Osaze
Posted October 14, 2020

Good day friends, please, I am still an upcoming developer. Please could you help me check if this contact form code is secured from hackers? Thanks.

```php
<?php
require "define.php";
$seotitlemeta = "Contact $sitename";
include './themes/header.php';

function filter_spam(&$string){
    $url = str_replace(array("'", '', '%20'), ' ', $string);
    $url = preg_replace('~[\pL0-9]+u', ' ', $url);
    $url= strtolower($url);
    $url = trim($url, "");
    return $url;
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    $data = strip_tags($data);
    return $data;
}
?>
<h1 title="Contact <?php echo $sitename;?>">Contact <?php echo $sitename;?></h1>
<?php
if ($SERVER["REQUEST_METHOD"] == "POST") {
    $code1= trim(preg_replace(array("'", "[^a-z0-9]+"), array("", ""), strtolower(test_input($POST['code']))), "-");
    $code1 = substr($code1, 0, 10);
    $code= trim(preg_replace(array("'", "[^0-9]+"), array("", ""), strtolower(bin2hex(test_input($POST['code1'])))), "-");
    $code = substr($code, 0, 10);
    if (filter_var(test_input($POST['mail']), FILTER_VALIDATE_EMAIL)) {
        if(strlen(test_input($POST["message"])) > 5){
            $email_sumbit = test_input($POST['mail']);
            $contact_name = test_input(filter_spam($POST['name']));
            $subject_submit = test_input($POST['head']);
            $message_submit= test_input($POST["message"]);
            if($code1!== $code) {
            } else {
                $from = "$email_sumbit";
                $to_email = "mail@example.com";
                $subject = $subject_submit;
                $message = $message_submit;
                $headers = "From: $contact_name $from";
                mail($to_email,$subject,$message,$headers);
                $sent_show_response = '<div class="contact-done">Your message has been sent successfully</div>';
                $message_sent_remove_form = "1";
            }
        }
    }
    if ($SERVER["REQUEST_METHOD"] == "POST") {
        if($sent_show_response){
            $sent_show_response = $sent_show_response;
        } else {
            if(strlen(test_input($POST["message"])) < 5){
                $sent_show_response = '<div class="contact-fail">Your message is too short</div>';
            } else{
                $sent_show_response = '<div class="contact-fail">Please provide valid information</div><br>';
            }
        }
    }
}
?>
<p><?php echo $sent_show_response; ?></p>
<?php if ($message_sent_remove_form == '1'){ } else{ ?>
<?php
$Random_code=mt_rand();
$Random_code = substr($Random_code, 0, 5);
$Random_codehex = substr(bin2hex($Random_code), 0, 10);
?>
<div class="contact">
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<label> Full name: <input type="text" name="name" placeholder="Enter your full name" value="<?php echo $contact_name;?>" class="" required></label>
<label> E-mail address: <input type="email" name="mail" placeholder="Enter your valid e-mail address" value="<?php echo $email_sumbit;?>" class="" required></label>
<label> Subject: <input type="text" name="head" placeholder="Enter subject of your message" value="<?php echo $subject_submit;?>" class="" required></label>
<label> Message: <textarea name="message" placeholder="Write your complete message here..." class="" required><?php echo $message_submit;?></textarea></label>
<label> Human verification: <input type="text" name="code1" autocomplete="off" spellcheck="false" placeholder="Enter text shown on below image" class="captcha-in " required /><input type="hidden" name="code" value="<?php echo $Random_codehex; ?>" /></label>
<div class="captcha">
<div class="image"><h3><b><?php $random_spilit = str_split($Random_code);foreach($random_spilit as $code_one_one){ echo "$code_one_one "; }?></b></h3><span class="overlay"></span></div>
<div class="reload"><font color="white" style="font-weight: bold;">CODE</font></div>
</div>
<button type="submit" name="submit"><span class="fas fa-paper-plane"></span> Send Message </button>
</form>
</div>
<?php }?>
</div></div>
<?php include './themes/footer.php'; ?>
```

Link to comment: https://forums.phpfreaks.com/topic/311599-please-help-me-check-this-code-if-it-safe-from-hackers-or-spammers/
requinix
Posted October 14, 2020

Worry about that after you've made sure that it actually works.
Osaze (Author)
Posted October 14, 2020

Wow, I am honored @requinix, thanks for replying. The code works and changes users' input into HTML, for example this code

```php
<?php $hack = "my name is osaze"; echo $hack; ?>
```

will become

```php
<?php $hack = "my name is osaze"; echo $hack; ?>
```

I just wanted to know if it is safe and if hackers can hack me via the form. Thanks, I am still an upcoming developer.
requinix
Posted October 14, 2020

And what I'm saying is, that code you posted, it does not work correctly. Fix the code so that it does work correctly, so that it does what it's supposed to do when you enter in (safe) information, and then we can worry about whether it's safe.
Osaze (Author)
Posted October 15, 2020

Please @requinix, please could you point out the area for me, please, I am begging. I am still upcoming, but I don't know what area I am missing in the code. Please help me.
requinix
Posted October 15, 2020

Here's a list of all the things I can see that should be changed:

1. filter_spam() takes its argument by-reference. It does not need to use references. Don't pass variables by reference.
2. The regular expression to preg_replace (in filter_spam) is incorrect. Check the syntax.
3. You cannot trim nothingness from a string.
4. The "SERVER" superglobal variable is supposed to have an underscore in its name.
5. Same for "POST".
6. Variables need to be set before they can be used. Make sure that no matter what path the code follows, the variables you need to use are being given some value beforehand.
7. $sent_show_response = $sent_show_response is pointless.

In addition,

8. Security is not about throwing str_replace and preg_replace and filter_var and trim and whatever other functions you can think of at your input. You need to understand what each one does, why you should use them, when you should use them, and whether they should be here too.
9. You have two sanitization functions that do similar things. You also have inline code that repeats a lot of the same things. See also #8.
10. The code is very poorly formatted. Especially the last part. Isn't it hard for you to read?
11. You've invented some form of cheap CAPTCHA. That rarely ever works well. Poor security is worse than no security, so remove it. If your form starts getting abused then you can worry about adding *real* CAPTCHA to it.

Finally,

12. Don't do any of the above yet.
13. Find your local php.ini and change two settings: make display_errors=on and error_reporting=-1. Restart your local web server.
14. Then try using your page as it is now. See what errors you get. Try with proper inputs. Try with a short message. Try with a bad email. Try every possible scenario you can think of, note what error messages come up, learn what they mean, and fix them.

The point of that list is not to say you're doing things wrong. The list is to show you that thinking about people hacking your form is admirable and generally good but you're too early for it. If you're new to PHP then you should learn the most important parts of it first with a little bit of security here and there as it comes up. Because it's very hard to learn about code security when you're not familiar with code in the first place.
Osaze (Author)
Posted October 15, 2020

Thanks @requinix, I will work on that right now 😀
Osaze (Author)
Posted October 15, 2020

@requinix you're right, the code is a mess. I just did what you said and I am seeing some errors, I am correcting them right now.
Osaze (Author)
Posted October 15, 2020 (edited)

Thanks @requinix, I have edited the code to be better. Kindly check and score me please.

```php
<?php
require "define.php";
$seotitlemeta = "Contact $sitename";
$noindex_page = "1"; // 1 means Google and other search engine can't index this page, while 0 means allow index
include './themes/header.php';

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    $data = strip_tags($data);
    return $data;
}
?>
<h1 title="Contact <?php echo $sitename;?>">Contact <?php echo $sitename;?></h1>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $email_sumbit = test_input($_POST['mail']);
    $contact_name = test_input($_POST['name']);
    $subject_submit = test_input($_POST['head']);
    $message_submit= test_input($_POST["message"]);
    $from = $email_sumbit;
    $to_email = $contact_email;
    $subject = $subject_submit;
    $message = $message_submit;
    $headers = "From: $contact_name $from";
    if(isset($_POST['g-recaptcha-response'])){
        $captcha=$_POST['g-recaptcha-response'];
    }
    $secretKey = "6LfcgNcZAAAAAHdYwHrWaq7-BaqK3hXq8XsWkRd7";
    $ip = $_SERVER['REMOTE_ADDR'];
    $google_verify_human = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secretKey) . '&response=' . urlencode($captcha);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $google_verify_human);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_VERBOSE, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    curl_close($ch);
    $responseKeys = json_decode($response,true);
    if(filter_var($email_sumbit, FILTER_VALIDATE_EMAIL) && strlen($message_submit) > 2 && $subject_submit && $contact_name && $responseKeys["success"]){
        mail($to_email,$subject,$message,$headers);
        $sent_show_response = '<div class="contact-done">Your message has been sent successfully</div>';
        $remove_form = "1"; // means form will remove after submitted
    } else {
        if(!$captcha){
            $sent_show_response = '<p><div class="contact-fail">Please check the the captcha form.</div></p>';
        } else {
            if (strlen($message_submit) < 2){
                $sent_show_response = '<p><div class="contact-fail">Your message is too short</div></p>';
            } else {
                $sent_show_response = '<p><div class="contact-fail">Please provide valid information</div></p>';
            }
        }
    }
}
?>
<?php echo $sent_show_response; ?>
<?php if ($remove_form == '1'){ } else{ ?>
<div class="contact">
<form method="post" action="<?php echo htmlspecialchars($_SERVER["REQUEST_URI"]);?>">
<label> Full name: <input type="text" name="name" placeholder="Enter your full name" value="<?php echo $contact_name;?>" class="" required></label>
<label> E-mail address: <input type="email" name="mail" placeholder="Enter your valid e-mail address" value="<?php echo $email_sumbit;?>" class="" required></label>
<label> Subject: <input type="text" name="head" placeholder="Enter subject of your message" value="<?php echo $subject_submit;?>" class="" required></label>
<label> Message: <textarea name="message" placeholder="Write your complete message here..." class="" required><?php echo $message_submit;?></textarea></label>
<div class="g-recaptcha" data-sitekey="6LfcgNcZAAAAAKucY3v7UWLS-0GAfy2ExyBj9aSl"></div>
<p></p>
<button type="submit" name="submit"><span class="fas fa-paper-plane"></span> Send Message</button>
</form>
</div>
<?php }?>
<script src='https://www.google.com/recaptcha/api.js' async defer></script>
</div>
<?php include './themes/footer.php'; ?>
```

Edited October 15, 2020 by Osaze
Osaze (Author)
Posted October 15, 2020

And the preg_replace, I have corrected it:

```php
function Url(&$string){
    $url = str_replace(array("'", '', '%20'), ' ', $string);
    $url = preg_replace('~[^\\pL0-9]+~u', '-', strtolower($url));
    $url = trim($url, "-");
    return $url;
}
```

I noticed the previous error was accepting underscore _. After modifying the code everything now works fine 😄 Mehn @requinix, you're really a genius.
requinix
Posted October 15, 2020

3 hours ago, Osaze said:

    $secretKey = "6LfcgNcZAAAAAHdYwHrWaq7-BaqK3hXq8XsWkRd7";

Secret means secret. It does not mean you should post it publicly for the internet to see. Tell Google you want to revoke/delete these credentials and create new ones.
Osaze (Author)
Posted October 15, 2020

27 minutes ago, requinix said:

    Secret means secret. It does not mean you should post it publicly for the internet to see. Tell Google you want to revoke/delete these credentials and create new ones.

No @requinix, I edited the secret, that's not the real one oo 😂, I edited it before posting it. But please, now is the security cool after your review? 🙏🙏
requinix
Posted October 15, 2020

Then yes: it is possible for someone to hijack your contact form to send spam or whatever to any address they want, through header injection with $contact_name and/or $from.
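As an added example (not Osaze's code and not a post from the thread), here is the send path of this form rewritten around two points raised above: requinix's list items 8 and 9 (understand what each sanitizing function does, keep one validation routine, and escape where the value is used rather than when it is read) and the header-injection remark about $contact_name and $from. It assumes define.php provides $contact_email, as in Osaze's second version, plus two hypothetical settings, $recaptcha_secret and $site_domain. It also sends the reCAPTCHA secret in the POST body and leaves certificate verification on, where the posted version puts the secret in the query string and sets CURLOPT_SSL_VERIFYPEER to false.

```php
<?php
// Added example, not Osaze's code. Assumed to run after define.php, which is
// taken to provide $contact_email (real) plus two hypothetical settings,
// $recaptcha_secret and $site_domain.

/**
 * A value that goes into a mail header must be a single line. CR, LF and NUL
 * are what header injection relies on, so input containing them is refused
 * outright rather than "cleaned".
 */
function single_line(string $value, int $maxLen = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

/** FILTER_VALIDATE_EMAIL also refuses addresses containing CR/LF. */
function valid_email(string $email): ?string
{
    $result = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

/**
 * Server-side reCAPTCHA check: secret in the POST body rather than the URL
 * (which ends up in logs), certificate verification ON, and a timeout so a
 * slow upstream cannot hang the request.
 */
function recaptcha_ok(string $secret, string $response, string $remoteIp): bool
{
    if ($response === '') {
        return false;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(
            ['secret' => $secret, 'response' => $response, 'remoteip' => $remoteIp]
        ),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $json = is_string($body) ? json_decode($body, true) : null;
    return is_array($json) && ($json['success'] ?? false) === true;
}

/**
 * From is a fixed address on our own domain (so the site's SPF/DKIM still
 * apply); the visitor's address only appears in Reply-To, after validation.
 * Name and subject were already checked to be single lines.
 */
function send_contact_mail(string $to, string $name, string $email, string $subject, string $message, string $siteDomain): bool
{
    $headers = implode("\r\n", [
        'From: contact-form@' . $siteDomain,
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    $body = "Name: $name\nE-mail: $email\n\n$message";
    return mail($to, $subject, $body, $headers);
}

/** One validation routine for the whole form: returns [errors, cleaned values]. */
function validate_contact(array $post): array
{
    $field = static function (string $key) use ($post): string {
        $v = $post[$key] ?? '';
        return is_string($v) ? $v : '';   // an array where a string is expected is simply invalid
    };
    $clean = [
        'name'    => single_line($field('name')),
        'email'   => valid_email($field('mail')),
        'subject' => single_line($field('head')),
        'message' => trim($field('message')),
    ];
    $errors = [];
    if ($clean['name'] === null)       { $errors[] = 'Please enter your full name.'; }
    if ($clean['email'] === null)      { $errors[] = 'Please enter a valid e-mail address.'; }
    if ($clean['subject'] === null)    { $errors[] = 'Please enter a subject.'; }
    if (strlen($clean['message']) < 2) { $errors[] = 'Your message is too short.'; }
    return [$errors, $clean];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $clean] = validate_contact($_POST);
    $captcha = $_POST['g-recaptcha-response'] ?? '';
    if (!is_string($captcha) || !recaptcha_ok($recaptcha_secret, $captcha, $_SERVER['REMOTE_ADDR'] ?? '')) {
        $errors[] = 'Please complete the CAPTCHA.';
    }
    if ($errors === []) {
        $sent = send_contact_mail($contact_email, $clean['name'], $clean['email'],
                                  $clean['subject'], $clean['message'], $site_domain);
        $errors = $sent ? [] : ['Your message could not be sent, please try again later.'];
    }
    foreach ($errors as $e) {
        // Escape at output into HTML, not when the input was read.
        echo '<div class="contact-fail">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</div>';
    }
    if ($errors === []) {
        echo '<div class="contact-done">Your message has been sent successfully</div>';
    }
}
```

The form markup from Osaze's second version can stay as it is; the only change it needs is to pass each re-displayed value through htmlspecialchars() at the point where it is echoed into an attribute or the textarea, since nothing is escaped on the way in any more.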
Osaze (Author)
Posted October 16, 2020

Noticed, I will work on that right now.