I saw somewhere on here that it helps reduce spam by adding a dummy input field that you hide with `display: none`, and like if it's filled out, then it's obviously a bot sending the message. Well, I did something kind of like that but initially set it to `0`. So if it's not `0` then it doesn't send the form, since a bot would have changed the value to something else. I don't know if that will really work effectively or not. If you have a better way to do something like that, please share.

I don't know if my token validation stuff is anywhere close to how it should be. Please let me know if what I'm doing with that is even adding any security or not.
After the user submits the form, I put some echos in so that what they entered is still shown in the form fields, in case there was an error, so they don't lose what they typed. Is my use of `htmlspecialchars` needed there?
Please share any other comments, recommendations, improvements, etc., that you see with my code, because I really want to get better at this, and your answers almost always help me understand things better. You know, the manual can be kind of confusing at times when you're new, so having a master coder review your code and explain things helps me so much.
```php
<?php
session_start();

// Best-effort client address for the notification mail. HTTP_CLIENT_IP and
// HTTP_X_FORWARDED_FOR are request headers the client (or a proxy) supplies;
// only REMOTE_ADDR is an address the server itself observed.
function getIp() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

// Honeypot check: the hidden "yourlastname" field is pre-filled with "0", so
// any other value (or a missing field) is treated as a bot submission.
if (isset($_POST['yourlastname']) && $_POST['yourlastname'] === '0') {
    // Token check: the value stored in the session when the form was rendered
    // must come back unchanged with the submission. isset() avoids notices on
    // the first (GET) request, and === avoids PHP's loose string comparison.
    if (isset($_SESSION['token1'], $_POST['token'])
            && $_SESSION['token1'] === $_POST['token']) {
        // Debugging output left in to compare both values while testing.
        echo "<p>checker: " . htmlspecialchars($_SESSION['token1'])
            . " and the post token " . htmlspecialchars($_POST['token']) . "</p>";
        if (isset($_POST['youremail'])
                && filter_var($_POST['youremail'], FILTER_VALIDATE_EMAIL)) {
            // htmlspecialchars() escapes HTML metacharacters for the mail body;
            // it does not strip line breaks from values that end up in headers.
            $name    = htmlspecialchars($_POST['yourname'] ?? '');
            $email   = htmlspecialchars($_POST['youremail']);
            $from    = $name . ' - ' . $email;
            $ip      = getIp();
            $message = htmlspecialchars($_POST['yourmessage'] ?? '') . "\r\n" .
                       'Name : ' . $name . "\r\n" .
                       'Email : ' . $email . "\r\n" .
                       'User IP: ' . htmlspecialchars($ip);
            $message = wordwrap($message, 60, "\r\n");
            $headers = 'From: ' . $from . "\r\n" .
                       'Reply-To: ' . $email;
            mail('[email protected]', 'Static Subject', $message, $headers);
        }
    }
}

// Issue the token for the next submission and remember it in the session.
// The form below embeds this same value; generating a second, different
// token for the form would make the comparison above fail every time.
$token1 = md5(microtime(true));
$_SESSION['token1'] = $token1;
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Title</title>
</head>
<body>
<form method="post" name="form" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    <input name="token" type="hidden" value="<?php echo htmlspecialchars($token1); ?>">
    <label for="yourname">Your Name:</label>
    <input class="required" id="yourname" name="yourname" type="text" value="<?php if (isset($_POST['yourname'])) { echo htmlspecialchars($_POST['yourname']); } ?>">
    <!-- Honeypot field: hidden from people, pre-filled with "0" -->
    <label for="yourlastname" style="display: none;">Your Last Name:</label>
    <input class="required" id="yourlastname" name="yourlastname" type="text" style="display: none;" value="0">
    <label for="youremail">Your Email:</label>
    <input class="required" id="youremail" name="youremail" type="text" value="<?php if (isset($_POST['youremail'])) { echo htmlspecialchars($_POST['youremail']); } ?>">
    <label for="yourmessage">Your Message:</label>
    <textarea class="required" id="yourmessage" name="yourmessage" cols="30" rows="8"><?php if (isset($_POST['yourmessage'])) { echo htmlspecialchars($_POST['yourmessage']); } ?></textarea>
    <input type="submit" id="send" value="Send">
</form>
</body>
</html>
```
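A hardened version of the same honeypot and token checks, added here as an example and not part of the question above. It assumes `session_start()` has already run and reuses the form's field names (`yourlastname`, `token`, `youremail`, `yourname`); the function names `csrfToken` and `validateContactForm` are made up for this example.

```php
<?php
// Added example (not the poster's code). Assumes session_start() was called.

// Issue one token per session and reuse it, so the value embedded in the
// form is exactly the value checked on submit.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        // random_bytes() is unpredictable; md5(microtime()) is not.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns the list of failed checks for a submission, or [] if it is clean.
function validateContactForm(array $post, string $sessionToken): array {
    $errors = [];

    // Honeypot: the hidden field is pre-filled with "0"; a bot that rewrites
    // or drops it fails here. The ?? guard avoids notices on missing keys.
    if (($post['yourlastname'] ?? null) !== '0') {
        $errors[] = 'honeypot';
    }

    // hash_equals() compares in constant time and always strictly; a plain
    // == would compare numeric-looking strings numerically ("1e3" == "1000").
    if (!hash_equals($sessionToken, (string)($post['token'] ?? ''))) {
        $errors[] = 'token';
    }

    if (filter_var($post['youremail'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }

    // Anything placed in a mail header must not contain line breaks;
    // htmlspecialchars() leaves them in, so check the name separately.
    if (preg_match('/[\r\n]/', (string)($post['yourname'] ?? ''))) {
        $errors[] = 'name';
    }

    return $errors;
}

// Usage sketch, e.g. at the top of the page:
//   $errors = validateContactForm($_POST, csrfToken());
//   if ($errors === []) { /* build $message and call mail() */ }
// and in the form:
//   <input name="token" type="hidden" value="<?= htmlspecialchars(csrfToken()) ?>">
```

Rejected submissions are simply not mailed; the returned list is only for the server's own logging, so the form can keep showing the same generic response either way.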