PHP Contact Form Mailer
Posted: Tue Jan 22, 2008 4:12 am
Hey, I'm new to this forum, and I wonder if you can help me with this: I am currently working on a php contact form using the PEAR::Validate package. The form I am developing is for a large client, so I want to make sure the input validation really works and has no security gaps.
Maybe some of you can take a look at the code I came up with (I tried really hard to keep it simple):
I also uploaded this file to here. Feel free to try it out and see if it works (I think it does!).
The code seems to work ok, but is it really safe? How could it be further improved? Thanks for any feedback...
Code:
<?php
require_once('Validate.php'); // PEAR::Validate
// Include file to strip quotes if needed
// require_once('MagicQuotes/strip_quotes.php');

$errors = array('name' => '', 'email' => '', 'message' => ''); // Initialize errors array
$ok = false;

if (isset($_POST['submit'])) { // If the form is submitted...
    $ok = true;
    // Name: letters and spaces only, at least 3 characters
    $name_options    = array('format' => VALIDATE_ALPHA . VALIDATE_SPACE, 'min_length' => 3);
    // Message: any characters, at least 3 of them
    $message_options = array('min_length' => 3);

    if (!Validate::string($_POST['name'], $name_options)) {
        $errors['name'] = ' class="error"';
        $ok = false;
    }
    if (!Validate::email($_POST['email'])) {
        $errors['email'] = ' class="error"';
        $ok = false;
    }
    if (!Validate::string($_POST['message'], $message_options)) {
        $errors['message'] = ' class="error"';
        $ok = false;
    }
}

if ($ok) {
    mail('myemail@gmail.com', 'Test', $_POST['message']);
    echo "<b>Thanks for your message!</b>";
}
else {
    // Submitted values are escaped with htmlspecialchars() before being echoed back
    // into the form, so user input cannot break out of the value="" attribute.
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
    <title>Form</title>
    <link rel="stylesheet" href="styles.css" type="text/css" media="screen" />
</head>
<body>
<form method="post">
    <div>
        <label<?php echo $errors['name']; ?>>Name:</label>
        <span><input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name'], ENT_QUOTES) : ''; ?>"></span>
    </div>
    <div>
        <label<?php echo $errors['email']; ?>>Email:</label>
        <span><input type="text" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email'], ENT_QUOTES) : ''; ?>"></span>
    </div>
    <div>
        <label<?php echo $errors['message']; ?>>Message:</label>
        <span><input type="text" name="message" value="<?php echo isset($_POST['message']) ? htmlspecialchars($_POST['message'], ENT_QUOTES) : ''; ?>"></span>
    </div>
    <div>
        <span><input type="submit" name="submit" value="send"></span>
    </div>
</form>
</body>
</html>
<?php
}
?>
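An added example, not the poster's code: the same three checks the form performs, re-implemented with PHP's built-in preg_match and filter_var in place of PEAR::Validate (so it runs without PEAR), exercised against constructed submissions, and followed by the output escaping the form needs when it echoes values back. The function names validate_contact and h are assumed.

```php
<?php
// Same rules as the form: name = letters/spaces, min 3; email = valid address; message = min 3.
// Returns an array of field names that failed (empty array means the submission is acceptable).
function validate_contact(array $post) {
    $errors  = array();
    $name    = isset($post['name'])    ? trim($post['name']) : '';
    $email   = isset($post['email'])   ? $post['email']      : '';
    $message = isset($post['message']) ? $post['message']    : '';

    // Equivalent of VALIDATE_ALPHA . VALIDATE_SPACE with min_length 3
    if (!preg_match('/^[A-Za-z ]{3,}$/', $name)) {
        $errors['name'] = true;
    }
    // A single address only; multi-line values fail, so the result is safe to reuse elsewhere
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = true;
    }
    if (strlen($message) < 3) {
        $errors['message'] = true;
    }
    return $errors;
}

// Escape a value before placing it in an HTML attribute or element body.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions (not real traffic)
$cases = array(
    'valid'           => array('name' => 'Jane Doe', 'email' => 'jane@example.com', 'message' => 'Hello there'),
    'markup in name'  => array('name' => '<b>Jane</b>', 'email' => 'jane@example.com', 'message' => 'Hi!'),
    'multiline email' => array('name' => 'Jane Doe', 'email' => "jane@example.com\r\nsecond line", 'message' => 'Hi!'),
    'short message'   => array('name' => 'Jane Doe', 'email' => 'jane@example.com', 'message' => 'Hi'),
);
foreach ($cases as $label => $post) {
    $errors = validate_contact($post);
    echo $label, ': ', $errors ? 'rejected (' . implode(', ', array_keys($errors)) . ')' : 'accepted', "\n";
}

// Validation alone does not make echoing safe: the message rule accepts any characters,
// so every value written back into the form still goes through h().
echo h($cases['markup in name']['name']), "\n";
```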