Is this contact form secure?

02-21-2012, 03:07 PM
I have made a simple contact form using validations and so on. I want to get your feedback on whether it is secure or if anything else has to be implemented. The form code is:

The HTML code:

<form action="#" method="post">
<p>Your full name (Required):</p>
<p><input type="text" size="35" placeholder="Your name here..." name="name"/></p>
<p>Subject (Required):</p>
<p><input type="text" size="35" placeholder="Your subject..." name="subject"/></p>
<p>Your email address (Required):</p>
<p><input type="text" size="35" placeholder="Your email address..." name="email"/></p>
<p>Your message (Required):</p>
<p><textarea cols="72" rows="8" name="comments" class="text"></textarea></p>
<p>Are you human? 2 + 5 = ? (Required):</p>
<input type="text" size="15" placeholder="Your answer..." name="capcha"/>
<input class="submit" type="submit" value="Send" name="submit"/>
<input class="submit" type="reset" value="Reset"/>
</form>

The PHP code with validation is:

<?php
//Check if the form is submitted
if (isset($_POST['submit'])) {
    // Read the fields only once the form has been posted, so there are no undefined-index notices
    $fname = htmlentities($_POST['name'] ?? '');
    $subj = htmlentities($_POST['subject'] ?? '');
    $emailaddr = htmlentities($_POST['email'] ?? '');
    $message = htmlentities($_POST['comments'] ?? '');
    $cap = htmlentities($_POST['capcha'] ?? '');

    if (empty($fname) || empty($emailaddr) || empty($subj) || empty($message) || empty($cap)) {
        echo '<p class="error">All fields must be filled!</p>';
        return false;
    } elseif (filter_var($fname, FILTER_VALIDATE_INT) !== false) {
        echo '<p class="error">Name must not be numbers!</p>';
        return false;
    } elseif (!filter_var($emailaddr, FILTER_VALIDATE_EMAIL)) {
        echo '<p class="error">Invalid email!</p>';
        return false;
    } elseif ($cap !== '7') {
        echo '<p class="error">You seem a robot, try again!</p>';
        return false;
    } else {
        $body = "From: $fname \n E-Mail: $emailaddr \n Message:\n $message";
        mail("alithebestofall2010@gmail.com", $subj, $body, "From: " . $emailaddr);
        // header() must be sent before any output, so the redirect goes out before the echo
        header('refresh:5; url=index.php');
        echo '<p class="thank">Thank you for using our mail form! You will be redirected to the homepage in 5 seconds!</p>';
    }
}
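
As an added example (editorial, not the original poster's code), here is the same contact-form handler with the checks a reviewer would want before calling it secure: the fields are read only after the request is confirmed to be a POST, they are validated raw and HTML-encoded only when echoed back into the page (the e-mail itself is plain text, so entity-encoding the body buys nothing there), any value that ends up in a mail header is refused if it contains a CR or LF, the submission must carry a per-session anti-CSRF token, the From header names a mailbox on the site's own domain with the visitor's address in Reply-To, and the Refresh header is sent before any output. The recipient address, the `webform@example.com` sender and the session-based token scheme are assumptions; `index.php` is the redirect target from the original.

```php
<?php
// Added example, not the original poster's code: the contact-form handler
// with the checks a reviewer would ask for. RECIPIENT and FROM_MAILBOX are
// assumed placeholders.
declare(strict_types=1);
session_start();

const RECIPIENT    = 'you@example.com';       // assumption: the real destination mailbox
const FROM_MAILBOX = 'webform@example.com';   // assumption: a mailbox on this site's own domain

// One anti-CSRF token per session; the form must carry it in a hidden field.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Fetch one POST field as a trimmed string. Arrays (name[]=...) count as empty.
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// True when the value contains no CR or LF, i.e. it cannot smuggle extra mail headers.
function headerSafe(string $v): bool
{
    return preg_match('/[\r\n]/', $v) !== 1;
}

// Validate the raw POST fields. Returns a list of error messages; an empty
// list means the submission may be mailed. Nothing is HTML-encoded here:
// encoding belongs at output time, and the e-mail itself is plain text.
function validate(array $post, string $expectedToken): array
{
    $errors  = [];
    $name    = field($post, 'name');
    $subject = field($post, 'subject');
    $email   = field($post, 'email');
    $message = field($post, 'comments');
    $cap     = field($post, 'capcha');

    if (!hash_equals($expectedToken, field($post, 'csrf'))) {
        $errors[] = 'Invalid or missing form token, please reload the page.';
    }
    if ($name === '' || $subject === '' || $email === '' || $message === '' || $cap === '') {
        $errors[] = 'All fields must be filled!';
    }
    if (!headerSafe($name) || !headerSafe($subject) || !headerSafe($email)) {
        $errors[] = 'Line breaks are not allowed in the name, subject or email.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email!';
    }
    if (mb_strlen($subject) > 200 || mb_strlen($message) > 5000) {
        $errors[] = 'Subject or message is too long.';
    }
    if ($cap !== '7') {
        $errors[] = 'You seem a robot, try again!';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $errors = validate($_POST, $_SESSION['csrf']);
    if ($errors !== []) {
        foreach ($errors as $e) {
            // Encode for HTML only at output time.
            echo '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        $name    = field($_POST, 'name');
        $subject = field($_POST, 'subject');
        $email   = field($_POST, 'email');
        $message = field($_POST, 'comments');

        // From is a mailbox we control, so the message never claims to come from
        // an address we do not own; the visitor's address goes in Reply-To.
        $headers = 'From: ' . FROM_MAILBOX . "\r\n"
                 . 'Reply-To: ' . $email . "\r\n"
                 . "Content-Type: text/plain; charset=UTF-8\r\n";
        $body = "From: $name\nE-Mail: $email\nMessage:\n$message\n";

        if (mail(RECIPIENT, $subject, $body, $headers)) {
            $_SESSION['csrf'] = bin2hex(random_bytes(32));   // fresh token per successful submission
            header('Refresh: 5; url=index.php');             // headers go out before any output
            echo '<p class="thank">Thank you for using our mail form! You will be redirected to the homepage in 5 seconds!</p>';
        } else {
            echo '<p class="error">The message could not be sent, please try again later.</p>';
        }
    }
}
```

The form itself needs one extra hidden field for the token, for example `<input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>"/>`, and the page must call `session_start()` before it renders that field. The CR/LF check is the part that matters most for a form that calls `mail()`: the subject and the Reply-To value are copied into the message headers, so a newline in either would otherwise let a visitor append headers of their own.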

02-21-2012, 03:52 PM
It looks good. I wouldn't use PHP to send anything like passwords or valuable data through email, but if it's just some feedback it should be fine.

02-21-2012, 04:12 PM
No need for the return false; they're to be used in functions only.

02-21-2012, 04:33 PM
But is it bad if I leave it? I have this habit each time I work with a form, LOL, of putting return false! :)

02-21-2012, 04:48 PM
It isn't going to harm anything, but they're not needed. There is nothing to return to.