It is up-to-date, faster, and more accurate (the ereg pattern the script uses would give quite a few false negatives—it would reject several of my email addresses, for example).
You’ll notice that anything can be entered in the name and message sections and the form will be sent … What can be done to make this secure?
There is no possible way to know if the name or message the visitor provides is legitimate. Yes, you may get some spam messages. What this (any) form is trying to prevent is automated spam (which is the much more common kind).
Validating email addresses is a similar situation: you can check that a string looks like an email address. You could even try sending a test email to see if it is a real email address*. But there is no way to be sure that the email address belongs to the visitor until you send them an email, and they send you one back confirming that it is indeed theirs.
*(though this will not always work, and never works quickly. In practice, it is usually not worthwhile to bother with.)
In practice, this will stop a lot of potential spam. The form checks for:
the correct form name
a “honeypot” field (a field hidden to human visitors, but visible to bots)
a valid-looking email address
that required fields are all filled in
As I mentioned earlier, the “honeypot” field would be much more effective if it changed every time the form was displayed. Unfortunately, this particular script would break (and would need to be completely rewritten) if we made that change.
One last item: do not allow file uploads with this script. That aspect is horribly insecure and could compromise your server. I would try changing this part of the Validate function:
From what I can tell, this shouldn’t affect the rest of the script unless someone tries to forge a file upload. Don’t make this change until the form is working properly, and then, make it separately from any other changes. If it causes problems, let me know what happens and we can troubleshoot it.
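As an added illustration (this is not the fgcontactform.php code, nor the snippet the commenter refers to), here is a minimal PHP version of the four checks listed above: form name, honeypot, required fields and a valid-looking email address (using `filter_var` instead of the `ereg` pattern), plus the two points the comment raises, a honeypot field whose name changes every time the form is displayed and an outright rejection of any file upload. The field names, the form-name value `contact_form`, the `hp_` prefix and the idea of keeping the current honeypot name in the session are all assumptions for the example.

```php
<?php
// Added example, not the fgcontactform.php script. Field names, the form-name
// value and the session-based storage of the honeypot name are assumptions.

const FORM_NAME = 'contact_form';                 // assumed hidden-field value
const REQUIRED_FIELDS = ['name', 'email', 'message'];

/**
 * Render-time helper: choose a fresh honeypot field name for this display.
 * The caller stores the returned name server-side (e.g. $_SESSION['honeypot'])
 * and renders it as a text input hidden with CSS (not type="hidden"), so a bot
 * that learned last display's name gets a different one next time.
 */
function honeypot_field_name(): string
{
    return 'hp_' . bin2hex(random_bytes(6));
}

/** "Looks like" an address only; it proves nothing about who owns the mailbox. */
function looks_like_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && !preg_match('/[\r\n]/', $email);       // keep CR/LF out of mail headers
}

/**
 * Validate one submission. Returns a list of error strings; empty means accept.
 * $expectedHoneypot is the name handed out when this form was displayed.
 */
function validate_submission(array $post, array $files, ?string $expectedHoneypot): array
{
    $errors = [];

    // 1. correct form name
    if (($post['form_name'] ?? '') !== FORM_NAME) {
        $errors[] = 'wrong form name';
    }

    // 2. honeypot: the field handed out at render time must be present and empty
    if ($expectedHoneypot === null || !array_key_exists($expectedHoneypot, $post)) {
        $errors[] = 'form was not displayed to this visitor';
    } elseif (trim((string) $post[$expectedHoneypot]) !== '') {
        $errors[] = 'honeypot filled in (automated submission)';
    }

    // 3. required fields all filled in
    foreach (REQUIRED_FIELDS as $field) {
        if (trim((string) ($post[$field] ?? '')) === '') {
            $errors[] = "missing $field";
        }
    }

    // 4. valid-looking email address
    if (isset($post['email']) && !looks_like_email((string) $post['email'])) {
        $errors[] = 'email address does not look valid';
    }

    // 5. no file uploads, ever: refuse the whole request if $_FILES is non-empty
    if ($files !== []) {
        $errors[] = 'file uploads are not accepted';
    }

    return $errors;
}

// Constructed submissions for the demo (not real traffic). In a real request
// $post is $_POST, $files is $_FILES and $expected comes from the session.
$expected = honeypot_field_name();

$human = ['form_name' => FORM_NAME, 'name' => 'Alice', 'email' => 'alice@example.com',
          'message' => 'Hello there', $expected => ''];
$bot   = ['form_name' => FORM_NAME, 'name' => 'x', 'email' => 'x@example.com',
          'message' => 'buy now', $expected => 'http://spam.example'];
$upload = ['tmp_name' => '/tmp/phpXYZ', 'name' => 'shell.php'];

var_dump(validate_submission($human, [], $expected));
var_dump(validate_submission($bot, [], $expected));
var_dump(validate_submission($human, ['attachment' => $upload], $expected));
```

The rotating honeypot is what forces the rewrite the comment mentions: the name has to be generated when the form is rendered and remembered until the submission arrives, so the display step and the validation step must share state (here, the session) instead of a fixed field name hard-coded in both places. Note also that step 5 rejects the request outright rather than trying to sanitise the upload; there is no safe subset of the original upload handling to keep.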
I replaced the function validate_email($email) in the fgcontactform.php file as you instructed, and after doing so and testing the form, I receive no email and the thank-you page no longer shows. Instead the URL indicates the page is the contact form page, but the form is gone. I double-checked to make sure I replaced only, and all of, the code you indicated and believe I did. I’m sure I’m missing something, however.
I’m sorry for the long delay in replying. I’ve been away for two weeks due to a family medical emergency and just returned Friday last.
After reviewing what we were doing and becoming acquainted again, here is a new pastebin of the fgcontactform.php file. I changed the function validate_email($email) portion of the code, but not the //file upload validations.