Contact Page Code, looks safe?

jigga

I am very very new to PHP so what I need is some critique on weather the code I had written is safe and exploit proof, its the code i use for my contact page.

<?php


$your_email = "lalal@lala.com";


$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>";


$thankyou_message = "<p>Thank You. Your message has been sent. We will reply shortly.</p>";



$name = stripslashes($_POST['txtName']);
$email = stripslashes($_POST['txtEmail']);
$subject = stripslashes($_POST['txtSubject']);
$message = stripslashes($_POST['txtMessage']);

if (!isset($_POST['txtName'])) {

?>

<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">

<label for="txtName"><b>Your Name</b>:</label><br />
<input class="txtName" type="text" title="Enter your name" name="txtName" size="30" height="20"/>
<br /><br />
<label for="txtEmail"><b>Your E-mail</b>:</label><br />
<input class="txtEmail" type="text" title="Enter your email address" name="txtEmail" size="30" />
<br /><br />
<label for="txtSubject"><b>Subject</b>:</label><br />
<input class="txtSubject" type="text" title="Enter a subject" name="txtSubject" size="30" />
<br /><br />
<label for="txtMessage"><b>Message</b>:</label><br />
<textarea class="txtMessage" title="Enter your message" name="txtMessage" rows="5" cols="35"></textarea>
<br /><br />
<label title="Send your message">
<input type="submit" class="forumbutton" value="Send" /></label>&nbsp;&nbsp;<input type="reset" class="forumbutton" value="Clear" />
</p>

</form>

<?php

}

elseif (empty($name) || empty($email) || empty($subject) || empty($message)) {

echo $empty_fields_message;

}

else {


$referer = $_SERVER['HTTP_REFERER'];

$this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];

if ($referer != $this_url) {
    echo "You do not have permission to use this script from another URL.";
    exit;
}

mail($your_email, $subject, $message, "From: $name <$email>");


echo $thankyou_message;

}

?>

So how does that look to you guys? All comments/concers are welcome. Thank you very much.

tony_l

Looks good for a first script. My first script was trying to connect to a database - at the time I thought I would never get it, and here it is 6 years later - I LOVE PHP!!

OK, I digress...

Something you need to know about security -

NEVER trust input from the user!

This means if the user has input some value and that value becomes a part of your script - do not trust it. Eventhough you do not have a call to any database functions here, I am going to use it as an example...

The user can then enter something sinister using a single quote, and injecting their own code in the select or insert statement and wreak havoc on your server.

This is called an SQL injection attack.

How does this apply to your script?

Well, you are trusting your users input. They may not be up to something sinister, but what if they make a mistake when entering their email address? The email will be sent, but to the wrong person! The user would then think that they have sent an email successfully, but in reality, they did not.

How to remedy the situation....

Use regular expressions to catch mistakes and to validate your users input. This does two things - it ensures that they are inputing the information in the correct format, and the user is not putting something you don't want in there.

Regular expressions are mystic little creatures, but with some taming and a whip, you will be using them alot - and enjoying it! I suggest doing a google search on "PHP regular expressions validating email". There is a regular expression out there that will check to see if the email is in the format abc@abc.abc. Regular expressions seem to be difficult at first, but they are not really. All a regular expression is is a function that matches a pattern in a given string.

Hope all that helps man.

For the most part, though - the script looks good.

sidsel

As the previous person said email validation is very important as your script can be used for sending spam by a thirdparty. Ie: [email]abc@abc.com;def@def.com;ghi@ghi.com[/email] ...

bradgrafelman

It is very common in this era of PHP mail scripts to see hackers/spammers exploiting vulnerabilities in scripts to mass-send spam to whomever they please.

As such, I would highly recommend you integrate a decent CAPTCHA into these types of scripts to help prevent the average script kiddie from abusing the form. While most of the image-based CAPTCHAs have been cracked, it's still better than nothing.