Create a bullet-proof contact form

Note: This article has been marked for a quality review and will soon be updated.

Contact pages are usually one of the basic building blocks of any website, and while many simple feature an email address for spam bots to pick up and use, or even a handy ‘mailto’ link, the best ones feature a proper contact form. To make a bulletproof one we’re going to need some thick glass and a riot shield PHP and JavaScript. Having those bad-boys on our side will ensure we can create a beautiful AJAX-enabled means of contact for our users. We also need to ensure our form will work on the rare occasion that a user has JavaScript turned-off *gasp* – I know, it’s a scary thought, but I’m sure we’ll figure something out!

So we’ll start with some simple HTML to set out our fields, the following code is what we’ll be working with:

<form id="contact" class="right" method="post" action="mail.php">
	<h3 class="hidden success"><br/>Message sent!</h3>
	<label>Name: <span class="warning right"></span>
		<input type="text" name="name" />
	<label>Email: <span class="warning right"></span>
		<input type="text" name="email" />

	<label>Message: <span class="warning right"></span>
		<textarea name="message"></textarea>
	<input class="right" type="submit" value="Send" />

Aside from the obvious, the form features a few extra elements – namely the .warning elements – we’ll see what they’re for in a moment. I also assume that you have the class of .right set up to float elements to the right; if now, then you’ll need to float the affected elements individually in your CSS. Right, that’s the HTML sorted, lets take a look at the JavaScript for this puppy.

function validateEmail(email){ 
	 var re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/ 
	 return email.match(re); 

	var name, email, message, errors;
	errors = 0;
	name = $('input[name=name]').val();
	email = $('input[name=email]').val();
	message = $('textarea[name=message]').val();
	if(name==''){ $('input[name=name]').siblings('.warning').text('This field is required!'); errors++; }
	if(email==''){ $('input[name=email]').siblings('.warning').text('This field is required!'); errors++; }
	if(message==''){ $('textarea[name=message]').siblings('.warning').text('This field is required!'); errors++; }
	if(!validateEmail(email)){ $('input[name=email]').siblings('.warning').text('Please enter a valid email!'); errors++; }
		var dataString = $(this).serialize() + '&js=true';
			url: 'contact-post.php',
			data: dataString,
			type: 'POST',
			success: function(data){
				$('form label, form input[type=submit]').slideUp(500, function(){
					$('form .success').hide().removeClass('hidden').slideDown(500);
	return false;

Now for the moment we’ll ignore the validateEmail() function, and take a look at the form submission code. First off we set up some variables for the values in our form, this prevents us having to use longer code snippets and querying the DOM too much. Once we’ve got them set up we give the user the benefit of the doubt and remove any warning that may have previously been set by removing any text from the elements with the class of .warning. And then we validate the fields. The first three ‘if’ statements simply check that the user has entered a value in each field – if they haven’t we tell them so, and increment our errors variable by 1. The last ‘if’ statement uses the validateEmail() function that we set earlier. There’s no reason to worry if you don’t understand how that function works, Regular Expressions are a world of their own. All we need to know, is that it tells us if the user has entered a valid email address.

Following our rather basic validation checks we then test to see if the form has passed – because we’ve been using our errors variable all along, if it’s set to ‘0’ we can rest assured nothing has gone wrong. If that’s the case we serialise the form, and use a simple AJAX request to submit the data to our server. If our server is happy, we show our users a success message. Now all we need to do is set up our contact-post.php file, like so:

function redirect($hash){
		echo 'Invalid ' . $hash;
	}else {
		echo 'Message sent!';
		echo '<meta http-equiv="refresh" content="0;url=">';

		// Validate info here
		if(empty($_POST['name'])){ redirect('name'); }
		if(empty($_POST['email'])){ redirect('email'); }
		if(empty($_POST['message'])){ redirect('message');  }
		if(filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){ redirect('email'); }
	$sendto = '';

	$name = $_POST['name'];
	$email = $_POST['email'];
	$phone = $_POST['phone'];
	$message = $_POST['message'];
	$to = $sendto;
	$subject = "[MySiteName] Message";
	$message = "
	<title>Contact form Submission</title>
	<p style='font-family:Arial, Helvetica, sans-serif; color:black;'>The following was sent by <strong>".$name." (Email: ".$email."):</strong></p>
	<p style='font-family:Arial, Helvetica, sans-serif; color:black; font-size:16px;'>".nl2br(stripslashes($message))."</p>
	<p style='font-family:Arial, Helvetica, sans-serif; color:black;'>(Sent on: ".gmdate('d\/m\/y').")</p>
	$headers = "MIME-Version: 1.0" . "\r\n";
	$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
	$headers .= 'From: ' . $name;
}else {
        redirect('submission - no data entered!');

The function at the top will be used when we want to give the user some feedback – if they entered all the correct info, they’ll be given a success message, and then redirected to your site in a timely fashion, otherwise they will be told what is wrong with their submission. Then we get to the guts of the script – we first make sure there is some data to play with – if there isn’t we tell the user off, and if there is we go on to see if the user has JavaScript running. You may have noticed the little variable ‘js’ that we added to the serialised form back in our JavaScript – that is our way of finding out if the form is being submitted via an AJAX request in JavaScript – if the variable is empty, we let PHP validate our form’s content – this is essentially identical to the JS code we used previously.

We then set up a really basic email, and send it to the address in the $sendto variable. Finally we redirect the user to the site. As a side note, do remember that this page will only be seen by users without JavaScript turned on.

And that’s it! You now have a swanky contact form that, for all intents and purposes, is bullet-proof, but having said that, I wouldn’t actually test that theory with a gun of any kind…





3 responses to “Create a bullet-proof contact form”

  1. Aaron avatar

    Thanks for this great form. I’ve got it all setup and it is running nicely, however, in testing, I’m not receiving any notifications via email that the form has been submitted (let alone the message in the submission itself.) I’m sure this is because I’m not finding anywhere to specify the send to email address other than in the contact-post.php file which, according to your post, wouldn’t be used unless js is turned off. Any help is appreciated.

    1. Tom avatar

      Hi Aaron, contact-post.php is used in every instance, the only difference is how it is accessed. If JS is on it’s done via an AJAX request, if not the form posts directly to it, otherwise we wouldn’t be able to send any emails because this functionality is only available on the server. Hope that makes sense!

  2. Aaron avatar

    Gotcha. I was receiving the success message back from the server, but not the email notification. I’ve since found another solution. Thanks for the response.