
Is this contact form secure?


Problem

I have the following contact form, using PHP, JS and a bit of Ajax. I want to make sure that it is secure.

```
Success!" : "Error! There was a problem with sending.";

    echo $response;
  }
}
else
{
  echo "Form data error!";
}
ob_flush();
die();
}
?>

Contact us | Website Name

" />

Your Name

Email Address

Message

Send

$("#contactForm").submit(function(event) {

  /* stop form from submitting normally */
  event.preventDefault();

  /* get some values from elements on the page: */
  var $form = $(this),
      $submit = $form.find('button[id="submit"]'),
      token_value = $form.find('input[id="token"]').val(),
      name_value = $form.find('input[id="name"]').val(),
      email_value = $form.find('input[id="email"]').val(),
      message_value = $form.find('textarea[id="message"]').val(),
      url = $form.attr('action');

  /* send the data using post */
```

Solution

No, I've noticed several issues.

Make sure the stuff in assets/includes/ isn't world readable.

e.g. is it possible to view this code by going to www.example.com/assets/includes/second-header.inc (substituting in your domain name of course)?

Also, don't use rand() to generate tokens for secure use. rand() will generate predictable values that can be guessed by an attacker.

The manual states:

Caution
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.

You need cryptographically secure values for use as tokens.

Also, make sure that the email you are entering in the headers

```
$headers .= 'From: '.$email . "\r\n";
```

has new lines and carriage return characters stripped from it to prevent Email Header Injection.

Otherwise you're good to go.
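A hardened version of the two code-level points the answer raises (the token source and the address that lands in a mail header), written as an added example; it is not code from the original question, the answer, or any project. The function names, the site and owner addresses, and the session handling described in the comments are this example's own assumptions, and it expects PHP 7.4 or later (random_bytes(), hash_equals(), array headers for mail(), and ??=).

```php
<?php
// Added example, not the question's or answer's code. Replaces the two weak
// pieces the answer calls out: a token from rand() and an unchecked From: header.
// Function names and the example.com addresses are assumptions of this example.
declare(strict_types=1);

/**
 * CSRF token: 32 bytes from the OS CSPRNG via random_bytes(), hex-encoded to
 * 64 characters. rand()/mt_rand() are predictable; the manual text quoted in
 * the answer points at openssl_random_pseudo_bytes(), and random_bytes() is the
 * modern equivalent. Store the value in $_SESSION when the page is rendered and
 * echo it into the form's hidden token input.
 */
function generate_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Compare the submitted token with the stored one in constant time.
 * hash_equals() has no early exit, so timing does not reveal how many
 * leading bytes of a guess were correct.
 */
function verify_csrf_token(?string $submitted, ?string $stored): bool
{
    if ($submitted === null || $stored === null || $stored === '') {
        return false;
    }
    return hash_equals($stored, $submitted);
}

/**
 * Validate the visitor's address before it goes near a mail header. A CR or LF
 * inside the value ends the header line and lets the sender append their own
 * "Bcc:" or "Content-Type:" lines (email header injection). Returns the clean
 * address, or null if the submission must be rejected rather than "stripped".
 */
function safe_reply_to(string $email): ?string
{
    // Reject the injection characters (and NUL) explicitly, before trim(), so
    // the intent is visible even though FILTER_VALIDATE_EMAIL would also fail them.
    if (preg_match('/[\r\n\0]/', $email) === 1) {
        return null;
    }
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

/**
 * Handle one POST. $post is the request body, $stored_token the session value
 * saved when the form was rendered, $send the mail transport (PHP's mail() by
 * default) so the handler can be exercised without sending anything.
 * Returns the text the Ajax caller displays.
 */
function handle_contact_post(array $post, ?string $stored_token, ?callable $send = null): string
{
    $field = static fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';

    if (!verify_csrf_token($post['token'] ?? null, $stored_token)) {
        return 'Form data error!';   // missing, stale or forged token
    }
    $name    = $field('name');
    $message = $field('message');
    $email   = safe_reply_to($field('email'));
    if ($name === '' || $message === '' || $email === null) {
        return 'Form data error!';
    }
    // From: stays a fixed site address and the Subject is a constant, so no user
    // input ever becomes a header line; the visitor's address goes in Reply-To.
    $headers = [
        'From'     => 'contact@example.com',   // assumed site address
        'Reply-To' => $email,
        'X-Mailer' => 'PHP/' . PHP_VERSION,
    ];
    $body = "Name: {$name}\nEmail: {$email}\n\n{$message}";   // body may contain newlines
    $send ??= 'mail';
    $sent = $send('owner@example.com', 'Contact form', $body, $headers);
    return $sent ? 'Success!' : 'Error! There was a problem with sending.';
}

// Demonstration on constructed input; the fake transport only records the call.
$last   = null;
$record = function (string $to, string $subject, string $body, array $headers) use (&$last): bool {
    $last = compact('to', 'subject', 'body', 'headers');
    return true;
};
$token = generate_csrf_token();

$valid = handle_contact_post(
    ['token' => $token, 'name' => 'Ada', 'email' => 'ada@example.com', 'message' => 'Hello'],
    $token, $record
);
// A CR/LF inside the address is rejected before any header is built.
$injected = handle_contact_post(
    ['token' => $token, 'name' => 'Mallory', 'message' => 'x',
     'email' => "mallory@example.com\r\nBcc: everyone@example.net"],
    $token, $record
);
// A forged token is rejected before the other fields are even looked at.
$forged = handle_contact_post(
    ['token' => str_repeat('a', 64), 'name' => 'Eve', 'email' => 'eve@example.com', 'message' => 'x'],
    $token, $record
);

echo "valid: {$valid}\ninjected: {$injected}\nforged: {$forged}\n";
echo 'Reply-To sent for the valid submission: ' . $last['headers']['Reply-To'] . "\n";
```

Rejecting an address that contains CR or LF, rather than stripping those characters, is the safer reading of the answer's advice: a form visitor never types a newline into an email field, so the presence of one is a signal to drop the request, not to repair it. The answer's first point, the readable `assets/includes/` directory, is a deployment check rather than code: either keep the include files outside the web root or deny them in the server configuration (for Apache, a `<FilesMatch "\.inc$">` block that denies all access), then confirm with a browser that the URL the answer gives returns an error instead of source.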

Context

StackExchange Code Review Q#39455, answer score: 3
