Comments on: Making a Secure Contact Form with PHP and jQuery

By: pligg.com

pligg.com — Sun, 05 Jul 2009 10:27:47 +0000

How to Make a Secure Contact Form with PHP and jQuery…

You should always give your users the opportunity to contact the webmaster, when you are building a website. One way to do it is to give out the email address. Unfortunately, putting your email address up on a website makes it a target for the spam bot…

By: IceGhost

IceGhost — Sun, 05 Jul 2009 08:21:14 +0000

This is the most unsecure form
There is no input sanitizing/filters nothing

By: Steve Love

Steve Love — Sat, 04 Jul 2009 22:35:18 +0000

Nice post. This is a great start to get people thinking about vulnerabilities in their contact forms.

I realize you probably just intended this as a simple example, but for anyone planning to use this code, it should be noted that it’s still wide open for exploits. The main issue is that the random key is not deleted after use. I can simply sit on the form and click the submit button (or write a script to do it) to send successful messages all day long. Or, if I really wanted to, I could visit the form to grab the hidden key and insert it into my own form to spam contact.php. Unset the session variable after validating it and you’ll get a little extra mileage out of this script.

And just as a side note, while we’re talking about giving users an opportunity to contact you, keep in mind that this example will not work for the users who have JavaScript disabled in their browser. In fact, the way this script is written they’ll get no error message at all.

By: Tim

Tim — Sat, 04 Jul 2009 21:39:15 +0000

You should check the POST['contact_key'] with !empty() rather than using isset().

A bot could post an empty contact key and since they didn’t originate for the form, the SESSION['contact_key'] would also be empty.

That would pass the test above and allow the bot to spam your form.

It’s a minor but important change.

By: alfred westerveld

alfred westerveld — Sat, 04 Jul 2009 18:08:26 +0000

Good tutorial. Have couple tips for javasript jquery. First of all I think it should be wrapped in $(document).ready(function() {});

Second I would use var contactform = $(‘form#contact’); because otherwise global namespace will be polluted.

$(document).ready(function() {
contactform = $(‘form#contact’);
contactform.submit(function() {
$.post(‘/contact.php’, $(this).serialize(), function(data) {
$(‘form#contact’).append(“”+data);
});
return false;
});
});

By: Kendall

Kendall — Sat, 04 Jul 2009 17:55:20 +0000

This doesn’t stop many spambots. Most that I’ve seen that visit my site first get the page and can see all the form fields and pick up a session. They then use this session to send a message with all form fields filled out, and they also share the sessions with others so a “valid” sessions gets used multiple times, usually about 4 attempts. What you’ve shown here wouldn’t phase these spambots.

Using a honeypot alone would be more effective. A honeypot being a form field that’s visually hidden (not using the type=”hidden”, but rather CSS) and the PHP script expects to be empty. Spambots will fill it out blindly and thus you’ll know it’s spam. There’s a number of other effective techniques, but the one given in the article does nothing really.

By: Chris

Chris — Thu, 02 Jul 2009 16:14:24 +0000

FYI…this isn’t secure at all. Your form is still easily hijacked as you do no request var validation/filtering. Your concatenated header strings can be easily spoofed and spam messages CC’d and BCC’d with no sweat. Based on how your PHP code operates, comparing session tokens is pretty worthless and isn’t “protecting” much at all. Any spammer can sit there all day long BCCing spam messages right under your nose.

Web Programming 101: Don’t trust user inputs.