // the headers are built directly from the submitted name and email
        $headers  = "From:" . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
        $headers .= "Reply-To: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
        $headers .= "Return-Path: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
        $headers .= "Bcc: \n";

        if (mail($to, $subject, $message, $headers)) {
            $errors['heading'] = "<p>Thank You, Your enquiry has been sent.</p>";
        } else {
            $errors['heading'] = "ERROR! There was a system error, Please send your enquiry again.";
        }

    }

}

// the errors (or the thank-you heading) are carried to contact.php in the session
$_SESSION['error'] = $errors;
header("Location: ../../contact.php");
die();
?>


Re: Contact Form

Posted: Mon Nov 01, 2010 2:08 pm
by Jonah Bron
jzmwebdevelopment wrote: Is it better to validate in JS or PHP?
Always validate with PHP. It can be convenient for the user for you to validate with Javascript in addition to server-side validation, but do not rely on it.
jzmwebdevelopment wrote: How could I improve this script to avoid spammers...
There are a couple of ways to avoid spammers. One way is to use a Captcha; ReCaptcha is a popular one. Another way is to use "captcha alternatives". These methods include honeypots, session keys embedded in the form, and filtering based on content. I hear Akismet is a good service for that.
jzmwebdevelopment wrote: ...or XSS attacks?
Process all text input with htmlentities(). Google for more info.

I see a problem with your code here:
jzmwebdevelopment wrote:

Code:

foreach ($_POST as $key => $value) {
    $_SESSION[$key] = trim($value);
    if (in_array($key, $required_fields) && empty($value)) $errors[$key] = ucwords($key) . ' is required!';
}
This code checks if there are no extraneous fields in post. It needs to be the other way around, and check that there are no missing fields in post.

P.S. For future reference, this belongs in PHP - Security
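
The handler below is an added example, not the original poster's script or anything from this thread's authors: it puts the advice in the reply above into code (required fields checked from a fixed list rather than from $_POST, a honeypot field, a session key embedded in the form, server-side email validation, and htmlentities() when values are echoed back into the form). The field names name, email and message come from the thread; the hidden 'website' honeypot field, the 'token' field, the sender address noreply@example.com and the recipient you@example.com are assumptions for the example.

```php
<?php
// Added example (not the original poster's code). Assumes contact.php creates
// the token when it renders the form and embeds it in a hidden field:
//   $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(16));
//   <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
session_start();

function validate_contact(array $post, array $session)
{
    $errors = array();
    $clean  = array();

    // Iterate over the required fields, not over $_POST, so a field that was
    // simply left out of the request is reported as missing.
    foreach (array('name', 'email', 'message') as $field) {
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = ucwords($field) . ' is required!';
        }
        $clean[$field] = $value;
    }

    // Honeypot: the 'website' field (assumed name) is hidden from humans by CSS,
    // so anything in it came from a bot filling every input it finds.
    if (!empty($post['website'])) {
        $errors['spam'] = 'Submission rejected.';
    }

    // Session key embedded in the form: a POST that never loaded contact.php
    // has no token that matches the one stored in the session.
    if (empty($session['token']) || empty($post['token'])
        || !hash_equals((string) $session['token'], (string) $post['token'])) {
        $errors['token'] = 'The form has expired, please reload it and try again.';
    }

    // FILTER_VALIDATE_EMAIL rejects addresses containing CR/LF, so a value that
    // passes cannot carry an extra header line into mail().
    if ($clean['email'] !== '' && !filter_var($clean['email'], FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'A valid email address is required!';
    }
    // The name goes into a header too, so a line break in it is refused outright.
    if (preg_match('/[\r\n]/', $clean['name'])) {
        $errors['name'] = 'Name contains invalid characters.';
    }

    return array($clean, $errors);
}

function send_contact(array $clean, $to)
{
    $body  = "Name: " . $clean['name'] . "\n\n";
    $body .= "E-Mail: " . $clean['email'] . "\n\n";
    $body .= "Message: " . wordwrap($clean['message']) . "\n\n";
    $body .= date('j/m/Y g:ia');

    // From is a fixed address on your own domain (assumed); the visitor only
    // appears in Reply-To, and only after the checks in validate_contact().
    $headers  = "From: Website Contact <noreply@example.com>\r\n";
    $headers .= "Reply-To: " . $clean['email'] . "\r\n";
    return mail($to, 'Website Contact', $body, $headers);
}

// For re-filling the form's value="..." attributes from what was submitted:
// encode on output so that input can never become markup in the page.
function field_value(array $values, $name)
{
    $value = isset($values[$name]) ? $values[$name] : '';
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    list($clean, $errors) = validate_contact($_POST, $_SESSION);
    if (!$errors) {
        $errors['heading'] = send_contact($clean, 'you@example.com') // assumed recipient
            ? 'Thank you, your enquiry has been sent.'
            : 'There was a system error, please send your enquiry again.';
    }
    $_SESSION['error']  = $errors;
    $_SESSION['values'] = $clean;   // contact.php re-fills the form through field_value()
    unset($_SESSION['token']);      // the token is single use
    header('Location: ../../contact.php');
    exit;
}
```

On the form page, contact.php would print each error through htmlentities() as well and render the sticky fields as value="&lt;?php echo field_value($_SESSION['values'], 'name'); ?&gt;". The JS validation Jonah mentions can sit in front of all of this for convenience; nothing above depends on it.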

Re: Contact Form

Posted: Tue Nov 02, 2010 1:18 am
by jzmwebdevelopment
Thanks for that; yes, I was just about to post it there :). Is there any particular way that you would write a script? Is there a right and wrong way?

Re: Contact Form

Posted: Tue Nov 02, 2010 3:44 am
by klevis miho
There are many ways to write a particular script.
There are of course right and wrong ways :)

Re: Contact Form

Posted: Tue Nov 02, 2010 10:20 am
by Apollo
Jonah Bron wrote:
jzmwebdevelopment wrote: Is it better to validate in JS or PHP?
Always validate with PHP. It can be convenient for the user for you to validate with Javascript in addition to server-side validation, but do not rely on it.
In addition to Jonah's correct remark: please realize JS validation serves a completely different purpose than PHP validation!

JS validation is helpful to the user, to help him avoid submitting incorrect data.
PHP validation is for you (the server), to avoid invalid input.

JS validation can be easily disabled/circumvented by any visitor.

Re: Contact Form

Posted: Tue Dec 14, 2010 6:57 pm
by n2dn
I am wondering if something like this would be effective:

Code:

// check the post variables
$post  = serialize($_POST);
$email = isset($_POST['email']) ? trim($_POST['email']) : '';
$clean = array("<", ">", "content-type", "cc", "bcc");
foreach ($clean as $value) {
    // case-insensitive substring match against the whole serialized POST body
    if (stristr($post, $value) !== false) {
        $error = "there is a problem with your input!";
    }
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $error = "there is a problem with your email!";
}
if (isset($error)) {
    die($error);
}
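
As an added example (not code from n2dn or anyone else in this thread), the script below runs the kind of check proposed above against two constructed submissions, one honest and one with a line break in the name, and shows alongside it a check keyed on the line break itself. build_headers() mirrors how the original script assembles From and Reply-To from the submitted name and email; the field names and the sample values are constructed for the example.

```php
<?php
// Added example, not from the thread. build_headers() reproduces the header
// assembly of the original contact script so the effect of a line break in
// the name can be seen in the resulting header string.
function build_headers($name, $email)
{
    $headers  = "From:" . $name . " <" . $email . ">\n";
    $headers .= "Reply-To: " . $name . " <" . $email . ">\n";
    return $headers;
}

// The substring blacklist from the post above, as a function: true when any
// needle occurs (case-insensitively) anywhere in the serialized POST array.
// Note that serialize() includes the field names as well as the values.
function blacklist_flags(array $post)
{
    $serialized = serialize($post);
    foreach (array("<", ">", "content-type", "cc", "bcc") as $needle) {
        if (stristr($serialized, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// A check keyed on the injection vector itself: mail() header lines are
// separated by line breaks, so a CR or LF in a value that lands in a header
// is what lets an attacker add Bcc/Cc/Content-Type lines.
function crlf_flags(array $post)
{
    foreach (array('name', 'email') as $field) {
        if (isset($post[$field]) && preg_match('/[\r\n]/', $post[$field])) {
            return true;
        }
    }
    return false;
}

// Runs both checks on one submission and reports the results together.
function check_submission(array $post)
{
    return array(
        'headers'   => build_headers($post['name'], $post['email']),
        'blacklist' => blacklist_flags($post),
        'crlf'      => crlf_flags($post),
        'email_ok'  => filter_var($post['email'], FILTER_VALIDATE_EMAIL) !== false,
    );
}

// Constructed sample submissions.
$honest = array(
    'name'    => 'Rebecca McCall',
    'email'   => 'rebecca@example.com',
    'message' => 'Hello, I have a question about your service.',
);
$injected = array(
    'name'    => "Bob\nBcc: victim1@example.com, victim2@example.com",
    'email'   => 'bob@example.com',
    'message' => 'buy now',
);

foreach (array('honest' => $honest, 'injected' => $injected) as $label => $post) {
    $result = check_submission($post);
    echo "== $label ==\n";
    echo $result['headers'];
    echo "blacklist flagged: " . ($result['blacklist'] ? 'yes' : 'no') . "\n";
    echo "crlf flagged:      " . ($result['crlf'] ? 'yes' : 'no') . "\n";
    echo "email valid:       " . ($result['email_ok'] ? 'yes' : 'no') . "\n\n";
}
```

Two things are visible when this runs. The header string for the injected submission contains a second line starting with "Bcc:", which is exactly what build_headers() hands to mail() in the original script. And the substring scan flags both submissions, because "Rebecca McCall" contains "cc" just as "Bcc" does, while the CRLF check flags only the one with the line break; filter_var() accepts both addresses, since the injected line is in the name, not the email.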