
Contact Form in PHP

I thought putting up a Contact Me type of page would be easy. After many hours I've learned a little PHP, a little HTML, and have something that appears to work.

First of all, some requirements. I wanted some way for people to contact me without putting my email address up on a page and attracting even more spam. I wanted a server-based form since I don't want to have to rely on JavaScript.

If you Google search for this sort of thing you'll find lots of pages about using PHP and HTML forms. There's even a web site that will generate a contact us form. But it was a bit simplistic. Still, between that and a book on PHP from the library I started putting something together.

Early on in my search I had found this page on the vulnerability of PHP-based form processing that sends email. So after getting a simple form with a simple PHP script I tried out some of the injection methods. I never got %0A characters to inject extra email headers, but I was able to inject quotes and HTML tags to mess up my pages.

I spent a long time trying to get the PEAR Mail class working. It's supposed to be secure from these sorts of attacks. And although I eventually figured out I have PEAR installed, I couldn't get it working and I didn't want to start modifying my Plesk-generated Apache configuration files to include the PEAR library.

So I went back to an earlier version of the contact form and got PHP to handle quotes and HTML stuff safely. I figure this form and script will work and be reasonably safe. And if it gets abused I can always fix it or take it down.

```php
<p>By phone: (250) 474-0520</p>
<p>By letter: 287 ILott Place, Victoria, BC, V9C3V6, Canada</p>
<p>Please use the following form to send me an email. Required fields are marked with a *.</p>
<?php
### show_form(): prints the form, pre-filled with whatever was already entered ###
### (assumed: the function body is not shown on the page; it echoes the form HTML) ###
function show_form($EmailFrom = '', $Name = '', $Website = '', $Message = '') {
    echo "
<form method='POST' action='contact.php'>
<table border='0'>
<tr><td>Your email id: *</td>
    <td><input type='text' name='EmailFrom' size='35' maxlength='100' value='$EmailFrom' /></td></tr>
<tr><td>Name:</td>
    <td><input type='text' name='Name' size='35' maxlength='100' value='$Name' /></td></tr>
<tr><td>Website:</td>
    <td><input type='text' name='Website' size='35' maxlength='100' value='$Website' /></td></tr>
<tr><td>Message: *</td>
    <td><textarea name='Message' rows='10' cols='35'>$Message</textarea></td></tr>
</table>
<p><input type='submit' name='submit' value='Send Email' /></p>
</form>
";
}

if (!isset($_POST['submit'])) {
    ### first time, just display the empty form ###
    echo "<h3>First Pass</h3>";
    show_form();
} else {
    ### second time, edit form, process, and redisplay ##
    echo "<h3>Second Pass</h3>";
    $err = 'N';
    # htmlentities() with ENT_QUOTES turns quotes and tags into entities so they
    # cannot break the page when the values are echoed back into the form
    $EmailFrom = htmlentities($_POST['EmailFrom'], ENT_QUOTES);
    if (empty($EmailFrom)) {
        echo "<p>Your email id is required. Please enter your email id.</p>";
        $err = 'Y';
    }
    $Message = htmlentities($_POST['Message'], ENT_QUOTES);
    if (empty($Message)) {
        echo "<p>There's no point in sending an empty message. Please enter a message.</p>";
        $err = 'Y';
    }
    $Name = htmlentities($_POST['Name'], ENT_QUOTES);
    $Website = htmlentities($_POST['Website'], ENT_QUOTES);
    if ($err == 'Y') {
        #echo "display form here...";
        show_form($EmailFrom, $Name, $Website, $Message);
    } else {
        # the From: header is built from the decoded address; nothing below
        # rejects CR/LF in it, so this line is where header injection would land
        $ef = html_entity_decode($EmailFrom, ENT_QUOTES);
        $err = !mail('someone@somedomain.com', 'Email from Webmaster Mike Blog',
                     "Name: $Name\n\nWebsite: $Website\n\nMessage:\n$Message\n",
                     "From: $ef");
        if ($err) {
            show_form($EmailFrom, $Name, $Website, $Message);
            echo "<p>There was an error sending your email.</p>";
        } else {
            echo "<p>Thank you for sending me an email.</p>";
        }
    }
}
?>
```

The key section is the mail() function call, where you would replace someone@somedomain.com with your own email id and put in your own subject line for the email note.

I stripped off the HTML headers, footers and sidebar, leaving just the PHP code and the HTML for the form.
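A validation step for the same fields, added here as an example rather than the post's own code and written for current PHP (7 or later): it rejects a From address carrying the CR/LF characters (%0D/%0A) that header injection through mail() relies on, requires a single well-formed address, and leaves HTML escaping to the point where values are echoed back into the form. Field names match the form above; the recipient address and the X-Injected header in the constructed input are placeholders.

```php
<?php
// Added example (not the post's own code); field names match the form, recipient is a placeholder.

function has_header_break(string $value): bool
{
    // A mail header line ends at CR or LF (%0D / %0A); NUL is rejected as well.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function validate_contact(array $post): array
{
    $clean = ['EmailFrom' => '', 'Name' => '', 'Website' => '', 'Message' => ''];
    foreach (array_keys($clean) as $field) {
        $clean[$field] = trim((string) ($post[$field] ?? ''));
    }
    $errors = [];
    // Single-line fields must never be able to end a header. Message is
    // multi-line by design and only ever goes into the body, so it is exempt.
    foreach (['EmailFrom', 'Name', 'Website'] as $field) {
        if (has_header_break($clean[$field])) {
            $errors[] = "$field contains a line break, which is not allowed.";
        }
    }
    if ($clean['EmailFrom'] === '') {
        $errors[] = 'Your email id is required.';
    } elseif (filter_var($clean['EmailFrom'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Your email id does not look like a valid address.';
    }
    if ($clean['Message'] === '') {
        $errors[] = 'Please enter a message.';
    }
    return [$errors, $clean];
}

// Arguments for mail(), built only from validated data. The body is plain text and
// is not HTML-escaped; escaping belongs where values are printed back into the form.
function build_mail(array $clean, string $to): array
{
    $body = "Name: {$clean['Name']}\n\nWebsite: {$clean['Website']}\n\n"
          . "Message:\n{$clean['Message']}\n";
    return [$to, 'Email from Webmaster Mike Blog', $body, 'From: ' . $clean['EmailFrom']];
}

// Constructed inputs: a normal submission, and one carrying a decoded %0D%0A.
$good = ['EmailFrom' => 'reader@example.com', 'Name' => 'A Reader', 'Website' => '', 'Message' => 'Hello'];
$bad  = $good;
$bad['EmailFrom'] = "reader@example.com\r\nX-Injected: header";
[$errors, $clean] = validate_contact($good);   // $errors is empty
[$errorsBad]      = validate_contact($bad);    // line-break and invalid-address errors
$args = $errors ? null : build_mail($clean, 'webmaster@example.com');  // then mail(...$args)
```

The second input is what a %0D%0A in the address decodes to on the server; with this check in front of mail() it never reaches the From: header, and the rejected submission is simply redisplayed with the error list.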

© 2016 Mike Silversides


This page contains a single entry from the blog posted on March 13, 2007 3:49 PM.
