Is it safe to add a php form to your website?

By Anonymous (not verified) on 6 May 2008 at 18:46 UTC

Comments

php form?

marcvangend

he/him

Dutch

Amsterdam

commented 6 May 2008 at 19:03

What do you call a php form? Forms are written in HTML, the processing is done by php. If it is safe depends completely on your php code. It's easy to write a script which allows anyone to run queries on your database, or send spam, but that doesn't mean that all forms aren't safe. Why don't you tell us what you want to do, and why you think safety is a concern here?

Thank you for your reply.

Anonymous (not verified) commented 6 May 2008 at 19:42

Thank you for your reply. :-)

I am developing my site in 6.x. I am calling the form through a taxonomy term so ideally I would just like to add a form in a page.

A simple solution would be to add a standard php form in a page. I just want to make sure that the code won't conflict with the php in Drupal. I hope I was able to explain it a bit more clearly?

You really should consider

nevets commented 6 May 2008 at 19:59

You really should consider using to Forms API.

Thank you.

Anonymous (not verified) commented 6 May 2008 at 20:08

Thank you.

o.k. I looked at the example

Anonymous (not verified) commented 6 May 2008 at 21:29

o.k. I looked at the example in the API Handbook Forms_api.html:
http://api.drupal.org/api/file/developer/topics/forms_api.html/6

But that didn't work. (When you add print drupal_get_form('contactform', $form); and change test_form to contactform it does work. It prints out a log printout form(?) so don't place in a live site unless you know what you are doing.)

I then found this example at http://drupal.org/node/68265.
But that gave me an error.

I looked at the code and reshuffled the code. But I get the following error:
Fatal error: Cannot use string offset as an array in /url_path/includes/form.inc on line 965

<?php

print drupal_get_form('contactform', $form);

function contactform($form){
  $form['name'] = array(
      '#type' => 'textfield',
      '#title' => t('your name'),
      '#default_value' => $object['name'],
      '#size' => 30,
      '#maxlength' => 128,
      '#required' => TRUE,
  );

  $form['eMail'] = array(
      '#type' => 'textfield',
      '#title' => t('your email-adress'),
      '#default_value' => $object['eMail'],
      '#size' => 30,
      '#maxlength' => 128,
      '#required' => TRUE,
  );

  $form['subject'] = array(
      '#type' => 'textfield',
      '#title' => t('subject'),
      '#default_value' => $object['subject'],
      '#size' => 30,
      '#maxlength' => 128,
      '#required' => TRUE,
  );

  $form['message'] = array(
      '#type' => 'textarea',
      '#title' => t('your message'),
      '#default_value' => $object['message'],
      '#size' => 30,
      '#maxlength' => 128,
      '#rows'    => 7,
      '#required' => TRUE,
  );

   $form['submit'] = array(
      '#type' => 'submit',
      '#value' => t('send email'),
  );

  $form['#attributes'] = array(
    'enctype' => 'multipart/form-data',
    'id' => 'contactform',
  );

  return $form;
 
}

// validation function for the contact form
function contactform_validate($form_id, $form_values) {
    // first we validate if there is a email injection
    $finds = array("/bcc:/i",
            "/Content-Type:/i",
            "/Mime-Type:/i",
            "/MIME-Version:/i",
            "/multipart\/mixed/i",
            "/boundary=/i",
            "/subject:/i",
            "/cc:/i",
            "/to:/i");
    foreach($form_values as $value)
          foreach($finds as $find)
                if(preg_match($find,$value))
                    form_set_error('', '<h2 class="red center">Stop spamming</h2>');

    // then we validate the email-adress
    if (!valid_email_address($form_values['eMail']) && !empty($form_values['eMail']))
        form_set_error('', t('Please check the spelling of your email-adress.'));
}

// submit function for the contact form
function contactform_submit($form_id, $form_values) {

  $headers   = array();
  $mailkey   = 'contact-with-attachment';
  $from      = $form_values['name'].' <'.$form_values['eMail'].'>';
  $recipient = 'Feedback <your@mail.com>';
  $subject   = $form_values['subject'];
  $body      = wordwrap($form_values['message']);
  $reply     = 'Thank you for your message.';
  $goto      = '<front>';

  if (!flood_is_allowed('contact', variable_get('contact_hourly_threshold', 3))) {
      $output = t("You cannot send more than %number messages per hour. Please try again later.", array('%number' => variable_get('contact_hourly_threshold', 3)));
      drupal_set_message('<h3 class="red center">'.$output.'</h3>');
      drupal_goto($goto);  }else{
      $message = $body;
    }

    // send mail
    drupal_mail($mailkey, $recipient, $subject, $message, $from, $headers);

    // Reply
    drupal_mail($mailkey, $from, $subject, wordwrap($reply), $recipient);

    // Log the operation:
    flood_register_event('contact');
    watchdog('mail', t('%name-from use contact form', array('%name-from' => theme('placeholder', $form_values['name'] ." <$from>"),)));

    drupal_set_message('Your message has been sent to us.');
    drupal_goto($goto);
  }

?>

Would anyone be so kind as to help me solve this?

Solved

Anonymous (not verified) commented 7 May 2008 at 07:06

I looked at the contact module and then tried to build a form from there, but I kept getting errors. So this is something I will have to look at the long term.

The following code snippet adds the normal contact form in a node (page/ story) in 5.x and 6.x:

http://drupal.org/node/236997