Treehouse: Grow your CSS skills. Land your dream job.

PHP form validation example. Secure or not secure?

  • # October 17, 2011 at 5:47 pm

    Hey all, I have been using php to validate forms for a while now, but I’m wondering just how secure this script is that I use. I put the script together using snippets from several places, like what I learned in school, css-tricks,, etc. Is there anything I can add, less of a captcha, to add some spam filtering or some extra validation?

    < ?php
    function stripcleantohtml($s){
    return htmlentities(trim(strip_tags(stripslashes($s))), ENT_NOQUOTES, "UTF-8");


    $ipaddress = $_SERVER;
    $date = date('d/m/Y');
    $time = date('H:i:s');
    $name = stripcleantohtml($_POST);
    $email = stripcleantohtml($_POST);
    $phone = stripcleantohtml($_POST);
    $comments = stripcleantohtml($_POST);

    $errors = array();

    //Check the form fields
    $errors = 'Enter your name.';
    $errors = 'Enter your phone number.';
    $errors = 'Enter your email.';
    } else {
    if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
    $errors = 'Invalid email';

    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {

    $local_array[$i])) {
    $errors = 'Invalid email';
    if (!ereg("^[?[0-9.]+]?$", $email_array[1])) {

    $domain_array = explode(".", $email_array[1]);

    if (sizeof($domain_array) < 2) {
    $errors = 'Invalid email';

    for ($i = 0; $i < sizeof($domain_array); $i++) {

    $domain_array[$i])) {
    $errors = 'Invalid email';

    //Do nothing
    } else {
    $headers = "From: {$email}" . "rn";
    $headers .= 'Content-type: text/html; charset=iso-8859-1' . "rn";

    $emailbody = "

    You have received a new message from the contact form on your website.

    Name: {$name}

    Email Address: {$email}

    Telephone: {$phone}

    Comments: {$comments}

    This message was sent from the IP Address: {$ipaddress} on {$date} at {$time}


    mail("","Email Subject Here",$emailbody,$headers);

    $success = 'Thank You For Your Submission.';


    # October 20, 2011 at 11:34 am

    Seems safe to me! You could add Captcha or anything like that, but the spam you’ll receive trough this form won’t be much.

    # October 20, 2011 at 1:30 pm

    I have had this implemented on a handful of sites for about 3-4 months now, but soon these sites will have Adwords accounts and will be posted on hundreds of blogs so that is why I want to make sure there won’t be much spam.

    Several of the sites are tailored to a senior citizen demographic, so that is why I am strongly against using a Captcha. I tried a honeypot, but couldn’t get it to work right :/

    Thank for your input.

    # October 20, 2011 at 5:58 pm

    Honeypots can be really simple. For example:

    Other than that, another simple technique to add is to rename your visible fields. E.g. call your emailfield phonenumber and visa versa. Robots are stupid, they will fill out an email in the phonenumber field and visa versa. If you check both of them strict, most robots would already fail.

    One other simple technique is to check the browser of the visitor. If it isn’t a real browser, you won’t show a form but other contact information like a phonenumber instead. You have to keep the browserlist (not versions but engines) up-to-date though.

    # October 20, 2011 at 7:22 pm

    Thanks a lot for the tips, think I’ll test some of those out probably.

    Maybe a newbie question, but I don’t know much about robots. When a robot fills out a form and it does not pass validation, what happens next? Do robots keep repeating (filling the form out again and again) to try to pass validation or do they just continue moving on to another site or? Got any links about robots themselves? I can’t seem to find any.

    # October 25, 2011 at 3:43 pm

    Another question, I have some “selects” in this form I need to make required to make a selection before the form submits too, and due to the demographic again I cannot just use the required HTML5 attribute. Any ideas how I can do this?

    # October 25, 2011 at 6:01 pm

    Same sort of thing with the Select boxes. Just check in the PHP that there is a value entered for the $_POST. I tend to set my select boxes up so the initial “Please Select” text has a value of -1. And then just check the value does not equal -1

    # October 25, 2011 at 6:39 pm

    Thinking out loud here, if I check if that select is empty, and I leave the first option’s value attribute empty, wouldn’t that force them to select another option with a value?

    # October 25, 2011 at 6:48 pm

    Well I was able to get it doing this:


    $errors = 'Select an option';


    Think that is decent enough?

    # October 25, 2011 at 6:57 pm

    Yeah, don’t see why not

    # November 29, 2011 at 12:59 pm

    Is there a way to condense this validation? I can’t find any examples…

    $errors = '*';
    } else {
    if ($phone == "Phone") {
    $errors = '*';
    } else {
    if (strlen($phone) < 10 ) {
    $errors = '*';
    } else {
    if (strlen($phone) > 15 ) {
    $errors = '*';
    } else {
    if (is_numeric($phone)){
    //do nothing
    } else {
    $errors = '*';

    # December 6, 2011 at 3:44 pm

    Sometimes it’s best to check for each flaw seperately like you’re doing now so you can provide very specific feedback to the user what is wrong. If you want it short you can for example combine the length check into 1 line. I guess it’s really up to you and how much time you have ;)

    Regarding spam I have used slightly altered field names in the past and it works best without asking too much from the user (captcha stuff). Renaming something like email to female stops 99% of the spam. it just looks stupid in the code but if you have some generic function the processes all form posts it doesn’t matter (the php process function can rename the “rewritten” fields back to original names etc.)

    # December 6, 2011 at 6:40 pm

    Just a newbie question here. How do you do the renaming stuff?

    ??? or even the id should be rename? thanks

    # December 6, 2011 at 7:55 pm

    @rolf, in most circumstances I think that makes sense so you can deliver a specific error for what is wrong in each case. In this specific situation I do not have room for descriptions, so every error is an asterisk. I was just thinking it may save some load/parse time to condense the validation?

    I am thinking of coming up with a different naming solution for all my forms and then I can stick with it and never get confused. I don’t care about renaming, because in the mail function I can have:

    $body = "Name: $random1 n";
    $body .= "Email: $random2 n";


    $emailbody = "

    Name: {$random1}

    Email Address: {$random2}


    depending on how you set your mail function up.

Viewing 14 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic.