PHP Contact Form Mailer

Tintin81
Forum Newbie
Posts: 2
Joined: Tue Jan 22, 2008 4:08 am

PHP Contact Form Mailer

Post by Tintin81 »

Hey, I'm new to this forum, and I wonder if you can help me with this: I am currently working on a php contact form using the PEAR::Validate package. The form I am developing is for a large client, so I want to make sure the input validation really works and has no security gaps.

Maybe some of you can take a look at the code I came up with (I tried really hard to keep it simple):

Code:

<?php
require_once('Validate.php');

// Include file to strip quotes if needed
// require_once('MagicQuotes/strip_quotes.php');

$errors = array('name'=>'', 'email'=>'', 'message'=>''); // Initialize errors array

$ok = false;
if (isset($_POST['submit'])) { // If the form is submitted...

    $ok = true;
    $name_options    = array('format'=>VALIDATE_ALPHA.VALIDATE_SPACE, 'min_length'=>3);
    $message_options = array('min_length'=>3);

    if (!Validate::string($_POST['name'], $name_options)) {
        $errors['name'] = ' class="error"';
        $ok = false;
    }

    if (!Validate::email($_POST['email'])) {
        $errors['email'] = ' class="error"';
        $ok = false;
    }

    if (!Validate::string($_POST['message'], $message_options)) {
        $errors['message'] = ' class="error"';
        $ok = false;
    }
}

if ($ok) {
    mail('myemail@gmail.com', 'Test', $_POST['message']);
    echo "<b>Thanks for your message!</b>";
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
    <title>Form</title>
    <link rel="stylesheet" href="styles.css" type="text/css" media="screen" />
</head>

<body>
    <form method="post">
    <div>
        <label<?php echo ($errors['name']); ?>>Name:</label>
        <span><input type="text" name="name" value="<?php echo(@$_POST['name']);?>"></span>
    </div>
    <div>
        <label<?php echo ($errors['email']); ?>>Email:</label>
        <span><input type="text" name="email" value="<?php echo(@$_POST['email']);?>"></span>
    </div>
    <div>
        <label<?php echo ($errors['message']); ?>>Message:</label>
        <span><input type="text" name="message" value="<?php echo(@$_POST['message']);?>"></span>
    </div>
    <div>
        <span><input type="submit" name="submit" value="send"></span>
    </div>
    </form>
</body>
</html>
<?php
}
?>
 
I also uploaded this file to here. Feel free to try it out and see if it works (I think it does!).

The code seems to work ok, but is it really safe? How could it be further improved? Thanks for any feedback...
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: PHP Contact Form Mailer

Post by Jonah Bron »

It looks secure from here -- as long as PEAR::Validate is secure... :roll:

Welcome to the PHPDN!
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Contact Form Mailer

Post by Christopher »

Even though you validate, you should still filter and escape the values appropriately before you use them. For example, I only see you validating the name and message as strings, but not limiting their contents, for example to disallow HTML.
(#10850)
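The point above, and the question in the opening post about whether the form is safe, come down to keeping three steps apart: validating the shape of the input, escaping it for the context it is written into, and filtering it for the mail it ends up in. The script below is an added example, not the poster's code and not part of PEAR::Validate; it uses PHP's own filter_var() and preg_match() in place of PEAR so it runs without PEAR installed, keeps the posted form's field names (name, email, message), and uses a placeholder recipient address and a constructed sample submission in place of $_POST.

```php
<?php
// Added example (not the forum poster's code): validation, escaping and
// filtering kept as three separate steps for the contact form discussed above.
// PEAR::Validate is replaced by filter_var()/preg_match() so this runs
// stand-alone; 'myemail@example.com' is a placeholder recipient.

/**
 * Step 1: validate shape and length. Returns field => message;
 * an empty array means the input passed validation.
 */
function validate_contact(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    // Letters and spaces only, at least 3 characters: the same rule the
    // poster expressed with VALIDATE_ALPHA . VALIDATE_SPACE and min_length 3.
    if (!preg_match('/^[A-Za-z ]{3,60}$/', $name)) {
        $errors['name'] = 'Name must be 3 to 60 letters and spaces.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    }
    // A length check says nothing about content: "<script>" is a perfectly
    // valid string of more than 3 characters, which is the point made above.
    if (strlen($message) < 3 || strlen($message) > 5000) {
        $errors['message'] = 'Message must be between 3 and 5000 characters.';
    }
    return $errors;
}

/**
 * Step 2: escape for the output context. Every value echoed back into the
 * form's HTML (the value="..." attributes in the posted form) goes through this.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Step 3: filter for the mail context. The body is sent as text/plain so any
 * HTML in the message is inert in the recipient's mail client, and the
 * visitor's name and address are written into the body rather than into the
 * header block, so a line break in either field cannot add a header.
 */
function build_mail(array $post, string $to): array
{
    $body = "Name: " . $post['name'] . "\n"
          . "Email: " . $post['email'] . "\n\n"
          . $post['message'] . "\n";
    $headers = "Content-Type: text/plain; charset=UTF-8\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return ['to' => $to, 'subject' => 'Contact form', 'body' => $body, 'headers' => $headers];
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'message' => '<script>alert(1)</script> Hello!',
];

$errors = validate_contact($sample);
if ($errors === []) {
    // Validation passes even though the message contains markup...
    $mail = build_mail($sample, 'myemail@example.com');
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo "Would send:\n" . $mail['body'];
    // ...so the value is escaped before it is placed back into the page.
    echo '<input type="text" name="message" value="' . h($sample['message']) . '">' . "\n";
} else {
    foreach ($errors as $field => $msg) {
        echo h($field) . ': ' . h($msg) . "\n";
    }
}
```

Run with php on the command line: the sample passes validation, yet the echoed input renders the message as &lt;script&gt;alert(1)&lt;/script&gt; Hello! instead of live markup. The separation matters because the same value needs different treatment in each place it is used: htmlspecialchars() for the HTML attribute, a plain-text body for the mail, and no visitor-supplied data in mail headers at all.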
Tintin81
Forum Newbie
Posts: 2
Joined: Tue Jan 22, 2008 4:08 am

Re: PHP Contact Form Mailer

Post by Tintin81 »

OK, good point. But isn't the PHP::Validate module doing that for me? I think I read it somewhere, but I'm not entirely sure. I just got into PHP a short while ago...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Contact Form Mailer

Post by Christopher »

Maybe, I don't know the details of that library.
(#10850)