
Thread: Contact Form - The Right Way

  1. #1
    Join Date
    Aug 2007

    Contact Form - The Right Way


    I have used the process code below for years, and now I am looking to improve it and improve security, etc.

    I have a couple of questions:

    * Is it better to validate in JS or PHP?
    * How could I improve this script to avoid spammers or XSS attacks?

    This is only my minimal code. I have another one that processes value="<? value" of the check boxes, etc.

    I am just going around in circles trying to Google, etc.

    PHP Code:
    session_start(); // $_SESSION is used below, so the session must be started first (not in the post as extracted)
    if (!empty($_POST['validation']) && strlen($_POST['validation']) == 10) {
        $subject = "Website Contact";
        //print_r($_POST); die();
        $required_fields = array('name', 'email', 'message'); // added 'checkbox' for required.
        $errors = array();
        foreach ($_POST as $key => $value) {
            $_SESSION[$key] = trim($value);
            if (in_array($key, $required_fields) && empty($value)) $errors[$key] = ucwords($key) . ' is required!';
        }
        // make sure a valid email address is entered.
        if (!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $_SESSION['email'])) {
            $errors['email'] = 'A Valid email address is required!';
        }
        if (!$errors) {
            $message  = $_SESSION['subject'] . "\n\n";
            $message .= "Name: " . $_SESSION['name'] . "\n\n";
            $message .= "E-Mail: " . $_SESSION['email'] . "\n\n";
            $message .= "Message: " . wordwrap($_SESSION['message']) . "\n\n";
            $message .= "\n\n";
            $message .= date('j/m/Y g:ia');
            // name and email are placed straight into mail headers here; only the regex above has checked them
            $headers  = "From:" . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
            $headers .= "Reply-To: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
            $headers .= "Return-Path: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
            $headers .= "Bcc: \n";
            $to = 'RECIPIENT_ADDRESS'; // the recipient is not shown in the post; placeholder
            if (mail($to, $subject, $message, $headers)) {
                $errors['heading'] = "<p>Thank You, Your enquiry has been sent.</p>";
            } else {
                $errors['heading'] = "ERROR! There was a system error, Please send your enquiry again.";
            }
        }
        $_SESSION['error'] = $errors;
        header("Location: ../../contact.php");
        session_destroy(); // note: this discards $_SESSION['error'] before contact.php can read it
        exit;
    }

  2. #2
    Join Date
    Aug 2004
    JS validation will do nothing to stop anyone except the most inept of spammers. (All they have to do is disable JavaScript in their browser, in most cases, and 'bots will ignore it anyway.) That's not to say you can't use JS validation as a convenience to your users, but you still need to do any validation -- at least any important stuff -- on the server side.

    A couple of things I've done that seem to prevent a lot of 'bots from spamming through the form are:

    1. Use PHP sessions, generate a random string (e.g. with uniqid()), save that in a session variable and put it into a hidden input field. When the form is submitted, reject it if that input does not match the value in the session data.

    2. Create a text input field with some common label, but that you don't actually need. Use CSS styling to make it "display:none". Then in the form processor, if that field has anything entered in it, reject it as a 'bot.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
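The two checks described in the reply above (a session token echoed through a hidden field, and a CSS-hidden honeypot field), combined with the server-side validation the reply insists on, as one self-contained script. This is an added example, not code from the thread or from any poster. It assumes form field names `name`, `email`, `message`, `form_token` and `website` (the honeypot), uses `random_bytes()` in place of the `uniqid()` the reply mentions, leaves the `mail()` call commented out with a placeholder recipient so the page runs without a mail transport, and also escapes the re-displayed values with `htmlspecialchars()`, which addresses the XSS part of the original question:

```php
<?php
// Added example (not from the thread). Assumed field names: name, email, message,
// form_token (hidden anti-bot token) and website (honeypot, hidden with CSS).
session_start();

// Post #2, item 1: one random token per session, stored server-side and put in a hidden input.
function issue_form_token() {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(16)); // uniqid() would also do, as in the reply
    }
    return $_SESSION['form_token'];
}

// Server-side validation. Returns an array of error messages; empty array means the submission is good.
function validate_contact(array $post, $session_token) {
    $errors = array();

    // Item 1: the hidden token must match the session copy (constant-time compare).
    if (empty($post['form_token']) || empty($session_token)
        || !hash_equals($session_token, $post['form_token'])) {
        $errors['token'] = 'Form token missing or invalid.';
    }

    // Item 2: a human never sees the "website" field, so anything in it marks a bot.
    if (!empty($post['website'])) {
        $errors['honeypot'] = 'Rejected as a bot.';
    }

    foreach (array('name', 'email', 'message') as $field) {
        if (trim($post[$field] ?? '') === '') {
            $errors[$field] = ucwords($field) . ' is required!';
        }
    }

    // Let PHP validate the address rather than a hand-written regex.
    if (!empty($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required!';
    }

    // Values that end up in mail headers must be single-line; a CR/LF inside them
    // would let the submitter append headers of their own (e.g. extra Bcc: lines).
    foreach (array('name', 'email') as $field) {
        if (isset($post[$field]) && preg_match('/[\r\n]/', $post[$field])) {
            $errors[$field] = ucwords($field) . ' must be a single line.';
        }
    }
    return $errors;
}

$errors = array();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST, $_SESSION['form_token'] ?? '');
    if (!$errors) {
        $headers = "From: " . $_POST['name'] . " <" . $_POST['email'] . ">\r\n"
                 . "Reply-To: " . $_POST['email'] . "\r\n";
        // mail('RECIPIENT_ADDRESS', 'Website Contact', wordwrap($_POST['message']), $headers); // placeholder recipient
        unset($_SESSION['form_token']); // one submission per token
        echo '<p>Thank you, your enquiry has been sent.</p>';
        exit;
    }
}

$token = issue_form_token();
// Escape anything echoed back into the page so a submitted value cannot inject markup.
$old = function ($key) { return htmlspecialchars($_POST[$key] ?? '', ENT_QUOTES, 'UTF-8'); };
?>
<form method="post" action="">
  <?php foreach ($errors as $e) echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>'; ?>
  <input type="hidden" name="form_token" value="<?= $token ?>">
  <!-- Honeypot: hidden by CSS, so a person leaves it empty and a form-filling bot does not. -->
  <div style="display:none"><label>Website <input type="text" name="website" autocomplete="off"></label></div>
  <label>Name <input type="text" name="name" value="<?= $old('name') ?>"></label>
  <label>Email <input type="text" name="email" value="<?= $old('email') ?>"></label>
  <label>Message <textarea name="message"><?= $old('message') ?></textarea></label>
  <button type="submit">Send</button>
</form>
```

The token is only cleared after a successful send, so a user who gets a validation error can correct the form and resubmit with the same token; a bot that posts without first loading the form has no token in its session and is rejected before any mail is built.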

  3. #3
    Join Date
    Apr 2010
    Use JS to authenticate the must-be-completed parts of the form.

    HTML Code:
    if (form.name.value == "") {   // condition assumed; only the alert and return were posted
        alert("Please provide a name.");
        return false;
    }
