Contact Form Validation: Code to filter characters allowed in message


I have a problem with spammers on my contact form. I notice that they use non-standard characters in their messages, so I would like to add code that only allows messages containing the standard characters 0-9 a-z A-Z !@$&'",.?/ and spaces, and otherwise shows an error message that says, "Your message contains forbidden characters". Below is the code I use for my Process.php:

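<?php
/*
 * Contact form processor.
 *
 * Reads the posted fields, validates name / email / message, e-mails the
 * enquiry as HTML, and (for non-AJAX requests) stores the result in the
 * session and redirects back to the form.
 *
 * Everything in $_POST and the Referer / X-Requested-With headers is
 * client-controlled, so it is treated as untrusted throughout:
 *   - fields are coerced to strings before any string function touches them;
 *   - values are HTML-escaped before being placed in the HTML mail body;
 *   - the redirect target is rebuilt as a same-site relative URL.
 */

// Read one POST field as a trimmed string. A missing field, or a field sent
// as an array (name[]=x), becomes '' instead of raising a notice or breaking
// strlen()/filter_var() further down. isset($_POST) was always true, so it
// never guarded these reads.
$readField = function ($key) {
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? trim($_POST[$key]) : '';
};

//form validation vars
$formok = true;
$errors = array();

//submission data
$ipaddress = $_SERVER['REMOTE_ADDR'];
$date = date('d/m/Y');
$time = date('H:i:s');

//form data
$name = $readField('name');
$email = $readField('email');
$telephone = $readField('telephone');
// Read for parity with the form but deliberately not used below: the mail
// subject stays a fixed string, so no user input reaches the mail headers.
$subject = $readField('subject');
$message = $readField('message');

//validate name is not empty (compared with '' so that a literal "0" is accepted)
if ($name === '') {
    $formok = false;
    $errors[] = "You have not entered a name";
}

//validate email address is not empty
if ($email === '') {
    $formok = false;
    $errors[] = "You have not entered an email address";
//validate email address is valid
} elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $formok = false;
    $errors[] = "You have not entered a valid email address";
}

//validate message is not empty
if ($message === '') {
    $formok = false;
    $errors[] = "You have not entered a message";
//validate message length (strlen counts bytes, not characters)
} elseif (strlen($message) < 20) {
    $formok = false;
    $errors[] = "Your message must be greater than 20 characters";
}

//send email if all is ok
if ($formok) {
    $headers = "From: [email protected]" . "\r\n";
    $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

    // The body is HTML, so every interpolated value is escaped first;
    // otherwise markup typed into the form would be rendered by the mail
    // client. The encoding matches the charset declared in the header above.
    $escape = function ($value) {
        return htmlspecialchars($value, ENT_QUOTES, 'ISO-8859-1');
    };
    $safe = array_map($escape, array(
        'name' => $name,
        'email' => $email,
        'telephone' => $telephone,
        'message' => $message,
        'ipaddress' => $ipaddress,
    ));

    $emailbody = "<p>You have recieved a new message from the enquiries form on your website.</p>
              <p><strong>Name: </strong> {$safe['name']} </p>
              <p><strong>Email Address: </strong> {$safe['email']} </p>
              <p><strong>Telephone: </strong> {$safe['telephone']} </p>
              <p><strong>Message: </strong> {$safe['message']} </p>
              <p>This message was sent from the IP Address: {$safe['ipaddress']} on {$date} at {$time}</p>";

    // mail() returns false when the message was not accepted for delivery;
    // report that instead of telling the visitor the form succeeded.
    if (!mail("[email protected]", "New Enquiry", $emailbody, $headers)) {
        $formok = false;
        $errors[] = "Your message could not be sent. Please try again later.";
    }
}

//what we need to return back to our form
// NOTE(review): these are the raw submitted values; whatever page prints
// them back into the form must HTML-escape them at output time.
$returndata = array(
    'posted_form_data' => array(
        'name' => $name,
        'email' => $email,
        'telephone' => $telephone,
        'message' => $message
    ),
    'form_ok' => $formok,
    'errors' => $errors
);

//if this is not an ajax request
// The header must be absent OR carry a different value. The previous
// "empty(...) && strtolower(...) !== ..." test only passed when the header
// was missing, and then read the missing index a second time.
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';

if (!$isAjax) {

    //set session variables
    session_start();
    $_SESSION['cf_returndata'] = $returndata;

    //redirect back to form
    // The Referer header is optional and client-supplied, so it is never
    // echoed into Location as-is. It is used only when it names this host
    // over http(s), and even then only its path and query are kept, which
    // makes the redirect same-site by construction.
    $target = '/'; // fallback: site root - adjust to the form's own URL
    if (isset($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) && is_string($_SERVER['HTTP_REFERER'])) {
        $ref = parse_url($_SERVER['HTTP_REFERER']);
        if (is_array($ref) && isset($ref['scheme'], $ref['host'])
            && in_array(strtolower($ref['scheme']), array('http', 'https'), true)) {
            $authority = $ref['host'] . (isset($ref['port']) ? ':' . $ref['port'] : '');
            if (strcasecmp($authority, $_SERVER['HTTP_HOST']) === 0) {
                // Collapse leading slashes/backslashes so the path cannot be
                // read by a browser as a protocol-relative URL (//other-host).
                $path = isset($ref['path']) ? $ref['path'] : '';
                $target = '/' . ltrim($path, '/\\');
                if (isset($ref['query'])) {
                    $target .= '?' . $ref['query'];
                }
            }
        }
    }
    header('location: ' . $target);
    // Stop here so nothing else runs or is output after the redirect.
    exit;

}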

There are 1 best solutions below


You can use a regular expression to validate the message:

// Allow-list check on the message body: digits, ASCII letters (the /i flag
// makes a-z case-insensitive), the punctuation !@$&'",.?/ and whitespace.
// \s admits tabs and line breaks as well as spaces, and any non-ASCII
// character (an accented letter, for instance) fails the check, so this
// rejects some legitimate messages as well as the unwanted ones.
// preg_match() returns 1 on a match, 0 on no match and false on error;
// anything other than 1 is treated as invalid.
if (preg_match('/^[0-9a-z\!@\$\&\'",\.\?\/\s]*$/i', $message) !== 1) {
    $errors[] = "You entered invalid character";
    $formok = false;
}