Web Form Send to Email Blank

[Spunky]

Hey everyone small question.

 

I have this code for sending a filled out form to an email. The form is written in HTML5 and uses the required attribute in the fields which stops the user from being able to send a blank form. Trouble is, I get blank emails anyway, but not from a "user", perhaps somehow from a bot? (I don't actually see how, I only have this site live for testing purposes, but I know it is possible).

 

 

To combat this, I also put in a back-up server side check to ensure a blank form is not sent. Here is the total code:

<?php     if(empty($_POST['name'])){	exit();     }     else{          $ToEmail = 'email';      $EmailSubject = 'Emergency Contact Form';      $mailheader = "From: ".$_POST["name"]."rn";      //$mailheader .= "Reply-To: ".$_POST["email"]."rn";      $mailheader .= "Content-type: text/plain; charset=iso-8859-1"."rn";      $MESSAGE_BODY .= "Name: ".$_POST["name"]."rn";      $MESSAGE_BODY .= "Telephone: ".$_POST["telephone"]."rn";      $MESSAGE_BODY .= "Message: ".nl2br($_POST["message"])."rn";      mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");			}?>

The if statement simply checks to see if the "name" field is blank. But as I said, I still receive some sort of blank email.

 

When the email is received, it shows the recipient as the Name provided. In my blank emails it shows it as "World Wide Web Owner"

 

When the form is filled out with a name, the email tagged to it is name@spinin1.securesites.net

 

While if it is blank it is www@spinin1.securesites.net

 

This makes me believe it has something to do with the host of the site? I don't manage the host, so I don't know who hosts it. I was hoping someone could tell me how to stop receiving random blank forms to the email? They get sent randomly, I haven't been able to confirm if it is only while I have my browser on the web page or not. Ultimately the goal is to have these emails sent to multiple people's phone (for a business), so receiving random blank forms in their email would become a nuisance.

 

Thanks

[JamesB]

The required attribute is client-side validation and is only for convenience, it should not be relied upon for validation.

You should be validating that all fields aren't blank server-side in PHP.

[Spunky]

I'll keep that in mind, this is only beta code anyway until I get a solution. No reason to add more code until I find the solution.

[justsomeguy]

The form is written in HTML5 and uses the required attribute in the fields which stops the user from being able to send a blank form.

The required attribute won't stop anyone from doing anything. In browsers that support it, it will show a message about a blank field. In every other case (browsers that don't support it, bots, etc), it won't have any effect.Receiving emails is not random, the page is being executed and it's being given, at a minimum, something in $_POST['name']. Maybe you should validate more than just the name. Your code is also open to spam attacks (attackers can use it to send any message to anyone through your server), because you're putting something from $_POST right into the email headers without validating it. The From field should also be a valid email address, not just a name.

[Spunky]

...the page is being executed and it's being given, at a minimum, something in $_POST['name'].

 

You're saying that maybe something even as little as a space is being input into the text box? I didn't think of that. I'll see if I can combat that.

 

Guys, I know I need stronger validation. Right now I am trying to pinpoint exactly what the problem is. If I was receiving actual spam I would believe that I am being attacked by a spambot. Or if I was getting hundreds of entries that would crash the server or something. So I feel there is a different reason for the blank entry. But if it is not, that's ok too. I could validate all the fields the same way as the name and we'd still have the same issue if whatever it is is sending blank spaces.

 

 

 

The From field should also be a valid email address, not just a name.

 

Why do you say that? It is just a form that is filled out online and an email address isn't required or needed from the user. What is the thinking behind this? (I'm new to this concept, I'm just trying to accommodate a client's need, learning how to implement this sort of stuff.)

 

Note: I can confirm that there are no spaces after in the entries. Not that I can tell anyways. I highlight the Name: and Telephone: and Message: and there are no spaces after the colon.

Edited August 20, 2014 by Spunky

[justsomeguy]

This page lists the values that are considered to be empty:http://www.php.net/manual/en/function.empty.phpA space isn't one of them, so yeah a space would be considered non-empty.

I could validate all the fields the same way as the name and we'd still have the same issue if whatever it is is sending blank spaces.

If that's the issue, sure. You can use trim to remove excess space, but it would be useful in your case to set up logging. You can set up PHP to use an error log, and not only will it write all error messages to that file, but you can also send your own messages there. Have it be a running log of your email script so that, if a blank email is received, you can check the time and check the log to see what happened at that time. The $_SERVER array contains information that you can use to add to the log to help figure out what is going on (i.e., the user's IP address, browser string, etc). You can write the entire $_POST array to the error log to see what what submitted, you can even use the referer header to figure out where they came from.This is how you set PHP to use an error log:

ini_set('log_errors', 1);ini_set('html_errors', 0);ini_set('error_log', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'error.log');error_reporting(E_ALL);

That will write errors to a file called error.log in the same directory as the PHP script. After that, you can use the error_log function to write whatever you want there, e.g.:

error_log('POST: ' . print_r($_POST, true));

You can use that to write whatever information you want to the log that would help you figure out what is going on.

Why do you say that? It is just a form that is filled out online and an email address isn't required or needed from the user. What is the thinking behind this?

The email specification defines what is allowed in the various header fields, and the From header needs to contain a valid email address. The From header isn't just some text to show in the user's email client, it is supposed to represent the address that the email is from. Your email server is probably looking at the From header, figuring out that it is not a valid address, and replacing it with the default email address for the server, which I assume is the spinin1.securesites.net address. If you're not collecting the email address from the user and want to use that as the From address, then just specify your own From address to use for the email, or leave the From header out and the mail server will use its own default address.

[Spunky]

So I've been super busy lately, so haven't had a chance to implement suggestions here on this post but I discovered something interesting.

 

I began working on other aspects of the website today which included going to the web page with the form. However I never filled anything out or pressed the submit button. I noticed that other than during that span that my browser was on the page and the last time my browser was on this page (last time I posted in this post), was the only time I was receiving the blank emails. So, it seems that this only occurs if a browser is on the page, regardless of if the submit button is pressed.

 

Would someone be able to explain to me why this is? Perhaps there is a different solution I should pursue before I begin tackling it?

[justsomeguy]

It sounds like your PHP code is sending the email without checking if the form was submitted.