Secure and Accessible PHP Contact Form (Full Version)



Mike Cherim -> Secure and Accessible PHP Contact Form (10/4/2006 22:23:04)

Hi guys,

Hopefully this is an appropriate thread. I need some testing of a secure and accessible PHP contact form. I don't think it can get much more accessible, and from a security standpoint it should be a spammer's worst enemy, and the PHP is solid. I have a concern, though: One of the security features might make it inaccessible to AOL users. A friend of mine, Tommy Olsson, said he thinks AOL users (those with access to the web via an AOL account) generate a new IP address with each HTTP request. If this is the case the form might trigger three possible errors. Two of the 15 security measures might produce PHP undefined index warnings but the form will still submit, but one of them may cause the form to not submit at all. That would be bad.

Anyway, I am hoping you guys can check it out, the more the merrier, but especially if you have AOL internet service.

Download and information page: http://green-beast.com/blog/?page_id=71
Release introduction: http://green-beast.com/blog/?p=128
Working demo page: http://green-beast.com/gbcf/

Thank you very much.

Mike




jaybee -> RE: Secure and Accessible PHP Contact Form (10/5/2006 4:52:57)

Well how spooky is that. I saw your form two days ago and thought I might try it for a client site. I've been having problems with the form on there which occasionally serves up a blocked referrer page to visitors even when they've come in via the site as normal. The AOL thing may well be the answer.

Hmmmm I'll download it and if I get time I'll bolt it in at the weekend and see how it goes. I know a couple of AOL users I can throw it at.




womble -> RE: Secure and Accessible PHP Contact Form (10/5/2006 5:01:58)

That's nice Mike! Wombley likey! [:)]

Just tested it out and it worked fine for me (not an AOL [:'(] user though).

Nice one with the #results fragment identifier on form submit bit - that hadn't occurred to me.

On the security....just,wow! I particularly like the Pooh Bear heffalump style hidden spam trap. I'm just about to start the contact page on a site this morning (after I've put the kettle on, that is [:D]), so I'll try it out on there.





Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/5/2006 8:23:40)

Thanks guys. Do let me know what those AOL users say. The form does require a referrer match as well, but if that error is triggered, it offers an alternative email. I know some legit users do block referrers so I had to try and accommodate them.

Mike




womble -> RE: Secure and Accessible PHP Contact Form (10/5/2006 17:28:15)

Pleased to report that it works like a dream!

/Wombley does happydance around the thread [img]http://ganjataz.com/Forum/images/smiles/happydance.gif[/img]

Just installed it in quarter of an hour or so - and it just works! Last week I did a contact form on a site and it took most of a day hacking at php to get it to fit in with the rest of the site and trying to get the damned thing to validate and stuff, but this is just lovely (my only complaint is that the brown and green clashes horribly with the rest of the site, but I guess I can change that [;)])

Mike, you really are The Man! [img]http://ganjataz.com/smileys/01-ebil/images/nodding-ebilthumbup.gif[/img]




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/5/2006 18:12:25)

/And now Mike does happydance around the thread [img]http://ganjataz.com/Forum/images/smiles/happydance.gif[/img]

Do check out the download page for updates within the week. I plan to add further enhancements to make it even better. But I promise, you'll have to do nothing more than drop in an updated gbcf_form.php file and all will be good. I'm going to try my best to do nothing to any file that will change anything that needs to be addressed by the form admin. Drag 'n drop is where it's at. :)

Mike




womble -> RE: Secure and Accessible PHP Contact Form (10/5/2006 18:27:15)

Sounds good! Wombley likes enhancements! [:)]

One thing I did wonder about is if the anti-spam q/a could be randomised - I noticed in the script the name of the variable - that one of the possible improvements?

(not that it could get much better IMHO)

If drag 'n' drop's coming to a secure and accessible form near me, I fear I may have to get Taz to make an ecstaticdance smiley, nevermind the happydance!

/does another happydance around the thread anyhow

Can I join your fan club please? [:D]




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/5/2006 19:08:05)

quote:

ORIGINAL: womble

Sounds good! Wombley likes enhancements! [:)]

One thing I did wonder about is if the anti-spam q/a could be randomised - I noticed in the script the name of the variable - that one of the possible improvements?

(not that it could get much better IMHO)

If drag 'n' drop's coming to a secure and accessible form near me, I fear I may have to get Taz to make an ecstaticdance smiley, nevermind the happydance!

/does another happydance around the thread anyhow

Can I join your fan club please? [:D]


I tried and tried to make that Q/A a random array (which was fine doing that much) but it seemed the only way I could get it to work was to use a session cookie. The form is loaded which generates the random Q/A, but on submit it's a separate request so the Q/A was being regenerated. The obvious answer was a session, but if people don't accept cookies they wouldn't be able to use the form so I opted not to go that route in favor of greater usability. The variable could be stored another way I suppose, like in a text file, but I thought that might lead to problems if there were multiple simultaneous users. It added a wicked layer of complexity. I'm not positive it's really necessary, either. I sort of suspect the owners of spam bots never actually go to these forms to negotiate the variable and response then specifically program the bots. I think the bots just go out and fill inputs with their garbage, possibly looking for specific field value like email, etc. There are so many insecure forms out there I wouldn't think they'd see the need to bother.

Fan club indeed... hehe, I'm blushing.

Mike
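One way around the session problem described in the post above, given here as an added example and not as code from the gbcf download: sign the question choice and its issue time with an HMAC and carry that in a hidden field, so the question can be random on every page load without a cookie, a shared text file, or any match on the visitor's IP address. The constant and function names (GBCF_KEY, GBCF_TTL, gbcf_make_challenge, gbcf_check_answer), the secret-key placeholder and the question bank are all assumptions.

```php
<?php
// Added example, not part of gbcf: a random anti-spam question whose choice is
// bound to the rendered form by an HMAC, so no session cookie is needed.
// GBCF_KEY is a constructed placeholder; use a long random secret per site.
const GBCF_KEY = 'replace-with-a-long-random-secret';
const GBCF_TTL = 3600; // seconds a rendered form stays valid

// Question bank: any listed answer is accepted, case-insensitively.
const GBCF_QUESTIONS = [
    ['q' => 'What colour is the sky on a clear day?', 'a' => ['blue']],
    ['q' => 'How many legs does a cat have?',          'a' => ['4', 'four']],
    ['q' => 'Type the word "human" backwards.',       'a' => ['namuh']],
];

// Render time: pick a question and return it with the hidden token that
// travels with the form in place of server-side state.
function gbcf_make_challenge(int $now, ?int $index = null): array {
    $index ??= random_int(0, count(GBCF_QUESTIONS) - 1);
    $payload = $index . '|' . $now;                  // not secret, only signed
    $mac = hash_hmac('sha256', $payload, GBCF_KEY);
    return [
        'question' => GBCF_QUESTIONS[$index]['q'],
        'token'    => $payload . '|' . $mac,
    ];
}

// Submit time: the token proves which question was shown and when; the
// visitor's answer is checked against that question only.
function gbcf_check_answer(string $token, string $answer, int $now): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 3) return false;
    [$index, $issued, $mac] = $parts;
    if (!ctype_digit($index) || !ctype_digit($issued)) return false;
    $expected = hash_hmac('sha256', $index . '|' . $issued, GBCF_KEY);
    if (!hash_equals($expected, $mac)) return false;   // tampered or forged
    if ($now - (int)$issued > GBCF_TTL) return false;  // stale form
    $index = (int)$index;
    if (!isset(GBCF_QUESTIONS[$index])) return false;
    $given = strtolower(trim($answer));
    return in_array($given, GBCF_QUESTIONS[$index]['a'], true);
}

// Render-time usage in the form template:
$c = gbcf_make_challenge(time());
echo '<label for="gbcf_q">', htmlspecialchars($c['question']), '</label>', "\n";
echo '<input type="text" id="gbcf_q" name="gbcf_q">', "\n";
echo '<input type="hidden" name="gbcf_token" value="', htmlspecialchars($c['token']), '">', "\n";
// Submit-time usage:
// gbcf_check_answer($_POST['gbcf_token'] ?? '', $_POST['gbcf_q'] ?? '', time())
```

Because the token carries only the question index and a timestamp, a correct submission could be replayed until GBCF_TTL expires; the form's other measures (the hidden spam trap, the referrer check) still apply on top of this check.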




womble -> RE: Secure and Accessible PHP Contact Form (10/5/2006 19:26:31)

Sounds fair enough to me. I suppose with the variable name I was just wondering if randomness was what was planned.

I did think I'd hit an accessibility problem...but then discovered I hadn't! [:D] I've been tweaking the CSS (the brown and green clashed horribly) and trying to get rid of the form heading. I suppose for screen readers it's necessary so their users know what's coming up, but for visual users, on the page I've put it on it's kinda superfluous cos there's a rather large heading on the page announcing it already. Of course my first thought was display: none or visibility: hidden, then I slapped myself and remembered that screen readers won't read it then. No problem though - I've just slapped a humungous negative text-indent on it, and it's nicely out of the way now. It leaves a bit of a space, and I suppose I could tweak the padding and margin and pull it up a little, but on this particular page actually I think the extra white space helps, so I'm leaving it as it is.




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/5/2006 20:10:26)

You can try this too (what I normally do):

.formhead {
  position : absolute;
  top : -9000px;
  left : -9000px;
}


The advantage to this is that the positioning takes it out of the document's flow so it doesn't affect anything else if, say, the text is enlarged. I think with a negative text indent if you enlarge the text -- because the element stays in the document's flow, albeit out of sight, the elements which follow might seem to move downward. Not sure, though.

That said, if you do have it in a heading already, display:none; is probably fine because it'd just be redundant anyway.

Mike




womble -> RE: Secure and Accessible PHP Contact Form (10/5/2006 20:37:59)

Good points. Just tried it out and it does move downward slightly, though it's not too noticeable.

A problem I have just spotted though while trying it out is that taking that out of the flow also takes out the form results heading as well, which I do still want there. Problem solved though - I've just renamed the class "formhead" to "formhead_results" in that section of the include and used the original CSS for the "formhead" class for it. That sorted I can now go to bed a happy Wombley. [:)]




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/5/2006 20:50:34)

Good point, I didn't even think of that.

Mike




womble -> RE: Secure and Accessible PHP Contact Form (10/5/2006 21:07:22)

I have just spotted a teeny tiny typo (couldn't resist a little more CSS tweaking) - on line 8 on the div#gb_form_dv - should be div#gb_form_div - it doesn't affect the demo form because it's not styled.

That's really it now - I really am going to bed this time! [;)]




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/5/2006 21:22:42)

Thank you very much. 'twill fix it up :)




jaybee -> RE: Secure and Accessible PHP Contact Form (10/6/2006 6:46:51)

One AOL user down. He's got so fed up with them he's switching to NTL and refusing to use his machine until it's done. But I have another, just got to get hold of them as they aren't getting their emails. [&:]




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/6/2006 8:21:23)

Thanks jaybee!




jaybee -> RE: Secure and Accessible PHP Contact Form (10/6/2006 8:28:46)

I posted a help request in the lounge for AOL users so hopefully you'll get a decent test running.




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/6/2006 9:38:37)

Awesome. Thank you very much. AOL has, what, billions of users, right? ;)




treetopsranch -> RE: Secure and Accessible PHP Contact Form (10/6/2006 15:56:47)

AOL produces a 505 error for www.green-beast.com/gbcf




jaybee -> RE: Secure and Accessible PHP Contact Form (10/6/2006 16:33:48)

quote:

ORIGINAL: Mike Cherim

Awesome. Thank you very much. AOL has, what, billions of users, right? ;)


You only need one. [8|] Thanks Don.




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/6/2006 16:39:39)

A 505 error is an Internal Server Error. That doesn't seem that it would have to do with the form or AOL, but thanks anyway. Care to try it again per chance? I updated the file.

Mike




treetopsranch -> RE: Secure and Accessible PHP Contact Form (10/6/2006 23:13:53)

I PM'd jaybee, at her request, the results of looking again using AOL. If you didn't get her message, here is the info:

Form ran this time but had a

SCRIPT ERROR
Line 11
Char 2
Expected identifier, string or number
-------------------------
Please note the test was run using AOL version 4 which is pretty old.




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/7/2006 0:32:11)

That is extremely bizarre. Any "Script" error it seems would refer to JavaScript, but the form itself is PHP. I don't understand why or how someone with an AOL connection would detect or record a serverside PHP error (which there are no errors in the script). My concern before was the form not submitting because it was using the IP address as part of the form ID, and if AOL generates a new IP with each HTTP request then there wouldn't be a match and the script would echo a PHP error that I wrote. But I took that out of the form ID completely so it'd no longer be an issue at all. If it was a referrer issue, that too would generate an error but would provide an email option. It still uses host data for the form ID but that *should* be static unless unavailable in which case it would just leave it out and continue to process. No errors generated; it's not a required variable, but it must match on submit if present, but again, you'd get a PHP error that I wrote.

Now there is Javascript used just for form focus in an IE conditional comment because IE offers support for focus (as active) on anchors only, but that wouldn't have a bearing on whether the form submitted or not.

I'm at a complete loss as to the why.

Thanks.

A mystified Mike




jaybee -> RE: Secure and Accessible PHP Contact Form (10/7/2006 5:54:16)

Mike as far as I'm aware, AOL on the PC uses a bastardised version of IE so it could be that IE hack that's the problem. AOL on Mac uses a similarly hacked about version of Netscape. There may be something around somewhere that tells you exactly what they changed but I haven't found it.




jaybee -> RE: Secure and Accessible PHP Contact Form (10/7/2006 6:25:38)

Clutching at straws here but in the js file you have several blank lines. The first two are just returns but line 11 is the first one that has something in it, either a space or a non printable character. Try removing all the blank lines and see if that helps.




Mike Cherim -> RE: Secure and Accessible PHP Contact Form (10/7/2006 10:14:19)

Sounds like a plan. I will remove the blank lines. When I read "script error" I did perform one test on Firefox. I took out the conditional comment so FF would read the Jscript file, but it didn't report any errors in my JavaScript console when I ran the test. Will try that though right now.

Thanks.
Mike



