...

View Full Version : Contact form security + data in form disappear + error message display



angelali
02-22-2012, 01:30 PM
Hello, I have coded a contact form in PHP and I want to know, if according to you, it is secure! I am new in PHP, so I want some feedback from you.

Moreover, I have also two problems based on the contact form. It is a bit complicated to explain, thus, I will break each of my problem one by one.

FIRST:The first thing I want to know, is if my contact form secure according to you:

The HTML with the PHP codes:


<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

//Assigning variables to elements
$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);

//Declaring the email address with body content
$to = 'alithebestofall2010@gmail.com';
$body ="First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

//Validate the forms
if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) {
echo '<p class="error">Required fields must be filled!</p>';
return false;

}
elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
echo '<p class="error">You cannot enter a number as either the first or last name!</p>';
return false;
}
elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo '<p class="error">Incorrect email address!</p>';
return false;
}
elseif (!($cap === '12')){
echo '<p class="error">Invalid captcha, try again!</p>';
return false;
}
else {
mail ($to, $sub, $body);
echo '<p class="success">Thank you for contacting us!</p>';
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>

<p>Your last name: <span class="required">*</span></p>
<p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p>

<p>Subject: <span class="required">*</span></p>
<p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p>

<p>Your email address: <span class="required">*</span></p>
<p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

<p>Website:</p>
<p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com"/></p>

<p>Where you have heard us?: <span class="required">*</span></p>
<p><select name="heard">
<option>Internet</option>
<option>Newspapers</option>
<option>Friends or relatives</option>
<option>Others</option>
</select></p>

<p>Your message: <span class="required">*</span></p>
<p><textarea cols="75" rows="20" name="message"></textarea></p>

<p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p></p>
<p><input type="text" name="captcha" size="10"/></p>

<p><input type="submit" name="submit" value="Send" class="button"/>
<input type="reset" value="Reset" class="button"/></p>
</form>

SECOND:If a user has made a mistake, he gets the error message so that he can correct! However, when a mistake in the form occurs, all the data the user has entered are disappeared! I want the data to keep appearing so that the user does not start over again to fill the form.

THIRD: When the error message is displayed to notify the user that he made a mistake when submitting the form, the message is displaying on the top of the page. I want it to appear below each respective field. How to do that? In JQuery it is simple, but in PHP, I am confusing!

mlseim
02-22-2012, 03:04 PM
This is sort of a tough one to answer. Security means so many different things.
Secure as in spammers, secure as in hackers, secure as in sending private data?

Anyhow, since the form calls itself (the script), use the "value" properties in the input tags.

Example:

<p><input type="text" name="first" size="40" placeholder="Ex: Paul" value="<?=$first?>"/></p>

The textbox will be blank the first time the form shows, but after they submit data,
the textbox will be given the new value of the variable "$first"

Do that for all of them. That will take care of the "form is blank when they get an error".

Now, expand on the form some more ...
For each error, add a flag.

elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$flag=3;
// comment this out -- echo '<p class="error">Incorrect email address!</p>';
return false;

Then in your form, look for the flag before each section.
Display the error message if that $flag has been set ....

<?php
if($flag==3){
echo '<p class="error">Incorrect email address!</p>';
}
?>
<p>Your email address: <span class="required">*</span></p>
<p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

Do that within your form for each one.

angelali
02-22-2012, 03:12 PM
Huhh I tried, it but got an error of undefined variable.. I mean the flag..

mlseim
02-22-2012, 04:12 PM
You probably got a "notice", not an error.

Whatever variables you use ...
Define them at the top of your script ...

$flag1="";
$flag2="";
$flag3="";

When PHP sees a variable in an "if" statement, and the
variable hasn't been assigned anything yet, it sends a "notice", or "warning".
The error is not fatal, it's just telling you something might be wrong.

angelali
02-22-2012, 04:22 PM
This is why I am confusing here, what should I put in the variable? I would put something like an error message, but it is already executed under the HTML tags.

Here is the code for the first name validation only, just to know an overview what I have included with your suggestions:


PHP:


<?php
//I gave the variable name as 'firstt'
$flag="firstt";

if (empty($first) {
$flag=1;
return false;
}
?>

The HTML:


<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>
<?php
if($flag==1){
echo '<p class="error">Incorrect email address!</p>';
}
?>

Is this what you told me? I still get the notice, and nothing happens! I;m confuse what to put in the variable, when it is already echoed the out message below the HTML.

mlseim
02-22-2012, 05:10 PM
Post the actual "notice".

Maybe it's not the $flag variable?


also, if you copied and pasted this from your script, you have a syntax error:
missing parenthesis ...

if (empty($first)) {
$flag=1;
// return false;
}

comment-out those "return false;" lines also.


