Public Forms

Public forms, like contact or newsletter subscription forms, are a common requirement for websites, but often a hassle for developers. Typemill makes your life much easier, because all you need is a plugin with some form definitions in YAML, and business logic in PHP. All the complicated stuff like generating the front end forms, validating, form-data, and adding spam security or CSRF-protection is done by Typemill automatically.

Form Definitions

Public forms are defined in a separate block of the YAML-configuration-file of your plugin. Public forms can use the exact same field definitions as theme- and plugin-forms. Look at this example:

      type: text
      label: 'I am a textfield'
      required: true
      type: text
      label: 'I am a textfield'
      required: true

You probably want to customize the labels and text hints of your public forms, so that the admin can localize them for example. This can be done by a simple reference like this:

      type: text
      label: 'Label of Mail-Input-Field'
      placeholder: 'Localize label here'
      required: true
      type: text
      label: mail_label
      required: true

The label of the public mail field has a reference to the mail_label field of the admin forms. This way, the admin can overwrite the label for the mail-field of the public form in the plugin-settings. You can add references like this for three fieldtypes:

  • label
  • help
  • description

Business Logic

Typemill has a pretty straight-forward approach to logic for public forms: If a user sends data with a public form, then Typemill will check the data and redirect the user back to the original page. If the data is valid, then Typemill will store the data before it redirects the user. If the data is not valid, and contains errors, then Typemill will add error messages before it redirects the user.

In your plugin, you can handle both the frontend form AND the incoming form data with two handy methods. Both methods expect the name of the plugin as a variable:

  • $this->getFormdata('pluginName'): Checks and returns input data from a form.
  • $this->generateForm('pluginName'): Generates the frontend-form.

If the user has submitted a form and if the form data is valid, then the method $this->getFormdata will return the data, and you can process the data. You always have to check for existing form data first. If no form data exists, then you can generate the frontend form and display it to the user. So your code will always look similar to this:

# check if form data have been stored
$formdata = $this->getFormdata('contactform');
    # process the formdata here, e.g. store them or send a mail
    # get the public forms for the plugin
    $contactform = $this->generateForm('contactform');              


Public forms have a lot of security implications. To make your forms as secure as possible, Typemill provides some build-in security features. At the same time a plugin developer and a website administrator should do everything on their own to protect their page.


It is generally recommended to use HTTPS connections for websites. If you use public forms, then it is also often required by law (e.g. contact forms and dsgvo).

Input Validation

Typemill will validate all incoming data against the original form definition, so no additional data can be posted. Incoming data is validated with common rules; no HTML or other code characters will pass the validation. All error messages are added automatically, so you do not have to worry about it.

You can also add a regular expression to each field. The input data will be validated against this regular expression before the data is stored.

CSRF Protection

Typemill automatically adds a csrf-protection to all forms, public and non-public. A csrf-protection makes sure that


Typemill will automatically add a honeypot field to all public forms. A honeypot field is a input field (text) that is visually hidden in frontend. If a bot fills it out (because it does not notice that it is hidden), then the bot will automatically redirected to the startpage after submitting the form.


Typemill will automatically add a traditional captcha field with a text-image to all public forms. A user can only submit a form if he fills out the captcha correctly. If the captcha is incorrect, then the user will be redirected too the form again and the data are not stored. This is a standard measure to protect forms from spam-bots and other techniques.

In your plugin you can integrate the option to:

  • disable the captcha completely
  • to show the captcha only after a wrong initial input.

To do so, please add the following radio-buttons in your plugin settings:

      type: radio
      label: Configure the captcha
        standard: Show directly (standard)
        aftererror: Show after first wrong input
        disabled: Disable

You can change the field label and the description of each option. But you have to keep the fieldname captchaoptions and the option-names standard, aftererror and disabled. Otherwise it will be ignored and the captcha will always show directly.

Google Re-Captcha

The traditional captcha field that ships with typemill (gregwar php captcha) does not rely on any external service and is a perfect solution without any privacy concerns. However, it is a bit difficult to read and solve and thus might lower the conversion of your forms. Also the protection might be lower because an image captcha can be solved by KI machines today.

As an alternative you can also provide a google recaptcha where the user only has to check a checkbox in most cases. Be aware that it might have some privacy implications when you add it to a website.

To add an option for google re-captcha in your plugin settings, please add the following fields:

      type: checkbox
      label: Google Recaptcha
      checkboxlabel: Activate Recaptcha
      type: text
      label: Recaptcha Website Key
      help: Add the recaptcha website key here. You can get the key from the recaptcha website.
      description: The website key is mandatory if you activate the recaptcha field
      type: text
      label: Recaptcha Secret Key
      help: Add the recaptcha secret key here. You can get the key from the recaptcha website.
      description: The secret key is mandatory if you activate the recaptcha field

If you add google recaptcha to your plugin, you also have to add the standard php-captcha option so the admin can disable it in the plugin settings. Otherwise you get two captchas.

Track Suspicious Actions

In the developer settings of the admin area you can activate a feature that logs all (or most) actions that might result from attacks or spam bots. The log contains the IP address, the time and the action (like wrong captcha, wrong password, and more). You can activate and deactivate the log and you can delete the log with the button "recreate cache".


This feature is not implemented yet, but it is planned for a future release of typemill.

Individual Security Features for Plugins

If you develop a plugin, then think about additional security features. For example, if you create a registration feature, then you can block all registration attempts with so called burner mails. This is implemented with the existing register plugin. Another security feature from that plugin is the double opt in method.

© by Sebastian Schürmanns, 2017 - 2021. All Rights Reserved. Built with Typemill.