eddytheflow Posted April 22, 2011

Hello,

I've looked around at some previous posts and can't seem to get them to work for me. I'm occasionally receiving blank emails from my contact form, i.e.

Name:
Email:
Subject:
Message:

with no fields filled out. No doubt the cause is my form. It has validation, and I'm aware that with JS turned off, the validation won't work, but I find it hard to believe that people are just submitting blank forms. I'm confused, and am worried that I'm getting emails and not realizing it! My code is below; if you can point me in the right direction or point out the problem area, that would be great!

Website is: www.ed-yu.com

```html
<div id="contact_box">
  <h3>Questions?<br />Comments?<br />Just get in touch.</h3>
  <p>(use the form below, or email edward@ed-yu.com)</p>
  <form id="contact" method="post" class="form" action="js/contactengine.php">
    <p class="name">
      <input type="text" name="Name" id="Name" />
      <label for="Name">Name</label>
    </p>
    <p class="email">
      <input type="text" name="Email" id="Email" />
      <label for="Email">Email</label>
    </p>
    <p class="Subject">
      <select name="Subject" id="Subject">
        <option value="000" selected="selected"> - Choose -</option>
        <option value="General Question">General Question</option>
        <option value="Photography Inquiry">Photography Inquiry</option>
        <option value="Web-design Inquiry">Web-design Inquiry</option>
        <option value="Love Letter">Love Letter</option>
        <option value="Hate Mail">Hate Mail</option>
        <option value="Website Feedback">Website Feedback</option>
      </select>
      <label for="Subject">Subject</label>
    </p>
    <p class="Message">
      <label for="Message"> </label><br />
      <textarea name="Message" rows="20" cols="20" id="Message"></textarea>
    </p>
    <p class="Submit">
      <input type="Submit" name="Submit" value="Send Email" class="submit-button" />
    </p>
  </form>
</div><!--contact_box-->
```

```php
<?php
$EmailFrom = "ED-YU.com";
$EmailTo = "eddytheflow@gmail.com";
$Subject = "A new ".mb_strtolower($_POST['Subject'])." from ".$_POST['Name']." ";
$Name = Trim(stripslashes($_POST['Name']));
$Tel = Trim(stripslashes($_POST['Tel']));
$Email = Trim(stripslashes($_POST['Email']));
$Message = Trim(stripslashes($_POST['Message']));

// validation
$validationOK=true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email: ";
$Body .= $Email;
$Body .= "\n";
$Body .= "Subject: ";
$Body .= $Subject;
$Body .= "\n";
$Body .= "Message: ";
$Body .= $Message;
$Body .= "\n";

// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page
if ($success){
  print "<meta http-equiv=\"refresh\" content=\"0;URL=contactthanks.php\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}
?>
```

fugix Posted April 22, 2011

It looks to me like you don't have any code set up to actually check to make sure that the user has filled out all required fields before sending the email.

Zane Posted April 22, 2011

If you just recently received a bunch of blank emails, it's because all someone has to do, to do that, is navigate to your mail script. Then they can hit F5 to their heart's content and you'll get an email for every one.

I didn't receive any errors when I went to your script and I don't understand why not. You're calling a $_POST variable without even checking to see if it exists first. Meanwhile, you're sending the email without even checking if the form's submit button was clicked. I'd say that is the reason.

fugix Posted April 22, 2011

Yeah... definitely need to validate your forms and protect against SQL injection etc.

eddytheflow (Author) Posted April 22, 2011

Thanks for the responses guys. Here is the JS I'm using as a validator: http://www.javascript-coder.com/html-form/javascript-form-validation.phtml#download

and the code at the bottom of my page:

```html
<script type="text/javascript">
var frmvalidator = new Validator("contact");
frmvalidator.addValidation("Name","req","Name required!");
frmvalidator.addValidation("Email","req","Email required!");
frmvalidator.addValidation("Email","email","Please use a valid Email address!");
// Field name must match the form's name="Subject" exactly (case-sensitive).
frmvalidator.addValidation("Subject", "dontselect=000","Please select a subject!");
frmvalidator.addValidation("Message","req","Please enter a message!");
frmvalidator.addValidation("Message","minlen=20","Your message is too short!");
</script><!--end validation-->
```

Should I use a non-JS based validation? Definitely understand the weakness here.

Pikachu2000 Posted April 22, 2011

JavaScript is not validation. Data must be validated server-side.

eddytheflow (Author) Posted April 22, 2011

Thanks pikachu, I guess the JS is more of a UI function? I just added the following code to my PHP, is this right:

```php
// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;
if (Trim($Subject)=="") $validationOK=false;
if (Trim($Email)=="") $validationOK=false;
if (Trim($Message)=="") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}
```

eddytheflow (Author) Posted April 22, 2011

So I haven't quite figured out why I was getting blank emails; either my code was wrong or I was getting terrorized. I suspect Pikachu was right, I need server-side validation, which I think I've solved by adding the above lines to the PHP script.

I've also now added a few lines that report the sender's IP address, the browser used, and the referrer (last link clicked). Hopefully this gives me some insight if the validation wasn't the problem.

My code now looks like this:

```php
<?php
$EmailFrom = "ED-YU.com";
$EmailTo = "eddytheflow@gmail.com";
$Subject = "A ".($_POST['Topic'])." from ".$_POST['Name']." ";
$Name = Trim(stripslashes($_POST['Name']));
$Email = Trim(stripslashes($_POST['Email']));
$Message = Trim(stripslashes($_POST['Message']));
$Topic = Trim(stripslashes($_POST['Topic']));
$ip = $_SERVER['REMOTE_ADDR'];
$hostaddress = gethostbyaddr($ip);
$browser = $_SERVER['HTTP_USER_AGENT'];
$referred = $_SERVER['HTTP_REFERER'];

// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;
if (Trim($Topic)=="") $validationOK=false;
if (Trim($Email)=="") $validationOK=false;
if (Trim($Message)=="") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Topic: ";
$Body .= $Topic;
$Body .= "\n";
$Body .= "Email: ";
$Body .= $Email;
$Body .= "\n";
$Body .= "Message: ";
$Body .= $Message;
$Body .= "\n";
$Body .= "\n";
$Body .= "ip: ";
$Body .= $ip;
$Body .= "\n";
$Body .= "Detailed IP: ";
$Body .= $hostaddress;
$Body .= "\n";
$Body .= "Browser: ";
$Body .= $browser;
$Body .= "\n";
$Body .= "referred: ";
$Body .= $referred;
$Body .= "\n";

// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page
if ($success){
  print "<meta http-equiv=\"refresh\" content=\"0;URL=contactthanks.php\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}
?>
```

Pikachu2000 Posted April 22, 2011

Since that script has no reason to be accessed unless the form has been submitted, I'd check for that, and if there is no submission, redirect to the form.

```php
if( strtolower($_SERVER['REQUEST_METHOD']) != 'post' ) {
  header('Location: your_mail_form.php');
  exit();
}
```

As far as validation, you can go as tight or as loose as you need to. At a minimum, I'd validate that the email address supplied is a valid address, any required fields are at least not empty, and that any attempts to inject any XSS code are countered with htmlentities().

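The server-side checks recommended in the replies above, as an added example that is not code from any poster in this thread. The function name `validate_contact` is hypothetical, the subject allow-list is copied from the form's option values in the first post, the 20-character minimum mirrors the poster's JS rule, and the two sample requests are constructed.

```php
<?php
// Added example: server-side checks for the contact form fields discussed above.
const ALLOWED_SUBJECTS = ['General Question', 'Photography Inquiry',
    'Web-design Inquiry', 'Love Letter', 'Hate Mail', 'Website Feedback'];

/** Returns [clean fields, error list]; never relies on the browser-side validator. */
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['Name', 'Email', 'Subject', 'Message'] as $field) {
        // A missing key (script opened directly, no form) is treated as empty.
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[] = "$field is required";
        }
        $clean[$field] = $value;
    }
    if ($clean['Email'] !== '' && filter_var($clean['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address';
    }
    // "000" is the "- Choose -" placeholder; accept only the real options.
    if ($clean['Subject'] !== '' && !in_array($clean['Subject'], ALLOWED_SUBJECTS, true)) {
        $errors[] = 'Subject is not one of the form options';
    }
    if (strlen($clean['Message']) > 0 && strlen($clean['Message']) < 20) {
        $errors[] = 'Message is too short';
    }
    // Name ends up in the mail subject line, so drop CR/LF from it.
    $clean['Name'] = str_replace(["\r", "\n"], ' ', $clean['Name']);
    return [$clean, $errors];
}

// Constructed sample requests: a direct hit with no fields, and a filled-in form.
$samples = [
    'blank'  => [],
    'filled' => ['Name' => 'Ann Example', 'Email' => 'ann@example.com',
                 'Subject' => 'Website Feedback',
                 'Message' => 'The gallery page loads slowly on my phone.'],
];
foreach ($samples as $label => $post) {
    [$clean, $errors] = validate_contact($post);
    // In contactengine.php: call mail() only when $errors is empty,
    // otherwise redirect to error.htm as the original script does.
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok, would send', "\n";
}
```

The "blank" request is what the mail script receives when it is opened directly or refreshed, which is the case described earlier in the thread.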