Simple Secure Spam-Free Contact Form in PHP – Iris

Last modified on December 4th, 2018 by Vincy.

Iris is the best PHP contact form available online. It enables you to create a simple, secure and beautiful contact form that ensures better communication. Iris allows your users to communicate with you seamlessly and becomes the first step in converting the users to your customers.


simple secure spam free contact form in php iris

Rating: Five Stars

Get Iris

Contact Form Should Fade Away

Contact form is the key entry point for most of the small businesses. No matter how beautiful a website is, the contact form is the page that converts a visitor into a customer. So, we need to put maximum effort in the contact form page and make it good for greater conversion and Iris is created with this point in mind.

The best contact form should fade away between the user and the receiver. It should be instrumental for communication and should not highlight itself. If you are thinking about an effective contact form, then you should seriously consider Iris.

The Engine Of the Contact Form

Of course, the UI/UX should be simple but do not underestimate the implementation part. No matter how we are designing forms to get user input. There are always more things to learn while working with forms. HTML forms are the medium to get user input with a web client to be processed in the web server.

As the web is a vast infinite medium, we have to be aware of the user input, the way that the requests are sent, the frequency on which the requests are sent and many other aspects.

With straightforward transparent HTML form usages, the server request can be predictable. It will cause many serious problems like non-human access simulating the form request, frequent accesses between a short time interval which will increase server load and DoS issues.

So, it is essential to take care of handing form requests from the malicious attacks to protect our server, data and other information. Following are the key aspects Iris focuses on

  • Preventing Cross-Site Request Forgery (CSRF) attacks
  • Automatic bots submission prevention
  • Baiting attackers with Honeypot
  • Default PHP input filtering
  • Both client-side and server-side form validation

Preventing Cross-Site Request Forgery (CSRF) attacks

Cross-Site Request Forgery (CSRF) attacks are serious vulnerabilities for a web application. This type of attack will target the genuine users to raise the state changing request to the server. For example, the CSRF attackers will simulate the form submission to some other PHP code as the attacker wish to execute.

In Iris, a session based AntiCSRF token is generated and inserted into the HTML form. This token is hashed with the IP address and stored in PHP session. When the user submits the contact form, this token is validated with the hashed token stored in the PHP session. If match found then the request will be considered as a valid request, otherwise will be prevented.

Creating dynamic random names for the form fields

The contact form fields are not static and they are created at run-time for each request. The dynamically created random names are changed once the session expires. This randomness reduces the transparency of the contact form data structure. Thereby, it avoids the predictability and improper attempts to simulate the form submit.

Iris contact form has a session-based 32 digit key and encrypted the plain text with this key. The encrypted text is used as the name of the contact form fields. This mechanism ensures that the attacker cannot guess the name of the form fields. 

Baiting attackers with Honeypot

The honeypot is a security mechanism used in computer web networks. It will make the malicious users get into the trap and thereby we can block such users from accessing our web application.


Irish has few fields as the Honeypot as part of the simple contact form. These fields are validated in the server side on the form submit. The attackers who attempted to compromise the contact form execution flow will be stuck with this trap.

Logical reasoning to measure the time interval between successive requests

For the human, there must be some reasonable time to be taken to enter the form data and submit it to the web server. So, we can apply logical reasoning to measure the time interval between successive request.

In Iris there is a time set which will be taken at the max to enter the data and submit the form manually. In PHP, the interval between the successive requests are measured and used to find the abnormality and counteract based on it.

Default PHP input filtering

This is usual input filtering that can be done with the PHP in-built functions. Using those functions, we can perform the sanitization of the user input posted via the form.

As the contact form usually contains the input fields for the user to enter their name, email, comments and more, I have used FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_STRING filter ID to sanitize the contact form data.

Client-side and Server-side form validation

Irish uses both both client and the server-side validation to check the state and the format of the contact form data posted by the user. Added to this client-side validation, in PHP code the captcha validation is also done. Google reCaptcha is integrated and that is configurable with the application config file, that is it can be enabled or disabled as per your preference.

What you will get with Iris

  • AJAX based seamless UI/UX.
  • Support for multiple attachments with the contact form (configurable: attachment can be enabled or disabled).
  • Responsive design (will work smoothly on mobile, tablet, laptop and desktop devices).
  • Captcha less SPAM protection from automatic submissions.
  • Brute force submission protection.
  • Google reCAPTCHA integrated (configurable: can be enabled or disabled).
  • Strong security, minimal code, easy customization.

Irish is the best secure contact form available

Rating: Five Stars

Get Iris

↑ Back to Top

Share this Article