Contact Form - The Right Way

[jzm]

Hello,

I have used the below process code for years and now I am looking to improve it and improve security etc.

I have a couple of questions:

* Is it better to validate in JS or PHP?
* How Could I Improve This Script To Avoid Spammers or XSS Attacks?



This is only my minimal code. I have another one that processes value="<? value" of the check boxes etc.

I am just going around in circles trying to google etc.

PHP Code:

<?php
 
        session_start();
         
        if (!empty($_POST['validation']) && strlen($_POST['validation'])==10){
             
            $subject = "Website Contact";
             
        //print_r($_POST); die();
            $required_fields = array('name', 'email','message'); // added 'checkbox' for required.
             
            foreach($_POST as $key => $value) {
         
                $_SESSION[$key] = trim($value);
                 
                if(in_array($key, $required_fields) && empty($value)) $errors[$key] = ucwords($key) .' is required!';
            }
         
             
            // make sure a valid email address is entered.
            if(!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $_SESSION['email'])) {
                 
                $errors['email'] = 'A Valid email address is required!';
                 
            }
         
            if(!$errors) {
                         
                $message = $_SESSION['subject'] ."\n\n";
         
                $message .= "Name: ". $_SESSION['name'] ."\n\n";
                         
              $message .= "E-Mail: ". $_SESSION['email'] ."\n\n";
         
                $message .= "Message: ". wordwrap ($_SESSION['message']) ."\n\n";
                 
             $message .= "\n\n";
 
                $message .= date('j/m/Y g:ia');
         
                $headers  = "From:" . $_SESSION['name'] ." <". $_SESSION['email'] .">\n";
                 
            $headers .= "Reply-To: ". $_SESSION['name'] ." <". $_SESSION['email'] .">\n";
         
                $headers .= "Return-Path: ". $_SESSION['name'] ." <". $_SESSION['email'] .">\n";
         
                $headers .= "Bcc: \n";
                 
                 
                if(mail($to, $subject, $message,$headers)){
         
                    $errors['heading'] = "<p>Thank You, Your enquiry has been sent.</p>";

                }else{
         
                    $errors['heading'] = "ERROR! There was a system error, Please send your enquiry again.";
         
                }
         
         
            }
         
         
         
        }
            $_SESSION['error'] = $errors;
            header("Location: ../../contact.php");
            die();
   
            session_destroy ();
        ?>

[NogDog]

JS validation will do nothing to stop any except the most inept of spammers. (All they have to do is disable JavaScript in their browser, in most cases, and 'bots will ignore it anyway.) That's not to say you can't use JS validation as a convenience to your users, but you still need to do any validation -- at least any important stuff -- on the server side.

A couple things I've done that seem to prevent a lot of 'bots from spamming through the form are:

1. Use PHP sessions, generate a random string (e.g. with uniqid()), save that in a session variable and put it into a hidden input field. When the form is submitted, reject it if that input does not match the value in the session data.

2. Create a text input field with some common label, but that you don't actually need. Use CSS styling to make it "display:none". Then in the form processor, if that field has anything entered in it, reject it as a 'bot.

[Belrick]

Use JS to authenticate must be completed parts of the form.

eg:

HTML Code:

if(""==document.forms.contact.name.value)
{
alert("Please provide a name.");
document.forms.contact.name.focus();
return false;
}
}