
How to prevent header injections via php mail forms
Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Dec 9, 2005, 03:50 PM
 
Turns out that the contact forms on almost all of my web sites were being used by spammers to send out thousands of junk mails. These are forms that have a hard coded "To:" address. So I had to learn how they were hacking them, then I had to learn how to stop them. I documented my efforts here:
http://www.whatsmyip.org/forum/viewtopic.php?p=303
Let me know if you have any comments etc. I am now unable to send spams via my forms but one can never be sure that they have patched ALL holes. Read it and weep... or don't weep.
     
Dedicated MacNNer
Join Date: Aug 2002
Dec 10, 2005, 11:09 PM
 
as always, data validation is key.

whenever you can, it's good to go for something which specifically allows good cases, and blocks others, instead of ruling out specific bad things.

the email checking function i found somewhere is:
[PHP]
// Allowlist check for an e-mail address. Rewritten from the original eregi()
// call to preg_match(), since the ereg functions were removed in PHP 7.
// The original character classes contained mis-encoded characters where
// "[a-z0-9]" now appears; plain ASCII letters and digits are assumed here.
// The D modifier stops $ from accepting a trailing newline.
function email_check($data) {
    return preg_match('/^[a-zA-Z0-9]+[_a-zA-Z0-9-]*(\.[_a-z0-9-]+)*@[a-z0-9]+(-[a-z0-9]+)*(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/iD', trim($data)) === 1;
}
[/PHP]

for all of those other fields that you are taking from post data, do a couple extra checks to make sure they aren't trying anything tricky:

[PHP]
// Allowlist of printable characters for free-text fields. CR and LF are
// deliberately absent, so a value cannot start a new mail header line.
// The original pattern had an invalid range (_-^) and required every group
// to begin with a literal dot; both defects are corrected here.
function text_check($data) {
    return preg_match('/^[a-zA-Z0-9 .+=\/:!@_^()?,|{}-]*$/D', trim($data)) === 1;
}
[/PHP]

--Will
     
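The following is an added example and not code from this thread or from any of its posters. It puts the advice above into a minimal contact-form handler: one header builder that pastes the form value straight into the extra headers of mail() (the pattern the first post describes being abused), and one that validates with an allowlist and refuses anything containing a line break before any header is assembled. The field names, the hard-coded recipient address and the sample submissions are all constructed for the example; it assumes PHP 7.1 or later for the nullable return type, and mail() is replaced by a callable so the script can be run without a mail server.

```php
<?php
// Added example: weak versus hardened header assembly for a PHP contact form.
// Nothing here is sent; $send is a stand-in for mail().

// Every header injection needs a CR or LF to begin a new header line, so a
// single check for line breaks closes the hole no matter which field is abused.
function has_line_break(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Allowlist for the sender address, anchored with \A and \z so that a trailing
// newline cannot slip past a $ anchor.
function is_safe_email(string $value): bool {
    return preg_match('/\A[a-z0-9][_a-z0-9.+-]*@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}\z/i', $value) === 1;
}

// Weak version: form values go straight into the additional-headers string.
// Anything typed after a CRLF becomes a header line of its own.
function build_headers_unsafe(array $form): string {
    return "From: " . $form['email'] . "\r\nReply-To: " . $form['email'] . "\r\n";
}

// Hardened version: validate first and fail closed. Returns null on any
// suspicious value so the caller shows an error and sends nothing.
function build_headers_safe(array $form): ?string {
    $email = trim($form['email'] ?? '');
    $name  = trim($form['name'] ?? '');
    if (!is_safe_email($email) || has_line_break($name) || strlen($name) > 100) {
        return null;
    }
    // Keep the display name a plain quoted string.
    $name = str_replace(['"', '\\'], '', $name);
    return "From: \"$name\" <$email>\r\nReply-To: $email\r\n";
}

// Handle one submission. $send has the signature of mail(): (to, subject, body, headers).
function handle_submission(array $form, callable $send): bool {
    $headers = build_headers_safe($form);
    $subject = trim($form['subject'] ?? '');
    if ($headers === null || has_line_break($subject) || strlen($subject) > 200) {
        return false;
    }
    $to   = 'webmaster@example.com';          // hard-coded, never taken from the form
    $body = wordwrap($form['message'] ?? '', 70); // body may legitimately contain newlines
    return (bool) $send($to, 'Contact form: ' . $subject, $body, $headers);
}

// Constructed sample input: one benign submission and one with a CRLF smuggled
// into the e-mail field.
$benign   = ['name' => 'Alice', 'email' => 'alice@example.com',
             'subject' => 'Hello', 'message' => "Hi,\nquick question."];
$injected = ['name' => 'Alice', 'email' => "alice@example.com\r\nX-Injected: yes",
             'subject' => 'Hello', 'message' => 'x'];

// Stand-in for mail() that just records what it would have sent.
$sent = [];
$recorder = function (string $to, string $subject, string $body, string $headers) use (&$sent): bool {
    $sent[] = compact('to', 'subject', 'headers');
    return true;
};

var_dump(handle_submission($benign, $recorder));    // accepted
var_dump(handle_submission($injected, $recorder));  // rejected, nothing recorded
var_dump(count($sent));
// For comparison, count the header lines the weak builder would have produced
// from the same two submissions.
var_dump(substr_count(build_headers_unsafe($benign), "\r\n"));
var_dump(substr_count(build_headers_unsafe($injected), "\r\n"));
```

Run it with `php contact.php`. The weak builder emits twice as many header lines for the injected submission as for the benign one, which is exactly how a hard-coded "To:" form ends up relaying mail to addresses the site owner never chose; the hardened path never reaches mail() for that input. The same line-break check belongs on every value that ends up in a header, including the subject, while the message body may keep its newlines.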
Mac Elite
Join Date: Sep 2003
Location: London
Dec 11, 2005, 03:21 PM
 
I run the email checker thing to verify that's a valid email address as above; you can also query the server to see if the email address actually exists, but I've never had that need.

I did need to send attachments a while ago and used this:

http://phpmailer.sourceforge.net/

I think it's good and can handle a variety of different things. I still validate the email though as mentioned above.

You can also do client side validation:

http://developer.apple.com/internet/...alidation.html

although you should always back that up with PHP (or similar) 'cause client side can be tricked.
All contents of these forums © 1995-2011 MacNN. All rights reserved.