Old 11-06-2012, 02:26 PM   PM User | #1
LJackson
Senior Coder
Join Date: Jun 2008
Location: Cornwall
Posts: 1,973
Thanks: 289
Thanked 12 Times in 12 Posts
please can someone take a look at my contact form and help make it secure?

Hi All

I have a contact form which needs securing. I've added some validation but I'm not sure if it's enough. If someone would kindly check it out and help me make it more secure I'd really appreciate it. Also, if anyone can suggest ways to improve it please do, as I want to create a form which I can use on many projects.

The code is:
PHP Code:
<?php
$emailAddress = 'myemailaddress';

/* config end */
require "phpmailer/class.phpmailer.php";

session_start(); /* starts session to save generated random number */

$sent = 0; /* default so the form is shown on the first (GET) request */

if(isset($_POST['submit']))
{
    $input1 = $_POST['myField1'];
    $input2 = $_POST['myField2'];
    $input3 = $_POST['myField3'];
    $input4 = $_POST['comment'];

    if(preg_match('/[^a-zA-Z]/', $input1) || strlen($input1) < 5)
    {
        #need to allow spaces
        $error[] = "Input1 be longer than 5 chars must not contain numbers or be left blank.";
    }

    /* lower bound matches the error message below */
    if(preg_match('/[^a-zA-Z]/', $input2) || strlen($input2) < 5 || strlen($input2) > 15)
    {
        $error[] = "Input2 be longer than 5 chars but less than 15 must not contain numbers or be left blank.";
    }

    // Set up regular expression string to evaluate the value of the email variable against
    $regex = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/';

    // Run the preg_match() function on regex against the email address
    if(!preg_match($regex, $input3))
    {
        $error[] = "Email error";
    }

    /* captcha must be present in both the POST and the session, and match */
    if(isset($_POST['captcha']) && isset($_SESSION['captcha']) && $_POST['captcha'] == $_SESSION['captcha'])
    {
        unset($_SESSION['captcha']); /* this line makes session free, we recommend you to keep it */
    }
    else
    {
        $error[] = 'Validation Check Incorrect'; #echo "Passed!"; /* YOUR CODE GOES HERE */
    }

    if(!isset($error))
    {
        $sent = 1;
        echo "<h1>Email Sent</h1>";
        $mail = new PHPMailer();
        $mail->IsMail();

        $mail->AddReplyTo($input3, $input1);
        $mail->AddAddress($emailAddress);
        $mail->SetFrom($input3, $input1);
        $mail->Subject = "Test Email!";

        /* escape the comment before it goes into an HTML body, keep the line breaks */
        $mail->MsgHTML(nl2br(htmlspecialchars($input4, ENT_QUOTES, 'UTF-8')));

        $mail->Send();
    }
    else
    {
        $sent = 0;
    }
}
?>
<html>
<head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
    <title>Contact</title>
    <script type="text/javascript" src="latest-jquery/jquery-1.5.1.min.js"></script>
    <script type="text/javascript" src="latest-jquery-ui/jquery-ui.min.js"></script>
    <script type="text/javascript" src="captcha/jquery.captcha.js"></script>
    <link href="captcha/captcha.css" rel="stylesheet" type="text/css" />
    <script type="text/javascript" charset="utf-8">
        $(function() {
            $(".ajax-fc-container").captcha({
                borderColor: "silver",
                text: "Verify that you are a human,<br />drag <span>scissors</span> into the circle."
            });
        });
    </script>
</head>
<body>
<?php
if(isset($error)) #Display any errors (a <ul> is not valid inside <p>, so a <div> is used)
{?>
    <div class='message error'><ul><?php foreach($error as $err){echo "<li>".htmlspecialchars($err, ENT_QUOTES, 'UTF-8')."</li>";}?></ul></div><?php
}

if($sent == 0) #IF FORM IS NOT SENT OR HAS ERRORS SHOW THE FORM ELSE HIDE THE FORM
{
    /* user input is HTML-escaped before being echoed back into the form */
?>
    <form action="#" method="post" id="myForm">
        <p><label for="Input1">Input 1</label><input type="text" name="myField1" value="<?php if(isset($input1)){echo htmlspecialchars($input1, ENT_QUOTES, 'UTF-8');}?>"></p>
        <p><label for="Input2">Input 2</label><input type="text" name="myField2" value="<?php if(isset($input2)){echo htmlspecialchars($input2, ENT_QUOTES, 'UTF-8');}?>"></p>
        <p><label for="Input3">Input 3</label><input type="text" name="myField3" value="<?php if(isset($input3)){echo htmlspecialchars($input3, ENT_QUOTES, 'UTF-8');}?>"></p>
        <p><label for="Input4">Input 4</label><br /><textarea name="comment" cols="36" rows="6"><?php if(isset($input4)){echo htmlspecialchars($input4, ENT_QUOTES, 'UTF-8');}?></textarea></p>
        <!-- Begin of captcha -->
        <div class="ajax-fc-container">You must enable javascript to see captcha here!</div>
        <!-- End of captcha -->
        <p><input id="submit" type="submit" name="submit" value="Submit"></p>
    </form><?php
}?>

</body>
</html>
many thanks
Luke

Last edited by LJackson; 11-06-2012 at 02:30 PM..
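An added example, not LJackson's code, of what a reusable validation layer for this form could look like: it validates the same four fields and the captcha token, uses PHP's own email filter instead of a hand-written regex (which also rejects the CR/LF characters that would otherwise let a submitter add mail headers), compares the captcha token in constant time, and escapes every value before it is echoed back into the page or into the HTML mail body. The field names (myField1..3, comment, captcha) come from the post; the function names, the 'errors'/'clean' result shape, the length limits and the sample input are this example's own assumptions. hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example (not LJackson's code). Validates the contact form fields from the post
// and returns cleaned values plus a list of error messages. Limits are assumptions.

/**
 * Validate the posted form. $post is the $_POST array; $sessionCaptcha is
 * $_SESSION['captcha'] or null when no captcha was generated for this session.
 * Returns array('errors' => string[], 'clean' => array).
 */
function validate_contact(array $post, $sessionCaptcha)
{
    $errors = array();
    $clean  = array();

    // Letters separated by single spaces, 5-40 chars. The post's regex rejected spaces
    // ("need to allow spaces"), so the pattern here allows them and trims the input first.
    $name = isset($post['myField1']) ? trim($post['myField1']) : '';
    if (!preg_match('/^[a-zA-Z]+( [a-zA-Z]+)*$/', $name) || strlen($name) < 5 || strlen($name) > 40) {
        $errors[] = 'Input1 must be 5-40 letters (spaces allowed).';
    }
    $clean['myField1'] = $name;

    // Letters only, 5-15 chars, as in the post.
    $field2 = isset($post['myField2']) ? trim($post['myField2']) : '';
    if (!preg_match('/^[a-zA-Z]+$/', $field2) || strlen($field2) < 5 || strlen($field2) > 15) {
        $errors[] = 'Input2 must be 5-15 letters.';
    }
    $clean['myField2'] = $field2;

    // filter_var() knows the address syntax and rejects CR/LF, so a value that would
    // inject extra mail headers never reaches PHPMailer's SetFrom()/AddReplyTo().
    $email = isset($post['myField3']) ? trim($post['myField3']) : '';
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email error';
    }
    $clean['myField3'] = $email;

    // Free text: strip control characters other than newline and tab, then cap the length.
    // preg_replace() returns null on invalid UTF-8, which is treated as an error.
    $comment = isset($post['comment']) ? $post['comment'] : '';
    $comment = preg_replace('/[^\P{C}\n\t]+/u', '', $comment);
    if ($comment === null || strlen($comment) < 1 || strlen($comment) > 4000) {
        $errors[] = 'Comment must be 1-4000 characters.';
    }
    $clean['comment'] = (string) $comment;

    // Captcha: missing session value fails closed; compare as strings in constant time.
    $token = isset($post['captcha']) ? (string) $post['captcha'] : '';
    if ($sessionCaptcha === null || $token === '' || !hash_equals((string) $sessionCaptcha, $token)) {
        $errors[] = 'Validation Check Incorrect';
    }

    return array('errors' => $errors, 'clean' => $clean);
}

/** Escape a value for HTML text or attribute context before echoing it into the form. */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** Build the HTML mail body: escape the comment, then turn newlines into <br />. */
function comment_to_html($comment)
{
    return nl2br(h($comment));
}

// Constructed sample input, not taken from any real submission.
$samplePost = array(
    'myField1' => 'Luke Jackson',
    'myField2' => 'Cornwall',
    'myField3' => 'luke@example.com',
    'comment'  => "Hello <b>there</b>\nsecond line",
    'captcha'  => 'abc123',
);

// Valid submission with a matching session token: no errors, escaped body.
$result = validate_contact($samplePost, 'abc123');
var_dump($result['errors']);
echo comment_to_html($result['clean']['comment']), "\n";

// Same data with a line break inside the email address and a non-matching session
// token: both the email check and the captcha check report an error.
$bad = $samplePost;
$bad['myField3'] = "luke@example.com\nextra";
$result = validate_contact($bad, 'zzz');
var_dump($result['errors']);
```

In the form from the post, `h($input1)` would replace the bare `echo $input1` in each value attribute, `comment_to_html($input4)` would feed `MsgHTML()`, and only `$result['clean']` values would be passed to PHPMailer. Unsetting `$_SESSION['captcha']` after a successful comparison, as the post already does, keeps the token single-use.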