Bytes | Software Development & Data Engineering Community

Blank form processing: POST values lost?

Hi folks,

I have a client with four websites. Each site has a contact form that
is identical. They all have "required" fields validated through a
JavaScript onSubmit() function. Upon validation, post values go to a
PHP processing page that adds values to a database and generates an
email to someone in marketing.

For three of these sites, we have no problem, but the fourth keeps
sending in blank forms.

I'd understand the occasional, JavaScript turned off + user
accidentally hitting submit without filling in any values. However,
this happens about 3% of the time (and only on one site). I'm worried
that $_POST values are somehow lost in the PHP processing page.

The relevant code in the processing page is:

$message = "";

foreach($_POST as $key=>$val)
{

$message .= "$key" . ": " . $val . "\n";
}

if( strlen( $message ) > 0 )
{
$to = "bo*@example.com";
$subject = "Contact Us Form Results";
$headers = "From: $to";
$send = mail( $to, $subject, $message, $headers );

if ( $send ) echo "success";
else echo "error";
}

I thought that maybe I have a robot somehow visiting this page directly
(without first going through the form), but the if( strlen( $message ) > 0 )
line should stop the email if message is blank.


To be thorough, I'll include the JavaScript validation code below.
field_arr = new Array( "name", "phone", ... );
field_desc_arr = new Array( "Name", "Telephone Number", ... );
for ( i = 0 ; i < field_arr.length ; i++ )
{
eval("field = passed_form." + field_arr[i] + ";");
if ( ( !field.value ) || ( field.value.length < 1 ) )
{
alert("You can't submit form without completing " + field_desc_arr[i]
+ "!\nPlease try again.");
field.focus();
field.select();
return(false);
}
}

Anyone see anything I might have missed?

Jul 17 '05 #1
*** dm*******@yahoo.com wrote (14 Jun 2005 10:46:03 -0700):
> To be thorough, I'll include the JavaScript validation code below. [...] Anyone see anything I might have missed?

Have you tested your form with any browser apart from Internet Explorer? If
JavaScript is critical to the application that'd be a good beginning.

Also, is it possible that visitors are accessing the form processing script
directly, maybe from another POST script you may have forgotten about?
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
Jul 17 '05 #2
*** Alvaro G Vicario wrote (Tue, 14 Jun 2005 21:00:03 +0200):
> Have you tested your form with any browser apart from Internet Explorer? If
> JavaScript is critical to the application that'd be a good beginning.

I forgot to mention: add debugging info to your form, especially $_POST,
$_SERVER['HTTP_REFERER'] and $_SERVER['USER_AGENT']. Functions like
var_dump() may be useful.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
Jul 17 '05 #3


Alvaro G Vicario wrote:
> *** Alvaro G Vicario wrote (Tue, 14 Jun 2005 21:00:03 +0200):
>> Have you tested your form with any browser apart from Internet Explorer? If
>> JavaScript is critical to the application that'd be a good beginning.
>
> I forgot to mention: add debugging info to your form, especially $_POST,
> $_SERVER['HTTP_REFERER'] and $_SERVER['USER_AGENT']. Functions like
> var_dump() may be useful.
>
> --
> -- Álvaro G. Vicario - Burgos, Spain
> -- http://bits.demogracia.com - My site about web programming
> -- Don't e-mail me your questions, post them to the group
> --


Thanks, Alvaro.

I have tested using IE6, FireFox, and Opera on Windows. FireFox and
Opera on Linux. I don't have an OSX Mac. (I've even tried it with Lynx,
though that was expected to bypass the validation.)

As far as the debug vars, I've recently added a $_SERVER dump into the
email line. Hopefully I can figure out that all of these have something
in common.

Getting to the processing page from a page other than the form was my
first guess. That's why I dumped the $_SERVER variable.

Does GoogleBot (or any other bot for that matter) identify itself
within the USER_AGENT string?

Again, thanks.

Jul 17 '05 #4
> I have a client with four websites. Each site has a contact form that
> is identical. They all have "required" fields validated through a
> JavaScript onSubmit() function.

Remember, JavaScript does validation only if the client WANTS it
to do validation. Anyone else (especially the malicious ones, and
bots, and PHP pages getting the content of other pages, etc.) can
make their own form or request and leave out the JavaScript. Or
they can just turn it off.

> Upon validation, post values go to a
> PHP processing page that adds values to a database and generates an
> email to someone in marketing.

I certainly hope the PHP processing page does at least enough
validation of its own to avoid SQL injection attacks. If I put the
last name O'Brien in the contact form, and it causes a SQL error,
you're in trouble.

> For three of these sites, we have no problem, but the fourth keeps
> sending in blank forms.
>
> I'd understand the occasional, JavaScript turned off + user
> accidentally hitting submit without filling in any values. However,
> this happens about 3% of the time (and only on one site). I'm worried
> that $_POST values are somehow lost in the PHP processing page.

Have you considered detecting when this happens, and logging relevant
things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
and $_SERVER['HTTP_USER_AGENT']? It might turn out to be a search
engine bot. Do reverse lookups on the IP addresses. Many bots
clearly identify themselves in HTTP_USER_AGENT.

Oh, yes, some of this info may be in your Apache logs already if
you can match up times the blank messages are sent.

> The relevant code in the processing page is:
>
> $message = "";
>
> foreach($_POST as $key=>$val)
> {
>
> $message .= "$key" . ": " . $val . "\n";
> }
>
> if( strlen( $message ) > 0 )
> {
> $to = "bo*@example.com";
> $subject = "Contact Us Form Results";
> $headers = "From: $to";
> $send = mail( $to, $subject, $message, $headers );
>
> if ( $send ) echo "success";
> else echo "error";

Are you getting blank messages *IN SPITE OF* the check above, or
did you put the check in because you kept getting blank messages?
If you are still getting blanks in spite of the check, that's weird.

> }
>
> I thought that maybe I have a robot somehow visiting this page directly
> (without first going through the form), but the if( strlen( $message ) > 0 )
> line should stop the email if message is blank.

I vaguely recall something about the behavior of array iteration
with superglobals being odd and different between PHP versions. I
can't remember what it was, though. Is the odd-site-out having
blank emails using a different PHP version from the others?

Gordon L. Burditt
Jul 17 '05 #5
> I certainly hope the PHP processing page does at least enough
> validation of its own to avoid SQL injection attacks. If I put the
> last name O'Brien in the contact form, and it causes a SQL error,
> you're in trouble.

I edit $_POST values via addslashes() and trim(). In other forms that
require numerical values or date/time entries, I use programming logic
to verify info. All is server-side. Not enough?

> Have you considered detecting when this happens, and logging relevant
> things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
> and $_SERVER['HTTP_USER_AGENT']?

This was brought to my attention this morning. I added a dump of the
$_SERVER array to the email. When I have more than a couple to look at,
I'll try to find a thread.

> Are you getting blank messages *IN SPITE OF* the check above, or
> did you put the check in because you kept getting blank messages?
> If you are still getting blanks in spite of the check, that's weird.

The check has been in since the beginning. That's primarily what I
don't understand. In the resulting email, a healthy message might read
"first_name : John". In the errant messages, the line reads
"first_name :". Not even a space. (adding values to the database uses
trim(), but generating the email uses the raw post values). In the
$key=>$val clause, it would seem that $key is filled with the names of
my input fields but $val is null. Would $_POST have an element for a
given input field if the field were null?

> I vaguely recall something about the behavior of array iteration
> with superglobals being odd and different between PHP versions. I
> can't remember what it was, though. Is the odd-site-out having
> blank emails using a different PHP version from the others?


Great idea. Last I checked the odd site out was on the same box as two
of the others, and running PHP 4.

Thanks for the lead,
-Dan

Jul 17 '05 #6
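
An added example, not part of the thread or the poster's code: the O'Brien test case from the discussion, run against a parameterized insert and against a query built with addslashes(). The thread does not name the database; the in-memory SQLite connection (pdo_sqlite), the `contacts` table and both function names are assumptions made so the block runs on its own.

```php
<?php
// Added example, not the poster's code. The contacts table and the use of an
// in-memory SQLite database (pdo_sqlite extension) are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (first_name TEXT, last_name TEXT)');

/** Insert a contact with bound parameters; values never become SQL text. */
function save_contact(PDO $pdo, string $first, string $last): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO contacts (first_name, last_name) VALUES (:first, :last)');
    $stmt->execute([':first' => trim($first), ':last' => trim($last)]);
}

/** The string-building approach, kept only to show how it fails. */
function save_contact_concat(PDO $pdo, string $first, string $last): void
{
    // addslashes() yields O\'Brien; SQLite (like standard SQL) escapes a
    // quote by doubling it, so the backslash does not protect the literal.
    $sql = "INSERT INTO contacts (first_name, last_name) VALUES ('"
         . addslashes($first) . "', '" . addslashes($last) . "')";
    $pdo->exec($sql);
}

// Constructed sample input: the thread's own test case.
save_contact($pdo, 'Pat', "O'Brien");

try {
    save_contact_concat($pdo, 'Pat', "O'Brien");
    echo "concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}

// Only the row written through the prepared statement is stored.
foreach ($pdo->query('SELECT first_name, last_name FROM contacts') as $row) {
    echo $row['first_name'], ' ', $row['last_name'], "\n";
}
```

Whether a backslash-escaped quote is accepted depends on the database and its settings, which is why bound parameters are the portable way to keep form values out of the SQL text.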
>> I certainly hope the PHP processing page does at least enough
>> validation of its own to avoid SQL injection attacks. If I put the
>> last name O'Brien in the contact form, and it causes a SQL error,
>> you're in trouble.
>
> I edit $_POST values via addslashes() and trim(). In other forms that
> require numerical values or date/time entries, I use programming logic
> to verify info. All is server-side. Not enough?

That should be good enough. Too many people using JavaScript try
to do their input validation EXCLUSIVELY in JavaScript. But watch
out for quotes in stuff you thought was numeric. Regex to make
sure it's really numeric, plus range checking, should be enough.
How does PHP handle arithmetic operations on stuff like:

if ($month < 1 || $month > 12) { /* ...handle bad month error */ }

where $month = "3'or 1";

>> Have you considered detecting when this happens, and logging relevant
>> things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
>> and $_SERVER['HTTP_USER_AGENT']?
>
> This was brought to my attention this morning. I added a dump of the
> $_SERVER array to the email. When I have more than a couple to look at,
> I'll try to find a thread.

>> Are you getting blank messages *IN SPITE OF* the check above, or
>> did you put the check in because you kept getting blank messages?
>> If you are still getting blanks in spite of the check, that's weird.
>
> The check has been in since the beginning. That's primarily what I
> don't understand. In the resulting email, a healthy message might read
> "first_name : John". In the errant messages, the line reads
> "first_name: ". Not even a space. (adding values to the database uses

Ok, I thought you were getting *COMPLETELY BLANK* messages. You
seem to be getting field names. And I don't understand not getting
a space since your code had a colon followed by a space after the
key.

> trim(), but generating the email uses the raw post values). In the
> $key=>$val clause, it would seem that $key is filled with the names of
> my input fields but $val is null. Would $_POST have an element for a
> given input field if the field were null?

If the field is empty, you'd get an empty string (I forget whether
PHP makes a distinction between an empty string and null like SQL
does). I believe this is what you get when someone clicks on the
form without filling anything in (and JavaScript either doesn't
catch it or is turned off).

if ($_POST['first_name'] == '' && $_POST['last_name'] == '') {
    // ... bad message, ignore it ...
}

Gordon L. Burditt
Jul 17 '05 #7
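
An added example, not code from the thread: a server-side check that rejects the all-empty submissions described above, validates a month with the regex-plus-range idea from post #7, and logs the request metadata recommended in post #5. The field list, the function names and the sample request are assumptions.

```php
<?php
// Added example, not the original poster's code. Field names are assumptions.
const REQUIRED_FIELDS = ['first_name', 'last_name', 'phone'];

/** Return the required fields that are absent or empty after trim(). */
function missing_fields(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        // Browsers send an untouched text input as name= (empty string),
        // so the key exists in $_POST and only the value shows it is blank.
        $value = $post[$name] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $missing[] = $name;
        }
    }
    return $missing;
}

/** Accept a month only if it is an integer from 1 to 12, else null. */
function parse_month($raw): ?int
{
    $month = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    return $month === false ? null : $month;
}

/** One log line with request metadata for a rejected submission. */
function rejection_log_line(array $server, array $missing): string
{
    $pick = function (string $key) use ($server): string {
        // Replace control characters so a crafted header cannot forge log lines.
        return (string) preg_replace('/[\x00-\x1F\x7F]/', '?',
            (string) ($server[$key] ?? '-'));
    };
    return sprintf('blank-form ip=%s referer="%s" ua="%s" missing=%s',
        $pick('REMOTE_ADDR'), $pick('HTTP_REFERER'), $pick('HTTP_USER_AGENT'),
        implode(',', $missing));
}

// Constructed sample request: every field present, every value empty,
// which is what the original strlen($message) > 0 test lets through.
$post   = ['first_name' => '', 'last_name' => '   ', 'phone' => ''];
$server = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'ExampleBot/1.0'];

$missing = missing_fields($post, REQUIRED_FIELDS);
if ($missing) {
    error_log(rejection_log_line($server, $missing)); // skip mail() and the INSERT
    echo "rejected: ", implode(', ', $missing), "\n";
}
var_dump(parse_month('3'), parse_month("3'or 1"));
```

In the real handler, pass `$_POST` and `$_SERVER` in place of the sample arrays and return before `mail()` when `missing_fields()` is non-empty.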
> seem to be getting field names. And I don't understand not getting
> a space since your code had a colon followed by a space after the
> key.


My error. The space after the colon _is_ in there. I meant that I'm not
getting an additional space, one that would represent someone just
putting a space in the field to bypass the JavaScript.

Jul 17 '05 #8
*** dm*******@yahoo.com wrote (14 Jun 2005 12:43:39 -0700):
> Does GoogleBot (or any other bot for that matter) identify itself
> within the USER_AGENT string?

Search engine bots normally do so, esp. Google's.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
Jul 17 '05 #9
