I have a site in which users upload pictures and then people can comment on other people's photos. I also have a contact section where users may contact individuals on the site.
The problem is that when the form is submitted, the data gets sent to that user's email address, which is stored in the DB. Right now I have a CAPTCHA in the form to prevent bots and other garbage from using that script to send out their own emails.
Is this one of the most secure and practical ways of running a contact form without people being able to use it to send their own email?
There are other things I do as well, such as creating an encryption key and storing it in a session to make sure the user is submitting on my site and not from an external script.
How far should I go before telling myself that this is secure and moving on? The last thing I want is users telling me that they are getting spam because the form wasn't secure enough.
Thanks guys.
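The two controls the question describes, a per-session value embedded in the form and checked on submit, and a recipient that comes from the database rather than from the form, written out as an added example. This is the editor's illustration, not the poster's code. It assumes a dict-like session store, a user table keyed by numeric id, and that the CAPTCHA check has already produced a boolean; the session key, function names, limits and the two sample users are invented for the example. The "key" stored in the session is modelled here as a single-use random token (the usual anti-forgery pattern), since nothing needs to be encrypted with it.

```python
import hmac
import secrets
import time

# Constructed stand-ins for the poster's session store and user table.
# Real code would use the web framework's session object and a DB lookup.
USERS = {
    42: {"name": "alice", "email": "alice@example.invalid"},
    43: {"name": "bob", "email": "bob@example.invalid"},
}

TOKEN_KEY = "contact_form_token"   # assumed session key name
SENT_KEY = "contact_sent_at"       # assumed session key for rate limiting
MAX_MESSAGE_LEN = 2000
MAX_SENDS_PER_WINDOW = 5
WINDOW_SECONDS = 600


def issue_form_token(session):
    """Create a fresh random token, keep it in the session, return it for the hidden field."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_KEY] = token
    return token


def token_is_valid(session, submitted):
    """Compare the posted hidden field with the session copy in constant time.

    The session copy is removed first so a token can only be used once: a replayed
    or scripted POST that reuses an old token fails even if it copied it correctly.
    """
    expected = session.pop(TOKEN_KEY, None)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def within_rate_limit(session, now=None):
    """Allow at most MAX_SENDS_PER_WINDOW successful sends per session per window."""
    now = time.time() if now is None else now
    sent = [t for t in session.get(SENT_KEY, []) if now - t < WINDOW_SECONDS]
    if len(sent) >= MAX_SENDS_PER_WINDOW:
        session[SENT_KEY] = sent
        return False
    sent.append(now)
    session[SENT_KEY] = sent
    return True


def handle_contact_post(session, form, captcha_ok, users=USERS, now=None):
    """Validate a contact-form POST.

    Returns ("ok", {"to", "subject", "body"}) ready for the mailer, or ("error", reason).
    Nothing from the form is ever used as the recipient address: the recipient is
    looked up by id in the user table, so the form cannot be pointed at an
    arbitrary mailbox.
    """
    if not captcha_ok:
        return ("error", "captcha failed")
    if not token_is_valid(session, form.get("token")):
        return ("error", "missing or stale form token")
    try:
        recipient_id = int(form.get("recipient_id", ""))
    except ValueError:
        return ("error", "bad recipient id")
    recipient = users.get(recipient_id)
    if recipient is None:
        return ("error", "no such user")
    subject = form.get("subject", "").strip()
    body = form.get("message", "").strip()
    if not body or len(body) > MAX_MESSAGE_LEN:
        return ("error", "message empty or too long")
    # A CR or LF inside a header field would let the sender append extra mail
    # headers (for example another recipient) to the outgoing message; reject it.
    if "\r" in subject or "\n" in subject:
        return ("error", "invalid characters in subject")
    if not within_rate_limit(session, now):
        return ("error", "too many messages, try later")
    return ("ok", {
        "to": recipient["email"],   # from the database, never from the form
        "subject": f"[site contact] {subject or 'no subject'}",
        "body": body,
    })


if __name__ == "__main__":
    session = {}
    token = issue_form_token(session)   # would go into <input type="hidden" name="token">
    print(handle_contact_post(session, {"token": token, "recipient_id": "42",
                                        "subject": "hi", "message": "hello"}, True))
```

The order of the checks is deliberate: the cheap token and recipient checks run before anything that costs a database write or a mail send, and the rate-limit slot is only consumed once a message is actually going out.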