I'm building a contact form (PHP file, the design has already been made) which will communicate with the PHP via AJAX. I need to secure the contact form to deny any spam; for the client side, I'll be using ReCaptcha for the validation... But how can I secure the script from being tampered with or from being sent arbitrary code?

I mean, if the spammer/hacker uses the form and submits PHP code that could affect the server, how can I prevent this from happening?
The text that has been entered in your contact form should never be executed, only passed along in an e-mail message. So, whatever a hacker would submit, the worst it should be able to do is show up in the mailbox behind the form.
It's also always a good idea to use htmlentities on the content sent from your contact form, so if any HTML characters are used, they can't do any harm.
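A server-side handler in the spirit of the answer above, written here as an added example (it is not code from the question, the answer or any project): every submitted field is treated as text, validated, escaped with htmlentities() and only ever placed in an e-mail body. The recipient and sender addresses, field names and size limit are assumptions.

```php
<?php
// Added example, not code from the question or the answer. Every field is data to be
// validated and escaped; nothing is eval()ed or written to a .php file, so a submitted
// "<?php system('id'); ?>" is just characters that end up in the mailbox.
// Addresses and limits below are assumptions.
declare(strict_types=1);
const RECIPIENT = 'owner@example.com';          // assumption: mailbox behind the form
const SENDER    = 'contact-form@example.com';   // assumption: fixed, site-controlled From
const MAX_LEN   = 4000;                         // assumption: message size limit

/** Validate one submission; returns [list of errors, cleaned fields]. */
function cleanSubmission(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // A CR/LF in a value that reaches a mail header would let the sender add headers.
    if ($name === '' || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'invalid name';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    }
    if ($message === '' || mb_strlen($message) > MAX_LEN) {
        $errors[] = 'message missing or too long';
    }
    return [$errors, ['name' => $name, 'email' => $email, 'message' => $message]];
}

/** Build the HTML mail body; htmlentities() neutralises any markup in the text. */
function buildBody(array $f): string
{
    $esc = fn(string $s): string => htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>From:</b> ' . $esc($f['name']) . ' &lt;' . $esc($f['email']) . "&gt;</p>\n"
         . '<p>' . nl2br($esc($f['message'])) . "</p>\n";
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    [$errors, $fields] = cleanSubmission($_POST);
    if ($errors !== []) {
        http_response_code(422);
        echo json_encode(['ok' => false, 'errors' => $errors]);
        exit;
    }
    // From is fixed; the visitor's validated address only goes into Reply-To.
    $headers = 'From: ' . SENDER . "\r\nReply-To: {$fields['email']}\r\n"
             . "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n";
    echo json_encode(['ok' => mail(RECIPIENT, 'Contact form submission', buildBody($fields), $headers)]);
}
```

The ReCaptcha token mentioned in the question would still need to be verified server-side before cleanSubmission() is called, since a client-side check alone can be skipped by posting directly to this endpoint.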