.

angelali
02-22-2012, 05:12 PM
Its the variable flag: Notice: Undefined variable: flag in C:\xampp\htdocs\contact\index.php on line 16

mlseim
02-22-2012, 05:15 PM
Post the whole script as you have it now ...

angelali
02-22-2012, 05:20 PM
Here is my full script!

Note that I have made what you suggested only for the first name, just test if it is good before I implement it to all.




<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>
<?php
if($flag==1){
echo '<p class="error">Incorrect email address!</p>';
}
?>
<p>Your last name: <span class="required">*</span></p>
<p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p>

<p>Subject: <span class="required">*</span></p>
<p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p>

<p>Your email address: <span class="required">*</span></p>
<p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

<p>Website:</p>
<p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com"/></p>

<p>Where you have heard us?: <span class="required">*</span></p>
<p><select name="heard">
<option>Internet</option>
<option>Newspapers</option>
<option>Friends or relatives</option>
<option>Others</option>
</select></p>

<p>Your message: <span class="required">*</span></p>
<p><textarea cols="75" rows="20" name="message"></textarea></p>

<p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p></p>
<p><input type="text" name="captcha" size="10"/></p>

<p><input type="submit" name="submit" value="Send" class="button"/>
<input type="reset" value="Reset" class="button"/></p>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['submit'])) {

//Assigning variables to elements
$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);
$flag="err";
//Declaring the email address with body content
$to = 'alithebestofall2010@gmail.com';
$body ="First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

//Validate the forms
if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) {
echo "<p class="error">All fields required!</p>";
}

elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
$flag=1;
return false;
}
elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo '<p class="error">Incorrect email address!</p>';
return false;
}
elseif (!($cap === '12')){
echo '<p class="error">Invalid captcha, try again!</p>';
return false;
}
else {
mail ($to, $sub, $body);
echo '<p class="success">Thank you for contacting us!</p>';
}
}
}
?>

mlseim
02-22-2012, 06:00 PM
Try this script ...
I made a lot of changes ... so make a safe copy of your current script.




<?php

//Assigning variables to elements
$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);

// define some flags
$flag1=0;
$flag2=0;
$flag3=0;
$flag4=0;
$flag5=0;
$flag6=0;
$flag7=0;
$flag9=0;

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['submit'])) {

//Validate the forms
if (empty($first)) {
// echo "<p class="error">All fields required!</p>";
$flag1=1;
}
if (empty($last)) {
// echo "<p class="error">All fields required!</p>";
$flag2=1;
}
if (empty($sub)) {
// echo "<p class="error">All fields required!</p>";
$flag3=1;
}
if (empty($comment)) {
// echo "<p class="error">All fields required!</p>";
$flag4=1;
}
if (empty($heard)) {
// echo "<p class="error">All fields required!</p>";
$flag7=1;
}

if (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
$flag5=1;
//return false;
}

if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
//echo '<p class="error">Incorrect email address!</p>';
//return false;
$flag6=1;
}
if (!($cap === '12')){
//echo '<p class="error">Invalid captcha, try again!</p>';
//return false;
$flag8=1;
}

if($flag1==0 && $flag2==0 && $flag3==0 && $flag4==0 && $flag5==0 && $flag6==0 && $flag7==0 && $flag8==0){
//Declaring the email address with body content
$to = 'alithebestofall2010@gmail.com';
$body ="First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

mail ($to, $sub, $body);
echo '<p class="success">Thank you for contacting us!</p>';
exit;
}
}
}
?>

<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul" value="<?=$first?>" /></p>
<?php
if($flag1==1){
echo '<p class="error">Field Required!</p>';
}
if($flag5==1){
echo '<p class="error">Invalid First or Last Name!</p>';
}
?>

<p>Your last name: <span class="required">*</span></p>
<p><input type="text" name="last" size="40" placeholder="Ex: Smith" value="<?=$last?>" /></p>
<?php
if($flag2==1){
echo '<p class="error">Field Required!</p>';
}
if($flag5==1){
echo '<p class="error">Invalid First or Last Name!</p>';
}
?>

<p>Subject: <span class="required">*</span></p>
<p><input type="text" name="subject" size="40" placeholder="Ex: Contact" value="<?=$sub?>" /></p>
<?php
if($flag3==1){
echo '<p class="error">Field Required!</p>';
}
?>

<p>Your email address: <span class="required">*</span></p>
<p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com" value="<?=$email?>" /></p>
<?php
if($flag6==1){
echo '<p class="error">Invalid Email Address!</p>';
}
?>

<p>Website:</p>
<p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com" value="<?=$web?>" /></p>

