ContactUsMailFunction
Safe PHP Contact Form using the PHP mail function
It is good practice to allow people to contact you from your website. The simplest way is a mailto link, but the problem with this is that spammers will soon harvest your email address from the link and you will receive loads of spam. A better approach is a contact form on your website: the user fills in a form with a message, and your web server emails the content of the form to you. This way your email address is on your server, not on your website, and so it is not available to spammers.
But this approach has a problem of its own. A script that copies the form fields straight into the headers of the email it sends is open to email header injection: this time the spammers are not trying to send spam to you, they are trying to use your server to send spam to other people, by putting a line break and extra headers such as Bcc: into a field (the email address, say) that ends up in the headers. Potentially this is more serious, as most ISPs monitor what your server is doing, and if lots of spam emanates from a server they will shut it down, taking your website offline.
The code below cleans up the user input before passing it to the PHP mail function. See ContactUsFile for an even safer solution.
The code is split into two files to aid readability.
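To make the attack concrete, here is an added example (not part of the original page) that builds the mail headers the way an unprotected ContactResponse.php would, then parses them back the way a mail server does, next to a hardened version that refuses the same input. It runs from the command line and sends nothing; the attacker address, the victim addresses and the function names are constructed for the example. The point it shows: the additional_headers argument of mail() is meant to carry several header lines separated by CRLF, so mail() cannot tell an injected Bcc: from one you wrote yourself, and the check has to happen before the header string is built.

```php
<?php
// Added example (not the page's code). Nothing is sent: the script only
// builds the header string the way a naive contact form would and parses it
// back the way a mail server would, to show what an attacker gains.

// Constructed attacker input. The line break would arrive URL-encoded
// (%0D%0A) in the POST body; PHP decodes it before it reaches $_POST['email'].
$attackerEmail = "alice@example.com\r\nBcc: victim1@example.net, victim2@example.org";

// Naive header construction: user input concatenated straight into headers.
function naive_headers($fromEmail)
{
    return "From: $fromEmail\r\n" .
           "Reply-To: $fromEmail\r\n" .
           'X-Mailer: PHP/' . phpversion();
}

// Split a raw header block into name => list of values, one header per line,
// which is how the MTA reads the additional_headers argument of mail().
function parse_headers($raw)
{
    $parsed = array();
    foreach (preg_split('/\r\n|\n|\r/', $raw) as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        list($name, $value) = explode(':', $line, 2);
        $parsed[trim($name)][] = trim($value);
    }
    return $parsed;
}

// Hardened construction: refuse (do not "cleanse") any value containing a
// line break, and require one syntactically valid address. Returns null on
// refusal so the caller can drop the submission instead of mailing it.
function safe_headers($fromEmail)
{
    if (preg_match('/[\r\n]/', $fromEmail)) {
        return null;   // header injection attempt
    }
    if (filter_var($fromEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;   // not a single, well-formed address
    }
    return "From: $fromEmail\r\n" .
           "Reply-To: $fromEmail\r\n" .
           'X-Mailer: PHP/' . phpversion();
}

$seen = parse_headers(naive_headers($attackerEmail));
// With the naive code the injected line is a real Bcc header (it appears
// twice, once after From and once after Reply-To), so the server would
// deliver the attacker-written message body to every address listed.
echo "naive:    Bcc header present: " . (isset($seen['Bcc']) ? 'yes' : 'no') . "\n";
echo "          Bcc value: " . (isset($seen['Bcc'][0]) ? $seen['Bcc'][0] : '') . "\n";
echo "hardened: attacker input " . (safe_headers($attackerEmail) === null ? 'rejected' : 'accepted') . "\n";
echo "hardened: alice@example.com " . (safe_headers('alice@example.com') === null ? 'rejected' : 'accepted') . "\n";
```

Run it with `php header_injection_demo.php` (any file name). Because the attacker also controls the message field, the body of the relayed email is entirely theirs; your server merely signs it with its own IP address.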
Add the JavaScript below to the <HEAD> section of your HTML ContactUs page. This JavaScript is not strictly necessary, but it validates the user input to ensure, as far as possible, that the user enters reasonable data in the form fields. It is a convenience for the user, not a security control: anyone can submit to ContactResponse.php directly without the browser ever running it, so the PHP must do its own checks.
<script type="text/javascript">
// Client-side checks only: they help the user, but they are not a security
// control, because anyone can POST to ContactResponse.php directly.
var DHTML = (document.getElementById || document.all || document.layers);
function validateForm()
{
    var valid = true;
    var msg = "";
    var email = new getObj('email');
    var subject = new getObj('subject');
    var umsg = new getObj('msg');
    // reset the label colours left over from a previous attempt
    changeCol('semail', '#000000');
    changeCol('ssubject', '#000000');
    changeCol('smsg', '#000000');
    if (!checkMail(email.obj.value))
    {
        msg = msg + "Please enter a valid email address\r\n";
        changeCol('semail', '#ff2040');
        valid = false;
    }
    if (subject.obj.value.length == 0)
    {
        msg = msg + "Please enter a subject\r\n";
        changeCol('ssubject', '#ff2040');
        valid = false;
    }
    if (umsg.obj.value.length == 0)
    {
        msg = msg + "Please enter a message\r\n";
        changeCol('smsg', '#ff2040');
        valid = false;
    }
    if (msg.length > 0)
    {
        alert(msg);
    }
    else
    {
        // disabled fields are not submitted; make sure the subject is sent
        subject.obj.disabled = false;
    }
    return valid;
}
// Rough syntactic check only; the server must validate the address again.
// The top-level label is allowed to be any length (2 or more characters).
function checkMail(email)
{
    var filter = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,})$/;
    return filter.test(email);
}
// Wrapper that finds an element by id on both old and current browsers
function getObj(name)
{
    if (document.getElementById)
    {
        this.obj = document.getElementById(name);
        this.style = document.getElementById(name).style;
    }
    else if (document.all)
    {
        this.obj = document.all[name];
        this.style = document.all[name].style;
    }
    else if (document.layers)
    {
        this.obj = document.layers[name];
        this.style = document.layers[name];
    }
}
// Colour a label, used to highlight the field that failed validation
function changeCol(name, col)
{
    if (!DHTML) return;
    var x = new getObj(name);
    x.style.color = col;
}
</script>
Add the HTML form below to the <body> section of your HTML ContactUs page. This is the form that the user fills in; put it in an appropriate place on your page.
<form method='POST' name="frmContact" action='ContactResponse.php' onsubmit='return validateForm();' class='bodyMain'>
<h2>Please complete the form below</h2>
<table class='bodyMain'>
<tr>
<td><span id='semail'>Your Email Address* </span></td>
<td><input size="50" name='email' id='email' /></td>
</tr>
<tr>
<td><span id='sname'>Name </span></td>
<td><input size="50" name='name' id='name' /></td>
</tr>
<tr>
<td><span id='ssubject'>Subject* </span></td>
<td><input size="50" name='subject' id='subject' value='Web site feedback' /></td>
</tr>
<tr>
<td><span id='smsg'>Message* </span></td>
<td><textarea cols="50" rows="10" name='msg' id='msg'></textarea></td>
</tr>
<tr>
<td> </td>
<td align="right"><input type="submit" name="submit" value="Send" /></td>
</tr>
</table>
</form>
Create a new PHP page called ContactResponse.php and add the following PHP code. The name of this PHP page must match the name used in the <form ... action='ContactResponse.php' ...> in the HTML above. Change $mailTo = "your.email@your.domain"; to the email address to which you want messages sent.
<?php
############### change this email address #####################
$mailTo = "your.email@your.domain";
$politeGoAway = "Something in your message leads us to think you are trying to use this page to send spam. Message NOT sent";
$spamText = "Content Removed";
###############################################################
if (isset($_POST["submit"])) {
    $email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';
    $name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
    $subject = isset($_POST['subject']) ? trim($_POST['subject']) : '';
    $message = isset($_POST['msg'])     ? trim($_POST['msg'])     : '';
    #################################################
    # Check for spammers
    #################################################
    // Block URLs: any field containing "http" is treated as spam
    foreach (array($name, $email, $subject, $message) as $field) {
        if (preg_match("/http/i", $field)) { echo $politeGoAway; exit(); }
    }
    // Block HTML tags, shell metacharacters and, above all, line breaks.
    // A CR or LF in a field that ends up in the mail headers lets an attacker
    // append headers of their own (Bcc:, To:, Content-Type:); this is the
    // real injection vector. The message body is a separate argument to
    // mail(), so line breaks there are harmless and are left alone.
    $headerPattern = '/[;\|`><&^\n\r{}]/';   // name, email, subject: no line breaks
    $bodyPattern   = '/[;\|`><&^{}]/';       // message body: line breaks allowed
    $name    = preg_replace($headerPattern, $spamText, $name);
    $email   = preg_replace($headerPattern, $spamText, $email);
    $subject = preg_replace($headerPattern, $spamText, $subject);
    $message = preg_replace($bodyPattern, $spamText, $message);
    // Block header names that spammers try to inject, in every field
    $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
    $email   = preg_replace($find, $spamText, $email);
    $name    = preg_replace($find, $spamText, $name);
    $subject = preg_replace($find, $spamText, $subject);
    $message = preg_replace($find, $spamText, $message);
    // If anything was replaced in any field, refuse the whole submission
    foreach (array($name, $email, $subject, $message) as $field) {
        if (stristr($field, $spamText) !== FALSE) { echo $politeGoAway; exit(); }
    }
    $headers = "From: $email\r\n" .
               "Reply-To: $email\r\n" .
               'X-Mailer: PHP/' . phpversion();
    $msg = "Web site message\nFrom: $name ($email)\n$message";
    // send the email; the argument order is mail(to, subject, message, additional_headers)
    mail($mailTo, $subject, $msg, $headers);
?>
Thank you for your message, we will respond shortly. <a href="index.php">home</a>
<?php
}
else {
    echo "Oops! You have arrived at this page accidentally. Please <a href='Contact.html'>Click Here</a>";
}
?>
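As an added example (not code from the original page), here are the same checks reworked into a server-side validator that can be tested without sending anything: the JavaScript rules are repeated on the server, a line break is refused in every field that reaches a header, the message body is left free to contain them, and mail() is called with its documented argument order. The function names, the $fromAddress parameter and the sample submissions are all assumptions made for this example; it needs PHP 7 or later and runs from the command line.

```php
<?php
// Added example (not the page's code): the page's checks reworked as a
// server-side validator that can be tested without sending mail.
// validate_contact() returns an empty array for a clean submission,
// otherwise the reasons to refuse it. Requires PHP 7 or later (?? operator).

function validate_contact(array $post)
{
    $errors = array();
    $f = array();
    foreach (array('email', 'name', 'subject', 'msg') as $key) {
        $f[$key] = trim((string)($post[$key] ?? ''));
    }

    // The same rules as the JavaScript, enforced where they cannot be
    // skipped: anyone can POST to ContactResponse.php without the browser
    // ever running validateForm().
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email address';
    }
    if ($f['subject'] === '') {
        $errors[] = 'subject is empty';
    }
    if ($f['msg'] === '') {
        $errors[] = 'message is empty';
    }

    // Fields copied into mail() headers (From/Reply-To and Subject). A line
    // break in any of them is a header injection attempt and is refused
    // outright; no honest submission contains one.
    foreach (array('email', 'name', 'subject') as $key) {
        if (preg_match('/[\r\n\0]/', $f[$key])) {
            $errors[] = "line break in $key (header injection)";
        }
    }

    // Same policy as the page's script: any URL in the submission is spam.
    // Line breaks in the message are allowed; the body is a separate
    // mail() argument and cannot add headers.
    if (preg_match('#https?://#i', $f['name'] . ' ' . $f['subject'] . ' ' . $f['msg'])) {
        $errors[] = 'URL in submission';
    }
    return $errors;
}

// Sends only when validation passes, with mail()'s documented argument
// order: mail(to, subject, message, additional_headers). From: is a fixed
// address on your own domain ($fromAddress, assumed) because receivers
// check the From: domain's SPF/DMARC policy against the sending server and
// many junk or reject mail that fails it; the visitor's address goes in
// Reply-To: so you can still answer them.
function send_contact(array $post, $mailTo, $fromAddress)
{
    if (validate_contact($post) !== array()) {
        return false;
    }
    $email   = trim($post['email']);
    $name    = trim($post['name'] ?? '');
    $subject = trim($post['subject']);
    $body    = "Web site message\nFrom: $name ($email)\n\n" . trim($post['msg']);
    $headers = "From: $fromAddress\r\n" .
               "Reply-To: $email\r\n" .
               'X-Mailer: PHP/' . phpversion();
    return mail($mailTo, $subject, $body, $headers);
}

// Constructed sample submissions (not real traffic).
$samples = array(
    'legit'     => array('email' => 'alice@example.com', 'name' => 'Alice',
                         'subject' => 'Hello', 'msg' => "Line one\nLine two"),
    'injection' => array('email' => "alice@example.com\r\nBcc: spam@example.net",
                         'name' => 'Alice', 'subject' => 'Hi', 'msg' => 'x'),
    'url_spam'  => array('email' => 'bot@example.com', 'name' => 'bot',
                         'subject' => 'cheap', 'msg' => 'see http://example.invalid'),
    'no_msg'    => array('email' => 'bob@example.com', 'name' => '',
                         'subject' => 'Hi', 'msg' => '   '),
);
foreach ($samples as $label => $post) {
    $errors = validate_contact($post);
    printf("%-10s %s\n", $label, $errors ? 'REJECT: ' . implode('; ', $errors) : 'accept');
}
```

In ContactResponse.php the call would be send_contact($_POST, $mailTo, 'contact@your.domain') with your own addresses substituted; only the 'legit' sample above passes, and the multi-line message in it is accepted because nothing in the body can reach a header.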