Web Application Security, A Beginner's Guide

Author: Bryan Sullivan, Vincent Liu
4.0

Comments

by anonymous   2017-08-20

Your form is generated via JavaScript, but starting out with a plain HTML form will help you figure the steps out faster. Client-side validation via JavaScript is good, but you need server-side PHP validation too. You need to beef up on form processing (don't worry, so do I!). You'll catch flak on this site about injection attacks and such. If you can, you may want to investigate some books on web application security. Here are some books that can get you started.

PHP Security

Web Application Security

You need a <form> tag that has the following inside it somewhere.

<form method="post" action="contact.php">

I found your opening <form> tag. Interesting.

<form class="contactform" role="form" method="post" action="#/email.php">

You may want to investigate your action="#/email.php" attribute a bit more. Is that what it's supposed to be?

I usually do something like this (HTML 4.01 inside of PHP. You are using HTML5) (where this line is generated via PHP). Note: Incomplete example.

<form id="contactForm" name="contactForm" enctype="application/x-www-form-urlencoded" accept-charset="UTF-8" action="contact.php" method="post">

</form>

In order for the following code to work, code similar to email.php must be called first so that the values are extracted from the $_POST superglobal array and stored in the variables that you use in contact.php ($name, $email, $human, $to, $subject, $body, $from). Otherwise, your form will, like you say, fail to contact you. This is a logic error, but you can fix it in no time if you find a good example.

No promises, but try this:

<?php

    require('email.php');  // Assuming it is in the same directory as your contact.php;
                           // it must set $name, $email, $human, $to, $subject, $body and $from from $_POST

    if (isset($_POST['submit'])) {               // isset() avoids an "undefined index" notice when the form was not submitted
        if ($name !== '' && $email !== '') {     // Variables are not extracted from $_POST here; email.php does that
            if ($human === '4') {
                if (mail($to, $subject, $body, $from)) {   // the 4th argument is additional headers, so $from must be a header line such as "From: <address>"
                    echo '<p>Your message has been sent!</p>';
                } else {
                    echo '<p>Something went wrong, go back and try again!</p>';
                }
            } else {                             // submitted, but the anti-spam answer was wrong
                echo '<p>You answered the anti-spam question incorrectly!</p>';
            }
        } else {
            echo '<p>You need to fill in all required fields!!</p>';
        }
    }
?>

I might suggest a few resources to beef up on form processing.

PHP Programming, 3rd Edition

Beginning PHP

PHP, MySQL, & Apache: 5th Edition

PHP Cookbook, 2nd Edition

PHP and MySQL Web Development: 4th Edition

Learning PHP, MySQL, JavaScript, and CSS: Second Edition

Also, there are plenty of free tutorials on the web!
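The comment above says the form needs server-side validation and warns about injection; the sketch it gives relies on email.php to pull values out of $_POST and passes a $from string straight into mail()'s headers argument. The following is an added example, not code from the comment or from the book on this page, showing what that server side can look like in one file. It assumes the form posts fields named name, email, message, human and submit, and that the two addresses handed to build_mail() are placeholders; all of those names are assumptions. The point worth seeing is that mail()'s fourth argument is raw header text, so any user-supplied value that reaches a header (here the visitor's name in Subject: and address in Reply-To:) must be checked for CR/LF before it gets there, or the sender can append headers of their own.

```php
<?php
// Added example, not from the post above. Assumed field names: name, email,
// message, human, submit. The addresses passed to build_mail() are placeholders.
declare(strict_types=1);

/** Read one POST field as a trimmed string; a non-string (e.g. name[]=x) counts as empty. */
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

/**
 * Server-side validation of the contact form. Nothing the browser did is trusted;
 * every field is re-checked here. Returns ['ok' => true, 'data' => [...]] or
 * ['ok' => false, 'error' => '...'].
 */
function validate_contact_form(array $post): array
{
    $name    = field($post, 'name');
    $email   = field($post, 'email');
    $message = field($post, 'message');
    $human   = field($post, 'human');

    if ($name === '' || $email === '' || $message === '') {
        return ['ok' => false, 'error' => 'You need to fill in all required fields!'];
    }
    // Exactly one syntactically valid address; FILTER_VALIDATE_EMAIL also rejects CR/LF,
    // which matters because this value is placed in a Reply-To: header below.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'Please enter a valid e-mail address.'];
    }
    // $name ends up in the Subject: header. A CR or LF there terminates the header and
    // lets the sender inject further headers (Bcc:, extra To:, ...), so refuse it outright.
    if (preg_match('/[\r\n]/', $name) === 1) {
        return ['ok' => false, 'error' => 'Invalid characters in the name field.'];
    }
    if ($human !== '4') {
        return ['ok' => false, 'error' => 'You answered the anti-spam question incorrectly!'];
    }
    return ['ok' => true, 'data' => ['name' => $name, 'email' => $email, 'message' => $message]];
}

/**
 * Build the four mail() arguments. From: is a fixed address on your own domain;
 * the visitor's address only goes in Reply-To:, so the visitor never controls the sender.
 */
function build_mail(array $data, string $to, string $sender): array
{
    $subject = 'Website contact from ' . $data['name'];
    $body    = "Name: {$data['name']}\nE-mail: {$data['email']}\n\n{$data['message']}";
    $headers = "From: {$sender}\r\nReply-To: {$data['email']}";
    return [$to, $subject, $body, $headers];
}

// Usage in contact.php, the form's action target.
if (isset($_POST['submit'])) {
    $result = validate_contact_form($_POST);
    if ($result['ok'] !== true) {
        // Escape anything echoed back to the page; these messages are fixed strings,
        // but the habit is what keeps a later "echo $name" from becoming reflected XSS.
        echo '<p>' . htmlspecialchars($result['error'], ENT_QUOTES, 'UTF-8') . '</p>';
    } else {
        // Placeholder addresses: the site owner's inbox and the site's own sender address.
        [$to, $subject, $body, $headers] = build_mail($result['data'], 'owner@example.com', 'contact@example.com');
        echo mail($to, $subject, $body, $headers)
            ? '<p>Your message has been sent!</p>'
            : '<p>Something went wrong, go back and try again!</p>';
    }
}
```

Two design choices are deliberate: the form's own values never become the From: address, and every field is pulled out of $_POST through one helper rather than the `extract()`-style approach the comment hints at with email.php, so a renamed or duplicated field cannot overwrite a variable the script relies on.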