Is this PHP form processing script safe from hackers and spammers?
I don't know very much about using PHP for online form submissions. However, I copied this PHP out of a tutorial. Does this script provide everything I need to protect myself from spammers and hackers?
If not could you please insert the proper precautions into this script.
Thank you in advance
[php]
<?php
/* Set e-mail recipient */
$myemail = "firstname.lastname@example.org";
$subject = "internet contact form submission";
/* Check all form inputs using check_input function */
$name     = check_input($_POST['name'] ?? '', "Enter your name");
$email    = check_input($_POST['email'] ?? '');
$phone    = check_input($_POST['phone'] ?? '');
$company  = check_input($_POST['company'] ?? '');
$comments = check_input($_POST['comments'] ?? '');
/* If e-mail is not valid show error message */
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email))
    show_error("Please enter a valid E-mail address");
/* Let's prepare the message for the e-mail (the body lines were cut off in the post; the fields below are the ones collected above) */
$message = "Greetings
Your contact form has been submitted by:
Name: $name
E-mail: $email
Phone: $phone
Company: $company
Comments: $comments
End of message
";
/* Send the message using mail() function; $email only appears in the body, never in the headers argument */
mail($myemail, $subject, $message);
/* Redirect visitor to the thank you page (page name is a placeholder) */
header('Location: thankyou.html');
exit();
/* Functions we used */
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
        show_error($problem);
    return $data;
}
function show_error($myError)
{
?>
<b>Please correct the following error:</b><br />
<?php echo $myError; ?>
<?php
    exit();
}
[/php]
Looks to be safe from being used to relay spam (no mail header injection). I would probably add some stuff to make it more difficult for robot scripts to submit it. Also, the email validation pattern used in the preg_match() is likely to give false negatives on some valid email addresses (e.g.: "email@example.com" would fail). I use this validation function.
PS: If you wrap your code examples in [php]...[/php] tags, it's much easier to read.
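As an added example (not the thread's script and not NogDog's linked validation function), the same handler rebuilt for the case the reply is guarding against: here the visitor's address is placed in a Reply-To header, so a line break in it would become an extra header and must be refused before use. The hidden "website" honeypot field is an assumption about the HTML form.

```php
<?php
/* Added example: contact handler where $email reaches the headers argument of
 * mail(), so input has to be checked for header separators first.
 * Assumes the HTML form carries a hidden "website" field that humans leave empty. */

function show_error(string $myError): void
{
    echo '<b>Please correct the following error:</b><br />'
       . htmlspecialchars($myError, ENT_QUOTES, 'UTF-8');
    exit;
}

/* A CR or LF inside a value is what turns "address" into "address\r\nBcc: ...":
 * refuse the submission outright instead of trying to strip the characters. */
function check_input(string $data, string $problem = ''): string
{
    $data = trim($data);
    if ($problem !== '' && $data === '') {
        show_error($problem);
    }
    if (preg_match('/[\r\n]/', $data)) {
        show_error("Line breaks are not allowed in this field");
    }
    return $data;
}

/* filter_var accepts ordinary addresses the tutorial regex is said to reject
 * and itself refuses anything that carries header separators. */
function valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/* Robot scripts tend to fill every field; a human never sees this hidden one. */
if (!empty($_POST['website'])) {
    show_error("Submission rejected");
}

$name     = check_input($_POST['name'] ?? '', "Enter your name");
$email    = check_input($_POST['email'] ?? '');
$comments = trim($_POST['comments'] ?? '');   /* body only, line breaks are fine here */
if (!valid_email($email)) {
    show_error("Please enter a valid E-mail address");
}

/* Only after both checks is it safe to put $email into a header line. */
$headers = "Reply-To: $email\r\n";
mail("firstname.lastname@example.org", "internet contact form submission",
     "Name: $name\nE-mail: $email\n\n$comments", $headers);
```

The original script stays safe without the newline check only because it never passes $email to the headers argument; the moment a Reply-To or From header is added, this check is what keeps the form from being usable as a relay.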
Someone else told me it offered no protection at all. Now I am really confused. Is this thing safe to put on my website? I looked at the link you gave and it looks very complicated, and I don't know what version to choose.
I think there was a little bit of "skim" not "read" going on in the other reply where it was mentioned that this offered no protection. Knowing that this will fall within the following:
1) Not be displayed back to the page
2) Not stored in a database
you can eliminate a good portion of the security practices that are only used for those situations.
Thanks for answering. Would you use that script on your page and feel safe about it?
I would have to agree with NogDog:
And also that your email validation might need a brush up. You can use his provided link above to address that.
Looks to be safe from being used to relay spam (no mail header injection). I would probably add some stuff to make it more difficult for robot scripts to submit it.
Thanks, criterion and NogDog.