Building a secure contact form

05-24-2008, 05:01 PM
#1
BlaineSch

If you just check to see if they mailed you in the last few minutes and they were "adding" something to the last email, then you have a problem: they can't re-email you, and they might go elsewhere for work.

I would do simple checks making sure the email is in a valid format, take the IP, and add it to the database.

On one of my old sites I had a place set up in the admin panel so I could check the emails and reply to/delete them.

If they had already sent an "email" to the database, just add it to it with a separator and a new time in there.

05-24-2008, 09:03 PM
#2
mason.sklut

This is the code I used for the contact form... Any comments?
Code:
<?php

// Mail header removal: strips header names and HTML tags from a form value.
// Defined and applied before mail() so that the cleaned values are the ones sent.

	function remove_headers($string) { 
	  $headers = array(
	    "/to\:/i",
	    "/from\:/i",
	    "/bcc\:/i",
	    "/cc\:/i",
	    "/Content\-Transfer\-Encoding\:/i",
	    "/Content\-Type\:/i",
	    "/Mime\-Version\:/i" 
	  ); 
	  $string = preg_replace($headers, '', $string);
	  return strip_tags($string);
	} 

// Pick up the cleaned form data and assign it to variables
// (the comments field is posted as 'comments', not 'comment')

	$name = remove_headers($_POST['name']);
	$email = remove_headers($_POST['email']);
	$topic = remove_headers($_POST['url']);
	$comments = remove_headers($_POST['comments']);

// Build the email 

	$to = 'mason@masonsklut.com';
	$subject = "New message: $topic";
	$message = "$name said: $comments";
	$headers = "E-mail: $email";

// Send the mail using PHP's mail() function

	mail($to, $subject, $message, $headers);

// Redirect, then stop so nothing else runs after the Location header

	header('Location: http://masonsklut.com/test/success.html');
	exit;

?>

05-24-2008, 09:29 PM
#3
creativejen

It's ok, but you'll get spam.

05-24-2008, 10:50 PM
#4
JulesR

Originally Posted by enigma
It's ok, but you'll get spam.
Hardly a constructive comment. Please elaborate for the author.

ncmason: Whilst your form will work with the code you've provided, you seem to have completely ignored all aspects of security we've mentioned. You have no field checking, no flood control, no anti-bot measures. Did we waste our time advising you?

05-25-2008, 12:24 AM
#5
mason.sklut

Well, I did a lot of research on contact forms and I saw that most spammers get around by manipulating headers. I like the advice, it's just there's lots of info out there, and I wanted to know as much as possible. I'll post the new code when I have time.

Thanks,
Mason

05-25-2008, 01:14 AM
#6
mason.sklut

Here's the link to the new and improved secured contact form:
http://masonsklut.com/contact

I have two questions now:

1. How can I make it so it goes to a "success" page only after valid completion of the form?

2. How can I make the email only send when all the forms have been filled out? Right now, it sends even with empty fields.
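
One way to handle both questions, as an added example that is not part of the original thread or the poster's code: validate every field first, refuse line breaks in anything that ends up in a mail header, and redirect only when validation passed and mail() accepted the message. The field names follow the form posted earlier in the thread; the recipient address, the success URL and the function name validate_contact are placeholders.

```php
<?php
// Added example, not the thread's code. Recipient and success URL are placeholders.

// Return a list of validation errors for the submitted fields (empty = valid).
function validate_contact(array $post) {
    $errors = array();
    foreach (array('name', 'email', 'url', 'comments') as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if ($errors) {
        return $errors;
    }
    // Values placed in a mail header (Subject, Reply-To) must never contain
    // CR or LF: a line break is what lets form input start a new header.
    foreach (array('email', 'url') as $field) {
        if (preg_match('/[\r\n]/', $post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if (!$errors) {
        $to      = 'owner@example.com';                 // placeholder recipient
        $subject = 'New message: ' . trim($_POST['url']);
        $message = trim($_POST['name']) . " said:\n\n" . $_POST['comments'];
        $headers = 'Reply-To: ' . trim($_POST['email']);
        // Redirect only when the fields were valid AND mail() accepted the message.
        if (mail($to, $subject, $message, $headers)) {
            header('Location: /success.html');          // placeholder URL
            exit;
        }
        $errors[] = 'the message could not be sent';
    }
    // Not redirected: show the errors (HTML-escaped) above the redisplayed form.
    foreach ($errors as $e) {
        echo '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
}
```

Rejecting CR and LF outright is stricter than deleting header names such as "bcc:" from the input, and it does not depend on keeping a list of header names complete.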

05-25-2008, 01:23 AM
#7
Vizon

I had a custom one built for my site, McAurie. It can be seen here: http://mcaurie.com/contact/. (Please note the site hasn't launched.) To eliminate spam we have the custom captcha in place and there is a block only allowing 1 message per five minutes from an IP address. Also, you must supply a valid email address, not just "EMAIL" or something of the sort.
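
A sketch of the per-IP limit described in this post, combined with the suggestion from the first post on this page to append a quick follow-up to the stored message instead of refusing it. This is an added example, not code from any poster's site; the table layout, function names and size cap are hypothetical, and SQLite through PDO stands in for whatever database the site uses.

```php
<?php
// Added example, not code from the thread. Names and limits are hypothetical.
define('WINDOW_SECONDS', 300);   // one new message per IP per five minutes
define('MAX_BODY_BYTES', 4000);  // cap so appended follow-ups cannot grow without bound

function open_store($path) {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS messages (
        id INTEGER PRIMARY KEY, ip TEXT, email TEXT, body TEXT, updated INTEGER)');
    return $db;
}

// Store a submission. A repeat from the same IP inside the window is appended
// to the earlier row with a separator and timestamp instead of creating a new
// message. Returns 'new', 'appended' or 'rejected'.
function store_message(PDO $db, $ip, $email, $body, $now) {
    if (strlen($body) > MAX_BODY_BYTES) {
        return 'rejected';
    }
    $find = $db->prepare('SELECT id, length(body) AS size FROM messages
        WHERE ip = ? AND updated > ? ORDER BY updated DESC LIMIT 1');
    $find->execute(array($ip, $now - WINDOW_SECONDS));
    $row = $find->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        if ($row['size'] + strlen($body) > MAX_BODY_BYTES) {
            return 'rejected';   // follow-ups have filled the row; stop accepting
        }
        $sep = "\n\n--- follow-up at " . gmdate('Y-m-d H:i:s', $now) . " UTC ---\n";
        // "||" is SQLite string concatenation; MySQL would use CONCAT().
        $upd = $db->prepare('UPDATE messages SET body = body || ?, updated = ? WHERE id = ?');
        $upd->execute(array($sep . $body, $now, $row['id']));
        return 'appended';
    }
    $ins = $db->prepare('INSERT INTO messages (ip, email, body, updated) VALUES (?, ?, ?, ?)');
    $ins->execute(array($ip, $email, $body, $now));
    return 'new';
}

// Constructed demonstration: three submissions from one documentation-range address.
$db = open_store(':memory:');
$t0 = 1211677200;
echo store_message($db, '203.0.113.7', 'a@example.com', 'First message', $t0), "\n";
echo store_message($db, '203.0.113.7', 'a@example.com', 'Forgot to add...', $t0 + 60), "\n";
echo store_message($db, '203.0.113.7', 'a@example.com', 'A new request', $t0 + 361), "\n";
```

An IP address can be shared by many visitors behind one NAT or proxy, so a limit like this works alongside the captcha and field validation rather than replacing them.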

05-25-2008, 01:28 AM
#8
mason.sklut

@Vizon. I've seen some of your client sites once before. You guys do great work!

05-25-2008, 05:51 AM
#9
Vizon

Thanks so much ncmason, working on finishing the main site. Portfolio page and network should be done shortly.

05-25-2008, 02:43 PM
#10
mason.sklut

How do you change the font face in PHP?
