Contact Form text area is limiting and the form wont center

funny you should say that- I was working on using a PHP mailer after I sent that earlier- this is where I landed:

<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'PHPMailer/src/Exception.php';
require 'PHPMailer/src/PHPMailer.php';
require 'PHPMailer/src/SMTP.php';

session_start();

if ($_SERVER["REQUEST_METHOD"] === "POST") {
// CSRF protection
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
http_response_code(403);
echo 'Invalid CSRF token.';
exit;
}

// Honeytrap spam filter
if (!empty($_POST['website'])) {
http_response_code(400);
echo 'Spam detected.';
exit;
}

// Sanitize inputs
$name = htmlspecialchars(trim($_POST["name"]));
$email = filter_var(trim($_POST["email"]), FILTER_VALIDATE_EMAIL);
$message = htmlspecialchars(trim($_POST["message"]));

if (!$email) {
http_response_code(400);
echo 'Invalid email.';
exit;
}

// Setup mailer
$mail = new PHPMailer(true);
try {
// SMTP Settings (Bluehost)
$mail->isSMTP();
$mail->Host = 'mail.pitchlab.net'; // or use 'smtp.bluehost.com'
$mail->SMTPAuth = true;
$mail->Username = 'inquiries@pitchlab.net'; // your email
$mail->Password = 'PW'; // use App Password if 2FA is on
$mail->SMTPSecure = 'tls';
$mail->Port = 587;

// Email to YOU (the site owner)
$mail->setFrom('inquiries@pitchlab.net', 'Pitchlab ');
$mail->addAddress('inquiries@pitchlab.net');
$mail->Subject = 'Pitchlab Inquiry';
$mail->Body = "From: $name <$email>\n\n$message";

$mail->send();

// Auto-Responder to the User
$mail->clearAddresses();
$mail->addAddress($email);
$mail->Subject = 'Thanks for contacting Pitchlab';
$mail->Body = "Hi $name,\n\nThanks for reaching out. We received your message and will get back to you ASAP.\n\n The Pitchlab Team";
$mail->send();

echo "Success";
} catch (Exception $e) {
http_response_code(500);
echo "Mailer Error: " . $mail->ErrorInfo;
}
}
?>

**should i remove the echo?

Conversations can sometimes be surprising; we write... and we read between the lines... the internet is fast... 🙂

How do you use this script? It seems to be from AJAX? The echo will be useful for tracking, debugging, etc. You are free to keep them or not.

The key question is, does it work as you wanted ?

As you must know by now, Im not a natural coder - Im a film director who stubbornly knew what he wanted and then went and dove in to figuring it out.. So forgive my piecemeal approach to everything..

I am using AJAX - i dropped the PHP mailer in the contact directory and the process_form3.php accesses it from there..

it works in the sense that i wanted to a) have the form function and send me the inquiry b) send an autoresponse to the sender c) not reload the page but have a nice elegant "Thanks. Message received" fade on. As far if it is protecting me from spam, that remains to be seen, but I believe implementing all your suggestions in that article as well as the PHP mailer should to the trick- anything specific I should look for?

Hi Lena - so I started getting a lot of spam again despite all the additional protection I learned from your article - what am I doing wrong?

CONTACT FORM PAGE:

Nothing stops human spammers. 

I hear you but this looked pretty robotic to me.. 

I want to at least make sure Im doing everything I can

Robotic in what sense? 

If the hidden honeypot field contains data, the form sending script should abort.

That's how honeypots are supposed to work. 

Did i get the honeypot right? does my code look ok? bc Theres no way someone is pasting this into my form by hand - the names arent even consitent-  it screams of bot:

I don't know if it works. Did you test it?

Turn off CSS in your browser & try submitting spam through your form. If the script aborts as it's supposed to, you should not receive anything in your email inbox.

FYI, just having an email address attached to your website makes you a spam target. There's literally nothing you can do to stop it except terminate that email account & create new ones.  Once an email address gets out in the wild, it will be exploited by humans as well as bots.

thanks nancy I might create a new email for it - but when I removed the css and filled it out it didnt even submit..and i didnt get an email - so it seems its working.. t

BINGO!  It's not originating from your form.

Your email address is tainted.

Kill it and create a new one that nobody on the planet has access to.

Good luck!

Done! 

Thank you Nancy.. fingers crossed no one gets it - or Ill have to get mercenary (Im not even sure what that means!)

Cheers!

Don't be tempted to post your new email address in public view. You should be fine. 

unfortunately I'm already getting spam with the contact form subject line - definitely bots -  I can do a different email again but I have to figure out out why this honeytrap and all my other protection is not working before IU do.. its only going to accelerate

Rename your contact page and delete the old one from your server.

Change something in your new contact form/script to differentiate it from your old one.

done. Does it matter what I change? can it be the order? phrases in the email?

It doesn't matter.  Just make it different in some way so you can tell which form it's coming from, the old one or the new one.

Copy that. ok done.

When contact forms are above your pay grade, use a 3rd party form service like Jot Forms, Wufoo.com or Mailchimp. They do all the heavy lifting on their servers so you don't have to.

Its all above my pay grade Nancy..yet alas..here we are.

