
    # March 19, 2014 at 11:08 am

    That said, we’re pretty far off topic, but I had to chime in on that comment :)

    Yes, yes… back to forms. My bad… again.

    Anonymous
    # March 20, 2014 at 6:19 am

    Greetings Joe_Temp,

    Brilliant observations, but it takes someone much smarter than I to pick up on these things. My wife catches details such as this, but I’m totally clueless except for being able to detect what country someone is from by their dialect. I can only do that because I’ve traveled to, or communicated with, most of them frequently enough to enable me to do so.

    My living in Europe has caused me problems when going back to the States. I rarely spell words as is common in the States. For example, I use colour instead of color. If I go to a store in the U.S. and ask for crisps, I get the deer in the headlights look. I’ve had people tell me I can spell and question my education while they misuse their and there, your and you’re, and many others. If they are really rude and say something like I need to learn English, I tell them that that is the way it is spelled in England, where English originated, that I live in Europe, and that they are in fact spelling it incorrectly; they generally shut up. I’ll not address my punctuation skills as they are atrocious! I can do it when not in a rush, but I generally don’t care unless it’s business or official.

    Anyway, your post gave me a chuckle and room for thought. Much appreciated!

    Anonymous
    # March 20, 2014 at 6:20 am

    Greetings traq,

    I assume the pastebin I submitted here was wrong and of no help. I’m sorry for that, but I’m just not familiar with these tools and have only been able to get anything I put into codepen to work once.

    I’m pretty sure I have this so it will send, but I’ve yet to try it by adding my email address. I have tested it without and have received failure notices to my general inbox, though how I’m not sure since I’ve entered my email extension nowhere in the files of the form.

    I am still concerned about how spam and troll proof this form is. I have read on the site it was downloaded from about “Sender Policy Framework” but I don’t know if this form uses it, or how to find out.

    Best Regards.

    # March 20, 2014 at 7:51 am

    I assume the pastebin I submitted here was wrong and of no help.

    That’s not necessarily true. But… @traq is better at PHP than I am so I’ll let him take a look. BTW, if you want someone to be notified that they’ve been mentioned, you have to use the @ symbol before their name.

    I tell them that that is the way it is spelled in England where English originated

    Ha ha ha. My wife met a British guy one time who wrote the date like this:

    20/03/2014 instead of 03/20/2014.

    She questioned him on it and he explained that his way makes much more sense. I would have to agree that it’s more logical.

    I think the best way to do dates would be like this:

    2014/03/20

    I call it ‘Deductive Dating.’

    Anyway, don’t worry about people. Some people are way too myopic. Just do your thing and keep learning. Plus… you get to live in Ireland. That’s gotta be better than living some places in the US.

    # March 20, 2014 at 8:04 am

    20/03/2014 instead of 03/20/2014.

    She questioned him on it and he explained that his way makes much more sense. I would have to agree that it’s more logical.

    It’s logical based on how one normally says a date.

    In the UK, we say 20th March but in the US it’s common, I believe, to say March 20th.

    # March 20, 2014 at 8:13 am

    In the UK, we say 20th March but in the US it’s common, I believe, to say March 20th.

    You are correct, sir. Hey @paulie_d, can you please explain the significance of tea in British culture to me? Why tea? Why is it loved so much? I’m an American… so I prefer coffee and don’t really drink much tea; although I have some really good loose leaf Earl Grey, I don’t really touch the stuff.

    Does anyone in GB drink coffee?

    # March 20, 2014 at 8:33 am

    Can I explain it?

    Not really, other than we, I mean England, used to basically OWN India and had, as I recall, a pretty exclusive deal with China way back when whereas coffee would have had to come from either South America &/or darkest Africa…and would, probably, have been damned expensive for the average Brit.

    http://en.wikipedia.org/wiki/Tea_in_the_United_Kingdom

    http://www.britainexpress.com/History/tea-in-britain.htm

    and…believe it or not…

    http://www.tea.co.uk/a-social-history

    # March 20, 2014 at 8:52 am

    Ha ha ha! That’s awesome… a tea council.

    How likely am I to ever find a Brit drinking coffee? Do YOU drink coffee?

    # March 20, 2014 at 9:18 am

    How likely am I to ever find a Brit drinking coffee? Do YOU drink coffee?

    I drink both, as do most Brits I know.

    Personally, I drink tea more often because I find it more refreshing to the palate than coffee but then I don’t drink/take milk.

    When I’m in the US, I drink coffee because tea is *never* done well there (at least in the tourist places I visit).

    I’ve been known to take UK tea with me to the US…I’m still waiting for the day I get pulled by ICE or the DEA regarding the brown powdery substance in my luggage.

    Anonymous
    # March 20, 2014 at 9:59 am

    Greetings Joe_Temp.

    @traq is better at PHP than I am so I’ll let him take a look. BTW, if you want someone to be notified that they’ve been mentioned, you have to use the @ symbol before their name.

    Which is better, using the @ or just clicking reply? Isn’t a notice sent to their email then?

    My wife met a British guy one time who wrote the date like this:

    20/03/2014 instead of 03/20/2014.

    I still have trouble with that one unless the first number is higher like the example you give, then it’s simple. I still cannot tell someone my phone number unless I look at it. It’s 14 digits long including the International and country code. After 8 years you would think I would remember it, but nupe!

    I think the best way to do dates would be like this:

    2014/03/20

    I call it ‘Deductive Dating.’

    That does make sense!

    Anyway, don’t worry about people. Some people are way too myopic.

    Difficult to do sometimes as my wife and I raise money for those less fortunate and/or in need of medical care. Unfortunately, we meet a lot of self-absorbed people who think their lives are more important than they really are. People with more money than brains is what I call them. They wouldn’t give a dime unless it was tax deductible. Corporatist filth!

    … you get to live in Ireland. That’s gotta be better than living some places in the US.

    Actually, I live in Romania. When I was first here years ago I was amazed at the pristine beauty and medieval cities. I came back 4 years later and bought land here. My business interests were, and are, in Ireland so it also made sense to be closer to where I travel to a lot. I am in N. Ireland frequently, but do not live there. I’ve given it thought, but I can live here for much less money.

    Best Regards.

    Anonymous
    # March 20, 2014 at 10:06 am

    US…I’m still waiting for the day, I get pulled by ICE or the DEA regarding the brown powdery substance in my luggage.

    That would be funny if not for the realization of how easily that could happen.

    It’s ironic that I live in a country which was once a communist country and I have more freedom here than in my native U.S.

    # March 20, 2014 at 11:46 am

    I assume the pastebin I submitted here was wrong and of no help.

    Not at all; I just haven’t had a chance to sit down and look at it. I am now.

    edit

    Well, I don’t see anything that stands out as terribly wrong. Can you post the contents of the ./include/fgcontactform.php file?

    I am fairly confident that the “for better security” bit could be made much more useful, but I’d need to see how the script actually uses it.

    I’m pretty sure I have this so it will send, but I’ve yet to try it by adding my email address. I have tested it without and have received failure notices to my general inbox, though how I’m not sure since I’ve entered my email extension nowhere in the files of the form.

    Right… if you haven’t provided your email address anywhere, the script wouldn’t be able to send you anything. Go ahead and try so we can know what (if) problems actually exist. You can remove your email again after the test if you are too concerned about it.

    edit #2

    Which is better, using the @ or just clicking reply. Isn’t a notice sent to their email then?

    I honestly don’t pay much attention to the notices, but I’ll see the @-reply when I browse the threads.

    Anonymous
    # March 20, 2014 at 10:24 pm

    @traq

    Greetings traq,

    I’m pleased I didn’t waste your time by goofing the pastebin. Here’s one for the fgcontactform.php file.

    I tested the form using the general inbox address for my site and it worked fine. However, there are obvious signs for potential abuse. I’ve added a screen grab of the header of my control panel to illustrate. You’ll notice that anything can be entered in the name and message sections and the form will be sent. I didn’t try to use an arbitrary email address, but suspect anything with an @ in it will send. What can be done to make this secure?

    I appreciate the help you are providing.

    Best Regards.

    # March 21, 2014 at 11:54 am

    eregi has been deprecated for quite some time. You could replace this

    function validate_email($email)
    {
        return eregi("^[_\.0-9a-zA-Z-]+@([0-9a-zA-Z][0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}$", $email);
    }
    

    With this

    function validate_email( $email ){
        return (
            filter_var( $email,FILTER_VALIDATE_EMAIL )
            && preg_match( '~\.[a-z][\w]+$~i',$email )
        );
    }
    

    It is up-to-date, faster, and more accurate (the ereg pattern the script uses would give quite a few false negatives—it would reject several of my email addresses, for example).

    You’ll notice that anything can be entered in the name and message sections and the form will be sent… What can be done to make this secure?

    There is no possible way to know if the name or message the visitor provides is legitimate. Yes, you may get some spam messages. What this (any) form is trying to prevent is automated spam (which is the much more common kind).

    Validating email addresses is a similar situation: you can check that a string looks like an email address. You could even try sending a test email to see if it is a real email address*. But there is no way to be sure that the email address belongs to the visitor until you send them an email, and they send you one back confirming that it is indeed theirs.

    * (though this will not always work, and never works quickly. In practice, it is usually not worthwhile to bother with.)

    In practice, this will stop a lot of potential spam. The form checks for:

    • the correct form name
    • a “honeypot” field (a field hidden to human visitors, but visible to bots)
    • a valid-looking email address
    • that required fields are all filled in

    As I mentioned earlier, the “honeypot” field would be much more effective if it changed every time the form was displayed. Unfortunately, this particular script would break (and would need to be completely rewritten) if we made that change.

    One last item: do not allow file uploads with this script. That aspect is horribly insecure and could compromise your server. I would try changing this part of the Validate function:

        //file upload validations
        if(!empty($this->fileupload_fields))
        {
         if(!$this->ValidateFileUploads())
         {
            $ret = false;
         }
        }
    

    To this:

        //file upload validations
        //if(!empty($this->fileupload_fields))
        //{
        //if(!$this->ValidateFileUploads())
        //{
        //   $ret = false;
        //}
        //}
    
        if(!empty($this->fileupload_fields))
        {
            exit(1);
        }
    

    From what I can tell, this shouldn’t affect the rest of the script unless someone tries to forge a file upload. Don’t make this change until the form is working properly, and then, make it separately from any other changes. If it causes problems, let me know what happens and we can troubleshoot it.
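    As an added example (not the fgcontactform.php script from this thread, nor traq’s code), this puts the post’s pieces together: the `filter_var` replacement for `eregi`, the four checks listed above (form name, honeypot, valid-looking email, required fields), the no-uploads rule, and a honeypot field name that changes on every display, which the post says the original script cannot do. The field names `form_name`, `name`, `email`, `message`, the session key and the sample submission are assumptions constructed for the example.

```php
<?php
// Added example, not the fgcontactform.php script from the thread: the four
// checks the post lists plus a honeypot field name that changes on every display.
// Assumes the page has already called session_start().

// Called when rendering the form: returns the honeypot <input> name to embed,
// remembering it in the session so the submission handler knows what to look for.
function honeypot_field_name(): string
{
    $name = 'hp_' . bin2hex(random_bytes(8));
    $_SESSION['honeypot_field'] = $name;
    return $name;
}

// The same rule traq proposed: PHP's validator plus a sane-looking final label.
function validate_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('~\.[a-z][\w]+$~i', $email) === 1;
}

// Validates one submission; returns a list of errors, empty when it passes.
function validate_contact_form(array $post, array $files, array $session): array
{
    $errors = [];
    if (($post['form_name'] ?? '') !== 'contact') {          // correct form name
        $errors[] = 'unknown form';
    }
    $hp = $session['honeypot_field'] ?? null;                 // rotating honeypot
    if ($hp === null || !isset($post[$hp]) || $post[$hp] !== '') {
        $errors[] = 'honeypot missing or filled in';
    }
    foreach (['name', 'email', 'message'] as $field) {       // required fields
        if (trim($post[$field] ?? '') === '') {
            $errors[] = "$field is required";
        }
    }
    if (!validate_email($post['email'] ?? '')) {            // valid-looking email
        $errors[] = 'invalid email address';
    }
    if ($files !== []) {                                    // no uploads, as advised
        $errors[] = 'file uploads are not accepted';
    }
    return $errors;
}

// Constructed sample: a bot that fills in every field, including the honeypot.
$hp = honeypot_field_name();
print_r(validate_contact_form(['form_name' => 'contact', 'name' => 'A', 'email' => 'a@example.com',
    'message' => 'hi', $hp => 'http://example.com'], [], $_SESSION));
```

    Because a human visitor never sees the honeypot input, any non-empty value there is enough to reject the submission; a changing name means a bot cannot simply learn which field to leave blank.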

    Anonymous
    # March 23, 2014 at 12:33 am

    Greetings traq,

    I replaced the function validate_email($email) in the fgcontactform.php file as you instructed, and after doing so and testing the form, I receive no email and the thank you page no longer shows. Instead the url indicates the page is the contact form page but the form is gone. I double checked to make sure I replaced only, and all of, the code you indicated and believe I did. I’m sure I’m missing something however.

    Best Regards.
