Critique and help improve my contact form
Posted: Thu Jun 05, 2008 9:53 am
I want to create a contact form but this time I want to optimize it.
1) Is it secure enough? Can it prevent injections? (I am also going to add a captcha to it later.)
2) The contact.php form page executes send.php after the submit button is pressed. How can I make it so that errors like "First name field is not complete." appear at the top of my contact form instead of on a new white page? I had an idea of writing those error messages to a file and including them, but that would be a problem if multiple users were using the form at the same time. Isn't there a way to pass those messages as variables to the contact form?
send.php
<?php
//Contact Form
//the sending address [From]
$from = "info@mydomain.com";
//the destination address [To]
$to = "info@mydomain.com";
//the message subject
$subject = "New Contact";
//ip list filename
$ip_file="ip-list.txt";
//function email_validate
function email_validate ($email)
{
if (strlen (trim ($email)))
return (eregi("^[a-z0-9]([_\\.\\-]?[a-z0-9]+)*@((([a-z0-9]+[a-z0-9\\-]*[a-z0-9]+)|[a-z0-9])+\\.)+[a-z]{2,10}$", $email));
return false;
}
//get variables from form
$first = $_POST['first']; //first name
$last = $_POST['last']; //last name
$day = $_POST['day'];
$month = $_POST['month'];
$year = $_POST['year'];
$address = $_POST['address'];
$number = $_POST['arithm'];
$city = $_POST['city'];
$tk = $_POST['tk']; //zip code
$email = $_POST['email'];
$url = $_POST['url']; //how you learned about us, survey question
$message = $_POST['message']; //user message
//get IP address
$ip=$_SERVER['REMOTE_ADDR'];
//read file and check the IPs from the array
$ip_id=fopen($ip_file,"r");
$ip_array=fread($ip_id,9999);
fclose($ip_id);
$ip_array = explode("\n", $ip_array);
//check the IP
if(in_array($_SERVER['REMOTE_ADDR'], $ip_array))
{
//blocked IP returned, display error and stop submission
echo "<center><font family='Verdana'><font >We are sorry but your IP address <font color='red'><b>$ip</b></font> has been blocked from using the contact form.<br /></font></center>";
}
else
{
//IP not in blocked IP list, allow contact
//check the required fields and validate email
$email_is_valid=email_validate($email);
if ($first=="" || $last=="" || $message=="" || $email=="" || $email_is_valid==false)
{
//some of the required fields are not filled
if ($first==""){echo "First name field is not complete.<br />";}
if ($last==""){echo "Surname field is not complete.<br />";}
if ($message==""){echo "Message field is not complete.<br />";}
if ($email_is_valid==false){echo "The email address "; if ($email==""){echo "is not complete and ";} echo "is not valid.<br />";}
}
else
{
//all required fields are completed
//wrap characters so the message shows shorter
$wrappedmessage =wordwrap($message, 50, "<br />\n");
//set the message content
$form_message = "
This is the email that is delivered. It's going to have all variables passed from the form in it.
";
//set the mail headers
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=utf-8\r\n";
$headers .= "To: <$to>\r\n";
$headers .= "From: <$from>\r\n";
//send the message
mail($to, $subject, $form_message, $headers);
//output success html to the user
echo "<center><p style='a:link {color: #840E64;text-decoration: none;}'><font color='black'><center>message success</center></font><br /><a href='javascript:history.back();'><b>[Back]</b></a></p></center>";
}
}
?>
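Both questions in the post can be answered with one self-posting page: the form and its handler live in the same file, the validation errors are collected in a PHP array rather than echoed one by one, and that array is printed at the top of the form when the page re-renders, so no file and no second white page is needed. The following is an added example, not the poster's code; it assumes the file is saved as contact.php (the name used in the post) and reuses the info@mydomain.com address from the original script. The injection side is handled the same way: the visitor's address is syntax-checked and rejected if it contains CR or LF, it is placed in Reply-To rather than From, and every value echoed back into the page goes through htmlspecialchars.

```php
<?php
// Added example (not the poster's code): a single self-posting contact page that
// validates input, keeps the error list in a PHP array, and prints the errors at
// the top of the same form instead of on a separate blank page.
// Assumed: this file is contact.php and the form posts to itself.

$to      = "info@mydomain.com";   // destination address, taken from the original post
$subject = "New Contact";

$errors = array();   // one string per validation problem, shown above the form
$sent   = false;
$values = array('first' => '', 'last' => '', 'email' => '', 'message' => '');

// Read a POST field without triggering an undefined-index notice.
function post_field($name)
{
    return isset($_POST[$name]) ? trim((string) $_POST[$name]) : '';
}

// Escape anything that came from the browser before echoing it back.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach ($values as $name => $unused) {
        $values[$name] = post_field($name);
    }

    if ($values['first'] === '')   { $errors[] = "First name field is not complete."; }
    if ($values['last'] === '')    { $errors[] = "Surname field is not complete."; }
    if ($values['message'] === '') { $errors[] = "Message field is not complete."; }

    // filter_var checks the address syntax; the explicit CR/LF test is what keeps
    // a crafted address from adding extra lines to the mail headers below.
    if ($values['email'] === '') {
        $errors[] = "The email address is not complete.";
    } elseif (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false
              || preg_match('/[\r\n]/', $values['email'])) {
        $errors[] = "The email address is not valid.";
    }

    if (count($errors) === 0) {
        // Body is built from the validated values only; the visitor's address goes
        // in Reply-To, never in From, so the From header stays under our control.
        $body  = "Name: " . $values['first'] . " " . $values['last'] . "\n";
        $body .= "Email: " . $values['email'] . "\n\n";
        $body .= wordwrap($values['message'], 70, "\n");

        $headers  = "From: <$to>\r\n";
        $headers .= "Reply-To: <" . $values['email'] . ">\r\n";
        $headers .= "Content-Type: text/plain; charset=utf-8\r\n";

        if (mail($to, $subject, $body, $headers)) {
            $sent = true;
        } else {
            $errors[] = "The message could not be sent. Please try again later.";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Contact</title></head>
<body>
<?php if ($sent): ?>
    <p>message success</p>
<?php else: ?>
    <?php if (count($errors) > 0): ?>
    <ul class="errors">
        <?php foreach ($errors as $error): ?>
        <li><?php echo h($error); ?></li>
        <?php endforeach; ?>
    </ul>
    <?php endif; ?>
    <form method="post" action="contact.php">
        <label>First name <input type="text" name="first" value="<?php echo h($values['first']); ?>"></label><br>
        <label>Surname <input type="text" name="last" value="<?php echo h($values['last']); ?>"></label><br>
        <label>Email <input type="text" name="email" value="<?php echo h($values['email']); ?>"></label><br>
        <label>Message <textarea name="message"><?php echo h($values['message']); ?></textarea></label><br>
        <input type="submit" value="Send">
    </form>
<?php endif; ?>
</body>
</html>
```

Because the values live in PHP variables for the duration of one request, two visitors submitting at the same moment never see each other's errors, which is the concurrency problem the file-based idea would have had. Re-filling the fields from the escaped `$values` array also spares the visitor from retyping everything after a validation failure.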