
Please Help: Dozens of Blank PHP Form Emails


sushant9999


Hi PHP Experts.
 
Yesterday I got the new version of my website up (from old XHTML to a responsive website).
As soon as I uploaded the new website live, I started getting dozens of form emails in my email.
 
And it's really annoying: I got 250 blank emails in 24 hours, with 4 or 5 real filled-in form emails.
So the form PHP is working fine, but there are loads of blank emails.
 
I am a graphics designer, so a total novice in PHP. I have been using the script below for years;
it worked on the old website as well as on the new version of my website.
I also tried adding validation using Dreamweaver behaviors, which I have checked,
but I am still getting blank form emails. What can be the reason?
 
PLEASE HELP..... It would be kind if someone could share a workable, easy validation script that's easy to understand and edit.
 
Thanks in advance.
 
 
--------------------1 PHP File (contact.php)
 
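<?php

        $mailto="info@mydomainname.com";
        $file="thanks.htm";
        $pcount=0;
        $gcount=0;
        $pstr="";   // initialised so the appends below never read an undefined variable
        $gstr="";
        $subject = "Naming Mail from Enquiry Form";

        $from="info@mydomainname.com";

        // Copy every POST field into the message as "name : value".
        // Note: each() was removed in PHP 8.0; this loop only runs on PHP 7 and older.
        while (list($key,$val)=each($_POST))
        {
                $pstr = $pstr."$key : $val \n ";
                ++$pcount;
        }
        // Same for every GET parameter.
        while (list($key,$val)=each($_GET))
        {
                $gstr = $gstr."$key : $val \n ";
                ++$gcount;
        }
        // Whichever source has more fields becomes the body. Nothing checks that
        // the form was submitted or that any field has a value, so a request with
        // no data still reaches mail() through the else branch.
        if ($pcount > $gcount)
        {
                $message_body=$pstr;
                mail($mailto,$subject,$message_body,"From:".$from);
                // #include("$file");
                header('Location: thankyou.htm');
        }
        else
        {
                $message_body=$gstr;
                mail($mailto,$subject,$message_body,"From:".$from);
                // #include("$file");
                header('Location: thankyou.htm');
        }
?>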
 
 
 
----------------------2 validation
<script type="text/javascript">
function change(val)
{
}
function MM_validateForm() { //v4.0
  if (document.getElementById){
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
      if (val) { nm=val.name; if ((val=val.value)!="") {
        if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
          if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
        } else if (test!='R') { num = parseFloat(val);
          if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
          if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
            min=test.substring(8,p); max=test.substring(p+1);
            if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
      } } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; }
    } if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
} }
</script>

 

 

---------------------- 3

    <form action="http://www.yourdomainname.com/contactus.php" method="post" name="myForm" id="contactForm" onsubmit="MM_validateForm('name','','R','cell','','RisNum','email4','','RisEmail','nationality3','','R','company-details','','R');return document.MM_returnValue">
        
                <div class="col-md-12">
            <div class="form-group">
            <label>1. Name</label>
                <input name="name" type="text" id="name" class="form-control"/>
                </div>
                </div>
                
                
                <div class="col-md-12">
            <div class="form-group">
<label> 2. Phone / Mobile</label>
              <input name="cell" type="text" id="cell" class="form-control"/>
              </div>
              </div>
 
and so on more form fields.................................

There could be a couple causes for you receiving blank emails:

 

1. There is a logic problem that legitimate user activity is calling the action to send the email. E.g. the script is run on page load without checking that the form was submitted, duplicate code hiding somewhere that you are not aware of, etc.

2. A bot is making the action to submit the request causing the empty emails.

 

There are several solutions needed. I will cover some of them.

 

1. Do NOT implement JavaScript as a validation technique. I'm not even going to try to understand that garbled mess. A user with JavaScript disabled or a bot will not invoke the JavaScript, so that validation is useless in those scenarios. It's fine to put some client-side validation in to enhance the user experience (i.e. give the user an error for a required field w/o having to submit the form), but you must absolutely have validation for all business logic on the server-side. I would first enclose the logic in a condition to ensure the form was submitted. You are currently using $_GET, but $_POST is more appropriate (and could also be the root of your problem, see below).

if($_SERVER['REQUEST_METHOD'] !="POST") {
    //Form not posted, do something - e.g. error condition
} else {
    //Form was posted, continue validation
}

Then you should have validation that any required fields have values and that any values received are "correct". E.g. if one field is a select list, ensure the received value is in the list of valid values. If an email is required, make sure it is validly configured.

 

2. Don't use $_GET. When a user submits a form using the GET method it puts all that data into the URL and redirects them to the action parameter. If a user was to refresh the page or bookmark it, it will continue to process the "submission". A POST will resubmit on a page refresh, but you can avoid that much easier by using a header() call at the end of the processing to a different page (e.g. "Thank you for your submission"). Or, even better, implement a PRG process (google for more info).

 

3. The above two suggestions should solve your problem since the submissions are apparently empty and server-side validation should be written to prevent the email if there is no valid data. But, if you have a problem where a bot is continually submitting a form with valid data, then you would have to implement some sort of "bot check" such as a CAPTCHA image where the user has to enter the characters in the image or the checkbox stating "I am not a bot" (Note, it is not a normal checkbox, but there are pre-built solutions out there).

 

But, I don't think you have to worry about #3 at this time. Start by switching to $_POST and ensure it still works. Then move on to implementing server-side validation logic to prevent the email if there are errors/invalid data/no data.

 

EDIT: OK, I see now that you have both $_POST & $_GET variables in your code. Not sure why. Are you expecting data to come in from either/or method? The logic is kind of "hokey". Plus, you should never use something like this:

 

while (list($key,$val)=each($_POST))

 

It is a trivial thing for a user to pass any name/value pairs they wish to your page. If you had a hard-coded variable that determines a folder path, logic like that could cause your system to be compromised. Your specific usage doesn't appear to have a security problem, but it is a bad practice.

Edited by Psycho
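
The advice in the reply above, combined into one handler, as an added example that is not code from either poster: it accepts POST only, reads a fixed list of expected fields instead of looping over everything in $_POST, refuses to send when a required field is empty or malformed, and redirects after sending. The field names, address, subject and thankyou.htm come from the thread; the function name, the phone-number pattern and the response codes are assumptions.

```php
<?php
// Expected fields and their rule; anything else in $_POST is ignored.
const FIELDS = [
    'name'            => 'required',
    'cell'            => 'phone',
    'email4'          => 'email',
    'nationality3'    => 'required',
    'company-details' => 'required',
];

// Hypothetical helper: returns [clean values, list of error messages].
function validate_contact(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (FIELDS as $field => $rule) {
        // Missing keys and array values (cell[]=x) both count as empty.
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif ($rule === 'phone' && !preg_match('/^\+?[0-9 ()-]{6,20}$/', $value)) {
            $errors[] = "$field must be a phone number";   // assumed format
        } elseif ($rule === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$field must be an e-mail address";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// A page load, crawler hit or GET request never reaches mail().
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Form not submitted.');
}
[$clean, $errors] = validate_contact($_POST);
if ($errors) {   // blank or invalid submission: report it, send nothing
    http_response_code(422);
    exit(nl2br(htmlspecialchars(implode("\n", $errors))));
}
// Submitted values go into the body only; the headers stay fixed strings.
$body = '';
foreach ($clean as $field => $value) {
    $body .= "$field : $value\n";
}
mail('info@mydomainname.com', 'Naming Mail from Enquiry Form', $body, 'From: info@mydomainname.com');
header('Location: thankyou.htm', true, 303);   // redirect so a refresh does not resend
exit;
```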