<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>AI_ContactForm documentation</title>
  <meta name="author" content="Paul Postuma, Ars Informatica">
  <meta name="language" content="english">
  
  <style type="text/css">
	a.generic:link {color: #0000FF;}
	a.generic:visited {color: #800080;text-decoration:underline;}
	a.generic:active {color: #FF0000;text-decoration:underline;}
	a.generic:hover {color: #0000FF;text-decoration:underline;}
	
	.main_text {font:8pt Verdana}
	.code {width:580px;color:#006699}
  </style>
</head>

<body>
<a href="http://www.ars-informatica.ca" target="_top"><img src="resources/AI_logo_med.gif" style="position:absolute;left:56px;top:31px;z-index:1" border="0" alt="Ars Informatica"></a>

<div style="position:absolute;left:38px;top:91px">
<table style="width:920px;z-index:0;border-color:#bbbbbb;vertical-align:top;text-align:left" border="6" cellpadding="0" cellspacing="0">
    <tr style="height:24px;background-color:#515c9a;font:bold 10pt Verdana;color:#ffffff;text-align:right;width:160px;padding-right:20px">
      <td>November 23, 2006</td>
    </tr>
    <tr>
      <td valign="top"><div style="position:relative;width:870px;padding:20px">Contact forms aren't hard to code, and the PHP mail() function is pretty simple - and yet, implementing such a form, handling the POSTed information, error-checking, and providing basic security, can quickly seem a daunting task.

<p>Many people still provide their e-mail addresses directly on their web pages. There are occasions where this is necessary. Still, the approach looks dated, and malicious web-scouring spambots are getting better and better at plucking e-mail addresses from a page. Perhaps you have disguised or munged the address, encrypted it via JavaScript so that it is decrypted on the fly and launches the reader's e-mail client, or provided it as an image, so that your users must type out what they read but most bots can't read it; or perhaps you use a Captcha image to confirm that the form was submitted by a Real Live Human ...

<p>And still, sometimes, the spambots win.

<p>PHP provides a simple solution: the HTML code, i.e. the web page code that your browser sees, <i>does not contain your e-mail address</i>. 

<p>Your target e-mail address is handled behind the scenes; PHP creates the mail message from the form contents, and sends it on, without ever exposing the address to a bot.

<p>The downside is that you need to write the code: the HTML form, the form handling, return e-mail validation, etc. Our script makes that easy. Reference it from a PHP page:

<pre class="code">include 'contact.php';</pre>

<p>Which produces the following form:

<style>h1 { font:bold 14pt verdana }
</style>
<p><h1>Contact Us</h1>

<p>

Please send us your feedback:<p><form action="/ars/contact.php" method="post" style="font:bold;line-height:24px">
<table style="border:0;padding:0;text-align:left;font:bold;line-height:24px" class="input_text"><tr><td style="padding:0 15px 0 0">Name:<br>
<input name="sender_name" type="text" maxlength="50" value="" style="height:24px;width:190px;font:8pt Verdana;padding:4px"></td>

<td>E-mail Address:<br>
<input name="sender" type="text" maxlength="50" value="" style="height:24px;width:190px;font:8pt Verdana;padding:4px"></td></tr>

<tr><td colspan=2><p>Subject:<br>
<input name="subject" type="text" maxlength="50" value="" style="height:24px;width:400px;font:8pt Verdana;padding:4px">

<p>Comments:<br>
<textarea name="message" rows="30" class="input_text" style="width:400px"></textarea>

<p><input type="button" name="submit" value="Submit" style="font:8pt Verdana;padding:2px">
</td></tr></table>
</form>

<p>&nbsp;

<p>You will need to change <i>one</i> line of code:

<p><pre class="code">$mail_target = 'hide@address.com';</pre>

<p>to whatever e-mail address you wish your messages directed to.

<p>Tip: do not use your primary e-mail address. It's easier to manage your e-mail if it's directed to a mailbox dedicated only to site feedback. If this e-mail address ever becomes compromised, it's easier to change without mucking up your personal and other lives as well ... Most web site hosting companies give you 100 e-mail name aliases or more; most plain-vanilla web accounts give you five or more e-mail addresses.

<p>Web contact forms are vulnerable to a particular kind of abuse known as e-mail header injection (or simply e-mail injection) attacks - as <a href="http://www.securephpwiki.com/index.php/Email_Injection">described very well elsewhere</a>.

<p>In brief, some malicious entity - usually a spambot, not a person, since one site, one form, offers little return for the effort involved - inserts e-mail header lines into a field whose value ends up in a mail header, such as the Name, E-mail Address or Subject inputs, e.g.

<p><input type="text" value="Fake Name%0Abcc:hide@address.com" style="height:24px;width:190px;font:8pt Verdana;padding:4px;width:400px">

<p>%0A is the URL encoding of a line feed (%0D is a carriage return); by the time the value reaches $_POST it is a real line break, and a line break inside a header field starts a new header line. Bcc: is the header for a blind carbon copy, i.e. another recipient who will be spammed with the message. Worse, an injected Content-Type: header can turn the message into a multipart one and attach arbitrary, possibly malicious, file content.

<p>The contact.php script looks for such attacks. If you would like to be informed of such attacks, leave the line

<p><pre class="code">$notify_injections = true;</pre>

<p>set to true. To turn off these notifications, change 'true' to 'false'. E-mail injection attempts will still be detected and blocked; you just won't be mailed a report of them.
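<p>To make the check concrete, here is an added example of the kind of detection and header construction described above. It is written for this documentation page and is not the contact.php source; the field names (sender_name, sender, subject, message) are those of the form above, while the function names, the shape of the notification report and the two sample submissions are assumptions.

```php
<?php
// Added example for this documentation page; it is not the contact.php
// source. Field names match the form above; the function names, the
// $notify_injections handling and the sample submissions are assumptions.

// A header can only be injected by starting a new line inside a header
// field. PHP has already URL-decoded the POST body, so an attacker's %0A
// arrives in $_POST as a real line feed; the encoded form is rejected too,
// in case a handler decodes the value a second time.
function detect_header_injection(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return 'raw CR/LF';
    }
    if (preg_match('/%0[aAdD]/', $value)) {
        return 'URL-encoded CR/LF';
    }
    if (strpos($value, "\0") !== false) {
        return 'NUL byte';
    }
    return null;
}

// Build the arguments for mail() from the POSTed fields. Returns either the
// prepared message or the list of fields that carried an injection attempt.
function build_contact_mail(array $post, string $mail_target): array
{
    $clean = [];
    foreach (['sender_name', 'sender', 'subject', 'message'] as $f) {
        $clean[$f] = trim((string) ($post[$f] ?? ''));
    }

    // Only values that end up in a header line matter; the body is free text.
    $injected = [];
    foreach (['sender_name', 'sender', 'subject'] as $f) {
        $why = detect_header_injection($clean[$f]);
        if ($why !== null) {
            $injected[$f] = $why;
        }
    }
    if ($injected !== []) {
        return ['ok' => false, 'injected' => $injected];
    }

    // The display name is quoted; drop the characters that would end the
    // quoted string or the angle-bracket address early.
    $name    = str_replace(['"', '<', '>', '\\'], '', $clean['sender_name']);
    $headers = 'From: "' . $name . '" <' . $clean['sender'] . ">\r\n"
             . 'Reply-To: ' . $clean['sender'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return [
        'ok'      => true,
        'to'      => $mail_target,
        'subject' => $clean['subject'],
        'body'    => $clean['message'],
        'headers' => $headers,
    ];
}

// The report mailed to $mail_target when $notify_injections is true.
function build_injection_report(array $injected, string $remote_addr, string $mail_target): array
{
    $lines = ["Blocked e-mail injection attempt from {$remote_addr}:"];
    foreach ($injected as $field => $why) {
        $lines[] = "  {$field}: {$why}";
    }
    return [
        'to'      => $mail_target,
        'subject' => 'Contact form: e-mail injection blocked',
        'body'    => implode("\n", $lines),
        'headers' => "Content-Type: text/plain; charset=UTF-8\r\n",
    ];
}

// Handle one submission; the mail() calls need a configured MTA.
function handle_submission(array $post, string $remote_addr, string $mail_target, bool $notify_injections): string
{
    $m = build_contact_mail($post, $mail_target);
    if (!$m['ok']) {
        if ($notify_injections) {
            $r = build_injection_report($m['injected'], $remote_addr, $mail_target);
            mail($r['to'], $r['subject'], $r['body'], $r['headers']);
        }
        return 'Your message could not be sent.';
    }
    mail($m['to'], $m['subject'], $m['body'], $m['headers']);
    return 'Thank you for your feedback.';
}

// Constructed sample submissions: the second is the %0A attack from the
// text, as it looks once PHP has decoded the POST body.
if (PHP_SAPI === 'cli') {
    $good = ['sender_name' => 'Jane Doe', 'sender' => 'jane@example.com',
             'subject' => 'Hello', 'message' => 'Nice site.'];
    $bad  = $good;
    $bad['sender_name'] = "Fake Name\nbcc:victim@example.com";
    foreach ([$good, $bad] as $post) {
        print_r(build_contact_mail($post, 'feedback@example.com'));
    }
}
```

<p>Run from the command line, the script prints the prepared message for the clean submission and the blocked field (sender_name, raw CR/LF) for the attack; in a web request, handle_submission() would be called with $_POST and $_SERVER['REMOTE_ADDR']. Checking for the line break is the essential test: without a new line an attacker cannot start a Bcc: or Content-Type: header no matter what else the field contains.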

<p>The form is easily customized to appear however you want - just adapt the Cascading Style Sheet definitions between the &lt;STYLE&gt; tags in the form.

<p>As is, the form also requires that anyone submitting feedback enter all three of a name, a return e-mail address and a message. If any of these is blank, the script responds with a message requesting the missing data. The e-mail address is also validated, i.e. checked against proper e-mail address syntax; if it doesn't match, the script returns a request for a valid address.

<p>The e-mail validation script is our own, and is described in detail <a href="http://www.ars-informatica.ca/article.php?article=46">in another article</a>. If you care, or if you're interested in learning about Regular Expression matching, follow the link.
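<p>As an added illustration of the required-field and address-syntax checks just described, the following example was written for this page and is not the script's own validation code: instead of the regular expression from the linked article it uses PHP's built-in FILTER_VALIDATE_EMAIL with a few explicit limits on top. The function names and the sample addresses are assumptions.

```php
<?php
// Added example for this documentation page, not the contact.php source.
// It uses PHP's FILTER_VALIDATE_EMAIL rather than the script's own regular
// expression; function names and sample inputs are assumptions.

// Returns null for a usable address, otherwise the reason it was rejected.
function check_email_address(string $addr): ?string
{
    if ($addr === '') {
        return 'empty';
    }
    if (strlen($addr) > 254) {
        return 'longer than 254 octets';
    }
    // Whitespace and control characters (including the CR/LF used for header
    // injection) never belong in a bare address.
    if (preg_match('/[\x00-\x1f\x7f\s]/', $addr)) {
        return 'contains whitespace or a control character';
    }
    // PHP's validator checks the addr-spec syntax (no display name, no <>).
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return 'not a valid address';
    }
    // Split at the last '@' (a quoted local part may itself contain one).
    $at     = strrpos($addr, '@');
    $local  = substr($addr, 0, $at);
    $domain = substr($addr, $at + 1);
    if (strlen($local) > 64) {
        return 'local part longer than 64 octets';
    }
    // A public mail domain has at least one dot; user@localhost is no use here.
    if (strpos($domain, '.') === false) {
        return 'domain has no dot';
    }
    return null;
}

// The checks applied before anything is mailed: name, return address and
// message are required, and the address must be well formed.
function validate_submission(array $post): array
{
    $errors  = [];
    $name    = trim((string) ($post['sender_name'] ?? ''));
    $sender  = trim((string) ($post['sender'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '') {
        $errors[] = 'Please enter your name.';
    }
    if ($sender === '') {
        $errors[] = 'Please enter your e-mail address.';
    } elseif (($why = check_email_address($sender)) !== null) {
        $errors[] = "Please enter a valid e-mail address ({$why}).";
    }
    if ($message === '') {
        $errors[] = 'Please enter a message.';
    }
    return $errors;   // an empty array means the submission may be mailed
}

if (PHP_SAPI === 'cli') {
    // Constructed sample addresses: valid ones, malformed ones, and the
    // header-injection payload from the text.
    $samples = [
        'jane@example.com',
        'jane.doe+site@mail.example.co.uk',
        'jane@localhost',
        'jane doe@example.com',
        "jane@example.com\nBcc: victim@example.com",
        'not-an-address',
        '',
    ];
    foreach ($samples as $s) {
        printf("%-48s %s\n", json_encode($s), check_email_address($s) ?? 'ok');
    }
    print_r(validate_submission(['sender_name' => '', 'sender' => 'jane@example.com', 'message' => 'Hi']));
}
```

<p>The order of the checks matters: the length and control-character tests run before the syntax test so that a deliberately huge or line-break-laden value is rejected cheaply, and the rejection reason is returned rather than shown verbatim to the user if you would rather not tell a bot exactly which test it failed.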

<p>Finally, Wikipedia has a good <a href="http://en.wikipedia.org/wiki/Address_munging">article on e-mail address munging</a>, as well as one on <a href="http://en.wikipedia.org/wiki/Captcha">Captcha form validation</a>.

<p>Hope this helps.

<p>This PHP script is released under the terms of the GNU General Public License, i.e. free for you to use, modify, and even redistribute under the terms of this license - see <a href="http://www.gnu.org/copyleft/gpl.html">http://www.gnu.org/copyleft/gpl.html</a> for further details.

<p><a title="AI_ContactForm source code" href="AI_ContactForm_source_code.htm"><img style="margin-bottom:-10px" alt="magnifier icon" hspace="10" src="resources/magnifier.gif" align="left" border="0"></a>view <a title="AI_ContactForm source code" href="AI_ContactForm_source_code.htm">AI_ContactForm source code</a>
<br clear="all" />
<p>&nbsp;
      </td>
    </tr>
</table>

<p>Find the most recent version of this documentation at <a href="http://www.ars-informatica.ca/article.php?article=47">http://www.ars-informatica.ca/article.php?article=47</a>.<br>
Copyright &copy; 2006 <a href="http://www.ars-informatica.ca" target="_top">Ars Informatica</a>. All Rights Reserved.

<p>&nbsp;</div>

<div style="position:absolute;top:87px;left:80px;width:720px;z-index:1;color:#FDEC2D;font:bold italic 20pt "times new roman",times,serif">AI_ContactForm Documentation</div>