$now - $t < 3600); if (count($_SESSION[$key]) >= 3) { if ($this_is_ajax()) { http_response_code(429); echo json_encode(['form_ok' => false, 'errors' => ['Too many submissions. Please try again later.']]); } else { header('Location: /'); exit; } } function this_is_ajax(): bool { return !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest'; } function h(string $str): string { return htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8'); } $formok = true; $errors = []; $date = date('d/m/Y'); $time = date('H:i:s'); // Read and sanitise inputs $name = trim($_POST['Name'] ?? ''); $email = trim($_POST['Email'] ?? ''); $telephone = trim($_POST['Phone'] ?? ''); $message = trim($_POST['message'] ?? ''); // Validate name if ($name === '') { $formok = false; $errors[] = 'You have not entered a name'; } // Validate email if ($email === '') { $formok = false; $errors[] = 'You have not entered an email address'; } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) { $formok = false; $errors[] = 'You have not entered a valid email address'; } // Validate message if ($message === '') { $formok = false; $errors[] = 'You have not entered a message'; } elseif (strlen($message) < 20) { $formok = false; $errors[] = 'Your message must be at least 20 characters'; } // Strip newlines from header-injectable fields (mail header injection defence) $name = str_replace(["\r", "\n"], ' ', $name); $email = str_replace(["\r", "\n"], ' ', $email); $telephone = str_replace(["\r", "\n"], ' ', $telephone); if ($formok) { // Record this submission in the rate-limit bucket $_SESSION[$key][] = $now; $to = 'info@provoc.ug'; $subject = 'New Enquiry from Website'; $headers = "From: noreply@provocgroup.com\r\n"; $headers .= "Reply-To: " . h($email) . "\r\n"; $headers .= "Content-Type: text/html; charset=UTF-8\r\n"; $headers .= "X-Mailer: PHP/" . phpversion() . "\r\n"; $emailbody = "

You have received a new enquiry from the website contact form.

Name:" . h($name) . "
Email:" . h($email) . "
Phone:" . h($telephone) . "
Message:" . nl2br(h($message)) . "
IP:" . h($ip) . "
Date/Time:" . h($date) . " " . h($time) . "
"; mail($to, $subject, $emailbody, $headers); } $returndata = [ 'posted_form_data' => [ 'name' => $name, 'email' => $email, 'phone' => $telephone, 'message' => $message, ], 'form_ok' => $formok, 'errors' => $errors, ]; if (this_is_ajax()) { header('Content-Type: application/json'); echo json_encode($returndata); exit; } // Non-AJAX: redirect back to homepage (never to user-supplied Referer) $_SESSION['cf_returndata'] = $returndata; header('Location: /'); exit;