
PHP Contact form help


MidOhioIT


Can someone please help me?  I keep getting blank forms being mailed to me or bots (spam) being put into my forms.  I checked and there is no way that I can see you can do this because I put in code to prevent the blank form anyways using the form.  It looks as if maybe my form is being bypassed.  Any solutions would be nice...  Here is an example of one that is coming in blank:

 

Form:

<form name="form1" action="mail.php"  enctype="multipart/form-data" onSubmit="return checker()">
                      <table width="364"  border="0" cellspacing="0" cellpadding="0">
                        <tr align="left" valign="middle" class="style2">
                          <td width="89" height="22">Your first name:</td>
                          <td height="22"><input type="text" name="textfield" style="width:275px; height:20px; font-family:tahoma; font-size:11px; border:1px solid #BEC0C2 "></td>
                        </tr>
                        <tr align="left" valign="middle" class="style2">
                          <td width="89" height="22">Your last name:</td>
                          <td height="22"><input type="text" name="textfield2" style="width:275px; height:20px; font-family:tahoma; font-size:11px; border:1px solid #BEC0C2 "></td>
                        </tr>
                        <tr align="left" valign="middle" class="style2">
                          <td width="89" height="22">E-mail address:</td>
                          <td height="22"><input type="text" name="textfield3" style="width:275px; height:20px; font-family:tahoma; font-size:11px; border:1px solid #BEC0C2 "></td>
                        </tr>
                        <tr align="left" valign="middle" class="style2">
                          <td width="89" height="22">Your telephone:</td>
                          <td height="22"><input type="text" name="textfield4" style="width:275px; height:20px; font-family:tahoma; font-size:11px; border:1px solid #BEC0C2 "></td>
                        </tr>
                        <tr align="left" valign="top" class="style2">
                          <td width="89"><div style="padding-left:0px; padding-top:5px">Your message:</div></td>
                          <td><textarea name="textarea" style="width:275px; height:123px; font-family:tahoma; font-size:11px; border:1px solid #BEC0C2; overflow:auto "></textarea></td>
                        </tr>
                        <tr align="left" valign="middle" class="style2">
                          <td width="89" height="34"> </td>
                          <td height="34" align="right" valign="bottom">
                            <input name="Submit" type="submit" class="style5" value="Submit">
                            <input name="Reset" type="reset" class="style5" value="Reset">
                          </td>
                        </tr>
                      </table>
                                        <label></label>
                    </form>

 

Here is the JavaScript that tried to stop the empty fields:

 

<script type="text/javascript">

function checker()
{

  if ( (form1.textfield.value.length == 0 ) || (form1.textfield2.value.length == 0 ) || (form1.textfield4.value.length == 0 ) )
  {
    // If any required field is empty, display an alert box and block the submit
    alert("Please fill in all Required fields - First name, Last name and Telephone");
    // Focus must be set before returning, and on a field (form1.name is only the form's name string)
    form1.textfield.focus();
    return (false);
  }

  return (true);
} // end function checker()

</script>

 

mail.php:

<?php
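// Get all the variables from the form. The form tag sets no method, so the
// browser submits with GET; $_REQUEST covers both GET and POST.
// The values are used exactly as received.
$textfield  = isset($_REQUEST['textfield'])  ? $_REQUEST['textfield']  : '';
$textfield2 = isset($_REQUEST['textfield2']) ? $_REQUEST['textfield2'] : '';
$textfield3 = isset($_REQUEST['textfield3']) ? $_REQUEST['textfield3'] : '';
$textfield4 = isset($_REQUEST['textfield4']) ? $_REQUEST['textfield4'] : '';
$textarea   = isset($_REQUEST['textarea'])   ? $_REQUEST['textarea']   : '';
$email      = $textfield3; // e-mail field, used for Reply-To below
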
require_once ('class.phpmailer.php');

$mail = new PHPMailer();

$mail->IsSMTP();                                   // send via SMTP
$mail->Host     = "localhost"; // SMTP servers
$mail->SMTPAuth = true;     // turn on SMTP authentication
$mail->Username = "****";  // SMTP username
$mail->Password = "***"; // SMTP password

$mail->From     = "info@****.com";
$mail->FromName = "****";
$mail->AddAddress("***@ohio.com"); 
$mail->AddAddress("designteam@***.com"); 
$mail->AddReplyTo("$email");


$mail->WordWrap = 50;                              // set word wrap
//$mail->AddAttachment("/var/tmp/file.tar.gz");      // attachment
//$mail->AddAttachment("/tmp/image.jpg", "new.jpg"); 
$mail->IsHTML(true);                               // send as HTML


$mail->Subject  ="Website form";
$mail->Body     =  "<b>-- Clients Information from Contact page --</b> <br><br>
                    <b>Name:</b> $textfield $textfield2 <br>
                    <b>Phone:</b> $textfield4<br>
                    <b>Email:</b> $textfield3 <br>
                    <b>Comments:</b> $textarea " ;

$mail->AltBody  =  "This is the text-only body";

if(!$mail->Send())
{
   echo "Message was not sent, please try again. <p>";
   echo "Mailer Error: " . $mail->ErrorInfo;
   exit;
}

// message is sent!

echo "<center><meta http-equiv='refresh' content='7; url=http://www.***.com'></center>";

echo "<center><br><h5>Thank you for contacting us.</h5></center>";

?>


A bot - or anyone who wanted to - can easily get around your javascript validation.  If validating client side was effective, there would be no need for captchas, etc.

 

To answer your inquiry, how they are getting around your javascript is beside the point.  Any time you put a form on the net you should:

 

a. validate server-side

b. filter input

c. escape output

 

Google or read the php manual for some techniques.


I'll second what tarlejh has stated.

 

Bot scripts don't have javascript and even if they did, it would be possible for them to disable it.

 

You must validate all external data when it reaches the server.

 

Also, your form processing code is not checking that the form's submit button is set, so anything, like a search engine, that requests your mail.php page will cause an email to be sent.


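The checks both replies describe (confirm the request is a real form submission, validate and filter on the server, escape on output), as an added example that is not code from the thread. `validate_contact()` and `build_body()` are hypothetical helper names, the field names are the ones from the form above, and the sample requests are constructed.

```php
<?php
// Added example (PHP 7+). validate_contact() and build_body() are hypothetical helpers.
function validate_contact(array $post, string $method): array
{
    // A direct request to mail.php (crawler, bare GET) is not a submission.
    if ($method !== 'POST' || !isset($post['Submit'])) {
        return [['not a form submission'], []];
    }
    $clean = [];
    foreach (['textfield', 'textfield2', 'textfield3', 'textfield4', 'textarea'] as $f) {
        $v = (isset($post[$f]) && is_string($post[$f])) ? trim($post[$f]) : '';
        // Filter input: single-line fields must not carry CR/LF or control bytes.
        $clean[$f] = ($f === 'textarea') ? $v : preg_replace('/[\x00-\x1F\x7F]/', '', $v);
    }
    // Validate server-side: the same required fields the JavaScript checked.
    $errors = [];
    $required = ['textfield' => 'first name', 'textfield2' => 'last name', 'textfield4' => 'telephone'];
    foreach ($required as $f => $label) {
        if ($clean[$f] === '') {
            $errors[] = "$label is required";
        }
    }
    if ($clean['textfield3'] !== '' && !filter_var($clean['textfield3'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'e-mail address is not valid';
    }
    return [$errors, $clean];
}

function build_body(array $clean): string
{
    // Escape output: the mail is sent as HTML, so encode every submitted value.
    $e = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    return '<b>Name:</b> ' . $e($clean['textfield']) . ' ' . $e($clean['textfield2']) . '<br>'
         . '<b>Phone:</b> ' . $e($clean['textfield4']) . '<br>'
         . '<b>Email:</b> ' . $e($clean['textfield3']) . '<br>'
         . '<b>Comments:</b> ' . nl2br($e($clean['textarea']));
}

// Constructed sample requests: [method, fields]. In mail.php these would be
// $_SERVER['REQUEST_METHOD'] and $_POST, and Send() runs only when $errors is empty.
$samples = [
    ['GET',  []],
    ['POST', ['Submit' => 'Submit', 'textfield' => '', 'textfield2' => '', 'textfield4' => '']],
    ['POST', ['Submit' => 'Submit', 'textfield' => 'Ann', 'textfield2' => 'Lee',
              'textfield3' => 'ann@example.com', 'textfield4' => '555-0100',
              'textarea' => '<b>hello</b> & goodbye']],
];
foreach ($samples as list($method, $fields)) {
    list($errors, $clean) = validate_contact($fields, $method);
    echo $errors ? 'rejected: ' . implode('; ', $errors) : 'accepted: ' . build_body($clean), "\n";
}
```

The first two samples are rejected without any mail being built; only the third reaches `build_body()`, where the markup in the message arrives encoded rather than as live HTML.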