I am adding a page to my site that allows doctors to send me referrals. Some of the data will be highly sensitive, so I need to be sure that it is handled as securely as possible. The data doesn't get stored in a database. It is simply emailed directly to me. The PHP script is below.

I use the str_replace function to filter out URLs. I'm not too concerned about that. I really, though, need to be sure that bad guys cannot intercept what's being sent. The lawsuit may be a little more than ugly. How does it look? Does anyone think I need to add or remove anything to keep the bad guys at bay? I plan on adding a Captcha before I publish the page. Thanks in advance.

if(isset($_POST['submit'])) {


			$domains = array('.com', '.org', '.net', '.gov', '.edu', '.mil', '.int');

			$replacement = array('/*com*', '/*org*', '/*net*', '/*gov*', '/*edu*', '/*mil*', '/*int*');

			$to = "email@place.com";

			$subject = "**** (Referral)";

			$physican_field = strip_tags($_POST['physician']);

			$name_field = strip_tags($_POST['patient']);

			$insurance_field = strip_tags($_POST['primary']);

			$insurancenumber_field = strip_tags($_POST['insurance#']);

			$phone_field = strip_tags($_POST['phone']);

			$address = strip_tags($_POST['address']);

			$address = str_replace($domains, $replacement, $address);


			$body = "Physician: $physican_field\n Patient: $name_field\n Phone: $phone_field\n Primary Insurance: $insurance_field\n Insurance/Medicare#: $insurancenumber_field\n File: $file_uploaded\n Address: $message\n";


			mail($to, $subject, $body);


		} else {

			die("We apologize, but your form was not submitted succesfully");


If you want to make interception more difficult, use an SSL connection. Then it will at least be sent encrypted.

Or let those doctors e-mail it to you directly, without using the webpage.

I was thinking about an SSL, but I don't want to pay for it. And they could email it, but they invariably leave out important info that patients never want to give out over the phone. With the form, I make each field required, and then I know I have it. I guess an SSL maybe the safest bet, though.

Thanks for the reply

Imo, CAPTCHA will not serve your purpose much. SSL is the best way. Find it expensive? I guess if so, there's the alternative of making your own SSL (but then users viewing a warning may be a downside).

Thanks for the reply. I guess a private SSL isn't too bad. I checked and it's less expensive than I thought. Why don't you think CAPTHCA will serve the purpose?

Capthcha is used to avoid spam generated by bots, it can not defeat or restrict a human.