My domain is BFdesigns | Freelance Website Designer | Bromsgrove Worcestershire, should anyone wish to test it for themselves.
Someone can easily just view the HTML source and get the URL of the form-processing script from the form's action attribute. They can then send whatever data they like to the form-processing script, as a GET or POST, without even opening the page containing the HTML form.
The real validation of the form always needs to be done on the server, because if you don't validate the data when you first receive it on the server, you have no way of telling what it contains (it need not even have come from your form).
You need to run the validation in your PHP code as well. If it does not validate, let the user know, just like you do with the redirect to the thanks page.
Just sorted the issue and have now put in place the following, which stops the user from submitting the form when JS has been disabled (domain to try out for yourself and prove me wrong is www.bfdesigns.co.uk):
/*Redirects the user to the error page if JS is disabled and the form is submitted*/
/* Redirects the visitor to the thanks page */
What if something other than the first name is missed out?
Server-side validation MUST be mandatory, and client-side validation SHOULD be used too.
First and foremost has to be the server-side PHP validation. Without that, people can cause any strange types of things to happen with your server-side script.
I'm getting somewhat confused as to what level of security regarding validation of specific fields in contact forms I should be implementing.
As a minimum, with my simple contact form, what validation checks should be put in place in order to not receive spam or abuse from a naughty hacker?
I look forward to hearing from you on this matter or anybody else should they wish to chip in.
Nothing can stop all spam or abuse, but you can make it more difficult for automatic abuse to occur.
At a minimum, you should ensure that required values are present, and that values are within range of how they're going to be stored. That means that the inputs need to be sanitized, and then validated. You can read more about this side of things in the PHP tips article about Handling Input and Output.
To deal with spammers, there are some easy CAPTCHAs (Completely Automatic Public Turing test to tell Computers and Humans Apart).
One of my favorites is reCaptcha
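Server-side validation of the kind described in the replies above (required fields present, length limits that match how the values will be stored, sanitize then validate, and a redirect either way rather than relying on the JavaScript check), as an added PHP example that is not code from the thread or from the site under discussion; the field names, length limits, session usage and redirect paths are assumptions:

```php
<?php
// Added example, not code from the thread: server-side validation for a simple
// contact form. Field names, length limits and redirect targets are assumptions.
declare(strict_types=1);

// Length limits are chosen to match what storage and the mail layer accept.
const CONTACT_RULES = [
    'first_name' => ['required' => true, 'max' => 50],
    'email'      => ['required' => true, 'max' => 254, 'email' => true],
    'message'    => ['required' => true, 'max' => 2000],
];
/**
 * Normalise the raw request data, then check every rule.
 * Returns a list of error messages; an empty list means the submission passed.
 */
function validateContact(array $input): array
{
    $errors = [];
    foreach (CONTACT_RULES as $field => $rule) {
        // Never trust the type of request data: field[]=x arrives as an array.
        $raw   = $input[$field] ?? '';
        $value = is_string($raw) ? trim($raw) : '';
        if ($rule['required'] && $value === '') {
            $errors[] = "$field is required";
            continue;
        }
        if (mb_strlen($value) > $rule['max']) {
            $errors[] = "$field must be at most {$rule['max']} characters";
        }
        // Line breaks in single-line fields are a mail header injection vector.
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field contains invalid characters";
        }
        if (($rule['email'] ?? false) && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$field is not a valid address";
        }
    }
    return $errors;
}

// Form handler: validate first, then redirect either way (HTTP 303), so the
// outcome never depends on the JavaScript check running in the browser.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $errors = validateContact($_POST);
    $_SESSION['contact_errors'] = $errors; // shown to the user on the error page
    header('Location: ' . ($errors === [] ? '/thanks.php' : '/error.php'), true, 303);
    exit;
}
```

The error page can read `$_SESSION['contact_errors']` to tell the user which field failed, which covers the case where something other than the first name is missed out.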
Thank you for your wise tips.
I must admit I'm not a fan of reCaptcha, as I do sometimes struggle to read the words you have to type in whenever I come across these on sites.
From that I try to put myself in the shoes of an everyday user, who probably wouldn't stick around to submit a form and would move on to the next site.
Another layer of protection you can use is an API that checks through all the currently logged spams and bots in the world, which is updated daily. A friend and I made a mod for this, and so far it has proven to be a 100% success against fighting spammers and bots.
Cheers to Sgtlegend for the link. Do you want all my blocked email addresses from my hotmail account? I must have close on 700.
Also thank you to Paul for the book links; I will definitely make sure I get through them all and blow some hard-earned cash.
I'm in need of grasping the basics of both as quickly as possible.
Even better might be to employ someone to do parts of the job for you who already knows about what dangers to protect against, but that's a different topic.