'', 'email' => '', 'message' => '']; $spamGuard = new SpamGuard(); if ($_SERVER['REQUEST_METHOD'] === 'POST') { if (!Csrf::verify(Input::post('csrf_token'))) { return Response::redirect('/contact?error=security'); } $old = [ 'name' => Input::post('name', ''), 'email' => Input::post('email', ''), 'message' => Input::post('message', ''), ]; $validator = (new FormValidator()) ->required($old['name'], 'name', 'Name is required.') ->email($old['email'], 'email', 'A valid email is required.') ->required($old['message'], 'message', 'Message is required.'); if ($validator->passes()) { // $spamGuard checks the honeypot field + submission timing (see // Lib\SpamGuard and index.twig's hidden fields) — a bot gets the // exact same redirect a human would either way, with nothing in // the response revealing which check it tripped, or that a check // exists at all. Only Mailer::send() is skipped for spam. if (!$spamGuard->isSpam(Input::post())) { (new Mailer())->send($old['name'], $old['email'], $old['message']); } return Response::redirect('/contact?sent=1'); } $errors = $validator->errors(); } return [ 'errors' => $errors, 'old' => $old, 'sent' => Input::get('sent') !== null, 'securityError' => Input::get('error') === 'security', 'renderedAt' => $spamGuard->renderedAt(), 'csrfField' => Csrf::fieldName(), 'csrfToken' => Csrf::token(), ];