Contact forms are a convenient way for visitors to your site to get in touch with you. This article explains how to quickly implement a simple PHP contact form that cannot be turned into a spam relay through e-mail header injection.

Create a page called contact.php and copy and paste the following code into it:


<?php
$to = '[email protected]';           // address the form sends to
$messageSubject = 'Message subject'; // subject line of the e-mail
$name = '';
$email = '';
$body = '';
$displayForm = true;

if ($_POST)
{
  // stripslashes() only undoes the backslashes added by magic_quotes_gpc
  // (removed in PHP 5.4); it is kept for old installations and is not a
  // security control in itself.
  $email = stripslashes($_POST['email'] ?? '');
  $body  = stripslashes($_POST['body'] ?? '');
  $name  = stripslashes($_POST['name'] ?? '');
  // Address pattern. \z rather than $ so that a trailing newline cannot
  // slip past the end anchor. (eregi() was removed in PHP 7; preg_match()
  // with the /i modifier runs the same pattern case-insensitively.)
  $valid = preg_match('/^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}\z/i', $email);
  // Header-injection check. $name and $email end up inside the From: header
  // passed to mail(), so any CR or LF in them is rejected, not only header
  // keywords on a new line in the body.
  $spam = preg_match("/(\r|\n)(to:|from:|cc:|bcc:)/i", $body)
       || preg_match('/[\r\n]/', $name . $email);
  if ($email && $body && $valid && !$spam)
  {
    if (mail($to, $messageSubject, $body, 'From: ' . $name . ' <' . $email . ">\r\n"))
    {
      echo '<p>Thank you, your message has been successfully sent.</p>';
      $displayForm = false;
    }
    else
    {
      echo '<p>There was a problem with the server, please try again later.</p>';
    }
  }
  else if ($spam)
  {
    echo '<p>Your submission contained e-mail header lines. The message has not been sent.</p>';
  }
  else
  {
    echo '<p>Your message could not be sent. You must include both a valid e-mail address and a message.</p>';
  }
}
// The form is shown on the first visit and again after a failed submission;
// this block must sit outside the if ($_POST) branch or a plain GET shows nothing.
if ($displayForm)
{
?>
<form action="contact.php" method="post">
  <label for="name">Name:</label>
  <input type="text" name="name" id="name" value="<?php echo htmlspecialchars($name); ?>"><br>
  <label for="email">Email:</label>
  <input type="text" name="email" id="email" value="<?php echo htmlspecialchars($email); ?>"><br>
  <label for="body">Your message</label><br>
  <textarea name="body" id="body" cols="70" rows="5"><?php echo htmlspecialchars($body); ?></textarea><br>
  <input type="submit" value="Send">
</form>
<?php
}
?>


You will then need to edit the two variables at the top of the script, $to and $messageSubject, entering your own e-mail address and the subject you want to use for the e-mail. The form can then be uploaded to your website and is ready to use.

When the form is submitted the script first runs the submitted fields through stripslashes(). This removes the backslashes ('\') that PHP's magic_quotes_gpc setting added in front of quotes in request data on older installations (the setting was removed in PHP 5.4). It is not a defence against hijacking of the mail script on its own; that is the job of the checks described below.

This script has two simple validation routines that use regular expressions to look for particular patterns in the submitted data. Firstly, the case-insensitive address pattern ^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$ checks that a plausible e-mail address has been submitted. Note that in PCRE a bare $ also matches just before a trailing newline, so "user@example.com\n" would pass; anchor with \z (or the D modifier) instead. Secondly, the pattern (\r|\n)(to:|from:|cc:|bcc:) checks that no additional message headers have been injected into the message body, which is the classic technique a spammer uses to hijack a mail script and send unsolicited mail to addresses of his choosing. The body check alone is not enough, however: $name and $email are placed in the From: header handed to mail(), and that header string is where an injected CR/LF followed by Bcc: actually creates a new header, so any CR or LF in those two fields must be rejected too. (eregi() was removed in PHP 7; the same patterns run unchanged under preg_match() with the /i modifier.)

If the submitted data passes these checks, it is e-mailed to the address you specified, the form is removed and a success message is displayed. Otherwise one of three errors is shown: a server problem, detection of injected e-mail headers, or a missing or invalid e-mail address and/or an empty message.
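To see the checks behave against real injection attempts, here is an added example (not code from the original article) that pulls the validation into one function and runs it over constructed inputs, including a Bcc: line smuggled through the name field and an address with a trailing newline. The function name, the use of filter_var() alongside the article's pattern, and the sample data are assumptions for illustration.

```php
<?php
// Added example: validate contact-form fields as the article's script does,
// with the header-injection check extended to every field that reaches mail().
// Function name and sample inputs are illustrative assumptions.

function validate_contact(array $fields): array
{
    $errors = [];
    $name  = trim($fields['name'] ?? '');
    $email = $fields['email'] ?? '';
    $body  = $fields['body'] ?? '';

    // Anything that could start a new header line is rejected outright:
    // a CR or LF in $name or $email would land inside the From: header.
    if (preg_match('/[\r\n]/', $name . $email)) {
        $errors[] = 'header characters in name or e-mail';
    }
    // The article's body check: a header keyword at the start of a new line.
    if (preg_match("/(\r|\n)(to:|from:|cc:|bcc:)/i", $body)) {
        $errors[] = 'header lines in message body';
    }
    // \z rather than $: $ also matches before a trailing "\n", so
    // "user@example.com\n" would pass the pattern with $ and be caught
    // only by the CR/LF check above.
    $pattern = '/^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}\z/i';
    if (!preg_match($pattern, $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    }
    if ($body === '') {
        $errors[] = 'empty message';
    }
    return $errors;
}

// Constructed test submissions (not real form data).
$cases = [
    'clean'           => ['name' => 'Alice', 'email' => 'alice@example.com', 'body' => 'Hello'],
    'bcc via name'    => ['name' => "Alice\r\nBcc: victim@example.net", 'email' => 'alice@example.com', 'body' => 'Hello'],
    'trailing LF'     => ['name' => 'Alice', 'email' => "alice@example.com\n", 'body' => 'Hello'],
    'headers in body' => ['name' => 'Alice', 'email' => 'alice@example.com', 'body' => "Hi\nCc: victim@example.net"],
    'bad address'     => ['name' => 'Alice', 'email' => 'alice@@example', 'body' => 'Hello'],
];

foreach ($cases as $label => $fields) {
    $errors = validate_contact($fields);
    printf("%-16s %s\n", $label, $errors ? 'REJECTED: ' . implode('; ', $errors) : 'accepted');
}
```

Only the "clean" case is accepted; each of the others is rejected by at least one check, and the "trailing LF" case shows why the CR/LF test and the \z anchor are both worth having. Run it from the command line with php to see the verdict for each case.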