Generally a random hash matched to the session is sufficient for MOST forms. Captcha I'd add if it were a forum or open posting system, but if it's for contact mails and the like
Now that said... that's EXACTLY the type of code I'm often talking about where it's the pinnacle of bad practices, often out of some noodle-doodle "template" nonsense that forgets PHP is a template system.
1) Just echo the bloody thing instead of wasting memory on a variable for nothing.
2) If you used single quotes for the string, you wouldn't need to escape all your doubles.
3) If you echoed, you'd be able to comma-delimit, which would be faster than string additions.
4) It would also mean axing all those painfully slow and memory/CPU-wasting regexes.
5) It's highly unlikely you're at H1 depth from a logical document structure standpoint.
6) PLACEHOLDER IS NOT A LABEL!!! I don't care how many artsy-fartsy types cream their shorts over it, USE BLOODY LABELS!!! That is NOT what placeholder is for!!!
7) Likewise, where's your fieldset? You know, the marker of which fields are user-interactable as a group?
8) What the blazes makes a single INPUT tag a grammatical paragraph?
9) You didn't htmlspecialchars your $_POST, opening the door to hackers doing script injections.
If I were writing that form, the markup would go something more like this:
<?php
// session_hash() isn't part of the snippet itself; this body follows the
// description given after the form: generate a random hash, store it in
// $_SESSION under the name passed in, and return it. session_start() has to
// run before the form is rendered or $_SESSION won't exist.
function session_hash($name) {
    $hash = bin2hex(random_bytes(16));
    $_SESSION[$name] = $hash;
    return $hash;
}

// Re-populate a field from $_POST on a failed submit. htmlspecialchars()
// stops the value breaking out of the double-quoted attribute; the
// is_string() check keeps an array smuggled in via name[]=... from
// blowing up htmlspecialchars().
function contact_postValue($index) {
    return (empty($_POST[$index]) || !is_string($_POST[$index])) ? '' : '
        value="' . htmlspecialchars($_POST[$index]) . '"';
}

function contact_ShowForm() {
    echo '
<form method="post" action="?module=Contact" id="contact">
    <h2>Contact Us</h2>
    <p>
        So you want to drop us a line - then please just fill out the form below and we will get back to you...
    </p>
    <fieldset>
        <label for="contact_name">Your Name</label><br>
        <input
            type="text"
            name="name"
            id="contact_name"',
            contact_postValue('name'), '
        ><br>
        <label for="contact_mail">Your E-Mail</label><br>
        <input
            type="email"
            name="email"
            id="contact_mail"',
            contact_postValue('email'), '
        ><br>
        <label for="contact_message">Your Message</label><br>
        <textarea
            name="message"
            id="contact_message"
            rows="4" cols="50"
        >', (empty($_POST['message']) || !is_string($_POST['message'])) ? '' : htmlspecialchars($_POST['message']), '</textarea><br>
        <input
            type="checkbox"
            name="privacy"
            id="contact_privacy"
            value="1"
        >
        <label for="contact_privacy">
            I agree to my personal information being processed so that the request I made can be carried out.
        </label>
    </fieldset>
    <div class="submitsAndHiddens">
        <button>Send Message</button>
        <input type="hidden" name="contactHash" value="', session_hash('contact'), '">
    <!-- .submitsAndHiddens --></div>
</form>';
} // contact_ShowForm
Fixing the broken semantics and nonsensical structure, ditching that garbage "let's add everything to a string so we can regex it" rubbish, and showing where I'd apply the random hash.
session_hash is a function I have that just generates a random hash, stores it in $_SESSION via the name passed as an argument to the function, and returns said hash. I have a second routine, session_verify, that you pass the same name; it checks that $_POST[$name] == $_SESSION[$name] and that it's not blank. If true, it deletes the hash from $_SESSION and returns true.
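The submit side of that form, as an added example that is not code from the original post: session_hash() and session_verify() are written here from the description above (the names are the post's, the bodies are mine), and contact_validate() and contact_handle() are assumed names for the field checks and the dispatch that the post does not show. One deliberate difference from the description: the token is deleted on a mismatch as well as on a match, so a replayed or half-guessed form can't keep trying against the same value. The form is posted with name="contactHash", so that is the session key used here. The CLI section at the bottom feeds constructed requests through it so it runs without a web server or a real session; in a real request session_start() has to run first.

```php
<?php
// Added example (not from the original post). Token generation/verification
// as described in the post, plus handling of the posted fields.

function session_hash($name) {
    $hash = bin2hex(random_bytes(16));      // 128 random bits from the CSPRNG
    $_SESSION[$name] = $hash;
    return $hash;
}

function session_verify($name) {
    if (empty($_SESSION[$name]) || empty($_POST[$name]) || !is_string($_POST[$name])) {
        return false;                       // blank or missing on either side
    }
    // hash_equals() sidesteps PHP's loose == on numeric-looking hex strings
    // and compares in constant time.
    $ok = hash_equals($_SESSION[$name], $_POST[$name]);
    unset($_SESSION[$name]);                // one-shot token: a resubmit needs a fresh form
    return $ok;
}

// Assumed field rules; returns a list of error messages (empty means good).
function contact_validate(array $post) {
    $errors = [];
    if (empty($post['name']) || !is_string($post['name'])) {
        $errors[] = 'Name is required.';
    }
    if (empty($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if (empty($post['message']) || !is_string($post['message'])) {
        $errors[] = 'Message is required.';
    }
    if (empty($post['privacy'])) {
        $errors[] = 'You must agree to the privacy notice.';
    }
    return $errors;
}

// Assumed dispatcher: 'rejected' (bad or missing token), 'invalid' (token
// fine, fields not) or 'accepted'. The token check comes first so that
// field errors never leak back to a cross-site submit.
function contact_handle() {
    if (!session_verify('contactHash')) {
        return ['status' => 'rejected',
                'errors' => ['Form token missing or stale; please reload the form.']];
    }
    $errors = contact_validate($_POST);
    if ($errors) {
        return ['status' => 'invalid', 'errors' => $errors];
    }
    // Mail the message here. If any field is echoed back (confirmation page),
    // it goes through htmlspecialchars() exactly as in contact_postValue().
    return ['status' => 'accepted', 'errors' => []];
}

// CLI demo with constructed requests; $_SESSION is faked since there is no
// session_start() on the command line.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $fields = ['name' => 'Jane', 'email' => 'jane@example.com',
               'message' => '<b>hi</b>', 'privacy' => '1'];

    // 1) Cross-site forgery: the attacker doesn't know the session's token.
    session_hash('contactHash');
    $_POST = $fields + ['contactHash' => 'deadbeef'];
    echo 'forged token: ', contact_handle()['status'], "\n";     // rejected

    // 2) Genuine submit with the token the form carried.
    $_POST = $fields + ['contactHash' => session_hash('contactHash')];
    echo 'genuine:      ', contact_handle()['status'], "\n";     // accepted

    // 3) Replay of the same request: the token was consumed in step 2.
    echo 'replay:       ', contact_handle()['status'], "\n";     // rejected

    // 4) Good token, bad fields.
    $_POST = ['contactHash' => session_hash('contactHash'), 'email' => 'not-an-email'];
    $r = contact_handle();
    echo 'bad fields:   ', $r['status'], ' (', implode(' ', $r['errors']), ")\n";  // invalid
}
```

Note that contact_ShowForm() calls session_hash() every time it renders, so a rejected or invalid submit that redisplays the form automatically gets a fresh token; that is also why the verify step can safely burn the old one.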