You must know me by now - I am nothing if not resolute !

No spam in a few days.. fingers crossed.

Hello @REELHERO , I'm sorry, the work here at the studio, with many files to prepare, made me forget this talk.

To complete what @Nancy OShea said, I think filtering robot is somehow play cat and mouse... and the important is not the form HTML itself, but in the server code processed by process_form3.php.

Did you set a log as mentioned in the article ?

This is very important. The log show who send, how it send, or how they eventualy pass the rules. If you need to change the form and have doubt about who send, you can use an hidden field (placed in the form itself, you don't need to change the file) :

<input type="hidden" name="session_marker" value="alpha42">
then change the value to fit your tests
<input type="hidden" name="session_marker" value="alpha43">

you will catch this information at the server, and knows about the senders... If you use CSRF, the server script should not be able to be invoked other than through the form.

The honeypot's technic is often good, but don't write name in code that say “honeypot” { in clear... avoid me... 🙂 }. In the article I use this word for teaching purpose, but better use a name that look normal, example:

<input type="text" name="profile_tag" autocomplete="off">

And in CSS:

input[name="profile_tag"] {
    display: none;
}

Please tell what check you do in process_form3.php, and what the log give you, or not.

Hi Lena - no worries!

spam is still happening frequently even with the changes above (new page) its coming from the new PHP I can tell by the subject..

this is my form I dont call the form honeypot but I do have it commented out but I will change the name completely:

the form on the contact page:

<!-- Honeypot -->
<div style="display:none;">
<label for="website">Website</label>
<input type="text" name="website" id="website" autocomplete="off">
</div>

<!-- Hidden CSRF Token -->
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
<input type="hidden" name="form_load_time" id="form_load_time">

does the same apply for the csrf? should I not call it that?

here is what appears on the process_form_new.php

both honeypot and csrf are commented out.. should i remove or change the name on here? I guess a bot can see code thats commented out?

if ($_SERVER["REQUEST_METHOD"] === "POST") {
// CSRF protection
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
http_response_code(403);
echo 'Invalid CSRF token.';
exit;
}

// Honeytrap spam filter
if (!empty($_POST['website'])) {
http_response_code(400);
echo 'Spam detected.';
exit;
}

I did not include a log- so youre saying I should inlude this in the form:

<input type="hidden" name="session_marker" value="alpha42"> then change the value to fit your tests <input type="hidden" name="session_marker" value="alpha43">

and this is going to seem like a silly question but where on the server side would I see a log? i connect through FTP (using dreamweaver obviously) does the server auto-create a log?

If you don't mind, I suggest that we take a step back and go one by one, calm and clean.

First of all, use the article as a guide — https://www.puce-et-media.com/protection-de-base-pour-un-formulaire/ it's made to be read in order.  So, before going further, do you have any issue reading the article in English? If yes, let me know, I will help you go through it step by step differently.

Well, so far, everything starts with your HTML form (contact.php) and your server-side script (process_form3.php) that receives the data.

You already have this basics, and you should start by cleaning them. That means that you have to keep only what’s needed for you : name, email, message and submit button. Remove eveything else... in both files.

Then you will have to follow the article step by step, you'll find the approrpiate code for each parts :

Starting with the referer.

Well, as explained, some browsers, don’t send it, but that’s not a big deal. The point is to start logging suspicious attempts.

for that , just define the log file and locate it where ever you want, usually in the same folder as your server script is fine. Call it as you like... atempts.log, log.log, journal.log.... 

$logFile = 'attempts.log';
or
$logFile = '../attempts.log';

Then you can download and read it via FTP to see what’s going on.

Now, continue to add one by one each traps... so, the next following step... and for that you can use a witness, an invisible one, added to your form...

<input type="hidden" name="my_version_or_trap" value="alpha01">

and on each step, on each new implementation, you just change the value that will help you to track your attempt.... alpha01, alpha02, alpha03... and so on...

well... that said...

The next point is to add a CSRF protection. In fact , the goal is to generate a token on the server and inject it into the form when the page loads. If a bot tries to send the form without loading it first, there will be no token, as a matter of fact, the server can refuse... do you get the point ?

if you read in the code, you'll see that logAttempt() will track that kind of try.

Still reading the article, the following will place a honeypot. 

Then, next step, is to check the submit time. If someone fills and submits the form in 1 second, either in 10 seconds...  it’s probably a bot. Human speed is always a bit slower 🙂

We can also, limit the number of tries. A real user may retry 2 or 3 times. But a bot will insist. After 5 attempts, you can slow down the script or ignore the request. And again, log it.

As you can see, the log is the key. It keeps track of what happened, when, how  and it will help you understand who’s trying to bypass the form. 

For sure, this script is not perfect, but it is somehow already very useful.

If spam keeps coming, we can go further: checking the IP address of the sender, blocking bad patterns… and so on... 
But first, let’s set up those initial protections, nice and clean and we’ll see later.

Does this plan work for you?

Hi Lena-

That is the article I used to build the contact form and the Process form.PHP but ill start again from scratch.. and include the log.. Its late in Los Angeles so Ill do it in the morning ..

thank you!

Todd