
Please advise if the form validation script below is secure enough to avoid most types (all types?) of contact form exploits? I have found this script online, added some extra PHP functions in the hope of making it safer, but not completely sure if it is good for the purpose.

if ($_SERVER["REQUEST_METHOD"] == "POST" && !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
 // Get the form fields and remove whitespace.
 $name = strip_tags(trim($_POST["name"]));
 $name = str_replace(array("\r","\n"),array(" "," "),$name);
 $email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
 $message = strip_tags(trim($_POST["message"]));
 // Check that data was sent to the mailer.
 if ( empty($name) OR empty($message) OR !filter_var($email, FILTER_VALIDATE_EMAIL)) {
 // Set a 400 (bad request) response code and exit.
 //http_response_code(400);
 echo "Oops! There was a problem with your submission. Please complete the form and try again.";
 exit;
 }
 // Set the recipient email address.
 // FIXME: Update this to your desired email address.
 $recipient = "email_here";
 // Set the email subject.
 $subject = "New contact from $name";
 // Build the email content.
 $email_content = "Name: $name\n";
 $email_content .= "Email: $email\n\n";
 $email_content .= "Message:\n$message\n";
 // Build the email headers.
 $email_headers = "MIME-Version: 1.0\r\n";
 $email_headers .= "Content-type: text/html; charset=utf-8\r\n"; 
 $email_headers .= "From: $name <$email>\r\n";
 $email_headers .= "Reply-To: $email\r\n";
 $email_headers .= "Return-Path: $email\r\n";
 $email_headers .= "Organization: Bilingual Counselling\r\n"; 
 // Send the email.
 if (mail($recipient, $subject, $email_content, $email_headers)) {
 // Set a 200 (okay) response code.
 //http_response_code(200);
 echo "Thank You! Your message has been sent.";
 } else {
 // Set a 500 (internal server error) response code.
 //http_response_code(500);
 echo "Oops! Something went wrong and we couldn't send your message.";
 }
}
Alex L
asked Sep 30, 2014 at 16:09

1 Answer


I think it looks ok - though someone might want to add on if they notice any issues I may have missed. However, a bit of cleanup goes a long way:

# Set a 500 (internal server error) response code.
function outputResponse($override = "", $code = 500){
 # http_response_code($code);
 echo $override ?: "Oops! Something went wrong and we couldn't send your message.";
 exit;
}
# Exit early while doing negative checks
if (empty($_SERVER['HTTP_X_REQUESTED_WITH']) ||
    strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest' ||
    $_SERVER["REQUEST_METHOD"] != "POST") {
 outputResponse();
}
# Get the form fields and remove whitespace.
$name = strip_tags(trim($_POST["name"]));
$name = str_replace(array("\r","\n"),array(" "," "),$name);
$email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
$message = strip_tags(trim($_POST["message"]));
# Check that data was sent to the mailer.
if ( empty($name) OR empty($message) OR !filter_var($email, FILTER_VALIDATE_EMAIL)) {
 # Set a 400 (bad request) response code and exit.
 outputResponse("Oops! There was a problem with your submission. Please complete the form and try again.", 400);
}
# Set the recipient email address.
$recipient = "email_here";
# Set the email subject.
$subject = "New contact from $name";
# Build the email content.
$email_content = "Name: $name\n";
$email_content .= "Email: $email\n\n";
$email_content .= "Message:\n$message\n";
# Build the email headers.
$email_headers = "MIME-Version: 1.0\r\n";
$email_headers .= "Content-type: text/html; charset=utf-8\r\n"; 
$email_headers .= "From: $name <$email>\r\n";
$email_headers .= "Reply-To: $email\r\n";
$email_headers .= "Return-Path: $email\r\n";
$email_headers .= "Organization: Bilingual Counselling\r\n"; 
# Send the email.
if (mail($recipient, $subject, $email_content, $email_headers)) {
 # Set a 200 (okay) response code.
 outputResponse("Thank you! Your message has been sent.", 200);
} else {
 outputResponse();
}
answered Sep 30, 2014 at 16:20
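The security-relevant step in both versions is the header block handed to mail(): the script defends against header injection by stripping CR/LF from $name and validating $email. The following is an added example, not code from the question or the answer, showing a stricter variant of that step: it rejects any field containing a line break instead of silently repairing it, keeps the visitor's address out of From (only in Reply-To), and sets Content-Type to text/plain so the body matches what strip_tags() produces. The sender address $siteFrom is a placeholder assumption.

```php
<?php
// Added example (not from the question or answer): build mail() headers so that
// a value containing a line break is refused rather than patched up.

// CR, LF or NUL in a header value is what lets extra headers be appended to the
// message mail() passes to the MTA, so any such value is rejected outright.
function hasHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Strict address check: FILTER_VALIDATE_EMAIL plus an explicit line-break test
// (defence in depth; the filter alone already rejects such characters).
function validEmail(string $email): bool
{
    return !hasHeaderBreak($email) && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Builds the header block, or returns null if any field would break its structure.
// The visitor's address goes only into Reply-To; From stays a site-owned address,
// so SPF/DMARC for the site's own domain still align on the outgoing message.
function buildHeaders(string $name, string $email, string $siteFrom): ?string
{
    if (hasHeaderBreak($name) || !validEmail($email) || !validEmail($siteFrom)) {
        return null;
    }
    // RFC 2047 encoding keeps non-ASCII names valid and neutralises display-name
    // special characters (quotes, angle brackets) without altering the name itself.
    $encodedName = '=?UTF-8?B?' . base64_encode($name) . '?=';
    return "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=utf-8\r\n"
         . "From: $encodedName <$siteFrom>\r\n"
         . "Reply-To: $encodedName <$email>\r\n";
}

// Constructed inputs: one benign name and one carrying an injected extra header.
$siteFrom = 'contact@example.invalid';   // placeholder: replace with the site's own address
foreach (['Alex', "Alex\r\nBcc: someone@example.com"] as $name) {
    $headers = buildHeaders($name, 'alex@example.com', $siteFrom);
    echo json_encode($name), ' => ', $headers === null ? 'rejected' : 'accepted', "\n";
}
```

The envelope sender that the original sets through a Return-Path header is better passed as mail()'s fifth argument (`-f address`), since most MTAs overwrite Return-Path themselves.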
