I have created a contact form using a flat file to avoid using sendmail. I use fwrite on a flat file which is set to 0622. i am wondering if this is secure code?
<?php
if (!empty($_POST)) {
$file = "contact.txt";
$handle = fopen($file, 'a+');
$ip=$_SERVER['REMOTE_ADDR'];
$name = $_POST["name"];
$nameformat = nameize($name);
$email = $_POST["email"];
$message = $_POST["message"];
$agree = $_POST["agreement"];
if (empty($name)) {
echo "<p><b>“Please supply your name to use this form.”</b></p>";
}
elseif (!$email == "" && (!strstr($email,"@") || !strstr($email,".")) || (empty($email))) {
echo "<p><b>“Please supply a valid email to use this form.”</b></p>";
}
elseif (empty($message)) {
echo "<p><b>“Please supply a reason for contacting us.”</b></p>";
}
elseif ($agree == "disagree") {
echo "<p><b>“All information is confidential. You may agree to terms to submit this form.”</b></p>";
} else {
fwrite($handle, "\n" . "\n" . $ip . "\n" . $nameformat . "\n" . $email . "\n" . $message);
fclose($handle);
echo "<p><b>“Thank you " . $nameformat . ". Your message has been sent.”</b></p>";
}}
function nameize($str,$a_char = array("'","-"," ")){
$string = strtolower($str);
foreach ($a_char as $temp){
$pos = strpos($string,$temp);
if ($pos){
$mend = '';
$a_split = explode($temp,$string);
foreach ($a_split as $temp2){
$mend .= ucfirst($temp2).$temp;
}
$string = substr($mend,0,-1);
}}
return ucfirst($string);
}
?>
My form
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>Name:* <input type="text" name="name" value="<?php if (isset($name)) {echo $name;} ?>"/></p>
<p>email:* <input type="text" name="email" value="<?php if (isset($email)) {echo $email;} ?>" /></p>
<p>Reason for contacting us:*<br /><textarea rows="10" cols="40" name="message"><?php if (isset($message)) {echo $message;} ?></textarea></p>
<p><input checked="checked" type="radio" value="disagree" name="agreement" />I do not wish to complete all of the fields.</p>
<p><input type="radio" value="agree" name="agreement" />All Fields are complete I wish to continue.</p>
<hr>
<p><input type="submit" value="Submit" /></p>
</form>
The working code is at http://www.trimtools.net/cont/