  1. #1
    Regular Coder
    Join Date
    Sep 2011
    Posts
    348
    Thanks
    39
    Thanked 0 Times in 0 Posts

    Contact form security + data in form disappear + error message display

    Hello, I have coded a contact form in PHP and I want to know if, according to you, it is secure! I am new to PHP, so I want some feedback from you.

    Moreover, I also have two problems with the contact form. It is a bit complicated to explain, thus I will break down each of my problems one by one.

    FIRST: The first thing I want to know is if my contact form is secure according to you:

    The HTML with the PHP code:

    PHP Code:
    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    //Assigning variables to elements
    $first = htmlentities($_POST['first']);
    $last = htmlentities($_POST['last']);
    $sub = htmlentities($_POST['subject']);
    $email = htmlentities($_POST['email']);
    $web = htmlentities($_POST['website']);
    $heard = htmlentities($_POST['heard']);
    $comment = htmlentities($_POST['message']);
    $cap = htmlentities($_POST['captcha']);

    //Declaring the email address with body content
    $to = 'alithebestofall2010@gmail.com';
    $body = "First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

    //Validate the forms
    if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) {
    echo '<p class="error">Required fields must be filled!</p>';
    return false;
    }
    elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
    echo '<p class="error">You cannot enter a number as either the first or last name!</p>';
    return false;
    }
    elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo '<p class="error">Incorrect email address!</p>';
    return false;
    }
    elseif (!($cap === '12')) {
    echo '<p class="error">Invalid captcha, try again!</p>';
    return false;
    }
    else {
    mail($to, $sub, $body);
    echo '<p class="success">Thank you for contacting us!</p>';
    }
    }
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
    <p>Your first name: <span class="required">*</span></p>
    <p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>

    <p>Your last name: <span class="required">*</span></p>
    <p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p>

    <p>Subject: <span class="required">*</span></p>
    <p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p>

    <p>Your email address: <span class="required">*</span></p>
    <p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

    <p>Website:</p>
    <p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com"/></p>

    <p>Where you have heard us?: <span class="required">*</span></p>
    <p><select name="heard">
    <option>Internet</option>
    <option>Newspapers</option>
    <option>Friends or relatives</option>
    <option>Others</option>
    </select></p>

    <p>Your message: <span class="required">*</span></p>
    <p><textarea cols="75" rows="20" name="message"></textarea></p>

    <p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p>
    <p><input type="text" name="captcha" size="10"/></p>

    <p><input type="submit" name="submit" value="Send" class="button"/>
    <input type="reset" value="Reset" class="button"/></p>
    </form>
    SECOND: If a user has made a mistake, he gets the error message so that he can correct it! However, when a mistake in the form occurs, all the data the user has entered disappears! I want the data to keep appearing so that the user does not have to start over again to fill in the form.

    THIRD: When the error message is displayed to notify the user that he made a mistake when submitting the form, the message is displayed at the top of the page. I want it to appear below each respective field. How do I do that? In jQuery it is simple, but in PHP, I am confused!
    Last edited by angelali; 02-22-2012 at 01:34 PM.
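    Added example and review note, not from any poster in this thread. Three things in the handler above are worth fixing before calling it secure: the captcha compares against the constant '12' while the question "5 + 7" is fixed text in the HTML, so a bot submits captcha=12 every time; $_SERVER['PHP_SELF'] is echoed unescaped into the action attribute, so a request whose path carries "><script> is reflected into the page; and htmlentities() is applied on input and the result is mailed, so a message containing & arrives as &amp;. The rewrite below keeps the raw values, validates them, generates a random sum per request with the answer held in the session, and escapes only when echoing into HTML. Anything that ends up in a mail header (here a Reply-To built from the address) is additionally checked to be a single line as defence in depth against header injection. The function names, the session key 'captcha_answer', and the trimmed-down form (only the parts that changed are shown) are assumptions; PHP 7+ is required for random_int() and ??.

```php
<?php
// Added example, not the original poster's script. Assumed names: h(), new_captcha(),
// captcha_ok(), validate_contact(), send_contact(), session key 'captcha_answer'.
session_start();

// Escape at OUTPUT time only; the values themselves stay raw for the mail body.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Fresh challenge per form render; only the answer is stored, server-side.
function new_captcha(): string {
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['captcha_answer'] = (string) ($a + $b);
    return "$a + $b = ?";
}

function captcha_ok(string $given): bool {
    $expected = $_SESSION['captcha_answer'] ?? null;
    unset($_SESSION['captcha_answer']);            // one attempt per challenge
    return $expected !== null && hash_equals($expected, trim($given));
}

// Validates the RAW $_POST array; returns field => message (empty array = OK).
function validate_contact(array $f): array {
    $errors = [];
    foreach (['first', 'last', 'subject', 'email', 'message', 'captcha'] as $k) {
        // is_string() guards against first[]=x, which would make trim() fatal
        if (!isset($f[$k]) || !is_string($f[$k]) || trim($f[$k]) === '') {
            $errors[$k] = 'Required field';
        }
    }
    foreach (['first', 'last'] as $k) {
        // compare with !== false: filter_var('0', FILTER_VALIDATE_INT) returns 0,
        // which a plain if (filter_var(...)) would treat as "not a number"
        if (!isset($errors[$k]) && filter_var($f[$k], FILTER_VALIDATE_INT) !== false) {
            $errors[$k] = 'A name cannot be a number';
        }
    }
    if (!isset($errors['email']) && filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Incorrect email address';
    }
    // Anything placed in a mail header must stay on one line (header injection).
    // FILTER_VALIDATE_EMAIL already rejects CR/LF; this is explicit defence in depth.
    foreach (['subject', 'email'] as $k) {
        if (!isset($errors[$k]) && preg_match('/[\r\n]/', $f[$k])) {
            $errors[$k] = 'Line breaks are not allowed here';
        }
    }
    if (!isset($errors['captcha']) && !captcha_ok($f['captcha'])) {
        $errors['captcha'] = 'Invalid captcha, try again';
    }
    return $errors;
}

// Plain-text body from the raw values; the only extra header is built from the
// validated single-line address.
function send_contact(array $f, string $to): bool {
    $lines = [];
    foreach (['first' => 'First name', 'last' => 'Last name', 'email' => 'Email',
              'website' => 'Website', 'heard' => 'Heard from us', 'message' => 'Comments'] as $k => $label) {
        $v = isset($f[$k]) && is_string($f[$k]) ? $f[$k] : '';
        $lines[] = "$label: $v";
    }
    $headers = 'Reply-To: ' . $f['email'] . "\r\n";
    return mail($to, $f['subject'], implode("\n\n", $lines), $headers);
}

$errors = [];
$sent = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    $sent = !$errors && send_contact($_POST, 'alithebestofall2010@gmail.com');
}
$question = new_captcha();                         // issued after the old answer was consumed
?>
<?php if ($sent): ?><p class="success">Thank you for contacting us!</p><?php endif; ?>
<!-- action="" posts back to the same URL without echoing PHP_SELF into the page -->
<form action="" method="post">
<p>Are you human? Sum this please: <?= h($question) ?> <span class="required">*</span></p>
<p><input type="text" name="captcha" size="10"/></p>
<?php if (isset($errors['captcha'])): ?><p class="error"><?= h($errors['captcha']) ?></p><?php endif; ?>
<p><input type="submit" name="submit" value="Send" class="button"/></p>
</form>
```

    The captcha answer is removed from the session as soon as it is checked, so a wrong guess forces a new challenge instead of allowing unlimited retries against the same one. The other text fields are rendered the same way as the captcha field: input, then its error paragraph.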

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,472
    Thanks
    8
    Thanked 1,085 Times in 1,076 Posts
    This is sort of a tough one to answer. Security means so many different things.
    Secure as in spammers, secure as in hackers, secure as in sending private data?

    Anyhow, since the form calls itself (the script), use the "value" properties in the input tags.

    Example:

    <p><input type="text" name="first" size="40" placeholder="Ex: Paul" value="<?=$first?>"/></p>

    The textbox will be blank the first time the form shows, but after they submit data,
    the textbox will be given the new value of the variable "$first"

    Do that for all of them. That will take care of the "form is blank when they get an error".

    Now, expand on the form some more ...
    For each error, add a flag.

    elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $flag=3;
    // comment this out -- echo '<p class="error">Incorrect email address!</p>';
    return false;
    }

    Then in your form, look for the flag before each section.
    Display the error message if that $flag has been set ....

    <?php
    if($flag==3){
    echo '<p class="error">Incorrect email address!</p>';
    }
    ?>
    <p>Your email address: <span class="required">*</span></p>
    <p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

    Do that within your form for each one.

  • #3
    Regular Coder
    Huhh, I tried it, but got an error of undefined variable... I mean the flag...

  • #4
    Master Coder
    You probably got a "notice", not an error.

    Whatever variables you use ...
    Define them at the top of your script ...

    $flag1="";
    $flag2="";
    $flag3="";

    When PHP sees a variable in an "if" statement, and the
    variable hasn't been assigned anything yet, it sends a "notice", or "warning".
    The error is not fatal, it's just telling you something might be wrong.

  • #5
    Regular Coder
    This is why I am confused here: what should I put in the variable? I would put something like an error message, but it is already executed under the HTML tags.

    Here is the code for the first name validation only, just to give an overview of what I have included with your suggestions:


    PHP Code:
    <?php
    //I gave the variable name as 'firstt'
    $flag="firstt";

    if (empty($first) {
    $flag=1;
    return false;
    }
    ?>
    The HTML:
    Code:
    <p>Your first name: <span class="required">*</span></p>
    <p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>
    <?php
    if($flag==1){
    echo '<p class="error">Incorrect email address!</p>';
    }
    ?>
    Is this what you told me? I still get the notice, and nothing happens! I'm confused about what to put in the variable, when the message is already echoed out below the HTML.

  • #6
    Master Coder
    Post the actual "notice".

    Maybe it's not the $flag variable?


    also, if you copied and pasted this from your script, you have a syntax error:
    missing parenthesis ...

    if (empty($first)) {
    $flag=1;
    // return false;
    }

    comment-out those "return false;" lines also.



  • #7
    Regular Coder
    Its the variable flag: Notice: Undefined variable: flag in C:\xampp\htdocs\contact\index.php on line 16

  • #8
    Master Coder
    Post the whole script as you have it now ...

  • #9
    Regular Coder
    Here is my full script!

    Note that I have made what you suggested only for the first name, just to test if it is good before I implement it for all of them.



    PHP Code:
    <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
    <p>Your first name: <span class="required">*</span></p>
    <p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>
    <?php
    if($flag==1){
    echo '<p class="error">Incorrect email address!</p>';
    }
    ?>
    <p>Your last name: <span class="required">*</span></p>
    <p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p>

    <p>Subject: <span class="required">*</span></p>
    <p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p>

    <p>Your email address: <span class="required">*</span></p>
    <p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

    <p>Website:</p>
    <p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com"/></p>

    <p>Where you have heard us?: <span class="required">*</span></p>
    <p><select name="heard">
    <option>Internet</option>
    <option>Newspapers</option>
    <option>Friends or relatives</option>
    <option>Others</option>
    </select></p>

    <p>Your message: <span class="required">*</span></p>
    <p><textarea cols="75" rows="20" name="message"></textarea></p>

    <p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p>
    <p><input type="text" name="captcha" size="10"/></p>

    <p><input type="submit" name="submit" value="Send" class="button"/>
    <input type="reset" value="Reset" class="button"/></p>
    </form>
    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['submit'])) {

    //Assigning variables to elements
    $first = htmlentities($_POST['first']);
    $last = htmlentities($_POST['last']);
    $sub = htmlentities($_POST['subject']);
    $email = htmlentities($_POST['email']);
    $web = htmlentities($_POST['website']);
    $heard = htmlentities($_POST['heard']);
    $comment = htmlentities($_POST['message']);
    $cap = htmlentities($_POST['captcha']);
    $flag="err";
    //Declaring the email address with body content
    $to = 'alithebestofall2010@gmail.com';
    $body = "First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

    //Validate the forms
    if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) {
    echo '<p class="error">All fields required!</p>';
    }
    elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
    $flag=1;
    return false;
    }
    elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo '<p class="error">Incorrect email address!</p>';
    return false;
    }
    elseif (!($cap === '12')) {
    echo '<p class="error">Invalid captcha, try again!</p>';
    return false;
    }
    else {
    mail($to, $sub, $body);
    echo '<p class="success">Thank you for contacting us!</p>';
    }
    }
    }
    ?>

  • #10
    Master Coder
    Try this script ...
    I made a lot of changes ... so make a safe copy of your current script.

    PHP Code:

    <?php

    //Assigning variables to elements
    $first = htmlentities($_POST['first']);
    $last = htmlentities($_POST['last']);
    $sub = htmlentities($_POST['subject']);
    $email = htmlentities($_POST['email']);
    $web = htmlentities($_POST['website']);
    $heard = htmlentities($_POST['heard']);
    $comment = htmlentities($_POST['message']);
    $cap = htmlentities($_POST['captcha']);

    // define some flags (all must be 0 before mail() is allowed)
    $flag1=0;
    $flag2=0;
    $flag3=0;
    $flag4=0;
    $flag5=0;
    $flag6=0;
    $flag7=0;
    $flag8=0;

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['submit'])) {

    //Validate the forms
    if (empty($first)) {
    // echo '<p class="error">All fields required!</p>';
    $flag1=1;
    }
    if (empty($last)) {
    // echo '<p class="error">All fields required!</p>';
    $flag2=1;
    }
    if (empty($sub)) {
    // echo '<p class="error">All fields required!</p>';
    $flag3=1;
    }
    if (empty($comment)) {
    // echo '<p class="error">All fields required!</p>';
    $flag4=1;
    }
    if (empty($heard)) {
    // echo '<p class="error">All fields required!</p>';
    $flag7=1;
    }

    if (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
    $flag5=1;
    //return false;
    }

    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    //echo '<p class="error">Incorrect email address!</p>';
    //return false;
    $flag6=1;
    }
    if (!($cap === '12')) {
    //echo '<p class="error">Invalid captcha, try again!</p>';
    //return false;
    $flag8=1;
    }

    if ($flag1==0 && $flag2==0 && $flag3==0 && $flag4==0 && $flag5==0 && $flag6==0 && $flag7==0 && $flag8==0) {
    //Declaring the email address with body content
    $to = 'alithebestofall2010@gmail.com';
    $body = "First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

    mail($to, $sub, $body);
    echo '<p class="success">Thank you for contacting us!</p>';
    exit;
    }
    }
    }
    ?>

    <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
    <p>Your first name: <span class="required">*</span></p>
    <p><input type="text" name="first" size="40" placeholder="Ex: Paul" value="<?=$first?>" /></p>
    <?php
    if($flag1==1){
    echo '<p class="error">Field Required!</p>';
    }
    if($flag5==1){
    echo '<p class="error">Invalid First or Last Name!</p>';
    }
    ?>

    <p>Your last name: <span class="required">*</span></p>
    <p><input type="text" name="last" size="40" placeholder="Ex: Smith" value="<?=$last?>" /></p>
    <?php
    if($flag2==1){
    echo '<p class="error">Field Required!</p>';
    }
    if($flag5==1){
    echo '<p class="error">Invalid First or Last Name!</p>';
    }
    ?>

    <p>Subject: <span class="required">*</span></p>
    <p><input type="text" name="subject" size="40" placeholder="Ex: Contact" value="<?=$sub?>" /></p>
    <?php
    if($flag3==1){
    echo '<p class="error">Field Required!</p>';
    }
    ?>

    <p>Your email address: <span class="required">*</span></p>
    <p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com" value="<?=$email?>" /></p>
    <?php
    if($flag6==1){
    echo '<p class="error">Invalid Email Address!</p>';
    }
    ?>

    <p>Website:</p>
    <p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com" value="<?=$web?>" /></p>

    <p>Where you have heard us?: <span class="required">*</span></p>
    <p><select name="heard">
    <?php
    // re-insert the previously chosen entry first so it stays selected
    if($heard){
    echo "<option value=\"$heard\">$heard</option>\n";
    }
    ?>
    <option value="Internet">Internet</option>
    <option value="Newspapers">Newspapers</option>
    <option value="Friends or Relatives">Friends or relatives</option>
    <option value="Others">Others</option>
    </select></p>
    <?php
    if($flag7==1){
    echo '<p class="error">Field Required!</p>';
    }
    ?>

    <p>Your message: <span class="required">*</span></p>
    <p><textarea cols="75" rows="20" name="message"><?=$comment?></textarea></p>
    <?php
    if($flag4==1){
    echo '<p class="error">Field Required!</p>';
    }
    ?>

    <p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p>
    <p><input type="text" name="captcha" size="10" value="<?=$cap?>"/></p>
    <?php
    if($flag8==1){
    echo '<p class="error">Invalid Captcha!</p>';
    }
    ?>

    <p><input type="submit" name="submit" value="Send" class="button"/>
    <input type="reset" value="Reset" class="button"/></p>
    </form>

  • #11
    Regular Coder
    LOL, I appreciate your patience with my problem, you are helping me very much, but I am getting these notices now:

    Notice: Undefined index: first in C:\xampp\htdocs\contact\index.php on line 15

    Notice: Undefined index: last in C:\xampp\htdocs\contact\index.php on line 16

    Notice: Undefined index: subject in C:\xampp\htdocs\contact\index.php on line 17

    Notice: Undefined index: email in C:\xampp\htdocs\contact\index.php on line 18

    Notice: Undefined index: website in C:\xampp\htdocs\contact\index.php on line 19

    Notice: Undefined index: heard in C:\xampp\htdocs\contact\index.php on line 20

    Notice: Undefined index: message in C:\xampp\htdocs\contact\index.php on line 21

    Notice: Undefined index: captcha in C:\xampp\htdocs\contact\index.php on line 22


    Have you tested it? I think I will change the form presentation if I do not get a solution. On all websites, they are teaching the way I did! If I had used jQuery to validate it on the client side, it would be ok, as jQuery has "hide" and "show" and works great with CSS. But in PHP, there is no hide and show even though it works with CSS.

  • #12
    Regular Coder
    I forgot to say, the script works great, only these NOTICES remain now... If these notices are properly gone, I can learn a lot with your method.

  • #13
    Regular Coder
    The notices are on the variables I created:

    $first = htmlentities($_POST['first']);
    $last = htmlentities($_POST['last']);
    $sub = htmlentities($_POST['subject']);
    $email = htmlentities($_POST['email']);
    $web = htmlentities($_POST['website']);
    $heard = htmlentities($_POST['heard']);
    $comment = htmlentities($_POST['message']);
    $cap = htmlentities($_POST['captcha']);

  • #14
    Master Coder
    Let's just do this ...


    error_reporting (E_ALL ^ E_NOTICE);
    $first = htmlentities($_POST['first']);
    $last = htmlentities($_POST['last']);
    $sub = htmlentities($_POST['subject']);
    $email = htmlentities($_POST['email']);
    $web = htmlentities($_POST['website']);
    $heard = htmlentities($_POST['heard']);
    $comment = htmlentities($_POST['message']);
    $cap = htmlentities($_POST['captcha']);


    You know that the variables are OK,
    so suppress the notice messages.



  • #15
    Regular Coder
    You are making me laugh... lol. No, there must be a solution, right? Because your script is so great; I am new to PHP, I have been learning it for 3 days after mastering client-side languages. I will use your script to learn... so there must be a solution to eradicate these notices!

    Using this error reporting seems like bad principles to me, I mean it's like we lost a battle. I like to fight when something weird happens in code.

    I thank you so much for your patience in helping me, and also you have responded with good manners... but... if possible, let's try to fight this... if you don't mind please...
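    Added example, not code from any poster in this thread. The notices in post #11 come from reading $_POST['first'] and friends before any POST has happened. error_reporting(E_ALL ^ E_NOTICE) hides the message but not the cause, and a missing or array-valued key is exactly what a tampered request sends, so the message is worth keeping and the cause worth fixing. The script below is the flag approach of posts #2 and #10 rewritten with one read helper that always returns a string and an associative error map instead of $flag1..$flag8, with every previously entered value put back into the form and the error printed directly under its field. The names post_field(), h(), field(), $fields and $errors are assumptions; the <?= ?> tags need PHP 5.4+ and ?? needs PHP 7+. The captcha check and the mail() call are left out because they do not change how the notices are avoided.

```php
<?php
// Added example, not code from this thread. Assumed names: post_field(), h(), field(),
// $fields, $errors. Requires PHP 7+ for "??".
//
// Every field is read through one helper, so the first (GET) visit, a request with a
// key missing, or a tampered request such as first[]=x never raises "Undefined index"
// and never hands a non-string to trim() or htmlentities().
function post_field(string $name, string $default = ''): string {
    $v = $_POST[$name] ?? $default;
    return is_string($v) ? trim($v) : $default;
}

// Escape when echoing into HTML, not when reading; $fields holds raw text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$names  = ['first', 'last', 'subject', 'email', 'website', 'heard', 'message', 'captcha'];
$fields = [];
foreach ($names as $name) {
    $fields[$name] = post_field($name);            // '' on first visit, no notice
}

// One associative map replaces $flag1..$flag8: key = field name, value = message.
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    foreach (['first', 'last', 'subject', 'email', 'message', 'captcha'] as $name) {
        if ($fields[$name] === '') {
            $errors[$name] = 'Field required!';
        }
    }
    foreach (['first', 'last'] as $name) {
        // !== false: filter_var('0', FILTER_VALIDATE_INT) returns 0, which is falsy
        if (!isset($errors[$name]) && filter_var($fields[$name], FILTER_VALIDATE_INT) !== false) {
            $errors[$name] = 'A name cannot be a number!';
        }
    }
    if (!isset($errors['email']) && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Incorrect email address!';
    }
    // captcha check and mail() belong here once $errors is empty
}

// Label, input carrying the previous value, and the error directly under that field.
function field(string $name, string $label, array $fields, array $errors): string {
    $html  = '<p>' . h($label) . '</p>';
    $html .= '<p><input type="text" name="' . h($name) . '" size="40" value="' . h($fields[$name]) . '"/></p>';
    if (isset($errors[$name])) {
        $html .= '<p class="error">' . h($errors[$name]) . '</p>';
    }
    return $html;
}
?>
<form action="" method="post">
<?= field('first', 'Your first name: *', $fields, $errors) ?>
<?= field('last', 'Your last name: *', $fields, $errors) ?>
<?= field('subject', 'Subject: *', $fields, $errors) ?>
<?= field('email', 'Your email address: *', $fields, $errors) ?>
<?= field('website', 'Website:', $fields, $errors) ?>
<p>Where have you heard of us? *</p>
<p><select name="heard">
<?php foreach (['Internet', 'Newspapers', 'Friends or relatives', 'Others'] as $opt): ?>
<option<?= $fields['heard'] === $opt ? ' selected' : '' ?>><?= h($opt) ?></option>
<?php endforeach; ?>
</select></p>
<p>Your message: *</p>
<p><textarea cols="75" rows="20" name="message"><?= h($fields['message']) ?></textarea></p>
<?php if (isset($errors['message'])): ?><p class="error"><?= h($errors['message']) ?></p><?php endif; ?>
<?= field('captcha', 'Are you human? Sum this please: 5 + 7 = ?: *', $fields, $errors) ?>
<p><input type="submit" name="submit" value="Send" class="button"/></p>
</form>
```

    A <select> has no value attribute, so the previous choice is restored by putting selected on the matching <option> instead. Because the raw value is escaped with htmlspecialchars(..., ENT_QUOTES) at the moment it is written into the value="" attribute, a submitted value containing a double quote cannot break out of the attribute, and the mail body (when it is added) still receives the text the user actually typed.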

