Jump to content

Recommended Posts

Thanks to this group, I am getting my first PHP script set up and running.  It is an online job application form for my employer that just emails the fields of the form to an email account - pretty basic for now.

 

In the past 24 hours I have received TWO of the submitted forms to my inbox.  They are mostly blank - as if someone went to the page and clicked SUBMIT without filling anything out (I have not yet added any code to stop blank forms).  I thought maybe someone had stumbled on the simple unpublished form or that one of the two other folks here that know where the form is located had been testing it.  They said they had not and I changed the URL of the form to one much more obscure.  That was at about 8AM this morning.  Just now I received a THIRD blank email from the form, even after changing the URL.

 

How can the PHP script be getting triggered on its own?  Our IT person said maybe a bot is triggering it.  Is that possible?  If so, how can I trap for that so I don't get random blank emails?

 

Thanks in advance for any help you can give!

 

Steve

 

Link to comment
https://forums.phpfreaks.com/topic/296669-php-script-firing-unattended/
Share on other sites

you need to look at the web server access log to find out where the requests are coming from and/or add logic in your php script to log all the information you are getting with the request.

 

i looked at your previous thread, and the code isn't even checking if a form was submitted, so anything like a search engine spider or a bot script making a get or post request for the page will cause the code to run. once you have made sure a post method form has submitted, you need to properly validate each input to make sure that it is not empty and that it only contains data of the expected format.

 

you are also putting form data into the header field. this will allow a hacker to do anything he wants to the email that gets sent by your server. without proper validation, this will allow any to:, from:, cc: , bcc:, subject, message body, attachments.... to be send through your mail server.

 

and an fyi - the email is not being sent from the person who entered the information in the form. the email is being sent from your sending mail server. the From: mail header needs to be an email address at the domain of your sending mail server or you need an SPF DNS zone record at the domain being used in the from address that says your sending mail server is authorized to send email for that domain. the Reply-to: mail header is where you would put the email address from the person who filled in the form, after you have validated that it only contains an email address and no mail header injection content.

Edited by mac_gyver

Thanks - I have just started working on the validation.  From examples online I have found that my FORM line should contain:

form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

it was:

<form action="send_job_app.php" method="post">

 which worked to get the form data to me just fine.

 

 

I have looked at the PHP manual entries on $_SERVER and "PHP_SELF" but am still not clear on them.  Are these items pulled from the server when the form is submitted?  When I put this code at the start of my FORM, the characters "> appear at the very top of the web page and are visible as if they weren't code.  When I click SUBMIT, I get an page not found error and the URL in the browser reads:

 

 

http://www.morgansmithllc.com/%3C?php%20echo%20htmlspecialchars%28$_SERVER[

 

 

In the PHP Manual its says "PHP_SELF" is the name of the running script relative to the root.  Do I need to code that in somehow or is PHP pulling that from the server?

 

As I had it originally, the action was "send_job_app.php".  How does this newer code know what to send?  I have a feeling I am missing something, somewhere.

 

FYI - the example in verification I am looking at is at:

 

http://www.sitepoint.com/form-validation-with-php/

 

Thanks!

 

Steve

i looked at your previous thread, and the code isn't even checking if a form was submitted,

 

mac_gyver provide a lot of good info, but the above was something that you should pay particular attention to as the problem may not have anything to do with bots. If I understand his comment, the page would send an email just from accessing the form - i.e. so submission would be needed. If that is the case, you should wrap all the logic to receive the form data and process it within a condition that actually checks if the form was submitted. 

the line of code you showed us (reply #3 in this thread) for the <form ....> tag is either not in a .php file or it's already part of a php echo statement. in either case, the php code in it isn't being parsed and executed.

 

if the page where your form is at isn't a .php page or you haven't configured your web server to parse .htm or .html pages as php code, no php code in it will ever be executed.

 

if your original form action='....' attribute worked, why did you make a change to it?

 


 

i have a recommendation concerning the article you linked to at sitepoint, DON'T write code like this - 

$nameErr = $addrErr = $emailErr = $howManyErr = $favFruitErr = "";
$name = $address = $email = $howMany = "";

instead, use an array for the errors and and array for the form data.

 

initialize the errors using $errors = array(), then set elements in the $errors array for each detected error - $errors['some_field_name'] = 'The some_field_name is required'; to test if there are any errors, just test if the $errors array is empty or not.

 

initialize the $data array by making a copy of the $_POST array, trimming each element (some people allow leading/trailing white-space characters in password type fields.) if you are submitting arrays data in the post data, you can use a recursive user written trim function with array_walk_recursive() to operate on all elements of the submitted post data. then, use elements in the $data array everyplace you reference post data - $data['some_field_name']

 

 

OK.  It sounds like I need to talk to our IT guy again.

 

The web pages are all HTML - not PHP.  If the IT person sets it up so HTML parses as PHP, what will that do to all my HTML pages that have no PHP in them?  Will they still render in a browser OK?  Or am I going to have to re-code a bunch of stuff?

 

I switched because, as others pointed out, there is no validation in my PHP and in looking for examples and tutorials online, this is how 2-3 sites recommended doing it.  Is there a way to validate from the external PHP file the FORM calls?  Or from within the HTML page itself without PHP?

your form's action='...' attribute has nothing to do with validation. it's where the form will submit to. which a little inference about what it's name is and what value it had in it when it worked would have told you. if it was correct and worked in the first place, don't blindly change it based on something you saw on the internet, otherwise i have a bridge in Arizona that i have been trying to sell, that you may be interested in buying... 

your form's action='...' attribute has nothing to do with validation. it's where the form will submit to. which a little inference about what it's name is and what value it had in it when it worked would have told you. if it was correct and worked in the first place, don't blindly change it based on something you saw on the internet, otherwise i have a bridge in Arizona that i have been trying to sell, that you may be interested in buying... 

 

Thanks for the condescending and not at all helpful response.  I asked some very specific questions in my post regarding this change to the ACTION section.  I am quite aware of what the ACTION section does and was pointing out what SEVERAL sources online about verification state the action tag should be and then I asked several specific questions about how that "new" tag worked.  If my questions are too "dumb" for you, then please just don't bother to respond rather than feeling the need to give an insulting response.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.