www.webdeveloper.com

Thread: Contact Form - The Right Way

  1. #1
    Join Date
    Aug 2007
    Posts
    20

    Contact Form - The Right Way

    Hello,

    I have used the below process code for years and now I am looking to improve it and improve security etc.

    I have a couple of questions:

    * Is it better to validate in JS or PHP?
    * How could I improve this script to avoid spammers or XSS attacks?

    This is only my minimal code. I have another one that processes value="<? value" of the check boxes etc.

    I am just going around in circles trying to google etc.

    PHP Code:
    <?php
    session_start();

    $errors = array();   // must be initialised, or if(!$errors) below raises a notice
    // NOTE: $to is never defined in this script; mail() has no recipient as posted.

    if (!empty($_POST['validation']) && strlen($_POST['validation']) == 10) {

        $subject = "Website Contact";

        //print_r($_POST); die();

        $required_fields = array('name', 'email', 'message'); // added 'checkbox' for required.

        // copy every posted field into the session, trimmed, and flag empty required ones
        foreach ($_POST as $key => $value) {
            $_SESSION[$key] = trim($value);
            if (in_array($key, $required_fields) && empty($value)) $errors[$key] = ucwords($key) . ' is required!';
        }

        // make sure a valid email address is entered.
        if (!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $_SESSION['email'])) {
            $errors['email'] = 'A Valid email address is required!';
        }

        if (!$errors) {
            $message  = $_SESSION['subject'] . "\n\n";
            $message .= "Name: " . $_SESSION['name'] . "\n\n";
            $message .= "E-Mail: " . $_SESSION['email'] . "\n\n";
            $message .= "Message: " . wordwrap($_SESSION['message']) . "\n\n";
            $message .= "\n\n";
            $message .= date('j/m/Y g:ia');

            // visitor-supplied name and email go straight into the mail headers
            $headers  = "From:" . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
            $headers .= "Reply-To: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
            $headers .= "Return-Path: " . $_SESSION['name'] . " <" . $_SESSION['email'] . ">\n";
            $headers .= "Bcc: \n";

            if (mail($to, $subject, $message, $headers)) {
                $errors['heading'] = "<p>Thank You, Your enquiry has been sent.</p>";
            } else {
                $errors['heading'] = "ERROR! There was a system error, Please send your enquiry again.";
            }
        }
    }

    $_SESSION['error'] = $errors;
    header("Location: ../../contact.php");
    die();

    session_destroy(); // never reached: die() above ends the script
    ?>

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,529
    JS validation will do nothing to stop any except the most inept of spammers. (All they have to do is disable JavaScript in their browser, in most cases, and 'bots will ignore it anyway.) That's not to say you can't use JS validation as a convenience to your users, but you still need to do any validation -- at least any important stuff -- on the server side.

    A couple things I've done that seem to prevent a lot of 'bots from spamming through the form are:

    1. Use PHP sessions, generate a random string (e.g. with uniqid()), save that in a session variable and put it into a hidden input field. When the form is submitted, reject it if that input does not match the value in the session data.

    2. Create a text input field with some common label, but that you don't actually need. Use CSS styling to make it "display:none". Then in the form processor, if that field has anything entered in it, reject it as a 'bot.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
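    A worked version of the two checks described above, as an added example (not the reply's or the original poster's code); it also closes the mail-header injection and XSS gaps in the script from post #1. The field names, the recipient address and PHP 7 (for random_bytes) are assumptions.

```php
<?php
// Added example (not the poster's code): hardened processor combining the session
// token and honeypot checks from reply #2 with header-injection and XSS defences.
// Field names, recipient and PHP >= 7 (random_bytes) are assumptions.
session_start();
$to       = 'you@example.com';   // assumed recipient
$honeypot = 'website';           // hidden input a human never fills in
$errors   = array();
// 1. Session token: the form page must have set
//    $_SESSION['form_token'] = bin2hex(random_bytes(16)); and echoed it into
//    <input type="hidden" name="form_token" value="...">.
$sent = isset($_POST['form_token']) ? (string) $_POST['form_token'] : '';
if (empty($_SESSION['form_token']) || !hash_equals($_SESSION['form_token'], $sent)) {
    $errors['token'] = 'Form token missing or stale, please reload the page.';
}
unset($_SESSION['form_token']);  // one submission per token
// 2. Honeypot: bots fill every input; the CSS-hidden one must stay empty.
if (!empty($_POST[$honeypot])) {
    $errors['bot'] = 'Submission rejected.';
}
// 3. Validate on the server regardless of any JS checks in the browser.
$fields = array();
foreach (array('name', 'email', 'message') as $key) {
    $value = isset($_POST[$key]) ? trim((string) $_POST[$key]) : '';
    if ($value === '') $errors[$key] = ucwords($key) . ' is required!';
    $fields[$key] = $value;
}
if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors['email'] = 'A valid email address is required!';
}
// Nothing containing CR/LF may reach a mail header, or the sender could append
// their own To:/Bcc: lines (header injection). filter_var already rejects
// newlines in the address; the display name still needs stripping.
$safeName = preg_replace('/[\r\n]+/', ' ', $fields['name']);
if (!$errors) {
    $body = "Name: {$fields['name']}\n\nE-Mail: {$fields['email']}\n\nMessage: "
          . wordwrap($fields['message']) . "\n\n" . date('j/m/Y g:ia');
    // From: is your own domain so SPF/DKIM pass; the visitor goes in Reply-To only.
    $headers = "From: Website Contact <noreply@example.com>\r\n"
             . "Reply-To: $safeName <{$fields['email']}>\r\n";
    $errors['heading'] = mail($to, 'Website Contact', $body, $headers)
        ? 'Thank you, your enquiry has been sent.'
        : 'There was a system error, please send your enquiry again.';
}
// Plain text only; contact.php must escape it on output with htmlspecialchars().
$_SESSION['error'] = $errors;
header('Location: ../../contact.php');
exit;
```

    The token also doubles as a CSRF check, since a third-party page cannot read the value stored in the visitor's session.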

  3. #3
    Join Date
    Apr 2010
    Posts
    227
    Use JS to authenticate the must-be-completed parts of the form.

    eg:
    HTML Code:
    function validateContact()
    {
      if ("" == document.forms.contact.name.value)
      {
        alert("Please provide a name.");
        document.forms.contact.name.focus();
        return false;
      }
      return true;   // all checks passed; let the form submit
    }
