What's the best-practice way to process a contact form?

Question

It seems I'm coding contact forms for someone or another every week. I've developed a validate/mail client/mail thankyou/save to DB/thankspage process that's fairly robust but I was wondering what lessons others have for performing this most common of website tasks?

Answer 1

1. Make sure it works without Javascript (or fails gracefully)
2. Strip out any nasty characters before sending the email
3. Use parameterized queries when writing to the database
4. Be sure the From or Reply-to header is set to the sender's email address
5. Read this article on form validation.

Answer 2

the best hint I would give you is to come up with a good way to prevent spam. We use a honeypot technique which we find very effective and is also very simple to implement. It involves the addition of two extra text fields to each form, hidden by CSS. One of these fields (lets call in input1) will have a set value which you can check for on your processing page, the other field (input2) will have its value left empty. A lot of automated spam will use a bot that will detect the presence of a form and autofill all form fields. With our technique, simply by checking that input1 still has its initial value and that input2 still has a value of "" we can guess the form was not autofilled by a bot or similar. We do have more advanced techniques for checking the content of each field but as a simple trick this one is a real winner and has almost completely eradicated automated contact form spam.