<p>Where you have heard us?: <span class="required">*</span></p>
<p><select name="heard" value="<?=$heard?>">
<?php
if($heard){
echo "<option value=\"$heard\">$heard</option>\n";
}
?>
<option value="Internet">Internet</option>
<option value="Newspapers">Newspapers</option>
<option value="Friends or Relatives">Friends or relatives</option>
<option value="Others">Others</option>
</select></p>
<?php
if($flag7==1){
echo '<p class="error">Field Required!</p>';
}
?>

<p>Your message: <span class="required">*</span></p>
<p><textarea cols="75" rows="20" name="message"><?=$comment?></textarea></p>
<?php
if($flag4==1){
echo '<p class="error">Field Required!</p>';
}
?>

<p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p></p>
<p><input type="text" name="captcha" size="10"/ value="<?=$cap?>" ></p>
<?php
if($flag8==1){
echo '<p class="error">Invalid Captcha!</p>';
}
?>

<p><input type="submit" name="submit" value="Send" class="button"/>
<input type="reset" value="Reset" class="button"/></p>
</form>

angelali
02-22-2012, 06:14 PM
LOL, I appreciate your patience on my problem, you are helping me very much but I am getting this notices now:

Notice: Undefined index: first in C:\xampp\htdocs\contact\index.php on line 15

Notice: Undefined index: last in C:\xampp\htdocs\contact\index.php on line 16

Notice: Undefined index: subject in C:\xampp\htdocs\contact\index.php on line 17

Notice: Undefined index: email in C:\xampp\htdocs\contact\index.php on line 18

Notice: Undefined index: website in C:\xampp\htdocs\contact\index.php on line 19

Notice: Undefined index: heard in C:\xampp\htdocs\contact\index.php on line 20

Notice: Undefined index: message in C:\xampp\htdocs\contact\index.php on line 21

Notice: Undefined index: captcha in C:\xampp\htdocs\contact\index.php on line 22

Have you tested it? I think, I will change the form presentation if I do not get a solution. On all websites, they are teaching the way I did! If I have used JQuery to validate it on client side, it would be ok, as JQuery has "hide" and "show" and works great with CSS. But in PHP, there is no hide and show even it works with CSS.

angelali
02-22-2012, 06:18 PM
I forgot to say, the scrip works great, only these NOTICES remain now... If these notices are correctly gone, I can learn a lot with your method..

angelali
02-22-2012, 06:21 PM
The notices are on the variables I created:

$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);

mlseim
02-22-2012, 06:26 PM
Let's just do this ...


error_reporting (E_ALL ^ E_NOTICE);
$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);


You know that the variables are OK,
so suppress the notice messages.


.

angelali
02-22-2012, 06:34 PM
You are making me laugh...lol.. No, there must be a solution, right? Because your script is so great, I am new in PHP, since 3 days I am learning it after mastering myself on client side languages. I will use your script to learn...so, there must be a solution to eradicate these notices!.

Using this error reporting, seems bad principles for me, I mean its like we lost a battle. I like to fight when something weird happens in codes..

I thank you so much for your patience for helping me, and also you have responded with good manners..but..if possible, let's try to fight this...if you don't mind please...

mlseim
02-22-2012, 06:39 PM
When you added that red line to the top of your script, didn't the notices go away?

<?php
error_reporting (E_ALL ^ E_NOTICE);


There's nothing wrong with suppressing notices.

Warning and fatal errors will still be reported.

angelali
02-22-2012, 06:41 PM
Yes, the notices go away... but putting this is like a bad principle for me. Instead to correct it, we are putting the error reporting.. That's why i asked, there must be a solution to deal with it without putting the error notices code... Im still fighting with it..

Nightfire
02-22-2012, 06:47 PM
This is where I'd move them to



// define some flags
$flag1=0;
$flag2=0;
$flag3=0;
$flag4=0;
$flag5=0;
$flag6=0;
$flag7=0;
$flag9=0;

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

//Assigning variables to elements
$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);

if (isset($_POST['submit'])) {

mlseim
02-22-2012, 06:49 PM
Nightfire ...

There you go .. that should fix it.

Or ...

if(isset($_POST['first'])){
$first = htmlentities($_POST['first']);
}

doing that (for each one) would be the same thing sort of, but more lines of code.



.

angelali
02-22-2012, 06:52 PM
@NightFire, thank you for replying!

The NOTICES have gone away but now, I'm getting undefined in my text fields, I mean in the values...

angelali
02-22-2012, 07:00 PM
I think, I have to decide, both of your suggestions are ok, except I am having undefined variable for the fields values now... I think its because to keep the data on the form if the user has made a mistake, but if I use SESSIONS to fight my Second problems, do you think it will be an ideal way? My second problem which I stated in my first post is the data disappear when the user has made a mistake filling the form after clicking the submit button. If I can use SESSION, , then I can use your suggestions for the third problem!



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum