stjonesMSI Posted June 5, 2015

Thanks to this group, I am getting my first PHP script set up and running. It is an online job application form for my employer that just emails the fields of the form to an email account - pretty basic for now.

In the past 24 hours I have received TWO of the submitted forms to my inbox. They are mostly blank - as if someone went to the page and clicked SUBMIT without filling anything out (I have not yet added any code to stop blank forms). I thought maybe someone had stumbled on the simple unpublished form or that one of the two other folks here that know where the form is located had been testing it. They said they had not and I changed the URL of the form to one much more obscure. That was at about 8AM this morning. Just now I received a THIRD blank email from the form, even after changing the URL.

How can the PHP script be getting triggered on its own? Our IT person said maybe a bot is triggering it. Is that possible? If so, how can I trap for that so I don't get random blank emails?

Thanks in advance for any help you can give!

Steve
mac_gyver Posted June 5, 2015 (edited)

You need to look at the web server access log to find out where the requests are coming from and/or add logic in your php script to log all the information you are getting with the request.

I looked at your previous thread, and the code isn't even checking if a form was submitted, so anything like a search engine spider or a bot script making a GET or POST request for the page will cause the code to run. Once you have made sure a post method form has submitted, you need to properly validate each input to make sure that it is not empty and that it only contains data of the expected format.

You are also putting form data into the header field. This will allow a hacker to do anything he wants to the email that gets sent by your server. Without proper validation, this will allow any To:, From:, Cc:, Bcc:, Subject, message body, attachments.... to be sent through your mail server.

And an FYI - the email is not being sent from the person who entered the information in the form. The email is being sent from your sending mail server. The From: mail header needs to be an email address at the domain of your sending mail server, or you need an SPF DNS zone record at the domain being used in the From address that says your sending mail server is authorized to send email for that domain. The Reply-To: mail header is where you would put the email address from the person who filled in the form, after you have validated that it only contains an email address and no mail header injection content.

Edited June 5, 2015 by mac_gyver
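The following is an added example illustrating the points in the post above; it is not code from the thread or from the original job-application script. It shows the per-request logging, the POST-method check, the mail header injection check on the applicant's address, and the From / Reply-To split. All names (the log path, the From and To addresses, the field names and the sample requests) are assumptions made for the example; the actual mail() call is left commented out so the script runs offline.

```php
<?php
// Added example (not from the thread): a hardened version of the "email the form
// fields" handler described above. File path, addresses, field names are assumptions.

declare(strict_types=1);

define('LOG_FILE', sys_get_temp_dir() . '/job_app_requests.log'); // assumed log location
const FROM_ADDRESS = 'jobs@example.com'; // must be at the sending server's domain (or SPF-authorised)
const TO_ADDRESS   = 'hr@example.com';   // assumed recipient

// 1. Log every request that reaches the script, so spiders and bots show up
//    in the log with their IP, method, referer and user agent.
function log_request(array $server, string $method): void {
    $line = sprintf("%s %s %s %s %s\n",
        date('c'),
        $server['REMOTE_ADDR'] ?? '-',
        $method,
        $server['HTTP_REFERER'] ?? '-',
        $server['HTTP_USER_AGENT'] ?? '-');
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}

// 2. Header injection check: a CR or LF inside a value that ends up in a mail
//    header lets the submitter append headers of their own (Bcc:, extra To:, ...).
function has_header_injection(string $value): bool {
    return (bool) preg_match('/[\r\n]/', $value);
}

// Returns the address if it is a single syntactically valid email, else null.
function validated_email(string $value): ?string {
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

// VULNERABLE pattern (what the original script did): form data straight into a header.
function build_headers_vulnerable(array $post): string {
    return 'From: ' . ($post['email'] ?? '') . "\r\n";
}

// HARDENED pattern: From is our own address; the applicant's address goes into
// Reply-To only after validation; everything else goes into the body, never a header.
function build_headers_hardened(array $post): ?string {
    $reply = validated_email((string) ($post['email'] ?? ''));
    if ($reply === null) {
        return null;
    }
    return 'From: ' . FROM_ADDRESS . "\r\n"
         . 'Reply-To: ' . $reply . "\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

function handle(array $server, array $post): string {
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    log_request($server, $method);
    if ($method !== 'POST') {
        return 'ignored: not a POST'; // spiders and GET-only bots stop here
    }
    $headers = build_headers_hardened($post);
    if ($headers === null) {
        return 'rejected: invalid or injected email address';
    }
    $body = 'Name: ' . trim((string) ($post['name'] ?? '')) . "\n"
          . 'Email: ' . trim((string) ($post['email'] ?? '')) . "\n";
    // mail(TO_ADDRESS, 'Job application', $body, $headers); // real send goes here
    return 'would send with headers: ' . str_replace("\r\n", ' | ', $headers);
}

// Constructed sample requests (not real traffic) to show the three outcomes.
$spider  = ['REQUEST_METHOD' => 'GET',  'REMOTE_ADDR' => '203.0.113.5',  'HTTP_USER_AGENT' => 'Googlebot/2.1'];
$poster  = ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'curl/7.0'];
$injected = "applicant@example.org\r\nBcc: victim@example.net";

echo handle($spider, []), "\n";
echo 'vulnerable headers: ', json_encode(build_headers_vulnerable(['email' => $injected])), "\n";
echo handle($poster, ['email' => $injected]), "\n";
echo handle($poster, ['name' => 'Steve', 'email' => 'applicant@example.org']), "\n";
```

Run it from the command line with php; the first line shows the GET request being ignored, the second shows the raw Bcc: header the vulnerable builder would have handed to mail(), the third shows the same input being rejected, and the last shows the headers a clean submission would be sent with.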
stjonesMSI Posted June 12, 2015

Thanks - I have just started working on the validation. From examples online I have found that my FORM line should contain:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

it was:

<form action="send_job_app.php" method="post">

which worked to get the form data to me just fine. I have looked at the PHP manual entries on $_SERVER and "PHP_SELF" but am still not clear on them. Are these items pulled from the server when the form is submitted?

When I put this code at the start of my FORM, the characters "> appear at the very top of the web page and are visible as if they weren't code. When I click SUBMIT, I get a page not found error and the URL in the browser reads:

http://www.morgansmithllc.com/%3C?php%20echo%20htmlspecialchars%28$_SERVER[

In the PHP Manual it says "PHP_SELF" is the name of the running script relative to the root. Do I need to code that in somehow or is PHP pulling that from the server? As I had it originally, the action was "send_job_app.php". How does this newer code know what to send? I have a feeling I am missing something, somewhere.

FYI - the example in verification I am looking at is at: http://www.sitepoint.com/form-validation-with-php/

Thanks!

Steve
Psycho Posted June 12, 2015

"i looked at your previous thread, and the code isn't even checking if a form was submitted,"

mac_gyver provided a lot of good info, but the above was something that you should pay particular attention to as the problem may not have anything to do with bots. If I understand his comment, the page would send an email just from accessing the form - i.e. no submission would be needed. If that is the case, you should wrap all the logic to receive the form data and process it within a condition that actually checks if the form was submitted.
mac_gyver Posted June 12, 2015

The line of code you showed us (reply #3 in this thread) for the <form ....> tag is either not in a .php file or it's already part of a php echo statement. In either case, the php code in it isn't being parsed and executed. If the page where your form is at isn't a .php page or you haven't configured your web server to parse .htm or .html pages as php code, no php code in it will ever be executed.

If your original form action='....' attribute worked, why did you make a change to it?

I have a recommendation concerning the article you linked to at sitepoint. DON'T write code like this -

$nameErr = $addrErr = $emailErr = $howManyErr = $favFruitErr = "";
$name = $address = $email = $howMany = "";

Instead, use an array for the errors and an array for the form data. Initialize the errors using $errors = array(), then set elements in the $errors array for each detected error -

$errors['some_field_name'] = 'The some_field_name is required';

To test if there are any errors, just test if the $errors array is empty or not.

Initialize the $data array by making a copy of the $_POST array, trimming each element (some people allow leading/trailing white-space characters in password type fields.) If you are submitting array data in the post data, you can use a recursive user written trim function with array_walk_recursive() to operate on all elements of the submitted post data. Then, use elements in the $data array everyplace you reference post data - $data['some_field_name']
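As an added example (not code from the thread, the sitepoint article, or the original form handler), here is the $errors / $data pattern from the post above applied to a job-application form. The field names, the validation rules and the two sample submissions are assumptions chosen for the example; the point is the structure, not the particular rules.

```php
<?php
// Added example (not from the thread): validating a form with an $errors array and
// a trimmed $data copy of $_POST. Field names and rules are assumptions.

declare(strict_types=1);

// Make a trimmed copy of the submitted data, including nested arrays such as a
// checkbox group (name="skills[]"). array_walk_recursive visits only the leaves,
// so the callback does not need to recurse itself. $_POST stays untouched.
function trimmed_copy(array $post): array {
    $data = $post;
    array_walk_recursive($data, function (&$v): void {
        if (is_string($v)) {
            $v = trim($v);
        }
    });
    return $data;
}

// Bots sometimes send arrays where a string is expected; treat anything that is
// not a string as an empty field rather than letting it reach preg_match().
function str_field(array $data, string $key): string {
    $v = $data[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Returns field => message. An empty array means the submission passed.
function validate(array $data): array {
    $errors = [];

    $name = str_field($data, 'name');
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match("/^[\\p{L} .'-]{2,80}$/u", $name)) {
        $errors['name'] = 'Name contains characters that are not allowed';
    }

    $email = str_field($data, 'email');
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid'; // also blocks mail header injection
    }

    $phone = str_field($data, 'phone');
    if ($phone !== '' && !preg_match('/^\+?[0-9 ()-]{7,20}$/', $phone)) {
        $errors['phone'] = 'Phone number is not valid';
    }

    // Multi-value field: every submitted value must be one we put in the form.
    $skills  = $data['skills'] ?? [];
    $allowed = ['php', 'sql', 'javascript'];
    foreach (is_array($skills) ? $skills : [$skills] as $s) {
        if (!in_array($s, $allowed, true)) {
            $errors['skills'] = 'Unknown skill selected';
            break;
        }
    }

    return $errors;
}

function process(array $post): array {
    $data   = trimmed_copy($post);
    $errors = validate($data);
    if (!empty($errors)) {
        return ['ok' => false, 'errors' => $errors];
    }
    // From here on the handler uses $data['...'], never $_POST directly.
    return ['ok' => true, 'data' => $data];
}

// Constructed submissions (not real traffic): a blank one like the bot sent,
// one with an injection attempt, and a genuine one with stray whitespace.
$blank   = ['name' => '', 'email' => '', 'phone' => '', 'skills' => []];
$attack  = ['name' => ['x'], 'email' => "a@b.com\r\nBcc: c@d.com", 'skills' => ['php', 'cobol']];
$genuine = ['name' => '  Steve Jones ', 'email' => ' steve@example.org', 'phone' => '', 'skills' => ['php', 'sql']];

print_r(process($blank));
print_r(process($attack));
print_r(process($genuine));
```

Running it prints an error list for the blank submission (name and email required), three errors for the hostile one, and ok => true with trimmed values for the genuine one. The send-mail step then runs only on the ok branch, and only reads from $data.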
stjonesMSI Posted June 12, 2015

OK. It sounds like I need to talk to our IT guy again. The web pages are all HTML - not PHP. If the IT person sets it up so HTML parses as PHP, what will that do to all my HTML pages that have no PHP in them? Will they still render in a browser OK? Or am I going to have to re-code a bunch of stuff?

I switched because, as others pointed out, there is no validation in my PHP and in looking for examples and tutorials online, this is how 2-3 sites recommended doing it. Is there a way to validate from the external PHP file the FORM calls? Or from within the HTML page itself without PHP?
jcbones Posted June 13, 2015

To cancel a script if no form was submitted, this will do. Applies to scripts that do nothing but form processing.

if($_SERVER['REQUEST_METHOD'] != 'POST') {
    exit();
}
mac_gyver Posted June 13, 2015

Your form's action='...' attribute has nothing to do with validation. It's where the form will submit to, which a little inference about what its name is and what value it had in it when it worked would have told you. If it was correct and worked in the first place, don't blindly change it based on something you saw on the internet; otherwise I have a bridge in Arizona that I have been trying to sell, that you may be interested in buying...
Barand Posted June 13, 2015

... how much?
mac_gyver Posted June 13, 2015

Since there won't be much paperwork involved, just the cash from your hands to mine, I can let it go for $2000 US, and you would be getting your bridge (or at least the bricks from it) back. Dismantling and shipping would be up to you.
Barand Posted June 13, 2015

My cheque's in the post.
stjonesMSI Posted June 15, 2015

"your form's action='...' attribute has nothing to do with validation. it's where the form will submit to. which a little inference about what it's name is and what value it had in it when it worked would have told you. if it was correct and worked in the first place, don't blindly change it based on something you saw on the internet, otherwise i have a bridge in Arizona that i have been trying to sell, that you may be interested in buying..."

Thanks for the condescending and not at all helpful response. I asked some very specific questions in my post regarding this change to the ACTION section. I am quite aware of what the ACTION section does and was pointing out what SEVERAL sources online about verification state the action tag should be, and then I asked several specific questions about how that "new" tag worked. If my questions are too "dumb" for you, then please just don't bother to respond rather than feeling the need to give an insulting response.