secure php contact form

contact.php

<!DOCTYPE html>
<?php error_reporting(0); ?>
<html lang="en">
  <head>
    <title>Secure contact form</title>
    <meta charset="utf-8">
    <style>
      p {
        margin: 0;
        color: red;
      }
    </style>
  </head>
  <body>
    
    <?php
      if(isset($_POST['submit'])){
        $name = htmlspecialchars(stripslashes(trim($_POST['name'])));
        $subject = htmlspecialchars(stripslashes(trim($_POST['subject'])));
        $email = htmlspecialchars(stripslashes(trim($_POST['email'])));
        $message = htmlspecialchars(stripslashes(trim($_POST['message'])));
        if(!preg_match("/^[A-Za-z .'-]+$/", $name)){
          $name_error = 'Invalid name';
        }
        if(!preg_match("/^[A-Za-z .'-]+$/", $subject)){
          $subject_error = 'Invalid subject';
        }
        if(!preg_match("/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/", $email)){
          $email_error = 'Invalid email';
        }
        if(strlen($message) === 0){
          $message_error = 'Your message should not be empty';
        }
      }
    ?>
    
    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="POST">
      <label for="name">Name:</label><br>
      <input type="text" name="name">
      <p><?php if(isset($name_error)) echo $name_error; ?></p>
      <label for="subject">Subject:</label><br>
      <input type="text" name="subject">
      <p><?php if(isset($subject_error)) echo $subject_error; ?></p>
      <label for="email">Email:</label><br>
      <input type="text" name="email">
      <p><?php if(isset($email_error)) echo $email_error; ?></p>
      <label for="message">Message:</label><br>
      <textarea name="message"></textarea>
      <p><?php if(isset($message_error)) echo $message_error; ?></p>
      <input type="submit" name="submit" value="Submit">
      <?php 
        if(isset($_POST['submit']) && !isset($name_error) && !isset($subject_error) && !isset($email_error) && !isset($message_error)){
          $to = 'youremail@addres.com'; // edit here
          $body = " Name: $name\n E-mail: $email\n Message:\n $message";
          if(mail($to, $subject, $body)){
            echo '<p style="color: green">Message sent</p>';
          }else{
            echo '<p>Error occurred, please try again later</p>';
          }
        }
      ?>
    </form>
  
  </body>
</html>

ContactForm.md

Secured PHP Contact Form

<?php
  if(isset($_POST['submit'])){
    $name = htmlspecialchars(stripslashes(trim($_POST['name'])));
    $subject = htmlspecialchars(stripslashes(trim($_POST['subject'])));
    $email = htmlspecialchars(stripslashes(trim($_POST['email'])));
    $message = htmlspecialchars(stripslashes(trim($_POST['message'])));
    if(!preg_match("/^[A-Za-z .'-]+$/", $name)){
      $name_error = 'Invalid name';
    }
    if(!preg_match("/^[A-Za-z .'-]+$/", $subject)){
      $subject_error = 'Invalid subject';
    }
    if(!preg_match("/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/", $email)){
      $email_error = 'Invalid email';
    }
    if(strlen($message) === 0){
      $message_error = 'Your message should not be empty';
    }
  }
?>

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="POST">
  <label for="name">Name:</label><br>
  <input type="text" name="name">
  <p><?php if(isset($name_error)) echo $name_error; ?></p>
  <label for="subject">Subject:</label><br>
  <input type="text" name="subject">
  <p><?php if(isset($subject_error)) echo $subject_error; ?></p>
  <label for="email">Email:</label><br>
  <input type="text" name="email">
  <p><?php if(isset($email_error)) echo $email_error; ?></p>
  <label for="message">Message:</label><br>
  <textarea name="message"></textarea>
  <p><?php if(isset($message_error)) echo $message_error; ?></p>
  <input type="submit" name="submit" value="Submit">
  <?php 
    if(isset($_POST['submit']) && !isset($name_error) && !isset($subject_error) && !isset($email_error) && !isset($message_error)){
      $to = 'youremail@addres.com'; // edit here
      $body = " Name: $name\n E-mail: $email\n Message:\n $message";
      if(mail($to, $subject, $body)){
        echo '<p style="color: green">Message sent</p>';
      }else{
        echo '<p>Error occurred, please try again later</p>';
      }
    }
  ?>
</form>

How to use:

• Download contact.php file or just copy the code above to your *.php file.
• Put the file to your website directory.
• Change: $to = 'youremail@addres.com'; to your email address.

Feel free to modify code to suit your needs.

If you have any questions or innovations please leave me a comment.

patriktoma.studenthosting.sk

Hi! Thanks so much for sharing this code. I would love to use it on my personal website, but am running into a couple problems. If I save the code as a stand-alone page , it works like a charm. But if I incorporate it into my one-page scrolling website, it no longer works. Specifically, it (1) provides no error messages for invalid entries, and (2) then after submitting, instead of the "message sent" message and an email in my inbox, it tries to redirect me to a non-existent webpage: www....com/<?php%20echo%20htmlspecialchars($_SERVER[
I can share my index.html file if you'd like to have a look. Thanks in advance for any insight you can share.

I actually seem to have solved the problem myself. I didn't realize until minutes ago that any page with php code had to use the .php file extension. I made that change and now it works! Thanks again!

Your form isn't sending emails to the email addresses like xxx@domain i.e., business emails.

Thanks for sharing this. I have a suggestion though. Purely for tidier code; you can eliminate the empty paragraph tags where errors would be displayed, below each input like this...

<?php if(isset($name_error)) echo '<p>' . $name_error . '</p>'; ?>

Thanks again :)

Hi there,

what about if i want only to use PHP code and embed it to my own Template will it work?

Thanks i love this 100%

Thank you for sharing, it's been the perfect base to build from.

Hello everybody,

I'm new to GitHub and I have very little experience. Can you tell me how this contact form is secure?
It seems to me, that it requires all fields to be filled out with appropriate data (like an email-address [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,4}) but I don't see, how bots should be stopped. Thank you for your assistance!

I cannot get the email to be delivered to my email address I entered. I checked the email and it is correct.

Wouldn't it be safer to use <form action="">?

i add another input of phone but it is not display in url