contact form validation help

[DRaleigh]

Greetings all,

 

I am fairly new to PHP & this is my first post to the group. My apologies if this issue has been addressed previously. I've looked around a bit but haven't found quite what I'm looking for.

 

I am working on a simple contact form. I would like to secure the form by validation, particularly the email & website fields, & help protect myself & others against spam & bots. I have seen preg functions used to validate & secure email & url fields but am not quite sure how to apply this to my code. I've tried on several different occasions to work in the preg function on my own but my efforts have only resulted in errors.

 

You will find the php code & html form code below. Does anyone here have any suggestions or ideas as to how I might tighten up this form securely?

 

Thank you in advance for any help...

 

David Raleigh

 

 

form_handle.php

 

<?php # Handle Contact Form

$name = stripslashes($_REQUEST['name']);
$email = $_REQUEST['email'];
$location = stripslashes($_REQUEST['location']);
$url = $_REQUEST['url'];
$comments = stripslashes($_REQUEST['comments']);
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$to = "david.adams5280@yahoo.com";
$subject = "Comments from DavidRaleigh.net";
$message = "<b>Name:</b> $name<br>
<b>Email address:</b> $email<br>
<b>Location:</b> $location<br>
<b>Website:</b> $url<br><br>

<b>Comments:</b> $comments
";
$from = $_REQUEST['email'];
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$headers .= "From: $from" . "\r\n";

if (!empty($_REQUEST['email'])) {
$email = ($_REQUEST['email']);

} else {
$email = NULL;
echo 'You forgot your email address.';
} 

if (!empty($_REQUEST['comments'])) {
$comments = stripslashes($_REQUEST['comments']);

} else {
$comments = NULL;
echo 'You forgot to add your message.';
} 

if ($email && $comments) {

echo "Thank you for your comments $name.";
}

if ($email && $comments) {
mail($to,$subject,$message,$headers);
}

?>

 

 

html_form

 

<form name="form1" id="form1" method="post" action="frm_hndl.php">
          <table width="100%" border="0" align="center" cellpadding="7" 

cellspacing="0">
            <tr>
              <td width="25%" align="right" valign="top" 

class="content-bld">Name:</td>
              <td width="75%" align="left" valign="top"><input name="name" 

type="text" id="name" size="30" /></td>
            </tr>
            <tr>
              <td width="25%" align="right" valign="top" 

class="content-bld">Email address:</td>
              <td width="75%" align="left" valign="top"><input name="email" 

type="text" id="email" size="30" /></td>
            </tr>
            <tr>
              <td width="25%" align="right" valign="top" 

class="content-bld">Location:</td>
              <td width="75%" align="left" valign="top"><input name="location" 

type="text" id="location" size="30" /></td>
            </tr>
            <tr>
              <td width="25%" align="right" valign="top" 

class="content-bld">Website:</td>
              <td width="75%" align="left" valign="top"><input name="url" 

type="text" id="url" size="30" /></td>
            </tr>
            <tr>
              <td width="25%" align="right" valign="top" 

class="content-bld">Comments:</td>
              <td width="75%" align="left" valign="top"><textarea 

name="comments" cols="50" rows="6" id="comments"></textarea></td>
            </tr>
          </table>
          <table width="100%" border="0" cellspacing="0" cellpadding="7">
            <tr>
              <td width="50%" align="right" valign="middle"><input type="submit" 

name="Submit" value="Send message" /></td>
              <td width="50%" align="left" valign="middle"><input type="reset" 

name="Submit2" value="Clear form" /></td>
            </tr>
          </table>
          </form>

[9three]

Check to make sure that the email is properly typed. Most email services allow lowercases/periods/numbers.

 

What if the user inputs myemail[]boxgtester@lololfake.com

 

Your email script will still go through.

 

If you want to take it to the next level you can check MX records before sending out the email. Majority of people just use regular expression to validate the email address.

 

Check to make sure that the email is from an actual user not a bot. You can add a hidden input for this.

[charleshill]

I use an anti-bot function with a few combined techniques to stop bots from spamming my forms. There are well-designed bots that are capable of defeating a few or several techniques used by web application designers to stop them, but few bots that can get around all of them.

 

Minimum time -- load timestamp including microseconds on form page load and compare to the timestamp in microseconds when it was submitted

reCAPTCHA -- very effective

Bot traps -- create a random number of input fields in the form that are hidden using css, if any of these inputs have anything in them add the user to a "bad bots" database table (ip address among other info) and disallow form submission from them.

 

I haven't used this technique yet...

Block certain domains in email addresses -- using a regular expression pattern you can separate out the domain name of their email address from the one they submitted and decide if you want to block it or not.  mail.ru is a common one used by spammers.

