Kevin Korte (28,149 Points)
How robust are the form validation lessons here?
One thing I really do not understand well yet is protecting forms. My question is mostly to the staff, but anyone else who is very well versed in form validation: how robust is what is shown here?
I completely understand that it's likely compromises might have had to be made to keep the validation lessons from getting very complicated. To me it seems like it's one of the hardest things to accomplish, but yet I need to do it on a very small scale site.
So between Andrew Chalkley's jquery and Randy Hoyt's php validation, is this a sufficient set up for form validation in the wild?
If not, are there resources that could help me better it? I'm getting good at editing existing code, or building my own with very good documentation, but struggle when I'm on my complete own.
Thanks all!
9 Answers
Andrew Chalkley (Treehouse Guest Teacher)
There are two things to really consider: there's validation, and there's security.
Validation can range from simple string tests, to regular expressions, to the over-the-top complex, i.e. looking to see if the domain is a valid domain by doing a lookup or something. Depending on your application you know if it's important to have a valid email (in terms of a contact form it may not matter, whereas for login credentials it is).
Security can be an issue with Email Header Injection, where exploiters can use your web form to send unlimited amounts of emails by hijacking your contact form – PHP doesn't support protection for this out of the box, right Randy Hoyt? The other issue is MySQL injection. If your form is somehow connected to a database, hackers could "inject" SQL to take over your database.
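Added example (written for this edit, not from the thread or the Treehouse lessons) of the SQL injection Andrew mentions: the same lookup written once with string concatenation and once with a PDO prepared statement, run against an in-memory SQLite table so it needs no database server. The `subscribers` table, its columns and the "confirmed subscriber" lookup are hypothetical.

```php
<?php
// Added example (not from this thread or the Treehouse lessons): the SQL
// injection Andrew refers to, against an in-memory SQLite table so it runs
// with no server. The "subscribers" table and column names are hypothetical.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (
    id        INTEGER PRIMARY KEY,
    email     TEXT    NOT NULL,
    confirmed INTEGER NOT NULL DEFAULT 0
)');
$db->exec("INSERT INTO subscribers (email, confirmed)
           VALUES ('alice@example.com', 1), ('bob@example.com', 0)");

// VULNERABLE on purpose: the form value is spliced into the SQL text, so the
// visitor controls part of the query, not just a value inside it.
function confirmed_subscriber_unsafe(PDO $db, string $email): array
{
    $sql = "SELECT email FROM subscribers WHERE email = '$email' AND confirmed = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: a prepared statement sends the value separately from the query,
// so quotes, comment markers and keywords inside it are just characters.
function confirmed_subscriber_safe(PDO $db, string $email): array
{
    $stmt = $db->prepare(
        'SELECT email FROM subscribers WHERE email = :email AND confirmed = 1'
    );
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the quoted string, adds an always-true
// condition, and "-- " comments out the rest of the WHERE clause, so the
// "confirmed = 1" check disappears from the query the database actually sees.
$payload = "' OR 1=1 -- ";

foreach (['alice@example.com', $payload] as $input) {
    echo "input:  " . json_encode($input) . "\n";
    echo "  unsafe: " . json_encode(confirmed_subscriber_unsafe($db, $input)) . "\n";
    echo "  safe:   " . json_encode(confirmed_subscriber_safe($db, $input)) . "\n";
}
```

Run it with `php inject.php`: for the real address both functions agree, while for the payload the concatenated query hands back every row (including the unconfirmed one) and the prepared statement matches nothing, because it looks for a subscriber whose address is literally `' OR 1=1 -- `. The same PDO code works against MySQL by changing the DSN; there, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the PHP driver, does the binding.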
Kevin Korte (28,149 Points)
Thanks Andrew Chalkley.
My concern is more with security. The validation side of it I for the most part can grasp, at least enough to use a quality validation script.
It's the security side that scares me because I don't even really know what can happen, or how it happens, let alone protect from it.
Which was the reason for this thread. Introducing forms on the wild wild web scares me a tad just because it's the unknown. For now I'll only be using a form that accepts a name, valid email, and message which will then email the contents of that form to me. I certainly need to and would like to learn more; since a ways down the road I would like to build applications that can do much more.
Btw, I enjoy your personality. Just today you inspired me to use google map's API to customize an embedded map and add a map image for non-javascript users, and I was successful at doing so. I would have copied and pasted the embed iframe before. Thanks!
Andrew Chalkley (Treehouse Guest Teacher)
Thanks!
I understand how you feel, and it can be a little daunting. And it can be scary; you're publishing a site to be accessed by billions. There are protective measures for security, but it isn't always a watertight thing. Any system designed by a human can be exploited by a human. Security deals with pre-emptive measures and reactive measures (when something has been compromised). Making sure your hosting provider stays up to date is important. Sometimes there are issues with Apache or PHP itself that can be exploited. Just keep up to date by following projects on social networks and reading things like The Register and Hacker News.
I'm not up to date with pre-emptive measures in PHP, I'm spoilt with Rails having some of these security features built in so Randy Hoyt may be able to help you out with that.
Randy Hoyt (Treehouse Guest Teacher)
Andrew's right: it can be scary publishing a site that can be accessed by billions of people. It's definitely good to be thinking about security.
I feel very confident about the security measures I cover in the PHP videos for creating a contact form that sends an email to the same recipient(s) every time; those are the techniques I use when I launch a new form for a personal site or a client project. We have code that blocks messages attempting email header injection, and we have a spam honeypot in place to help reduce computer-automated spam. I think the worst thing that can happen with that form is that someone could use it to send me millions of emails, which would be incredibly annoying. :~)
When form submissions do more than just send an email to (a) specific recipient(s), that opens up more possible vulnerabilities. Does information submitted through the form get displayed anywhere? (If so, you'll need to escape the output.) Does it get inserted into a database? (If so, you'll need to sanitize and validate the input.) Does it charge a credit card? Does it transfer money from one bank account to another? Does it create a new account of some kind? Does it launch a nuclear missile?
Here's one personal example: I was involved with a form that allowed a site visitor to enter a credit card number, submit the form, and then the credit card would be charged a small amount. (Just about any ecommerce checkout form works like that.) It appeared someone had stolen a huge list of credit card numbers, and they had written an automated script that would run them all through this form to make a small purchase. We guessed they were using the form to test if the credit cards were valid or not; we guessed they were then using the valid ones to make large purchases elsewhere. A form like that would need more security measures in place than our simple contact form.
Does that help?
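Added example (not the course code, and not posted by anyone in this thread) of the measures discussed in the two answers above: the email header injection Andrew raised, and the header-injection block, spam honeypot and output escaping that Randy describes. It builds what a PHP handler would pass to `mail()` but only returns it, so it runs without a mail server. The field names (`name`, `email`, `message`, and a hidden `website` honeypot), the addresses and the length limits are assumptions.

```php
<?php
// Added example (not the Treehouse course code): server-side gate for a
// name/email/message contact form. Assumed field names: name, email,
// message, plus a hidden honeypot input called "website".

// CR/LF (or a NUL) inside a value that lands in a mail header is how an
// attacker appends extra To:/Bcc: lines and turns the form into a relay.
function contains_header_injection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

function validate_contact(array $post): array
{
    $errors   = [];
    $name     = trim((string) ($post['name'] ?? ''));
    $email    = trim((string) ($post['email'] ?? ''));
    $message  = trim((string) ($post['message'] ?? ''));
    $honeypot = (string) ($post['website'] ?? '');

    // Honeypot: hidden with CSS, so a human leaves it empty and a bot that
    // fills every input trips it. Cheap; not a defence against someone
    // targeting this form specifically.
    if ($honeypot !== '') {
        $errors[] = 'spam: honeypot field was filled';
    }
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name: required, at most 100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'message: required, at most 5000 characters';
    }
    // Anything that will touch a header gets the explicit injection check,
    // even though FILTER_VALIDATE_EMAIL already refuses line breaks.
    foreach (['name' => $name, 'email' => $email] as $field => $value) {
        if (contains_header_injection($value)) {
            $errors[] = "$field: line breaks are not allowed (header injection attempt)";
        }
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'fields' => ['name' => $name, 'email' => $email, 'message' => $message],
    ];
}

// Build what a handler would pass to mail($to, $subject, $body, $headers).
// Every header line is a constant or the validated address; the visitor's
// name and message go only in the body, where a line break is just text.
function build_mail(array $fields, string $to): array
{
    $headers = [
        'From: contact-form@example.com', // assumption: a mailbox on your own domain
        'Reply-To: ' . $fields['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$fields['name']}\nEmail: {$fields['email']}\n\n{$fields['message']}\n";
    return [
        'to'      => $to,
        'subject' => 'Contact form submission', // fixed, never user-controlled
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Output escaping: when a submitted value is echoed back into HTML (the form
// repopulated after an error, or an admin page listing messages), encode it
// so a message containing <script> stays visible text.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: one genuine, one header-injection attempt,
// one bot that filled the hidden field and sent markup in the message.
$samples = [
    'legitimate' => ['name' => 'Kevin', 'email' => 'kevin@example.com',
                     'message' => 'Hello from the form.', 'website' => ''],
    'header injection' => ['name' => 'Kevin', 'message' => 'spam',
                           'email' => "kevin@example.com\r\nBcc: a@example.net, b@example.net",
                           'website' => ''],
    'bot' => ['name' => 'Buy now', 'email' => 'bot@example.com',
              'message' => '<script>alert(1)</script>', 'website' => 'http://spam.example'],
];

foreach ($samples as $label => $post) {
    $result = validate_contact($post);
    echo "$label: ", $result['ok'] ? 'accepted' : 'rejected', "\n";
    foreach ($result['errors'] as $error) {
        echo "  - $error\n";
    }
    if ($result['ok']) {
        echo build_mail($result['fields'], 'me@example.com')['headers'], "\n";
    } else {
        // What the repopulated <textarea> would receive, escaped.
        echo '  repopulate with: ', escape_html($result['fields']['message']), "\n";
    }
}
```

The design point is that the header block is never assembled from raw form input: `From:` and `Subject:` are fixed, `Reply-To:` carries only an address that passed `FILTER_VALIDATE_EMAIL`, and the name and message live in the body. Escaping belongs at the point of output (`escape_html`), not in storage, so the stored message stays intact and the same value can later be emitted safely into HTML, a mail body or a log with the encoding each one needs.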
Kevin Korte (28,149 Points)
It definitely does Randy Hoyt, and I actually just spent this morning going through your contact form lessons from start to finish again, building my form as you built yours. All I need is exactly what you built; name, email, and message sent to one recipient. Watching your videos a second time really helped the pieces begin to click for me.
I also started to see this morning more about the security issues, and how the form is being protected. I feel pretty confident about the php validation and security this form has.
And....I got my form completely functioning this morning, without trouble, escaping out and all! So thank you for those lessons. I've struggled with contact forms.
I think I'll wait a little longer before I start getting into the bigger stuff! I at least know enough to know there are steps that need to be taken.
Now it's time for the javascript validation for better UX!
Kevin Korte (28,149 Points)
Hey guys, I had one more quick question.
Captchas, or some form of......
Are they necessary with a honeypot field that will reject the submission? Are they even going to be targeted much by spam crawlers?
Randy Hoyt (Treehouse Guest Teacher)
The spam honeypot is not a fail-safe method. If someone wants to hack your specific form, they can easily get around that; that measure usually works for automated attacks that target large numbers of forms.
CAPTCHAs aren't usually worth the burden they put on users. Google uses one on their "Create a Gmail account" form, and I suppose that makes sense because that form is a big target.
Kevin Korte (28,149 Points)
Thanks Randy! My concern is more with spam... the site is so specific and business related, I can't imagine it'll be on the radar for someone with malicious intent. I know it always still could be.
I've really enjoyed this contact form project with you and Andrew. I've played with a lot of various open source free contact forms, and building it myself this way made it so much easier to give it an attractive appearance.
Plus, I know what code is doing what, so if I ever need to expand our form to include more fields, I'll know how to add that in.
Thanks again!
Randy Hoyt (Treehouse Guest Teacher)
Awesome. Glad to hear it!