Ars Informatica
September 28, 2020

AI_ContactForm to E-mail script; validates e-mails and checks against e-mail header injection

November 23, 2006

Contact forms aren't hard to code, and the PHP mail() function is pretty simple - and yet, implementing such a form, handling the POSTed information, error-checking, and providing basic security, can quickly seem a daunting task.

Many people still provide their e-mail addresses directly on their web pages. There are still occasions where this is necessary. Still, the approach is and looks dated, and malicious web-scouring spambots are getting better and better at plucking e-mail addresses from a page. You may have disguised or munged the e-mail address; you may encrypt it via JavaScript and decrypt it on the fly to launch your e-mail client; you may provide it in image format, so your users must type out what they read but most bots can't read it; or you may use a Captcha image to confirm that the form was submitted by a Real Live Human ...

And still, sometimes, the spambots win.

PHP provides a simple solution: the HTML code, i.e. the web page code that your browser sees, does not contain your e-mail address.

Your target e-mail address is handled behind the scenes; PHP creates the mail message from the form contents, and sends it on, without ever exposing the address to a bot.

There can be downsides. First, you need to write the code: code for the HTML form, form handling, return e-mail validation, etc. Our script makes it easy. Reference the script from a PHP page:

include 'contact.php';

Which produces the following form:

Contact Us

Please send us your feedback:

E-mail Address:




You will need to change one line of code:

$mail_target = '';

to whatever e-mail address you wish your messages directed to.

Tip: do not use your primary e-mail address. It's easier to manage your e-mail if it's directed to a mailbox dedicated only to site feedback. If this e-mail address ever becomes compromised, it's easier to change without mucking up your personal and other lives as well ... Most web site hosting companies give you 100 e-mail name aliases or more; most plain-vanilla web accounts give you five or more e-mail addresses.

Web contact forms are vulnerable to a particular kind of abuse known as e-mail insertion attacks - as described very well elsewhere.

In brief, some malicious entity - usually a spambot, not a person, since one site, one form, offer little return for the effort involved - inserts e-mail header code into the Name or E-mail address input fields, i.e.

The %0A is code for a line feed, and Bcc: specifies a header for a blind carbon copy, i.e. another person who will be spammed with the message attached. Worse, the Content-Type: header can be used to attach malicious file content to these messages.

The contact.php script looks for such attacks. If you would like to be informed of such attacks, leave the line

$notify_injections = true;

set to true. To turn off these notifications, change 'true' to 'false'. E-mail injections will still be detected and stopped, but you won't be mailed with the results.
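The kind of check described above, as an added example (this is not the AI_ContactForm source; the function names and sample submissions are constructed for illustration). It rejects Name and E-mail values that contain raw or URL-encoded line breaks, or header names such as Bcc: and Content-Type:, before they are placed in the headers passed to mail():

```php
<?php
// Added example, not the AI_ContactForm source. Function names are hypothetical.

// True if a single-line field contains anything that could start a new header.
function has_header_injection(string $value): bool
{
    // Raw CR/LF end the current header line; %0A / %0D are the same bytes
    // still URL-encoded (they survive if the input was encoded twice).
    if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
        return true;
    }
    // Header names that have no business inside a name or address field.
    return (bool) preg_match('/\b(bcc|cc|to|content-type)\s*:/i', $value);
}

// Returns the names of the offending fields; an empty list means safe.
function check_contact_fields(array $post): array
{
    $bad = [];
    foreach (['name', 'email'] as $field) {
        $v = $post[$field] ?? '';
        // A non-string (e.g. name[]=x sent as an array) is rejected outright.
        if (!is_string($v) || has_header_injection($v)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed sample submissions (example.com addresses are placeholders).
$samples = [
    ['name' => 'Jane Doe', 'email' => 'jane@example.com'],
    ['name' => 'Jane Doe', 'email' => "jane@example.com\nBcc: list@example.com"],
    ['name' => 'x%0AContent-Type: text/html', 'email' => 'jane@example.com'],
];

foreach ($samples as $i => $post) {
    $bad = check_contact_fields($post);
    if ($bad) {
        // Reject: these values must never reach mail().
        echo "sample $i: rejected (" . implode(', ', $bad) . ")\n";
        continue;
    }
    // Only validated values are placed in the From: header.
    $headers = 'From: ' . $post['name'] . ' <' . $post['email'] . '>';
    echo "sample $i: ok -> $headers\n";
}
```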

The form is easily customized to appear however you want - just adapt the Cascading Style Sheet definitions between the <STYLE> tags in the form.

As is, the form also requires that anyone submitting feedback enter a name, a return e-mail address, and a message. If any of these is blank, the script presents a message requesting the required data. The e-mail address is validated, i.e. checked that it matches proper e-mail address syntax. If it doesn't, the script returns a request for a valid address.

The e-mail validation script is our own, and is described in detail in another article. If you care, or if you're interested in learning about Regular Expression matching, follow the link.

Finally, Wikipedia has a good article on e-mail address munging, as well as one on Captcha form validation.

Hope this helps.

This PHP script is released under the terms of the GNU General Public License, i.e. free for you to use, modify, and even redistribute under the terms of this license - see for further details.


Copyright © 2020 Ars Informatica. All Rights Reserved.