
Contact form security + data in form disappear + error message display


angelali


Hello, I have coded a contact form in PHP and I want to know whether, in your opinion, it is secure. I am new to PHP, so I would like some feedback from you.

 

Moreover, I also have two problems with the contact form. They are a bit complicated to explain, so I will go through each problem one by one.

 

FIRST: The first thing I want to know is whether my contact form is secure in your opinion:

 

The HTML with the PHP code:

 

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Assign the submitted fields to variables (HTML-encoded)
    $first   = htmlentities($_POST['first']);
    $last    = htmlentities($_POST['last']);
    $sub     = htmlentities($_POST['subject']);
    $email   = htmlentities($_POST['email']);
    $web     = htmlentities($_POST['website']);
    $heard   = htmlentities($_POST['heard']);
    $comment = htmlentities($_POST['message']);
    $cap     = htmlentities($_POST['captcha']);

    // Recipient address and body of the mail
    $to   = 'alithebestofall2010@gmail.com';
    $body = "First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

    // Validate the form
    if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) {
        echo '<p class="error">Required fields must be filled!</p>';
        header('Refresh: 3; url=index.php');
        return false;
    } elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
        echo '<p class="error">You cannot enter a number as either the first or last name!</p>';
        return false;
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo '<p class="error">Incorrect email address!</p>';
        return false;
    } elseif (!($cap === '12')) {
        echo '<p class="error">Invalid captcha, try again!</p>';
        return false;
    } else {
        mail($to, $sub, $body);
        echo '<p class="success">Thank you for contacting us!</p>';
    }
}
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>

<p>Your last name: <span class="required">*</span></p>
<p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p>

<p>Subject: <span class="required">*</span></p>
<p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p>

<p>Your email address: <span class="required">*</span></p>
<p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

<p>Website:</p>
<p><input type="text" name="website" size="40" placeholder="Ex: http://google.com"/></p>

<p>Where have you heard about us?: <span class="required">*</span></p>
<p><select name="heard">
<option>Internet</option>
<option>Newspapers</option>
<option>Friends or relatives</option>
<option>Others</option>
</select></p>

<p>Your message: <span class="required">*</span></p>
<p><textarea cols="75" rows="20" name="message"></textarea></p>

<p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p>
<p><input type="text" name="captcha" size="10"/></p>

<p><input type="submit" name="submit" value="Send" class="button"/>
<input type="reset" value="Reset" class="button"/></p>
</form>

 

 

SECOND PROBLEM: If a user has made a mistake, he gets the error message so that he can correct it. However, when a mistake in the form occurs, all the data the user has entered disappears! I want the data to stay in the fields so that the user does not have to start over again to fill in the form.

 

THIRD: When the error message is displayed to notify the user that he made a mistake when submitting the form, the message appears at the top of the page. I want it to appear below each respective field. How do I do that? In jQuery it is simple, but in PHP I am confused!

 

 


First things first: because you're just starting out, you should get in the habit now of indenting your code properly. Reading your code might seem easy enough now; wait until your application has a few hundred thousand lines of code.

 

Secondly, you cannot output any data prior to calling the header() function. Make sure you have error reporting turned on and you should see warnings about this fact.

 

As for your questions;

 

Is it secure? Overall, there is nothing to be concerned about. The script doesn't actually do a great deal. Why you're encoding everything using HTML entities is beyond me, though; you're not sending an HTML email.

 

Second issue; You have the data the user has submitted in variables. Use them.

 

Third issue: at its simplest, you can store all your error messages in an array and then display them next to each missing form element.


You should sanitize user input with mysql_real_escape_string. EDIT: just noticed you aren't putting it into a MySQL database either, so ignore, lol.

 

Do not use

 

<?php echo $_SERVER['PHP_SELF'];?>

 

in the form action.

 

To retain user input, you need to echo the value that was POSTed in each field.  Example:

 

<!-- htmlspecialchars() keeps a posted quote or < from breaking out of the value attribute -->
<p><input type="text" name="first" size="40" placeholder="Ex: Paul" value="<?php if (isset($_POST['first'])) echo htmlspecialchars($_POST['first'], ENT_QUOTES); ?>"/></p>

 

You can control where error messages go by assigning the error message to a variable, then echoing the variable in the spot where you want it shown. If you have lots of possible error messages, I suggest making an array and looping through the error messages.

 

I'm sure others can find more suggestions for you.

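Why the reply above says not to put `$_SERVER['PHP_SELF']` in the form action, as an added example that is not code from any poster in this thread: on a server with Apache-style path info, a request for `/contact.php/"><script>alert(1)</script>` makes PHP_SELF carry the attacker's extra path segment, and echoing it raw places that markup inside the attribute (reflected XSS). The script sets `$_SERVER['PHP_SELF']` by hand so it runs from the command line; the script name `/contact.php` and the crafted value are constructed. The function names are my own.

```php
<?php
// Added example, not from any poster in this thread: why echoing
// $_SERVER['PHP_SELF'] unescaped into the form action is reflected XSS, and
// two safe alternatives. PHP_SELF is set by hand so the script runs from the
// CLI; on a real server with Apache-style path info the same value results
// from requesting  /contact.php/"><script>alert(1)</script>
declare(strict_types=1);

// What the original form does: raw PHP_SELF inside a double-quoted attribute.
function unsafe_action(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Fix 1: encode for the attribute context. ENT_QUOTES covers both quote styles.
function escaped_action(string $phpSelf): string
{
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" method="post">';
}

// Fix 2: omit the attribute. The browser posts back to the URL the form was
// loaded from, which is what the original wanted anyway.
function no_action(): string
{
    return '<form method="post">';
}

// Constructed value: the script is /contact.php and the trailing path segment
// is attacker-controlled (Apache decodes %22/%3C/%3E before it reaches PHP).
$_SERVER['PHP_SELF'] = '/contact.php/"><script>alert(1)</script>';

echo "Unsafe:    ", unsafe_action($_SERVER['PHP_SELF']), "\n";
echo "Escaped:   ", escaped_action($_SERVER['PHP_SELF']), "\n";
echo "No action: ", no_action(), "\n";
```

Run it with `php` from the command line and compare the three lines: in the unsafe one the `"` closes the attribute and the `<script>` tag is live; in the escaped one every `"`, `<` and `>` is an entity. The check to make on the real page is to request the form with an extra path segment appended to the script name and view the response source.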

For the header() part in the code, I forgot to remove it when pasting the code here in the forum. I already removed it some hours ago. And yes, it is not stored in a database, so mysql_real_escape_string is useless here, I think, but I did include htmlentities.

 

I included <?php echo $_SERVER['PHP_SELF'];?> because I am on localhost... I will change it to a page "thankyou.php" later, to redirect the user to a thank-you page, when I put it online.

 

Hmm, for my second problem, would SESSION be ideal for it?


 


For my third problem, even though I declared the error messages in a variable, they still appear above. In fact, when an error appears, only the error message appears, but not the form now. If possible, can you suggest a good free web host where I can upload my script to show you all? All the free web hosts say my page will be propagated after 12 hours. I know a host called Zymic, but it does not accept the mail() function.


This is because the code that outputs the errors is above the form, so that is where it will be displayed. If you want to position the error below the corresponding field, store the error in a variable instead of outputting it right away. Then check for the variable being set where you want to display the error.

 

<?php
if (empty($first)) {   // example condition: the required first-name field was left blank
    $first_name_error = "An error has occurred in your first name.";
    //return false does nothing in this context
}
?>
<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>
<?php
if (isset($first_name_error))
    echo '<p>' . $first_name_error . '</p>';
?>

 

There are multiple ways to go about this; this is just an example. For input error handling, I prefer to also have real-time error responses using jQuery.


I tried it... but in vain. Again the same thing happens.

 

For example, let's say the first name has numbers in the field; it will give an error, so I did this:

 

if (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
    $first_name_error = 'You cannot enter a number as either the first or last name!';
    return false; // at file scope, return ends the whole script here, so the form markup below is never output
}

 

Then in the HTML, below the first name field:

 

<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>
<?php if (isset($first_name_error)) {
    echo '<p>' . $first_name_error . '</p>';
} ?>

 

I hope I have done what you suggested.

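A complete single-file version of the pattern the replies describe (errors collected in an array, posted values echoed back escaped, each message printed under its own field), as an added example that is not any poster's code. It covers the first and second replies' advice on the error array and value retention and the fourth reply's per-field placement; the "website" and "heard" fields are left out for brevity, the recipient address is a placeholder, and `h()`, `validate()` and `field()` are my own helper names. Because the validation branches record an error instead of using `return`, the form markup after the PHP block is always rendered, which is what a top-level `return` in the last attempt above prevents.

```php
<?php
// Added example, not code from any poster in this thread. A one-file contact
// form that collects every failure in $errors (keyed by field), echoes the
// posted values back HTML-escaped, prints each message under its own field,
// and uses no top-level `return`, so the form is rendered on every request.
// RECIPIENT is a placeholder; h(), validate() and field() are my own names.
declare(strict_types=1);

const RECIPIENT      = 'you@example.com';
const CAPTCHA_ANSWER = '12';   // 5 + 7, as in the original form

// Escape for an HTML text or attribute context: the only place encoding belongs.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns [trimmed values, errors]. No output here, so the rules are testable.
function validate(array $post): array
{
    $v = [];
    foreach (['first', 'last', 'subject', 'email', 'message', 'captcha'] as $f) {
        $raw   = $post[$f] ?? '';
        $v[$f] = is_string($raw) ? trim($raw) : '';   // first[]=x must not crash
    }
    $errors = [];
    foreach ($v as $f => $val) {
        if ($val === '') {
            $errors[$f] = 'Required field.';
        }
    }
    // Reject any digit; FILTER_VALIDATE_INT only catches all-numeric input ("J0hn" passes).
    foreach (['first', 'last'] as $n) {
        if (!isset($errors[$n]) && preg_match('/\d/', $v[$n])) {
            $errors[$n] = 'Names cannot contain numbers.';
        }
    }
    if (!isset($errors['email']) && filter_var($v['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Incorrect email address.';
    }
    if (!isset($errors['captcha']) && !hash_equals(CAPTCHA_ANSWER, $v['captcha'])) {
        $errors['captcha'] = 'Invalid captcha, try again.';
    }
    return [$v, $errors];
}

$values = array_fill_keys(['first', 'last', 'subject', 'email', 'message', 'captcha'], '');
$errors = [];
$sent   = false;

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    [$values, $errors] = validate($_POST);
    if ($errors === []) {
        // Plain-text mail, so the body is NOT HTML-encoded. CR/LF is stripped from
        // the subject as a habit: user data never reaches a mail header unchecked.
        $subject = str_replace(["\r", "\n"], ' ', $values['subject']);
        $body    = "First name: {$values['first']}\nLast name: {$values['last']}\n"
                 . "Email: {$values['email']}\n\n{$values['message']}";
        $sent    = mail(RECIPIENT, $subject, $body);
        $values['captcha'] = '';   // never echo the answer back into the page
    }
}

// One labelled input, with the retained value and (if any) its own error line.
function field(string $name, string $label, array $values, array $errors): void
{
    echo '<p>', h($label), '</p>', "\n",
         '<p><input type="text" name="', h($name), '" size="40" value="', h($values[$name]), '"/></p>', "\n";
    if (isset($errors[$name])) {
        echo '<p class="error">', h($errors[$name]), '</p>', "\n";
    }
}
?>
<?php if ($sent): ?><p class="success">Thank you for contacting us!</p><?php endif; ?>
<form method="post"><!-- no action attribute: posts back here without echoing PHP_SELF -->
<?php
field('first',   'Your first name: *',    $values, $errors);
field('last',    'Your last name: *',     $values, $errors);
field('subject', 'Subject: *',            $values, $errors);
field('email',   'Your email address: *', $values, $errors);
?>
<p>Your message: *</p>
<p><textarea cols="75" rows="20" name="message"><?= h($values['message']) ?></textarea></p>
<?php if (isset($errors['message'])): ?><p class="error"><?= h($errors['message']) ?></p><?php endif; ?>
<?php field('captcha', 'Are you human? 5 + 7 = ?: *', $values, $errors); ?>
<p><input type="submit" value="Send" class="button"/></p>
</form>
```

Save it as, say, `contact.php` (assumed name), run `php -S localhost:8000 contact.php`, and submit with a field left blank and a `"` or `<` typed into the first name: the values come back intact, each message sits under the field it belongs to, and the special characters are rendered as entities instead of breaking the attribute. Note that `htmlentities()` is applied only at output time here; the values that go into the plain-text mail are left as typed, which is the point the first reply makes.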
