Building a secure contact form

This has been bugging me for a while now.... There are lots of ways to do this, but what's the most logical way to go about making an anti-spammer contact form? Please provide code snippets if you wish.

Thanks,
Mason

Well, I'd provide code snippets but wouldn't that essentially be giving you a free secure contact form?

In my opinion the 3 most important things to consider:

1. Confirm the users e-mail address COMPLETELY. The purpose of a contact form is to be able to respond to the person trying to get in touch with you. It's simply not enough to check the format of their e-mail address, so actually check that the domain they're using exists and has MX entries for it so it's capable of receiving mail. If using PHP the checkdnsrr function is ideal for this.

2. Anti-bot features are, unfortunately, essential to any contact form these days. Usually a simple CAPTCHA implementation is enough to thwart most scripts with relatively minimal inconvenience to legitimate users. Use CAPTCHA where possible. PHP+GD make this a breeze.

3. Something a staggering amount of people don't consider is anti-flood controls, much like those you'd find on a forum. Consider that in the worst possible scenario an "annoying" user may use your contact page to send you a flood of e-mail. Implement checks to ensure that they haven't already submitted you a message within the last few minutes. This is easily accomplished using sessions.

Apart from the other basic content checks, these would be my priority.

Thanks for those tips. I'll use 'em for sure.

Simple way is like this;

But you add as many error check as you like. Expanding on the above..

Originally Posted by enigma Simple way is like this; PHP Code: <?php if($email == "") { echo "You must enter your email!"; } else { mail(); } ?> But you add as many error check as you like. Expanding on the above.. PHP Code: <?php if($name == "") { echo "Give me your name dammit!"; } if($subject == "") { echo "Enter a subject!"; } if($email == "") { echo "You must enter your email!"; } else { if($comments == ""){ echo "Comments - Empty!"; } else { mail(); } ?>

Well, not only have you not finished an if statement in there, that's a horrid way of doing it. Just use elseifs, otherwise they could send an email without entering a name or a subject.

Well for the redirect just use a div saying success and then reveal it when the mail message goes through. I'm not an expert so does this make sense guys?

Also keep mail injection in mind
http://www.securephpwiki.com/index.php/Email_Injection

Thanks guys. I've got my contact form up and running. Security can really be a pain in the tush sometimes

Sometimes?

Originally Posted by Village Idiot Sometimes?

OK, always. My bad.