• Search for:

• About

  Welcome to the Phurix research and development labs. Here you'll find our experiments and findings as part of our on going Internet engineering.

• Projects

  • Bitcoin eWallet
  • Domain Name Whois
  • Down Or Me
  • Eggdrop TCL
  • PageRank Viewer
  • TrackJacker
  • URL Shortner
  • Validate an email address
  • What is my IP?

• Recent Comments

  • James Wade on Parts inside your printer are at the end of their service life
  • Marcel on Parts inside your printer are at the end of their service life
  • James Wade on PHP OpenSRS Client
  • Jon on PHP OpenSRS Client
  • James Wade on Google PageRank Script

• Subscribe to our newsletter

  Email Address :

← Windows Genuine Advantage Removal Mounting an ISO image →

How to correctly make a PHP contact form

Posted on February 5, 2007 by admin

I use contact forms on many websites, and over the years I have discovered many problems with using them, including hijacking, mail injection, server hacks, XSS and platform issues.

The main cause of this is simply due to lack of validation and error checking.

Firstly you must fully understand how forms work with PHP. When you set the form “method” to POST, it sends the data to PHP as a super global variable called “$_POST”. In the HTML each “input” has a “name”, that is used to identify the related data.

For example, there is an input field named “message”, to retrieve this in PHP you simply use “$_POST['message']“, we will be using this method to pass the data between the form and PHP for processing.

This is a fine example of how NOT to do it, so what is wrong with this method you may ask?

Here are some of the issues we need to overcome:

• Data directly input into the mail() function without processing
• Does data from input fields contain malicious code
• Check user input is not empty
• Validation on user inputs
• If the email address the user entered is real
• Whether the email successfully sent or not
• Ensure the correct data is processed
• Which website the form was sent from
• The IP address of the sender
• Display the form at appropriate times
• Append additional fields to the end of the message

Download here: PHP Contact Form by HM2K v1.0.1

The comments I have made within the code explains the reason what it does, and why it is included.

I hope this solves some of the problems people experience with contact forms.

Additional Notes:

• phpro.com offers further details on User Input Validation, ideal for more advanced forms.
• In this example I have not used tableless CSS friendly forms, just keep the focus on the PHP.
• You may also wish to add a captcha security code for added anti-spam protection.

Related posts:

1. Contact There are a number of ways to contact us: Find...
2. Don’t forget to run make test! During my install of PHP5 on FreeBSD… Build complete. Don’t...
3. exim on another port for smtp When a business I know had trouble with their broadband...
4. How to Minimize Microsoft Office Outlook to the System Tray Open your registry and find or create the key below....
5. No Message Alerts Problem on Nokia N95 A couple of weeks ago I noticed that the alerts...

About admin

The author formerly known as HM2K is now the Phurix Labs administrator.