Hey all, I have been using PHP to validate forms for a while now, but I'm wondering just how secure this script is that I use. I put the script together using snippets from several places, like what I learned in school, css-tricks, php.net, etc. Is there anything I can add, short of a captcha, to add some spam filtering or some extra validation?
<?php
// Strips tags and backslashes, trims, then encodes what is left for output inside HTML.
// ENT_NOQUOTES leaves ' and " alone, which is fine for element content (as used below)
// but not for attribute values. stripslashes() only makes sense for input that was
// escaped by the old magic_quotes setting; on a modern PHP it just removes real backslashes.
function stripcleantohtml($s)
{
    return htmlentities(trim(strip_tags(stripslashes($s))), ENT_NOQUOTES, "UTF-8");
}

// HTML body of the notification e-mail built from the submitted values.
$emailbody = "<p>You have received a new message from the contact form on your website.</p>
<p><strong>Name: </strong> {$name} </p>
<p><strong>Email Address: </strong> {$email} </p>
<p><strong>Telephone: </strong> {$phone} </p>
<p><strong>Comments: </strong> {$comments} </p>
<p>This message was sent from the IP Address: {$ipaddress} on {$date} at {$time}</p>";
I have had this implemented on a handful of sites for about 3-4 months now, but soon these sites will have Adwords accounts and will be posted on hundreds of blogs so that is why I want to make sure there won't be much spam.
Several of the sites are tailored to a senior citizen demographic, so that is why I am strongly against using a Captcha. I tried a honeypot, but couldn't get it to work right :/
Other than that, another simple technique to add is to rename your visible fields. E.g. call your email field phonenumber and vice versa. Robots are stupid; they will fill out an email in the phonenumber field and vice versa. If you check both of them strictly, most robots would already fail.
One other simple technique is to check the browser of the visitor. If it isn't a real browser, you don't show a form but other contact information like a phone number instead. You have to keep the browser list (not versions but engines) up to date though.
Thanks a lot for the tips, think I'll test some of those out probably.
Maybe a newbie question, but I don't know much about robots. When a robot fills out a form and it does not pass validation, what happens next? Do robots keep repeating (filling the form out again and again) to try to pass validation, or do they just move on to another site? Got any links about robots themselves? I can't seem to find any.
Another question, I have some "selects" in this form I need to make required to make a selection before the form submits too, and due to the demographic again I cannot just use the required HTML5 attribute. Any ideas how I can do this?
Same sort of thing with the select boxes. Just check in the PHP that there is a value entered for $_POST['selectboxnamegoeshere']. I tend to set my select boxes up so the initial "Please Select" text has a value of -1, and then just check that the value does not equal -1.
Thinking out loud here, if I check if that select is empty, and I leave the first option's value attribute empty, wouldn't that force them to select another option with a value?
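As an added example (not code posted in this thread), here is the server-side half of that idea in PHP. It treats the placeholder option (whether it carries an empty value or -1) as "nothing chosen", and it also checks the submitted value against the option values the form actually rendered, since a bot or a tampered form can post anything it likes. The field name "subject" and the option list are assumptions for the demo.

```php
<?php
// Added example, not from the thread. Assumes a <select name="subject"> whose
// allowed option values are the keys of $subjectOptions and whose first option
// ("Please select") has an empty value (a -1 sentinel is handled as well).

$subjectOptions = [
    'sales'   => 'Sales enquiry',
    'support' => 'Support request',
    'other'   => 'Something else',
];

/**
 * Returns the validated option key, or null when the field is missing, still on
 * the placeholder ('' or '-1'), or carries a value that was never rendered as an
 * option. The caller shows the asterisk whenever null comes back.
 */
function requiredSelect(array $post, string $field, array $options): ?string
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;                      // field absent, or sent as an array
    }
    $value = $post[$field];
    if ($value === '' || $value === '-1') {
        return null;                      // placeholder option never counts as a choice
    }
    // Strict membership test against the rendered option values, not just "non-empty".
    return array_key_exists($value, $options) ? $value : null;
}

/** Renders the select so the placeholder has an empty value and nothing else does. */
function renderSelect(string $field, array $options, ?string $selected = null): string
{
    $html  = '<select name="' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . '">';
    $html .= '<option value="">Please select</option>';
    foreach ($options as $value => $label) {
        $attr  = ($value === $selected) ? ' selected' : '';
        $html .= sprintf('<option value="%s"%s>%s</option>',
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), $attr,
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '</select>';
}

// Constructed sample submissions (no real POST data) covering the cases that matter.
$samples = [
    'missing'     => [],
    'placeholder' => ['subject' => ''],
    'sentinel'    => ['subject' => '-1'],
    'tampered'    => ['subject' => 'admin'],
    'array'       => ['subject' => ['sales']],
    'valid'       => ['subject' => 'support'],
];
foreach ($samples as $name => $post) {
    $result = requiredSelect($post, 'subject', $subjectOptions);
    printf("%-12s -> %s\n", $name, $result === null ? 'error (asterisk)' : "ok: $result");
}

// On a form re-display, pass the validated value back so the user's choice sticks:
echo renderSelect('subject', $subjectOptions, requiredSelect($samples['valid'], 'subject', $subjectOptions)), "\n";
```

The strict membership check is the part that matters for security: an empty or -1 test only catches a forgotten selection, while the lookup against $subjectOptions also stops anything the form never offered from reaching the e-mail or the database.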
Sometimes it's best to check for each flaw separately like you're doing now so you can provide very specific feedback to the user about what is wrong. If you want it short you can, for example, combine the length checks into one line. I guess it's really up to you and how much time you have ;)
Regarding spam, I have used slightly altered field names in the past and it works best without asking too much from the user (captcha stuff). Renaming something like email to female stops 99% of the spam. It just looks stupid in the code, but if you have some generic function that processes all form posts it doesn't matter (the PHP process function can rename the "rewritten" fields back to their original names, etc.).
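The two replies above describe the same trick: give the visible fields misleading names, map them back in one generic processing function, and then validate each logical field strictly so a bot that fills by field name fails. As an added example (not code from anyone in this thread), here is one way to wire that up in PHP, with a CSS-hidden honeypot field thrown in since it fits the same mechanism. The field names, the name/phone/comment limits and the honeypot field are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. Visible HTML names are deliberately
// swapped; "website" is a honeypot (rendered, hidden with CSS, never filled by a human).
// HTML name => logical name.
const FIELD_MAP = [
    'phone'   => 'email',     // label says Email, but the name says phone
    'email'   => 'phone',     // label says Telephone, but the name says email
    'fname'   => 'name',
    'message' => 'comments',
    'website' => 'honeypot',
];

/** Renames posted fields back to their logical names; fields not in the map are dropped. */
function remapFields(array $post): array
{
    $out = [];
    foreach (FIELD_MAP as $htmlName => $logical) {
        $value = $post[$htmlName] ?? '';
        $out[$logical] = is_string($value) ? trim($value) : ''; // array values count as empty
    }
    return $out;
}

/**
 * Strict per-field checks on the remapped fields. Returns the logical names that
 * failed (empty array = clean submission); 'honeypot' in the list means a bot.
 */
function validateContact(array $f): array
{
    $errors = [];
    if ($f['honeypot'] !== '') {
        $errors[] = 'honeypot';
    }
    if ($f['name'] === '' || strlen($f['name']) > 100) {          // byte limit, assumption
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF as well, so a value that passes here is safe
    // to use in a Reply-To header. A phone number lands here when a bot fills by name.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Phone: optional +, digits and common separators, 7..20 digits in total.
    // An e-mail address cannot pass this, which is the point of the swap.
    $digits = preg_replace('/\D/', '', $f['phone']);
    if (!preg_match('/^\+?[0-9 ().-]+$/', $f['phone']) || strlen($digits) < 7 || strlen($digits) > 20) {
        $errors[] = 'phone';
    }
    if ($f['comments'] === '' || strlen($f['comments']) > 2000) {  // byte limit, assumption
        $errors[] = 'comments';
    }
    return $errors;
}

// Constructed submissions: what a human sends versus what a name-driven bot sends.
$human = ['phone' => 'mary@example.org', 'email' => '+1 (555) 010-2020',
          'fname' => 'Mary', 'message' => 'Please call me.', 'website' => ''];
$bot   = ['phone' => '5550102020', 'email' => 'bot@example.net',
          'fname' => 'Bot', 'message' => 'Buy now!', 'website' => 'http://spam.example'];

foreach (['human' => $human, 'bot' => $bot] as $who => $post) {
    $errors = validateContact(remapFields($post));
    echo $who, ': ', $errors ? 'rejected (' . implode(', ', $errors) . ')' : 'accepted', "\n";
}
```

When 'honeypot' is among the errors it is better to answer with the normal "thanks, we'll be in touch" page than with the asterisks, so the bot gets no signal that it was caught. The remap step also means the e-mail-building code keeps using $name, $email and $phone as before; only FIELD_MAP changes when you rename fields on a form.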
@rolf, in most circumstances I think that makes sense so you can deliver a specific error for what is wrong in each case. In this specific situation I do not have room for descriptions, so every error is an asterisk. I was just thinking it may save some load/parse time to condense the validation?
Thanks for your input.
php:
html:
Think that is decent enough?
??? Or should even the id be renamed? Thanks
I am thinking of coming up with a different naming solution for all my forms and then I can stick with it and never get confused. I don't care about renaming, because in the mail function I can have:
or
depending on how you set your mail function up.