Reputation: 153
How to validate contact form when form is coded in html document?
I have a contact form that I wrote in the html document and this then is executed by an external php file. How do I validate it? All tutorials that I've looked at have shown the validation and the html form in the actual php file and so how can my validation be accomplished?
HTML5:
<form id="form-area" action="email-processor.php" method="POST">
<div id="name-area"><p>Name (required)</p><input class="form-input" type="text" name="name"></div>
<div id="email-area"><p>Email (required)</p> <input class="form-input" type="text" name="email"></div>
<div id="phone-area"><p>Telephone</p> <input class="form-input" type="text" name="phone"></div>
<div id="msg-area"><p>Message</p><textarea id="msg-input" name="message" rows="6" cols="25"></textarea><br /></div>
<input id="sendbtn" type="submit" value="Send">
</form>
PHP:
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$message = $_POST['message'];
$formcontent="From: $name \n Phone Number: $phone \n \n Message: \n \n$message";
$recipient = "[email protected]"
$subject = "Contact Form";
$mailheader = "From: $email \r\n";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
echo "Thank You!";
?>
Upvotes: 1
Views: 251
Answers (2)
Reputation: 2512
As has already been pointed out, for client-side validation, you can use the required attribute, which will trigger appearance changes in most web browsers.
However, you MUST do server-side validation as well. Failure to do so will result in vulnerabilities in your application code. For example, your mail() call currently allows unsanitized input for the additional_headers parameter. That means that malicious actors can easily inject whatever headers they want to - e.g. injecting an additional To: or CC: header can turn your server into an open mail relay (i.e. that's bad). Attackers are ALWAYS looking for incorrect usage of the PHP mail() function such as demonstrated by your code.
Because of the poor design of the PHP mail() function, my view is that no one should directly call it. The function is actually much more complicated to use correctly since it is only a basic layer over sendmail and, without significant effort, ignores all sorts of IETF RFCs that govern e-mail. You should use a library such as Ultimate E-mail Toolkit, PHP Mailer, etc. that offer a nicer layer over mail() and/or SMTP to do the actual sending of the e-mail and avoid turning your server into an open relay.
The server is the final authority on what is and is not allowed. For this reason, I use CubicleSoft FlexForms, which aids me in generating HTML forms and processing user input server-side. How you handle things server-side is far more critical than client-side validation, which can and will be ignored by malicious users. You can't control what a client will send and there are plenty of malicious actors out there. So you have to make the unfortunate assumption that all users will attack your software. You should always start with server-side validation and then add client-side validation afterwards.
In addition, your code won't work as you expect. Most mail servers are configured to deny spoofing attempts. You can't assume that you can send e-mail From: someone whose e-mail servers you don't control. The messaging will bounce back and if you send enough spoofed mail messages your server will eventually be added to a global blacklist (via DNSRBL) and denied sending e-mail to anyone else. You can only send "From" an address that you have control over AND have set up things such as a SPF record or DMARC for. Sending e-mail is hard thanks to spammers and the lack of direction by the Internet Engineering Task Force (IETF) to solve the problem.
You can, however, use the Reply-To: header with any sanitized e-mail address that you want to use. Most e-mail clients respect the Reply-To header and will use it instead of the From header when it exists.
Upvotes: 1
Reputation: 425
You need to put required behind the input fields. If you want to make an email required as the standard format [email protected] instead simple text use type="email". For the telephone number you can use type="number" to allow numbers only, otherwise simply use text.
NEW HTML
<form id="form-area" action="email-processor.php" method="POST">
<div id="name-area"><p>Name (required)</p><input type="text" class="form-input" type="text" name="name" required></div>
<div id="email-area"><p>Email (required)</p> <input class="form-input" type="email" name="email" required></div>
<div id="phone-area"><p>Telephone</p> <input class="form-input" type="number" name="phone" required></div>
<div id="msg-area"><p>Message</p><textarea id="msg-input" name="message" rows="6" cols="25" required></textarea><br /></div>
<input id="sendbtn" type="submit" value="Send">
</form>Upvotes: 1
Related Questions
- Contact form validation in php
- how to set validation in contact form
- Php contact form with validation not working
- Validate a HTML Contact Form
- Validating contact form in PHP
- Creating a contact form which displays error when not filled in? (validation)
- PHP Contact Form with Validatation Script?
- Submitting a Contact form and using validate.js
- Contact Form not Validating
- PHP contact form with validation