
Help/suggestions with a contact form, please!

    # March 21, 2014 at 11:54 am

    eregi has been deprecated for quite some time. You could replace this

    function validate_email($email)
    {
        return eregi("^[_\.0-9a-zA-Z-]+@([0-9a-zA-Z][0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}$", $email);
    }
    

    With this

    function validate_email( $email ){
        return (
            filter_var( $email,FILTER_VALIDATE_EMAIL )
            && preg_match( '~\.[a-z][\w]+$~i',$email )
        );
    }
    

    It is up-to-date, faster, and more accurate (the ereg pattern the script uses would give quite a few false negatives—it would reject several of my email addresses, for example).

    You’ll notice that anything can be entered in the name and message sections and the form will be sent … What can be done to make this secure?

    There is no possible way to know if the name or message the visitor provides is legitimate. Yes, you may get some spam messages. What this (any) form is trying to prevent is automated spam (which is the much more common kind).

    Validating email addresses is a similar situation: you can check that a string looks like an email address. You could even try sending a test email to see if it is a real email address*. But there is no way to be sure that the email address belongs to the visitor until you send them an email, and they send you one back confirming that it is indeed theirs.

    * (though this will not always work, and never works quickly. In practice, it is usually not worthwhile to bother with.)

    In practice, this will stop a lot of potential spam. The form checks for:

    • the correct form name
    • a “honeypot” field (a field hidden to human visitors, but visible to bots)
    • a valid-looking email address
    • that required fields are all filled in

    As I mentioned earlier, the “honeypot” field would be much more effective if it changed every time the form was displayed. Unfortunately, this particular script would break (and would need to be completely rewritten) if we made that change.

    One last item: do not allow file uploads with this script. That aspect is horribly insecure and could compromise your server. I would try changing this part of the Validate function:

        //file upload validations
        if(!empty($this->fileupload_fields))
        {
            if(!$this->ValidateFileUploads())
            {
                $ret = false;
            }
        }
    

    To this:

        //file upload validations
        //if(!empty($this->fileupload_fields))
        //{
        //    if(!$this->ValidateFileUploads())
        //    {
        //        $ret = false;
        //    }
        //}

        // stop processing outright if any file upload fields were submitted
        if(!empty($this->fileupload_fields))
        {
            exit(1);
        }
    

    From what I can tell, this shouldn’t affect the rest of the script unless someone tries to forge a file upload. Don’t make this change until the form is working properly, and then, make it separately from any other changes. If it causes problems, let me know what happens and we can troubleshoot it.
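As an added example (not code from this thread or from the fgcontactform script), here is the set of checks listed above wired into one PHP validation routine; the field names, the expected form name and the honeypot field name are assumptions.

```php
<?php
// Added example, not code from the thread or the fgcontactform script.
// Field names, the expected form name and the honeypot field name are assumptions.

function validate_email(string $email): bool
{
    // filter_var does the syntax check; the extra pattern insists on a
    // dotted TLD at the end, matching the replacement function above.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('~\.[a-z][\w]+$~i', $email) === 1;
}

/**
 * Runs the four checks listed above plus the "no file uploads" rule.
 * Returns a list of error strings; an empty list means the submission passed.
 */
function validate_contact_form(array $post, array $files,
                               string $expectedForm = 'contact',
                               string $honeypot = 'website'): array
{
    $errors = [];
    // 1. correct form name
    if (($post['form_name'] ?? '') !== $expectedForm) {
        $errors[] = 'unexpected form';
    }
    // 2. honeypot: a human never sees the field, so any value means a bot
    if (($post[$honeypot] ?? '') !== '') {
        $errors[] = 'honeypot field was filled in';
    }
    // 3. required fields present and not blank
    foreach (['name', 'email', 'message'] as $field) {
        if (trim((string) ($post[$field] ?? '')) === '') {
            $errors[] = "missing required field: $field";
        }
    }
    // 4. valid-looking email address
    if (!empty($post['email']) && !validate_email((string) $post['email'])) {
        $errors[] = 'email address does not look valid';
    }
    // 5. this form never accepts file uploads, forged or otherwise
    if ($files !== []) {
        $errors[] = 'file uploads are not accepted';
    }
    return $errors;
}

// Constructed sample submission (would normally be $_POST and $_FILES).
$sample = ['form_name' => 'contact', 'name' => 'Jane', 'email' => 'jane@example.com',
           'message' => 'Hello', 'website' => ''];
print_r(validate_contact_form($sample, []));
```

A submission that trips any check is simply dropped, which is what stops automated spam; a human who mistypes an address still gets the error list back.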

    # March 23, 2014 at 12:33 am

    Greetings traq,

    I replaced the function validate_email($email) in the fgcontactform.php file as you instructed, and after doing so and testing the form, I receive no email and the thank you page no longer shows. Instead the url indicates the page is the contact form page but the form is gone. I double checked to make sure I replaced only, and all of, the code you indicated and believe I did. I’m sure I’m missing something however.

    Best Regards.

    # March 23, 2014 at 11:39 am

    You replaced only the validate_email function? I have tested the function and it works as expected. Can you update your pastebin to show the exact code you’re currently working with?

    # April 6, 2014 at 12:46 am

    Greetings traq,

    I’m sorry for the long delay in replying. I’ve been away for two weeks due to a family medical emergency and just returned Friday last.

    After reviewing what we were doing and becoming acquainted again, here is a new pastebin of the fgcontactform.php file. I changed the function validate_email($email) portion of the code, but not the //file upload validations.

    Best Regards.

    # April 6, 2014 at 11:07 am

    Let me get caught up on this again. I’ll do some testing later today.

    # April 9, 2014 at 10:15 pm

    Greetings traq,

    Just curious if you discovered where I’m goofing this up?

    Best Regards.

    # April 13, 2014 at 8:13 pm

    @traq

    Greetings traq,

    Just curious if I have upset you in some way? It certainly wasn’t intentional if so.

    Best Regards.

    # April 22, 2014 at 7:56 am

    @traq

    Let me get caught up on this again. I’ll do some testing later today.

    If there isn’t a solution to this I understand, but would appreciate knowing so I can move on with at least a direct link to email address, warts and all.

    I asked for a contact form elsewhere and seems to be a dead end too as it’s fraught with problems and no example/demo.

    Best Regards.

    # April 23, 2014 at 6:36 am

    @traq

    Here’s a new pastebin for the fgcontactform.php

    Best Regards.
