Iris is the best PHP contact form available online. It enables you to create a simple, secure and beautiful contact form that ensures better communication. Iris allows your users to communicate with you seamlessly and becomes the first step in converting the users to your customers.
The contact form is the key entry point for most small businesses. No matter how beautiful a website is, the contact form is the page that converts a visitor into a customer. So we need to put maximum effort into the contact form page and make it good for greater conversion, and Iris is created with this point in mind.
The best contact form should fade away between the user and the receiver. It should be instrumental for communication and should not highlight itself. If you are thinking about an effective contact form, then you should seriously consider Iris.
Of course, the UI/UX should be simple, but do not underestimate the implementation part. However we design forms to get user input, there are always more things to learn while working with them. HTML forms are the medium for collecting user input in a web client so that it can be processed on the web server.
As the web is a vast, open medium, we have to be aware of the user input, the way the requests are sent, the frequency at which the requests are sent and many other aspects.
With straightforward, transparent HTML form usage, the server request is predictable. That causes serious problems: non-human clients simulating the form request, frequent accesses within a short time interval that increase server load, and DoS issues.
So it is essential to take care when handling form requests, protecting our server, data and other information from malicious attacks. Following are the key aspects Iris focuses on:
Cross-Site Request Forgery (CSRF) attacks are serious vulnerabilities for a web application. This type of attack targets genuine users, making their browser raise a state-changing request to the server on the attacker's behalf. For example, a CSRF attacker can simulate the form submission so that the request reaches whatever PHP code the attacker wishes to execute.
In Iris, a session-based anti-CSRF token is generated and inserted into the HTML form. This token is hashed together with the IP address and stored in the PHP session. When the user submits the contact form, the submitted token is validated against the hashed token stored in the PHP session. If they match, the request is considered valid; otherwise it is rejected.
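The following is an added illustration of the token flow described above, written for this page and not taken from the Iris code base. It assumes a hidden field named `csrf_token`, a SHA-256 hash of the token concatenated with the client IP, and one-time use of each token; the form is rejected with HTTP 403 when the stored hash does not match. Note that binding the token to the IP address can reject legitimate users whose address changes between page load and submit (mobile networks, some proxies), so `REMOTE_ADDR` must reflect the real client when the app sits behind a reverse proxy.

```php
<?php
// Added example (not Iris's own code): a session-bound anti-CSRF token whose
// stored form is hash(token . IP), as the text describes.
declare(strict_types=1);

session_start();

// Generate a fresh random token, store hash(token|ip) in the session and
// return the raw token for embedding in the form.
function csrf_issue_token(string $clientIp): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_hash'] = hash('sha256', $token . '|' . $clientIp);
    return $token;
}

// Validate the submitted token against the stored hash. The token is
// single-use: whatever the outcome, the stored hash is discarded.
function csrf_validate_token(?string $submitted, string $clientIp): bool
{
    $stored = $_SESSION['csrf_hash'] ?? null;
    unset($_SESSION['csrf_hash']);
    if ($submitted === null || $stored === null) {
        return false;
    }
    $expected = hash('sha256', $submitted . '|' . $clientIp);
    // hash_equals() avoids leaking the comparison result through timing.
    return hash_equals($stored, $expected);
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; // behind a proxy, derive the real client IP instead

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_validate_token($_POST['csrf_token'] ?? null, $ip)) {
        http_response_code(403);
        exit('Invalid or expired form token.');
    }
    // ... the contact message would be processed here ...
}

// Every render (including the page shown after a failed submit) gets a new token.
$token = csrf_issue_token($ip);
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <!-- remaining contact fields go here -->
  <button type="submit">Send</button>
</form>
```

Because the hash lives only in the server-side session, an attacker who can make the victim's browser send a request still cannot supply a token that hashes to the stored value; the session cookie alone is not enough.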
The contact form field names are not static; they are created at run time for each request. The dynamically created random names change once the session expires. This randomness reduces the transparency of the contact form's data structure and thereby removes the predictability that improper attempts to simulate the form submit rely on.
The Iris contact form has a session-based 32-digit key and encrypts the plain-text field names with this key. The encrypted text is used as the name of each contact form field. This mechanism ensures that an attacker cannot guess the names of the form fields.
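As an added example, not code from Iris, here is one way to implement the per-session field-name encryption the last two paragraphs describe. It assumes a 32-character key kept in the PHP session, AES-256-GCM (an authenticated mode, so a tampered name is rejected rather than decrypted to garbage), a random nonce per render so names differ on every request, and a hex encoding with an `f_` prefix so the result is a valid HTML `name` attribute and survives PHP's rewriting of `$_POST` keys (PHP replaces `.` and spaces in keys, and hex contains neither).

```php
<?php
// Added example (not Iris's own code): encrypt logical field names with a
// session-scoped 32-character key so the posted names are opaque per session.
declare(strict_types=1);

session_start();

const FIELD_CIPHER = 'aes-256-gcm'; // 32-byte key, 12-byte nonce, 16-byte tag
const FIELD_PREFIX = 'f_';

// Create the session key once; it disappears with the session.
function field_key(): string
{
    if (empty($_SESSION['field_key'])) {
        $_SESSION['field_key'] = bin2hex(random_bytes(16)); // 32 hex digits
    }
    return $_SESSION['field_key'];
}

// "email" -> "f_<hex(nonce|tag|ciphertext)>", different on every call.
function obfuscate_field_name(string $logical): string
{
    $nonce = random_bytes(openssl_cipher_iv_length(FIELD_CIPHER));
    $tag = '';
    $ct = openssl_encrypt($logical, FIELD_CIPHER, field_key(), OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('field name encryption failed');
    }
    return FIELD_PREFIX . bin2hex($nonce . $tag . $ct);
}

// Reverse the mapping; null for anything not produced with this session's key.
function resolve_field_name(string $posted): ?string
{
    if (strncmp($posted, FIELD_PREFIX, strlen(FIELD_PREFIX)) !== 0) {
        return null;
    }
    $hex = substr($posted, strlen(FIELD_PREFIX));
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return null;
    }
    $raw = hex2bin($hex);
    $nonceLen = openssl_cipher_iv_length(FIELD_CIPHER);
    if ($raw === false || strlen($raw) < $nonceLen + 16) {
        return null;
    }
    $nonce = substr($raw, 0, $nonceLen);
    $tag   = substr($raw, $nonceLen, 16);
    $ct    = substr($raw, $nonceLen + 16);
    $plain = openssl_decrypt($ct, FIELD_CIPHER, field_key(), OPENSSL_RAW_DATA, $nonce, $tag);
    return $plain === false ? null : $plain; // false on wrong key or tampered name
}

// Map a whole POST body back to logical names; unknown keys are dropped.
function resolve_posted_fields(array $post): array
{
    $out = [];
    foreach ($post as $name => $value) {
        $logical = resolve_field_name((string) $name);
        if ($logical !== null) {
            $out[$logical] = $value;
        }
    }
    return $out;
}

// Rendering side: each logical field gets a fresh opaque name.
$names = [];
foreach (['name', 'email', 'message'] as $logical) {
    $names[$logical] = obfuscate_field_name($logical);
}
// <input name="<?= $names['email'] ?>"> ... and on submit:
// $fields = resolve_posted_fields($_POST);  // ['email' => ..., 'name' => ...]
```

Because the key never leaves the session, a request built from names captured in a different session (or after the session expired) resolves to an empty field set, which is the "failed simulation" the text relies on.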
A honeypot is a security mechanism used in computer networks and web applications. It lures malicious users into a trap, and thereby we can block such users from accessing our web application.
Iris includes a few honeypot fields as part of the simple contact form. These fields are validated on the server side on form submit. Attackers who attempt to compromise the contact form's execution flow are caught by this trap.
For a human, entering the form data and submitting it to the web server takes some reasonable amount of time. So we can apply logical reasoning to measure the time interval between successive requests.
In Iris there is a configured maximum time that a user is expected to take to enter the data and submit the form manually. In PHP, the interval between successive requests is measured and used to detect the abnormality and counteract it.
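The two server-side bot checks from the honeypot and timing paragraphs above, as an added example that is not Iris's code. It assumes hidden honeypot fields named `website` and `fax` (hidden with CSS rather than `type="hidden"`, so a form-filling bot still sees them), a render timestamp kept in the session, and three constructed thresholds: a minimum fill time below which the submit is too fast for a human, the maximum fill time the text mentions, and a minimum gap between successive submissions from the same session.

```php
<?php
// Added example (not Iris's own code): honeypot fields plus time-interval checks
// evaluated on the server when the contact form is submitted.
declare(strict_types=1);

session_start();

const HONEYPOT_FIELDS  = ['website', 'fax']; // assumed names; never shown to humans
const MIN_FILL_SECONDS = 3;                  // assumed: faster than a human can type
const MAX_FILL_SECONDS = 1800;               // assumed: the "maximum time" from the text
const MIN_GAP_SECONDS  = 30;                 // assumed: spacing between successive submits

// Markup for the trap fields: visually removed, skipped by screen readers and
// tab order, autocomplete disabled so browsers do not fill them for real users.
function honeypot_markup(): string
{
    $html = '';
    foreach (HONEYPOT_FIELDS as $f) {
        $name = htmlspecialchars($f, ENT_QUOTES, 'UTF-8');
        $html .= '<div style="position:absolute;left:-10000px" aria-hidden="true">'
               . "<input type=\"text\" name=\"$name\" tabindex=\"-1\" autocomplete=\"off\"></div>\n";
    }
    return $html;
}

// A human leaves the trap fields empty; any value means an automated client.
function honeypot_tripped(array $post): bool
{
    foreach (HONEYPOT_FIELDS as $f) {
        if (isset($post[$f]) && trim((string) $post[$f]) !== '') {
            return true;
        }
    }
    return false;
}

// Called when the form is rendered, so the fill time can be measured later.
function mark_form_rendered(int $now): void
{
    $_SESSION['form_rendered_at'] = $now;
}

// Returns null when the timing looks human, otherwise a short reason code
// that can be logged to tune the thresholds.
function timing_anomaly(int $now): ?string
{
    $rendered = $_SESSION['form_rendered_at'] ?? null;
    if ($rendered === null) {
        return 'no_render_timestamp';          // submit without ever loading the form
    }
    $elapsed = $now - $rendered;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'too_fast';
    }
    if ($elapsed > MAX_FILL_SECONDS) {
        return 'too_slow';                     // stale form, treat like an expired token
    }
    $last = $_SESSION['last_submit_at'] ?? null;
    if ($last !== null && ($now - $last) < MIN_GAP_SECONDS) {
        return 'too_frequent';                 // repeated submits in a short interval
    }
    return null;
}

function record_submission(int $now): void
{
    $_SESSION['last_submit_at'] = $now;
    unset($_SESSION['form_rendered_at']);      // each submit needs a fresh render
}

$now = time();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $reason = honeypot_tripped($_POST) ? 'honeypot' : timing_anomaly($now);
    record_submission($now);
    if ($reason !== null) {
        error_log("contact form rejected: $reason");
        http_response_code(429);
        exit('Please try again later.');
    }
    // ... deliver the message ...
}
mark_form_rendered($now);
echo honeypot_markup();
```

Logging the reason code rather than silently dropping the request is what lets you see whether a threshold is too tight for real users (many `too_fast` hits from browsers with autofill) or too loose for the bots actually hitting the form.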
This is the usual input filtering that can be done with PHP's built-in functions. Using those functions, we can sanitize the user input posted via the form.
As the contact form usually contains input fields for the user to enter their name, email, comments and more, I have used the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_STRING filter IDs to sanitize the contact form data.
Iris uses both client-side and server-side validation to check the presence and the format of the contact form data posted by the user. In addition to the client-side validation, captcha validation is also done in the PHP code. Google reCAPTCHA is integrated and is configurable via the application config file, so it can be enabled or disabled as you prefer.
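An added example of the server-side sanitization, validation and config-gated reCAPTCHA check covered by the last three paragraphs; it is written for this page and is not the Iris implementation. It assumes a config array with `recaptcha_enabled` and `recaptcha_secret` keys, uses the real reCAPTCHA `siteverify` endpoint, and keeps `FILTER_SANITIZE_EMAIL` as the text does; `FILTER_SANITIZE_STRING` is deprecated since PHP 8.1, so the example strips tags and control characters explicitly instead. The line-break check on the name and email matters for a contact form because those values usually end up in mail headers.

```php
<?php
// Added example (not Iris's own code): sanitize, validate, then verify the
// reCAPTCHA response only when the config enables it.
declare(strict_types=1);

// Constructed configuration; in Iris this lives in the application config file.
$config = [
    'recaptcha_enabled' => true,
    'recaptcha_secret'  => 'RECAPTCHA_SECRET_PLACEHOLDER',
];

// Strip tags and control characters (the role FILTER_SANITIZE_STRING used to
// play), trim, and cap the length.
function sanitize_text(string $value, int $maxLen): string
{
    $clean = strip_tags($value);
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $clean) ?? '';
    return mb_substr(trim($clean), 0, $maxLen);
}

// Returns [sanitized fields, list of error messages]. Empty errors means valid.
function validate_contact(array $post): array
{
    $fields = [
        'name'    => sanitize_text((string) ($post['name'] ?? ''), 100),
        'email'   => trim((string) filter_var((string) ($post['email'] ?? ''), FILTER_SANITIZE_EMAIL)),
        'message' => sanitize_text((string) ($post['message'] ?? ''), 4000),
    ];
    $errors = [];
    if ($fields['name'] === '') {
        $errors[] = 'Name is required.';
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required.';
    }
    if (mb_strlen($fields['message']) < 10) {
        $errors[] = 'Message is too short.';
    }
    // Newlines in header-bound values enable mail header injection; reject them.
    foreach (['name', 'email'] as $f) {
        if (preg_match('/[\r\n]/', $fields[$f])) {
            $errors[] = ucfirst($f) . ' contains invalid characters.';
        }
    }
    return [$fields, $errors];
}

// Verify the g-recaptcha-response token with Google; skipped when disabled.
function recaptcha_ok(array $config, ?string $response, string $clientIp): bool
{
    if (empty($config['recaptcha_enabled'])) {
        return true;
    }
    if ($response === null || $response === '') {
        return false;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $config['recaptcha_secret'],
            'response' => $response,
            'remoteip' => $clientIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if (!is_string($body)) {
        return false;                      // network failure: fail closed
    }
    $json = json_decode($body, true);
    return is_array($json) && ($json['success'] ?? false) === true;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    [$fields, $errors] = validate_contact($_POST);
    if (!recaptcha_ok($config, $_POST['g-recaptcha-response'] ?? null, $_SERVER['REMOTE_ADDR'] ?? '')) {
        $errors[] = 'Captcha verification failed.';
    }
    if ($errors !== []) {
        http_response_code(422);
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    // ... send $fields by mail or store it; escape with htmlspecialchars() when echoing ...
}
```

Client-side validation still belongs in the form for usability, but everything above runs regardless of what the browser did, which is the only check an automated client cannot skip.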