New to forms. Validating a form which sends an email. Security.


Swerve
February 23rd, 2009, 01:45 PM
Hi,

I am creating a contactus form, which when submitted sends an email to the site's admin.

As the form is not placing data into the database, but simply sending an email containing the submitted data to the admin's email, do I need to do any PHP validation? Or can I just use the client side JavaScript?

If a hacker disables JavaScript, I'm worried that they may use it for malicious purposes.

Thanks for any help!

PeejAvery
February 23rd, 2009, 03:19 PM
If security is an issue in any way, shape, or form, then use the server-side to process the form. However, since you are sending an e-mail, which requires the server-side, why not just validate it on the server side as well?

Swerve
February 23rd, 2009, 03:41 PM
Thanks for helping, PeejAvery, appreciated.

So from reading your explanation, I DO have to use some server-side validation due to the fact that it is PHP which will be sending the form, yes?

Also, I must ask, on my form, Home Address is not a required field, so should I look to have:

a) If field is empty, accept
b) If not empty, should only contain alpha-numeric characters and spaces.

Any advice is great,

again, thanks! :)

PeejAvery
February 23rd, 2009, 04:59 PM
You never have to use server-side validation, but it is secure. JavaScript is never secure. But, in this case, since you have to use server-side code in order to send an e-mail, it would be foolish not to do the validation on the server-side as well. It would only be a little more work.

a) If field is empty, accept
http://us.php.net/empty

b) If not empty, should only contain alpha-numeric characters and spaces.
http://www.google.com/search?source=ig&hl=en&rlz=&q=php+alphanumeric&btnG=Google+Search&aq=0&oq=php+alpha
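
An added example (not code from the thread) of the server-side checks described above, in PHP: rule (a)/(b) for the optional Home Address field, plus checks for the required fields. The field names (email, message, home_address), the admin address and the success path are assumptions.

```php
<?php
// Added example, not from the thread: server-side checks for the contact form.
// Field names and the admin address below are assumed.

// Rule (a)/(b) for the optional Home Address field:
// empty -> accept; otherwise only letters, digits and spaces.
function validate_home_address(string $value): bool
{
    $value = trim($value);
    if ($value === '') {
        return true;
    }
    return preg_match('/^[A-Za-z0-9 ]+$/', $value) === 1;
}

// Required fields: a syntactically valid e-mail address and a non-empty message.
// Fills $errors with one message per failed check and returns true when all pass.
function validate_contact(array $post, array &$errors): bool
{
    $errors = [];
    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if (trim($post['message'] ?? '') === '') {
        $errors[] = 'Message is required.';
    }
    if (!validate_home_address($post['home_address'] ?? '')) {
        $errors[] = 'Home address may contain only letters, digits and spaces.';
    }
    return $errors === [];
}

// These checks run regardless of whether the visitor's browser ran the JavaScript.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = [];
    if (validate_contact($_POST, $errors)) {
        $body = "From: " . trim($_POST['email']) . "\n"
              . "Home address: " . trim($_POST['home_address'] ?? '') . "\n\n"
              . trim($_POST['message']);
        // Assumed admin address. Submitted values go only into the body,
        // never into the mail headers, so they cannot add recipients or headers.
        mail('admin@example.com', 'Contact form submission', $body);
    } else {
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    }
}
```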

Xeel
February 24th, 2009, 12:27 PM
If you need to validate something for sure, always use both client side and server side validation. Client side validation is achieved with JavaScript while server side with the preferred language you use for the app (in your case PHP).

Modern frameworks simplify this job for you generating the javascript for every validation you define in related configuration files (usually xmls).

BTW if you just need an email form, do you really care what people would put inside?