!!blue Posted December 29, 2003

I have a PHP form that I use on my site that is very easy. My question is, is it secure? Here's the code:

```php
<table width="370" cellpadding="0" cellspacing="0" border="0">
<tr>
<td colspan="2">
<?php
$to = "myEMail@here.com";
// Read the fields from $_POST instead of relying on register_globals.
$Name    = isset($_POST['Name'])    ? $_POST['Name']    : "";
$Email   = isset($_POST['Email'])   ? $_POST['Email']   : "";
$Message = isset($_POST['Message']) ? $_POST['Message'] : "";
$from_header = "From: $Name <$Email>";
// The address must be non-empty AND match the pattern; the posted version used ||
// and compared the string against the pattern with ==, so the check never matched.
if ($Email != "" && preg_match('/^[_.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$/', $Email)) {
    mail($to, "Subject", "\n$Name\n$Email\n\nComments...\n$Message\n", $from_header);
    print("<span class=side><b>Your note has been sent! Send another if you like!</b></span><br>");
} else {
    echo "<span class=side><b>Send me a note!</b></span><br>";
}
?>
</td>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<tr align="left" valign="top">
<td width="75"><p class="side">Name:</p></td>
<td><input type="text" name="Name" size="30" maxlength="30"></td>
</tr>
<tr align="left" valign="top">
<td><p class="side">E-mail:</p></td>
<td><input type="text" name="Email" maxlength="30" size="30"></td>
</tr>
<tr align="left" valign="top">
<td><p class="side">Message:</p></td>
<td><textarea name="Message" wrap rows="5" cols="30"></textarea></td>
</tr>
<tr align="center" valign="top">
<td><br>
<input type="submit" name="submit" value="Send"><br>
<br>
</td>
<td><br>
<input type="reset" name="reset" value="Clear"><br>
</td>
</tr>
</form>
</table>
```

Should I use something else? Is this form susceptible to hacker/spam attacks? Thanks, !!blue
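An added example (editor's code, not !!blue's script or the site it was downloaded from): the handler half of the same contact form, with every field checked before mail() is called. It assumes PHP 5.2 or later (for filter_var) with register_globals off, and keeps the placeholder address and subject from the post.

```php
<?php
// Added example, not the poster's script: the handler half of the contact form
// with each field checked before mail() is called. Assumes PHP 5.2+ (filter_var)
// and register_globals off, so fields are read from $_POST.
$to = "myEMail@here.com";   // stays in the PHP only; it is never written into the HTML

function clean_field($value, $max)
{
    // Trim and cap the length: the form's maxlength is only a browser hint.
    $value = substr(trim((string) $value), 0, $max);
    // Strip CR/LF so a field cannot add extra lines to the mail headers.
    return str_replace(array("\r", "\n"), '', $value);
}

function valid_email($email)
{
    // The built-in filter does the job the posted address pattern was meant to do;
    // an empty address is rejected as well.
    return $email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function send_note($name, $email, $message, $to)
{
    $name    = clean_field($name, 30);
    $email   = clean_field($email, 30);
    $message = substr(trim((string) $message), 0, 2000);
    if ($name === '' || !valid_email($email) || $message === '') {
        return false;                 // nothing is sent for an incomplete form
    }
    $from_header = "From: $name <$email>";
    return mail($to, "Subject", "\n$name\n$email\n\nComments...\n$message\n", $from_header);
}

$sent = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = send_note(
        isset($_POST['Name'])    ? $_POST['Name']    : '',
        isset($_POST['Email'])   ? $_POST['Email']   : '',
        isset($_POST['Message']) ? $_POST['Message'] : '',
        $to
    );
}
if ($sent) {
    print "<span class=side><b>Your note has been sent! Send another if you like!</b></span><br>";
} else {
    echo "<span class=side><b>Send me a note!</b></span><br>";
}
```

The form's action attribute should be written as htmlspecialchars($_SERVER['PHP_SELF']) rather than a bare $PHP_SELF, for the same reason the fields above are cleaned before use.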
borfast Posted December 29, 2003

I used to think that HTML forms were a relatively easy way to prevent spammers from harassing me, but recently I found out that I was wrong. Somehow I got some messages in my inbox that went there through one of the contact forms I have in one of my websites. I suppose it's not that hard to create a script to look into websites, search for contact forms and fill them out. From the top of my head, the only way I see to prevent this is using some kind of image authentication, like the one used by IPB when you register a new user. The page presents you with an image containing some sort of code that you must type in a text box, and the e-mail only gets sent if the code you submit matches the one on the image. That code can't be read by a simple script because it's in an image, making the form secure from spammers - at least until someone finds a way for scripts to read the codes, that is...
Gmaper Posted December 29, 2003

> I have a PHP form that I use on my site that is very easy. My question is, is it secure?

I have heard that it is very insecure to hard code the email information directly into your page. On my site I use a package called NMS Formmail which is supposed to make the process more secure. Check out the FormMail script at http://nms-cgi.sourceforge.net/scripts.shtml and if you follow the FAQ link you can find out more about the problem and why NMS is better than the previously used script.
surefire Posted December 29, 2003

> I have heard that it is very insecure to hard code the email information directly into your page.

If you mean to hardcode the email address into a php, cgi, or other server side language, then I disagree. If you mean to put the email address into the html that makes your form, then I agree, that's insecure.

Raul said:

> I suppose it's not that hard to create a script to look into websites, search for contact forms and fill them out. From the top of my head, the only way I see to prevent this is using some kind of image authentication, like the one used by IPB when you register a new user.

That's one way... another is an authentication check to prevent posted data coming from a site other than yours. The image generation idea is a good one, so long as you realize you are raising the 'pain in the butt' factor and might turn away the lazy. If you're okay with that, then the image generation idea is a sound one. Actually, for most sites it wouldn't have to be as complex as an image... just a random alphanumeric string that the user copies into the form. It can be read by other scripts, but a spammer would have to write one just for your site... not worth the effort. But here's a link to a php class you might use for that image generation: ht*p://www.phpclasses.org/browse.html/package/1329.html
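An added example (editor's code, not surefire's or any script linked in the thread) of the two checks this post describes: a random alphanumeric string the visitor copies into the form, with the expected value kept in the session, plus a check that the post came from our own page. It assumes PHP sessions are available; SITE_HOST is a placeholder for the site's own hostname.

```php
<?php
// Added example, not from the thread: the "copy this string into the form"
// check surefire suggests, plus his check that the post came from our own page.
// Assumes PHP sessions are available; SITE_HOST is a placeholder for your host.
session_start();
define('SITE_HOST', 'www.example.com');
function new_challenge($length = 6)
{
    // Letters/digits that are not easily confused (no 0/O, 1/I/l).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    $_SESSION['challenge'] = $code;   // the answer lives server-side, never in the form
    return $code;
}

function challenge_ok($answer)
{
    if (empty($_SESSION['challenge'])) {
        return false;
    }
    $expected = $_SESSION['challenge'];
    unset($_SESSION['challenge']);    // one try per code; a miss forces a fresh one
    return strcasecmp(trim($answer), $expected) === 0;
}

function posted_from_our_site()
{
    // The Referer header can be forged or stripped, so this is a cheap filter,
    // not proof of origin; the challenge above is the real check.
    if (empty($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, SITE_HOST) === 0;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $answer = isset($_POST['challenge']) ? $_POST['challenge'] : '';
    if (posted_from_our_site() && challenge_ok($answer)) {
        echo 'Your note has been sent!';      // validate the other fields and mail() here
    } else {
        echo 'Please copy the code exactly as shown and try again.';
    }
}
$code = new_challenge();
echo '<p>Copy this code into the box: <b>' . htmlspecialchars($code) . '</b></p>';
echo '<input type="text" name="challenge" size="8">';
```

Because the code is plain text on the page rather than an image, a screen reader can present it, which is the accessibility point raised in the next reply.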
borfast Posted December 29, 2003 (edited)

Jack's idea is good, too. I did forget to mention one problem about the code-in-image idea: you will prevent visually impaired visitors from contacting you. The random alphanumeric string idea Jack suggested does not suffer from this problem. There are lots of things you could imagine to improve your form. It's just a matter of imagining stuff you'd require your visitors to do in order to prove they are not 'simple' scripts. Jack, perhaps you want to improve your Ultimate Form Mail PHP script with such a feature.

Edited December 29, 2003 by TCH-Raul
boxturt Posted December 29, 2003

Very clever idea indeed! I gotta learn more about all this stuff. I ordered a couple of recommended php books from an outfit back at the beginning of December and they just now get back to me - 'out of stock - money refunded'. grrrrr Mad!!!
!!blue (author) Posted December 29, 2003

Well, the answer I got from the website that I downloaded the PHP form from is this:

> If a spammer wants to send you (or the person with the "to" address in the script) a lot of the same emails, they can do that, but no spammers or bots can get any addresses out of this form. thanks -dan

I think that's enough for me.

boxturt: I feel your pain; usually the bookstore I frequent never has a certain book.
cheapwebsolutions Posted January 6, 2004

I use a form-2-email script that uses arrays so your email addresses aren't in your code for some people to steal. You set up an array with email addresses and then just use the index number in your form code.