PHP Free Featured

Secure PHP Contact Form Handler

A more real-world contact form endpoint for bespoke PHP builds. Includes request method enforcement, CSRF validation, anti-bot checks, sane input validation, response helpers and a clean place to wire PHPMailer or your preferred provider.

1 min read 96 lines Intermediate Updated: March 2026

Use case

Secure form processing

Best for

Lead forms, contact pages, bespoke service sites

Drop-in level

Adapt before production

Stack / dependencies

PHP 8+ Sessions PHPMailer optional

Compatibility

Shared hosting Hostinger-style PHP hosting AJAX forms Traditional form posts

Usage notes

Use this as your form action endpoint, for example /contact-submit.php. It supports both regular form posting and an AJAX flow because responses are returned in a predictable format.

Generate a CSRF token on the form page and store it in $_SESSION['contact_csrf'].
Include a hidden website field as a honeypot.
Post name, email, message and optional phone.
Swap the delivery block for PHPMailer, SMTP or API-based mail once ready.

Why this exists

Most “contact form snippets” are too toy-like for a live project. This version is designed to be small enough to understand, but structured enough to sit behind a real business site.

Integration steps

1 Add a CSRF token to the form page and include it as a hidden input.
2 Add a visually hidden honeypot input named website.
3 Point your form action to this file or call it via fetch().
4 Replace the example delivery section with PHPMailer or your mail provider.
5 Log failures server-side rather than exposing internal mail errors to users.

Code snippet

Full version with formatting intact. Use “Copy stripped version” when you want a leaner base.

<?php
declare(strict_types=1);

session_start();

/**
 * /contact-submit.php
 * Production-minded contact form handler
 */

header('Content-Type: application/json; charset=utf-8');

function respond(int $status, bool $ok, string $message, array $extra = []): never
{
    http_response_code($status);
    echo json_encode(array_merge([
        'ok'      => $ok,
        'message' => $message,
    ], $extra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
    exit;
}

function post(string $key): string
{
    return trim((string)($_POST[$key] ?? ''));
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    respond(405, false, 'Method not allowed.');
}

$csrf = post('csrf');
if ($csrf === '' || !hash_equals((string)($_SESSION['contact_csrf'] ?? ''), $csrf)) {
    respond(400, false, 'Invalid request token.');
}

// Basic honeypot
if (post('website') !== '') {
    respond(200, true, 'Thanks.');
}

$name    = post('name');
$email   = post('email');
$phone   = post('phone');
$message = post('message');

$errors = [];

if ($name === '' || mb_strlen($name) < 2) {
    $errors['name'] = 'Please enter your name.';
}

if ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $errors['email'] = 'Please enter a valid email address.';
}

if ($message === '' || mb_strlen($message) < 10) {
    $errors['message'] = 'Please enter a longer message.';
}

if ($phone !== '' && !preg_match('/^[0-9+\s().-]{7,25}$/', $phone)) {
    $errors['phone'] = 'Please enter a valid phone number.';
}

if ($errors) {
    respond(422, false, 'Please correct the highlighted fields.', [
        'errors' => $errors,
    ]);
}

// Optional: rotate token after use
unset($_SESSION['contact_csrf']);

$subject = 'New contact form enquiry';
$bodyLines = [
    'New enquiry received',
    '--------------------',
    'Name: ' . $name,
    'Email: ' . $email,
    'Phone: ' . ($phone !== '' ? $phone : 'Not provided'),
    '',
    'Message:',
    $message,
];

$body = implode("\n", $bodyLines);

// Replace this block with PHPMailer / SMTP / API delivery
$deliveryOk = true;

if (!$deliveryOk) {
    error_log('[CONTACT] Delivery failed for ' . $email);
    respond(500, false, 'Sorry, something went wrong while sending your message.');
}

respond(200, true, 'Thanks, your message has been sent successfully.');

Implementation notes

The response helper makes it easy to convert the flow to JSON-only later without rewriting all branches.

Use a rate limit upstream if you expect abuse or public traffic spikes.

Consider storing enquiry rows in MySQL before attempting email delivery so leads are never lost.

Security notes

CSRF protection stops cross-site submission attempts from other origins.
The honeypot blocks a chunk of low-grade bot traffic without adding user friction.
Inputs are trimmed and validated before any delivery logic runs.
Real mail failures should be logged server-side, not returned raw to the browser.

Performance notes

Keep the handler light and avoid expensive external API calls in the request path unless needed. If you later add CRM sync, consider queueing or logging locally first.

FAQ

Yes. The helper currently returns JSON already, so it works cleanly with fetch-based front ends.

Yes, for business-critical forms it is usually better to store the lead first, then attempt delivery.

Related snippets

View all

PHP Free

Secure PHP Contact Form Handler

Stack / dependencies

Compatibility

Usage notes

Why this exists

Integration steps

Code snippet

Implementation notes

Security notes

Performance notes

FAQ

Tags

Related snippets

PDO Bootstrap (db.php pattern)

PHP Login Rate Limiter (Session Based)

SEO + Open Graph Block for PHP Layouts

Stack / dependencies

Compatibility

Usage notes

Why this exists

Integration steps

Code snippet

Implementation notes

Security notes

Performance notes

FAQ

Tags

Related snippets

PDO Bootstrap (db.php pattern)

PHP Login Rate Limiter (Session Based)

SEO + Open Graph Block for PHP Layouts

Cookie preferences