Status
Not open for further replies.

pauldf

New Member
Hi Guys

A quick question. I have a few forms on my website that I made in Dreamweaver CS3. As security I added in the validation markup. I tested the forms online and when I leave out either the name or email, an error message appears saying that the form can't be sent because these fields can't be left blank, so it's doing exactly what I want it to. Once all the fields are filled in, the form can be sent and it arrives in my inbox perfectly.
Just this week, though, a lot of blank emails have been arriving in my inbox from the forms and I can't get my head around why it's happening. Any time I test the forms and try to leave the fields blank, an error message appears, so does anyone know why so many blank emails are arriving in my inbox? Below is the form code.

Thanks for any help anyone can give with this.

HTML:
<form action="webmasterform.php" method="post" name="form1" id="form1" onsubmit="MM_validateForm('name','','R','email','','RisEmail');return document.MM_returnValue">
    <label>Name:<br />
    <input type="text" name="name" id="name" />
    </label>
    <br />
    <label>Email:<br />
    <input type="text" name="email" id="email" />
    </label>
    <br />
    <label>Question / Comment / Link<br />
    <textarea name="comment" id="comment" cols="45" rows="5"></textarea>
    </label>
    <br />
    <br />
    <label>
    <input type="submit" name="submit" id="submit" value="Submit" />
    </label>
</form>
 

louie

New Member
You only do "client side" validation, so you need to add some "server side" validation as well to prevent automatic submissions.
PHP:
//e.g.
$error = array();//set an empty array
if(count($_POST)>0){
    //the form was submitted
    $name = trim($_POST['name']);
    if($name == "") $error[] = "Please enter your name";
 
   if(!empty($error)){
       foreach($error as $x=>$y){
          echo $y."<br />";
       }
   }else{//no errors - send email
 
    }
}

You also need to check the REFERER to make sure the submission was made from your own server...
 

pauldf

New Member
Hi Louie

Thanks a million for posting back. I was wondering, could I use the PHP code you posted in my PHP script to act as the server side validation? I went searching the web and I couldn't find anywhere that explained in detail how to go about setting up server side validation; they were all happy to explain why you needed it but none really showed how to go about adding it. I have attached the PHP script that I use for sending forms to this post (it's very basic), but I would be really thankful if you could have a look at it and tell me exactly how basic it is and where I would need to beef it up security wise etc. This PHP form script was my first real adventure into creating a PHP form script, so I would be really thankful for any advice you could give.

PHP:
<?php

/* Subject and Email Variables */


	$emailSubject = 'Webmaster Form';
	$webMaster = 'ashrescue@gmail.com';
	
	
/* Gathering Data Variables */

	$emailField = $_POST['email'];
	$nameField = $_POST['name'];
	$commentField = $_POST['comment'];



	$body = <<<EOD
<br><hr><br>
Name: $nameField <br>
Email: $emailField <br>
Comment: $commentField <br>
EOD;


	$headers = "From: $emailField\r\n";
	$headers .= "Content-type: text/html\r\n";
	$success = mail($webMaster, $emailSubject, $body, $headers);
	
	$theResults = <<<EOD
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/index.dwt" codeOutsideHTMLIsLocked="false" -->
<!-- DW6 -->
<head>
<!-- Copyright 2005 Macromedia, Inc. All rights reserved. -->
<title>ASH Animal Rescue</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="mm_lodging1.css" type="text/css" />
<style type="text/css">
<!--
body {
	background-color: #FFFFFF;
}
.style2 {color: #000000}
.style3 {color: #FF0000}
-->
</style>
<script type="text/javascript">
<!--
function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_findObj(n, d) { //v4.01
  var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
  if(!x && d.getElementById) x=d.getElementById(n); return x;..................

THIS JUST IS THE CODE FOR THE THANK YOU FOR POSTING PAGE


............</map><script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-15108390-1");
pageTracker._trackPageview();
} catch(err) {}</script></body>
<!-- InstanceEnd --></html>

EOD;
echo "$theResults"; 

?>
 

louie

New Member
Send me the code for the posting page (the one with the form itself) and I'll implement it for you there.
 

pauldf

New Member
Hi Louie

Thanks a million for your help with this. I mailed you the form code; will you let me know if you need anything else? I couldn't send you all the code, the page design etc., because it wouldn't send the message, it said the mail was too big, but I presume once you have the form code it's all good, you can let me know.

All the best

Paul
 

louie

New Member
Give this a go...
PHP:
<?php
//CHECK VALID EMAIL
function isValidEmail($email){
 // eregi() was removed in PHP 7; preg_match() with the /i modifier does the same case-insensitive match
 return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email) === 1;
}
$ewd_error = array();
$web_url = "website.com"; // NO http:// OR www.
$form_url = "YOUR PAGE URL"; //pagename.php
$emailSubject = 'Webmaster Form'; //email subject
$webMaster = '********@gmail.com'; //webmaster email address
$success = false;
//GET REFERER AND MAKE SURE THE FORM WAS SUBMITTED FROM THIS WEBSITE
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ""; // header is optional, avoid an undefined index notice
if($referer != ""){
 $x = parse_url($referer);
 if($x['host'] != $web_url){ //SUBMISSION MADE FROM OTHER WEBSITE
  echo "<h1>**** Off</h1>";
  die();
 }
}
//END CHECK REFERER
if(count($_POST)>0){
 $name = trim($_POST['name']);
 $email = trim($_POST['email']);
 $comment = trim($_POST['comment']);
 //CHECK FOR ERRORS
 if($name == "") $ewd_error[] = "Name is required";
 if($email == "") $ewd_error[] = "Email is required";
 if($email != "" && !isValidEmail($email)) $ewd_error[] = "Please enter a proper email address";
 if($comment == "") $ewd_error[] = "Comment is required";
 
 if(!empty($ewd_error)){
  echo "<div style='padding:5px; border:3px solid #cc0014;'><h3>ERROR...</h3>";
  foreach($ewd_error as $x=>$y){
   echo $y."<br />";
  }
  echo "</div>";
 }else{
  //SEND EMAIL
  $body = "<br><hr><br> 
  Name: $name <br> 
  Email: $email <br> 
  Comment: $comment <br>";
  $headers = "From: $email\r\n"; 
  $headers .= "Content-type: text/html\r\n"; 
  $success = mail($webMaster, $emailSubject, $body, $headers);
 }
}else{
 $name = "";
 $email = "";
 $comment = "";
}
if($success){//SAY THANKS
 echo "<h1>Thank you for your email!...</h1>";
}else{//show form
?>
    <p><span class="pageName style3" style="font-weight: bold">Webmaster Contact</span></p>
    <p class="style2" style="font-size: 14px">Please use the form below to contact our webmaster</p>
        <form action="<?php echo $form_url;?>" method="post" name="form1" id="form1" onsubmit="MM_validateForm('name','','R','email','','RisEmail');return document.MM_returnValue">
            <label>Name:<br />
            <input type="text" name="name" id="name" />
            </label>
            <br />
            <label>Email:<br />
            <input type="text" name="email" id="email" />
            </label>
            <br />
            <label>Question / Comment / Link<br />
            <textarea name="comment" id="comment" cols="45" rows="5"></textarea>
            </label>
            <br />
            <br />
            <label>
            <input type="submit" name="submit" id="submit" value="Submit" />
            </label>
        </form>
    <p class="style2" style="font-size: 14px">&nbsp;</p>
<?php }?>
 

php.allstar

New Member
...you also need to check the REFERER to make sure the submission was made from your own server...

Louie, that is not technically correct as the REFERER header is sent by the client and thus can easily be modified with the likes of the "RefControl" plugin for firefox and many others.
 

php.allstar

New Member
Just to add a few security enhancements to Louie's code above...

PHP:
 <?php
//CHECK VALID EMAIL
function isValidEmail($email){
 // eregi() was removed in PHP 7; preg_match() with the /i modifier does the same case-insensitive match
 return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email) === 1;
}

// A PHP5 function to help prevent email header injection
function sanitize( $data ) {
   return( str_ireplace(array(  "Content-Type:","to:","cc:", "bcc:", "\n", "\r", "%0d", "%0a"), "", $data) );
}

$ewd_error = array();
$web_url = "website.com"; // NO http:// OR www.
$form_url = "YOUR PAGE URL"; //pagename.php
$emailSubject = 'Webmaster Form'; //email subject
$webMaster = '********@gmail.com'; //webmaster email address
$success = false;

/*
 * BOF Security Advisory
 * Please note: the below commented out code is not a secure method
 * for validating a form or preventing form spoofing as the HTTP_REFERER 
 * is sent by the client and as a result is easily manipulated!
*/

    //GET REFERER AND MAKE SURE THE FORM WAS SUBMITTED FROM THIS WEBSITE
    //$referer = $_SERVER['HTTP_REFERER'];
    //if($referer != ""){
    // $x = parse_url($referer);
    // if($x['host'] != $web_url){ //SUBMISSION MADE FROM OTHER WEBSITE
    //  echo "<h1>**** Off</h1>";
    //  die();
    // }
    //}
    //END CHECK REFERER

/*
 * EOF Security Advisory
*/

if(count($_POST)>0){
 // Use the sanitize function to prevent email header injection
 // which can result in your form being used as a mass mailer!
 $name = sanitize($_POST['name']);
 $email = sanitize($_POST['email']);
 $comment = sanitize($_POST['comment']);
 //CHECK FOR ERRORS
 if($name == "") $ewd_error[] = "Name is required";
 if($email == "") $ewd_error[] = "Email is required";
 if($email != "" && !isValidEmail($email)) $ewd_error[] = "Please enter a proper email address";
 if($comment == "") $ewd_error[] = "Comment is required";
 
 if(!empty($ewd_error)){
  echo "<div style='padding:5px; border:3px solid #cc0014;'><h3>ERROR...</h3>";
  foreach($ewd_error as $x=>$y){
   echo $y."<br />";
  }
  echo "</div>";
 }else{
  //SEND EMAIL
  $body = "<br><hr><br> 
  Name: $name <br> 
  Email: $email <br> 
  Comment: $comment <br>";
  $headers = "From: $email\r\n"; 
  $headers .= "Content-type: text/html\r\n"; 
  $success = mail($webMaster, $emailSubject, $body, $headers);
 }
}else{
 $name = "";
 $email = "";
 $comment = "";
}
if($success){//SAY THANKS
 echo "<h1>Thank you for your email!...</h1>";
}else{//show form
?>
    <p><span class="pageName style3" style="font-weight: bold">Webmaster Contact</span></p>
    <p class="style2" style="font-size: 14px">Please use the form below to contact our webmaster</p>
        <form action="<?php echo $form_url;?>" method="post" name="form1" id="form1" onsubmit="MM_validateForm('name','','R','email','','RisEmail');return document.MM_returnValue">
            <label>Name:<br />
            <input type="text" name="name" id="name" />
            </label>
            <br />
            <label>Email:<br />
            <input type="text" name="email" id="email" />
            </label>
            <br />
            <label>Question / Comment / Link<br />
            <textarea name="comment" id="comment" cols="45" rows="5"></textarea>
            </label>
            <br />
            <br />
            <label>
            <input type="submit" name="submit" id="submit" value="Submit" />
            </label>
        </form>
    <p class="style2" style="font-size: 14px">&nbsp;</p>
<?php }?>

There are lots of things to take into consideration when it comes to handling forms securely. Above I've just added in some code to prevent email header injection and removed Louie's HTTP_REFERER check as this is not technically correct.

You should look at adding some form of captcha challenge to help reduce bot submissions.

To answer your original question about why your form was sending so many blank results, it looks like it could be a classic example of "form spoofing".

As Louie correctly pointed out, your form had relied upon some client side validation. An attacker could have:

  1. copied the html of your form
  2. pasted it into a html file on one of their own domains
  3. changed the form action to an absolute version (European Web hosting based in Ireland, exchange hosting, domain registration, dedicated servers, colocation - Blacknight Solutions...) of your form action
  4. Removed all your client side validation
  5. Submitted what they wanted to your form processor
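A hardened handler for the three points raised in this thread (Louie's server side validation, the header injection that the sanitize() function above targets, and form spoofing), as an added example that is not code from the thread: it rejects a header injection attempt instead of stripping characters, validates the address with filter_var(), and replaces the HTTP_REFERER check with a session token that only a form served by this site carries. The function names are my own; it assumes PHP 7 or later and that the caller supplies the two addresses.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ and sessions enabled.
session_start();

// Reject, rather than strip, anything that could start a new mail header.
function containsHeaderInjection($value) {
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

function isValidEmail($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false && !containsHeaderInjection($email);
}

// One-time token kept in the session and embedded in the form as a hidden field: a POST
// without it did not come from a form this site served, whatever HTTP_REFERER says.
function formToken() {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_token'];
}

function validateSubmission(array $post, $expectedToken) {
    $errors = array();
    $token = isset($post['token']) ? (string) $post['token'] : '';
    if ($token === '' || !hash_equals($expectedToken, $token)) {
        $errors[] = 'Submission was not made from our form';
    }
    foreach (array('name', 'email', 'comment') as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = ucfirst($field) . ' is required';
        }
    }
    // Only the email reaches a mail header (Reply-To); name and comment go into the body.
    if (!empty($post['email']) && !isValidEmail($post['email'])) {
        $errors[] = 'Please enter a proper email address';
    }
    return $errors;
}

// From is a fixed address on our own domain; the visitor's validated address is Reply-To.
function sendToWebmaster($webMaster, $siteFrom, array $post) {
    $headers = "From: $siteFrom\r\nReply-To: {$post['email']}\r\nContent-type: text/html; charset=UTF-8\r\n";
    $h = function ($s) { return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8')); };
    $body = 'Name: ' . $h($post['name']) . '<br>Email: ' . $h($post['email']) . '<br>Comment: ' . $h($post['comment']);
    return mail($webMaster, 'Webmaster Form', $body, $headers);
}

// Usage: $errors = validateSubmission($_POST, formToken()); call sendToWebmaster() only when
// $errors is empty, then unset($_SESSION['form_token']); put formToken() in a hidden "token" input.
```

A spoofed copy of the form hosted elsewhere has no session with this site and so cannot supply a matching token, which is what makes the blank submissions described in the first post fail server side.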
 

php.allstar

New Member
Blacknight, if you read this post, thread, please look at the url in my point 3 above. I entered "h t t p : / / w w w ." (no spaces) after "absolute version (" and the forum converted the url to what you see above!
 

louie

New Member
Louie, that is not technically correct as the REFERER header is sent by the client and thus can easily be modified with the likes of the "RefControl" plugin for firefox and many others.

That is just basic validation. Any form open to public submission requires a lot more than that, which I haven't got the time to explain to someone that knows the minimum PHP coding....
He will be lost at <?php opening tag....
 

php.allstar

New Member
LOL! I know.

But the stuff about the REFERER was more aimed at you...just so you know, in case you rely on it on some of your current scripts or in future! ;o)
 

pauldf

New Member
Thanks a million guys for all your help.
I still have a way to go to be comfortable with PHP coding, but I really appreciate all the advice and help you guys gave.
All the best
 