I would like to start a discussion more than post a question about a problem and an idea I have. Sorry for the long post!
It's about securing a contact form when you must stick with HTML instead of creating a contact.php page, which would be much easier though.
It would be nice if someone could give some advice about the idea I have.
I'm not a pro, so hopefully the idea doesn't sound too silly to you.
So the problem is:
**Probably spam prevention and securing the contact submit method itself.**
My idea is as follows:
We create two PHP files; let's call the first one **generate.php** and the second **process.php**.
This file is used to generate a CSRF token which will be sent back as JSON.
A jQuery script receives that token and inserts it in a hidden form field.
Maybe I could do this while the contact.html is loading, or maybe in document ready.
I guess I need to make sure in generate.php that the request is an AJAX request before returning the JSON containing the token.
When someone hits submit the same jquery script will:
1. Set the form fields and submit button to enabled.
2. Check that all required fields aren't empty.
3. Validate the user input.
4. Send the user input + CSRF token to **process.php**
Again check that the request was an AJAX request.
Validate the CSRF token.
Escape everything we've got.
Maybe validate the user input a second time.
Send back notifications as JSON, e.g. "an error occurred" or "your data has been sent successfully…"
Send out the mail.
**The questions are:**
How do I validate in process.php the CSRF token that was generated by generate.php?
What about header injections, which I've heard of? Is that a big problem too?
Any other security risks you have in mind?
Well, this is basically the idea I've had in mind.
Maybe someone has a much better solution to that problem!
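As an added example (not code from this post) of how the generate.php / process.php split, the token check and the header-injection point could be handled, both files are merged into one script that routes on a `?action=generate` query parameter; that parameter, the session key names, the one-hour token lifetime and the example.com addresses are my own assumptions.

```php
<?php
// Added example (not the poster's code): generate.php and process.php merged into one script,
// selected by an assumed ?action= parameter. Assumes PHP sessions and mail() are available.
session_start();
header('Content-Type: application/json');
// The XHR check the post proposes. Caveat: any client can set this header, so it only filters
// accidental plain-form posts; the session-bound token below is the real control.
function is_ajax(): bool {
    return ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}
// generate.php: mint a random token, bind it to this visitor's session, return it as JSON.
function generate_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    $_SESSION['csrf_issued'] = time();
    return $token;
}
// process.php: the submitted token must equal the session copy (constant-time compare) and be
// recent; it is cleared on first use, so a captured or replayed token is rejected.
function validate_token(?string $submitted): bool {
    $stored = $_SESSION['csrf_token'] ?? null;
    $issued = $_SESSION['csrf_issued'] ?? 0;
    unset($_SESSION['csrf_token'], $_SESSION['csrf_issued']);
    if ($stored === null || $submitted === null || time() - $issued > 3600) {
        return false;
    }
    return hash_equals($stored, $submitted);
}
// Header injection works by smuggling CR/LF into a value that lands in a mail header.
// Strip line breaks from anything used there; the message body may keep its newlines.
function clean_header_value(string $v): string {
    return preg_replace('/[\r\n]+/', '', trim($v));
}
if (!is_ajax()) { http_response_code(403); echo json_encode(['error' => 'forbidden']); exit; }
if (($_GET['action'] ?? '') === 'generate') { echo json_encode(['token' => generate_token()]); exit; }
if (!validate_token($_POST['csrf_token'] ?? null)) {
    http_response_code(403); echo json_encode(['error' => 'invalid or expired token']); exit;
}
$email   = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL); // also rejects CR/LF
$name    = clean_header_value($_POST['name'] ?? '');
$message = trim($_POST['message'] ?? '');
if ($email === false || $name === '' || $message === '') {
    http_response_code(422); echo json_encode(['error' => 'missing or invalid fields']); exit;
}
// From is a fixed address we own; the visitor's address only goes into Reply-To after validation.
$headers = "From: contact-form@example.com\r\nReply-To: $email\r\nContent-Type: text/plain; charset=UTF-8";
echo json_encode(['ok' => mail('owner@example.com', 'Contact form: ' . $name, $message, $headers)]);
```

The jQuery side would first GET `?action=generate`, put the returned token into the hidden field, and POST it back with the form data; a second generate call before the POST overwrites the session copy, so the page should fetch one token per submission.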