
PHP Contact Form Mailer

Posted: Tue Jan 22, 2008 4:12 am
by Tintin81
Hey, I'm new to this forum, and I wonder if you can help me with this: I am currently working on a php contact form using the PEAR::Validate package. The form I am developing is for a large client, so I want to make sure the input validation really works and has no security gaps.

Maybe some of you can take a look at the code I came up with (I tried really hard to keep it simple):

<?php
require_once('Validate.php'); // PEAR::Validate

// Include file to strip quotes if needed
// require_once('MagicQuotes/strip_quotes.php');

$errors = array('name'=>'','email'=>'','message'=>''); // Initialize errors array

$ok = false;
if (isset($_POST['submit'])) { // If the form is submitted...

    $ok = true;
    // Name: letters and spaces only, at least 3 characters
    $name_options = array('format'=>VALIDATE_ALPHA.VALIDATE_SPACE,'min_length'=>3);
    // Message: at least 3 characters, content otherwise unrestricted
    $message_options = array('min_length'=>3);

    if (!Validate::string($_POST['name'],$name_options)) {
        $errors['name']=' class="error"';
        $ok = false;
    }

    if (!Validate::email($_POST['email'])) {
        $errors['email']=' class="error"';
        $ok = false;
    }

    if (!Validate::string($_POST['message'],$message_options)) {
        $errors['message']=' class="error"';
        $ok = false;
    }
}

if ($ok) {
    // Every field validated: send the message body as submitted
    mail('myemail@gmail.com', 'Test', $_POST['message']);
    echo "<b>Thanks for your message!</b>";
}
else {
    // Not submitted yet, or validation failed: (re)display the form,
    // marking failed fields with the error class and echoing back the submitted values
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
    <title>Form</title>
    <link rel="stylesheet" href="styles.css" type="text/css" media="screen" />
</head>

<body>
    <form method="post">
    <div>
        <label<?php echo ($errors['name']); ?>>Name:</label>
        <span><input type="text" name="name" value="<?php echo(@$_POST['name']);?>"></span>
    </div>
    <div>
        <label<?php echo ($errors['email']); ?>>Email:</label>
        <span><input type="text" name="email" value="<?php echo(@$_POST['email']);?>"></span>
    </div>
    <div>
        <label<?php echo ($errors['message']); ?>>Message:</label>
        <span><input type="text" name="message" value="<?php echo(@$_POST['message']);?>"></span>
    </div>
    <div>
        <span><input type="submit" name="submit" value="send"></span>
    </div>
    </form>
<?php
}
?>
</body>
</html>
 
I also uploaded this file to here. Feel free to try it out and see if it works (I think it does!).

The code seems to work ok, but is it really safe? How could it be further improved? Thanks for any feedback...

Re: PHP Contact Form Mailer

Posted: Tue Jan 22, 2008 1:22 pm
by Jonah Bron
It looks secure from here -- as long as PEAR::Validate is secure... :roll:

Welcome to the PHPDN!

Re: PHP Contact Form Mailer

Posted: Tue Jan 22, 2008 2:25 pm
by Christopher
Even though you validate, you should still filter and escape the values appropriately before you use them. For example, I only see you validating the name and message as strings, but not limiting the contents to disallow HTML.
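An added example (not code from the thread) of the filter-and-escape step Christopher describes: every value is passed through htmlspecialchars() when it is echoed back into the form, the name is restricted to the letters-and-spaces rule the original options express, and a message containing tags is rejected rather than cleaned. The helper names h() and validate_contact() are assumptions, and the built-in filter_var() stands in for PEAR::Validate::email().

```php
<?php
// Added example, not from the thread. Helper names are assumptions.

// Escape a value for safe insertion into HTML text or a quoted attribute.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Validate the three fields. Returns array($errors, $cleanValues).
function validate_contact(array $post) {
    $errors  = array();
    $name    = isset($post['name'])    ? trim($post['name'])    : '';
    $email   = isset($post['email'])   ? trim($post['email'])   : '';
    $message = isset($post['message']) ? trim($post['message']) : '';

    // Letters and spaces only, at least 3 characters (the thread's VALIDATE_ALPHA.VALIDATE_SPACE rule).
    if (!preg_match('/^[A-Za-z ]{3,}$/', $name)) {
        $errors['name'] = 'Name must be at least 3 letters or spaces.';
    }
    // Built-in replacement for Validate::email().
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address.';
    }
    // Validation alone accepts markup; reject any message whose tags strip_tags() would remove.
    if (strlen($message) < 3 || $message !== strip_tags($message)) {
        $errors['message'] = 'Message must be plain text of at least 3 characters.';
    }
    return array($errors, compact('name', 'email', 'message'));
}

if (isset($_POST['submit'])) {
    list($errors, $clean) = validate_contact($_POST);
    if (!$errors) {
        // Plain-text body only; the sender address goes in the body, not in a header.
        $body = "From: " . $clean['email'] . "\n\n" . $clean['message'];
        mail('RECIPIENT@example.com', 'Contact form', $body); // placeholder recipient
        echo '<b>Thanks for your message, ' . h($clean['name']) . '!</b>';
        exit;
    }
    // Re-display the form: each echoed value and each error goes through h().
    foreach (array('name', 'email', 'message') as $field) {
        $mark = isset($errors[$field]) ? ' class="error"' : '';
        printf('<label%s>%s</label><input type="text" name="%s" value="%s">' . "\n",
               $mark, h(ucfirst($field)), $field, h($clean[$field]));
    }
}
```

With this, a submitted name of `<script>` never reaches the page as markup: it fails the name check, and the value echoed back into the input is the escaped `&lt;script&gt;`.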

Re: PHP Contact Form Mailer

Posted: Tue Jan 22, 2008 2:43 pm
by Tintin81
OK, good point. But isn't the PHP::Validate module doing that for me? I think I read it somewhere, but I'm not entirely sure. I just got into PHP a short while ago...

Re: PHP Contact Form Mailer

Posted: Tue Jan 22, 2008 2:47 pm
by Christopher
Maybe, I don't know the details of that library.