
I've made my very first flash mailform on my own. It uses php to check for errors and send the email. Could you check if my code is any good? Perhaps there's room for improvement or e.g. make the php more secure? Any comments are welcome. Speaking of comments: both in the actionscript and php I've placed comments which show what the code's supposed to do to make it more clear. First here's the actionscript and second the php which processes the flash information.

 

[code]
//Form movieclip has two frames
//Frame 1 shows the input fields and scroll/send buttons
//Frame 2 shows the thank-you screen
//When pressing Mail button frame 1 of the Form
//movieclip is shown with all its input fields cleared
//"naam" is name field of mailform
//"email" is email address field of mailform
//"bericht" is message field of mailform
//
Formulier.gotoAndStop(1);
Formulier.naam.text = "";
Formulier.email.text = "";
Formulier.bericht.text = "";
//
//When using TAB key only input fields are allowed to
//be moved through
//
Formulier.naam.tabIndex = 1;
Formulier.email.tabIndex = 2;
Formulier.bericht.tabIndex = 3;
//
//Scrolling arrows function
//In case of large text being typed into the message
//field, the text can be scrolled with the arrow buttons
//
Formulier.Hoog.onRelease = function() {
	Formulier.bericht.scroll = Formulier.bericht.scroll-1;
};
Formulier.Laag.onRelease = function() {
	Formulier.bericht.scroll = Formulier.bericht.scroll+1;
};
//
//Sending entered name, email address and message text
//variables to php script
//
Formulier.Versturen.onRelease = function() {
	mySendVars = new LoadVars();
	myLoadVars = new LoadVars();
	mySendVars.naam = Formulier.naam.text;
	mySendVars.email = Formulier.email.text;
	mySendVars.bericht = Formulier.bericht.text;
	//
	//The returned variables indicate whether there
	//was an error in one or more input fields
	//In case of no error the email has already been
	//sent by the php script and Flash goes to frame 2
	//of the movieclip, showing the Thank-You screen
	//The handler is assigned before the request is sent
	//
	myLoadVars.onLoad = function(success) {
		if (success) {
			if ((myLoadVars.naam != "error") && (myLoadVars.email != "error") && (myLoadVars.bericht != "error")) {
				Formulier.gotoAndStop(2);
			} else {
				//
				//In case of an error the error message
				//is displayed in red characters in
				//the input field(s) which has the error
				if (myLoadVars.naam == "error") {
					Formulier.naam.text = "Niet (goed) ingevuld";
					naamformat = new TextFormat();
					naamformat.color = 0xFF0000;
					Formulier.naam.setTextFormat(naamformat);
				}
				if (myLoadVars.email == "error") {
					Formulier.email.text = "Niet (goed) ingevuld";
					emailformat = new TextFormat();
					emailformat.color = 0xFF0000;
					Formulier.email.setTextFormat(emailformat);
				}
				if (myLoadVars.bericht == "error") {
					Formulier.bericht.text = "Niet ingevuld";
					berichtformat = new TextFormat();
					berichtformat.color = 0xFF0000;
					Formulier.bericht.setTextFormat(berichtformat);
				}
			}
		}
	};
	mySendVars.sendAndLoad("testmail.php", myLoadVars, "POST");
};
//
//When an error has been found in a field, the error
//message has been put in it and when clicked on that
//input field the field is cleared so it can be typed
//in again
//
Formulier.naam.onSetFocus = function(oldFocus) {
	if (Formulier.naam.text == "Niet (goed) ingevuld") {
		Formulier.naam.text = "";
	}
};
Formulier.email.onSetFocus = function(oldFocus) {
	if (Formulier.email.text == "Niet (goed) ingevuld") {
		Formulier.email.text = "";
	}
};
Formulier.bericht.onSetFocus = function(oldFocus) {
	if (Formulier.bericht.text == "Niet ingevuld") {
		Formulier.bericht.text = "";
	}
};
[/code]

 

[code]
<?php
session_start();

/* Session variables are used so the php script can't be accessed directly */
/* Session variable is set on the html page displaying the form */
if (!isset($_SESSION["putyourpasswordhere"])) {
    echo "Dit script kan enkel via de bijbehorende website aangeroepen worden!";
    exit;
}

/* Email settings, doing some basic filtering */
/* Used by Flash form so utf8 decode necessary for allowing international (accented) characters */
/* Using stripslashes so names like O'Brien don't get converted to O\'Brien when posting */
/* A field that was not posted is treated as empty, so it fails the validation below */
$to = "mail@yourownemailaddress.nl";
$subject = "Request for information";
$naam = stripslashes(utf8_decode(isset($_POST["naam"]) ? $_POST["naam"] : ""));
$email = stripslashes(utf8_decode(isset($_POST["email"]) ? $_POST["email"] : ""));
$bericht = stripslashes(utf8_decode(isset($_POST["bericht"]) ? $_POST["bericht"] : ""));

/* To protect against email injection, some regular expressions to validate entered values */
/* \z is used as end anchor instead of $, because $ would also accept a value ending in a newline */
/* Checking for a proper name, including accented characters, apostrophe, space and hyphen */
if (!preg_match('~^[a-zÀ-ÿ][\'a-zÀ-ÿ \-]*\z~i', $naam)) {
    $naam = "error";
    /* echoes are used to send variables back to Flash again */
    echo "&naam=error&";
} else {
    echo "&naam=correct&";
}

/* Checking for properly formed email address */
if (!preg_match('~^[a-z0-9][a-z0-9_.\-]*@([a-z0-9]+\.)*[a-z0-9][a-z0-9\-]+\.([a-z]{2,6})\z~i', $email)) {
    $email = "error";
    echo "&email=error&";
} else {
    echo "&email=correct&";
}

/* Has a message been filled in? */
if (!$bericht) {
    $bericht = "error";
    echo "&bericht=error&";
} else {
    echo "&bericht=correct&";
}

/* Everything is ok and mail will be sent as plain text mail */
/* When sending as html text mail, the use of htmlentities on the message is advised */
/* That way the message part can't be used to input malicious scripts */
if ($naam != "error" && $email != "error" && $bericht != "error") {

    $message = "Naam:\r\n".$naam."\r\n\r\n";
    $message .= "Emailadres:\r\n".$email."\r\n\r\n";
    $message .= "Bericht:\r\n".$bericht."\r\n";

    $headers = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
    $headers .= "From: ".mb_encode_mimeheader($naam, "iso-8859-1", "Q")." <".$email.">\r\n";

    mail($to, $subject, $message, $headers);

    /* The session is only ended after the mail has been sent, */
    /* so the form can be submitted again after a validation error */
    unset($_SESSION["putyourpasswordhere"]);
    session_destroy();
}
?>
[/code]

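An added example, not part of the original post: in PCRE, `$` without the `D` modifier also matches just before a newline that ends the subject, so a value validated that way can still end in a line break when it is placed in a mail header such as `From:`. The sketch runs an email pattern of the kind used in the script above, once anchored with `$` and once with `\z`, over constructed inputs; the constant and function names are this example's own.

```php
<?php
// Added example, not from the original post: how the end anchor of a
// validation pattern decides whether a line break can reach a mail header.

// Email pattern ending with "$" (matches at the end, or before a final newline).
const EMAIL_DOLLAR = '~^[a-z0-9][a-z0-9_.\-]*@([a-z0-9]+\.)*[a-z0-9][a-z0-9\-]+\.([a-z]{2,6})$~i';
// Same pattern ending with "\z", which only matches at the very end of the subject.
const EMAIL_STRICT = '~^[a-z0-9][a-z0-9_.\-]*@([a-z0-9]+\.)*[a-z0-9][a-z0-9\-]+\.([a-z]{2,6})\z~i';

/** True when $value matches $pattern. */
function matches(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

/** Independent second check: a header value must not contain CR or LF. */
function is_header_safe(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Constructed inputs for the demonstration.
$samples = [
    'plain address' => "jan@example.nl",
    'trailing LF'   => "jan@example.nl\n",
    'trailing CRLF' => "jan@example.nl\r\n",
    'embedded CRLF' => "jan@example.nl\r\nX-Constructed: 1",
];

// Print, per input, what each pattern and the CR/LF check decide.
foreach ($samples as $label => $email) {
    printf(
        "%-14s dollar=%-3s strict=%-3s header_safe=%s\n",
        $label,
        matches(EMAIL_DOLLAR, $email) ? 'yes' : 'no',
        matches(EMAIL_STRICT, $email) ? 'yes' : 'no',
        is_header_safe($email) ? 'yes' : 'no'
    );
}
```

Only the input with a single trailing line feed is treated differently by the two patterns; the separate CR/LF check is a second line of defence that does not depend on how a pattern is anchored.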

What do you think of my script so far? I'm just starting with php and am not an actionscript pro either. Programmed it myself with hardly any tutorial use, so perhaps I'm doing it not as most of you would do it. Perhaps there are still mistakes in both the action- and php-script? Or instances where the procedure still wouldn't work? Any comments are welcome.