[ambo]

I asked a question like this before and i got a really good answer you use a variable

he used $readyform

but you can use things like $validation

<?php # Handle Contact Form
$validation = true; //This sets the Form To True For error Checking
$name = stripslashes($_REQUEST['name']);
$email = $_REQUEST['email'];
$location = stripslashes($_REQUEST['location']);
$url = $_REQUEST['url'];
$comments = stripslashes($_REQUEST['comments']);
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$to = "david.adams5280@yahoo.com";
$subject = "Comments from DavidRaleigh.net";
$message = "<b>Name:</b> $name<br>
<b>Email address:</b> $email<br>
<b>Location:</b> $location<br>
<b>Website:</b> $url<br><br>

<b>Comments:</b> $comments
";
$from = $_REQUEST['email'];
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$headers .= "From: $from" . "\r\n";



if (!empty($_REQUEST['email'])) {
$email = ($_REQUEST['email']);

} else {
$validation = false; // There Was an error The Field was empty so Validation was set to False Display error 
echo 'You forgot your email address.';
} 

if (!empty($_REQUEST['comments'])) {
$comments = stripslashes($_REQUEST['comments']);

} else {
$validation = false; // There Was an error The Field was empty so Validation was set to False Display error 
echo 'You forgot to add your message.';
} 

if ($validation = true) { // If no errors then Validation stayed true and you can execute the script

echo "Thank you for your comments $name.";
mail($to,$subject,$message,$headers);
}

?>

For Spam bots you can do a form text field and say some thing like 4+8="Textfield"

Then check with

<?php if ($spamcheck == 12) {
$validation = true;
}else{
$validation = false; 
}?>

[mrMarcus]

instead of $_REQUEST, use $_POST or $_GET .. be specific as to the method of your form submission .. using $_REQUEST opens up security issues on the site.

 

as well, you need to get better organized .. $_REQUEST['email']; has been assigned twice .. once as $email and once as $from.

 

and you can just merge these to statements together ..

if ($email && $comments) {

echo "Thank you for your comments $name.";
}

if ($email && $comments) {
mail($to,$subject,$message,$headers);
}

 

into...

 

if ($email && $comments) {

echo "Thank you for your comments $name.";

mail($to,$subject,$message,$headers);
}

[ambo]

I was going to comment on that to but i figured if it was working lol....

I combined that section of code together as well in the validation sample i showed him..

[mrMarcus]

I was going to comment on that to but i figured if it was working lol....

I combined that section of code together as well in the validation sample i showed him..

ah yes, i see that now

 

the deal with $_REQUEST is that it will take either a $_GET or $_POST value .. so, if buddy web developer is assuming his info is being passed behind the scenes and he creates a variable $name and fills that variable like so : $name = $_REQUEST['name'];, then all buddy 'lookin to crack'a'hack a site' has to do is is throw in a ?name='you just got punked and he's just filled that $name variable with whatever he wants.

 

there are many simple ways to validate your forms .. keep you numbers as number, ie. where $id is an integer...

(int)$id

 

this ensures that $id is an integer, otherwise it fails.

 

'is_numeric()' is also your friend.

 

'mysql_real_escape_string()' is the new 'addslashes()'.

 

easiest way (and most versatile as well), is to create a function to clean your vars.  something like :

$_POST = array_map('strip_tags', $_POST);

works too.

[charleshill]

Most attacks on sites are by bots, not humans... so they'll try everything possible (sending post data and get data).  It really doesn't matter if you take the info from $_REQUEST, $_POST, or $_GET... you still have to clean it the same.

[ambo]

it seems to me that the

For Spam bots you can do a form text field and say some thing like 4+8="Textfield"

Then check withCode: [select]<?php if ($spamcheck == 12) {

$validation = true;

}else{

$validation = false;

}?>

Works pretty Fine as the what is 4+8 is not wraped with a <label tag and you can name the field spam so it shouldint read the text you can also use the name of the site and accept multiple answers like .com and what not

[DRaleigh]

Thanks so much for all your suggestions! They are all greatly appreciated.

 

I've successfully (surprise to me) installed reCAPTCHA at my site. It seems to work pretty well, but I have fooled it a couple times already. But, at least you have to enter something into the CAPTCHA field...something reasonably close...so I guess that's ok for now.

 

My site is not actually live yet. When it does go live, I don't expect a lot of traffic since my site is being primarily for informational purposes only. I am going to continue trying to tightening my script up (have made corrections noted earlier) & further securing it, but is it possible reCAPTCHA will suffice until I come up with additional security?

 

Also, I've read somewhere about validating forms using hidden fields & CSS. Does anyone know where I might find out more about this? And, if validation is done through a hidden field, how should I test it to make sure it's functioning properly?

 

Thanks much once again!

 

David Raleigh

[DRaleigh]

Thanks again for all replies...

 

I've added this regex to my code. It seems to actually work!! Yesssss!

Along with reCAPTCHA, am I fairly good to go with this form?

 

$name = stripslashes($_POST['name']);
$email = $_POST['email'];
$location = stripslashes($_POST['location']);
$website = $_POST['website'];
$comments = stripslashes($_POST['comments']);
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$to = "david.adams5280@yahoo.com";
$subject = "Comments from DavidRaleigh.net";
$message = "<b>Name:</b> $name<br>
<b>Email address:</b> $email<br>
<b>Location:</b> $location<br>
<b>Website:</b> $website<br>
<b>IP address:</b>$ip<br><br>

<b>Comments:</b> $comments
";
$from = $_POST['name'];
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$headers .= "From: $from" . "\r\n";

if (!empty($_POST['email'])) {
$email = ($_POST['email']);

} else {
$email = NULL;
echo 'You forgot your email address.';
} 

if(!preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4])$/', $email)) {

echo 'Email address is invalid.';
exit();
}

if (!empty($_POST['comments'])) {
$comments = stripslashes($_POST['comments']);

} else {
$comments = NULL;
echo 'You forgot to add your message.';
} 

if ($email && $comments) {

echo "Thank you for your comments $name.";

mail($to,$subject,$message,$headers);
}



?>

 

Thanks once again, folks!