Blank form processing: POST values lost?

To be thorough, I'll include the JavaScript validation code below. [...] Anyone see anything I might have missed?

Have you tested your form with any browser apart from Internet Explorer. If
JavaScript is critical to the application that'd be a good beginning.

*** Alvaro G Vicario wrote/escribió (Tue, 14 Jun 2005 21:00:03 +0200):

Have you tested your form with any browser apart from Internet Explorer.. If
JavaScript is critical to the application that'd be a good beginning.

I forgot to mention: add debugging info to your form, especially $_POST,
$_SERVER['HTTP_REFERER'] and $_SERVER['USER_AGENT']. Functions like
var_dump() may be useful.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--

is identical. They all have "required" fields validated through a
JavaScript onSubmit() function.
Remember, JavaScript does validation only if the client WANTS it
to do validation. Anyone else (especially the malicious ones, and
bots, and PHP pages getting the content of other pages, etc.) can
make their own form or request and leave out the JavaScript. Or
they can just turn it off.
Upon validation, post values go to a
PHP processing page that adds values to a database and generates an
email to someone in marketing.
I certainly hope the PHP processing page does at least enough
validation of its own to avoid SQL injection attacks. If I put the
last name O'Brien in the contact form, and it causes a SQL error,
you're in trouble.
For three of these sites, we have no problem, but the fourth keeps
sending in blank forms. I'd understand the occasional, JavaScript turned off + user
accidentally hitting submit without filling in any values. However,
this happens about 3% of the time (and only on one site). I'm worried
that $_POST values are somehow lost in the PHP processing page.
Have you considered detecting when this happens, and logging relevant
things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
and $_SERVER['HTTP_USER_AGENT'] ? It might turn out to be a search
engine bot. Do reverse lookups on the IP addresses. Many bots
clearly identify themselves in HTTP_USER_AGENT.

Oh, yes, some of this info may be in your Apache logs already if
you can match up times the blank messages are sent.

The relevant code in the processing page is:

$message = "";

foreach($_POST as $key=>$val)
{

$message .= "$key" . ": " . $val . "\n";
}

if( strlen( $message ) > 0 )
{
$to = "bo*@example.com";
$subject = "Contact Us Form Results";
$headers = "From: $to";
$send = mail( $to, $subject, $message, $headers );

if ( $send ) echo "success";
else echo "error";
Are you getting blank messages *IN SPITE OF* the check above, or
did you put the check in because you kept getting blank messages?
If you are still getting blanks in spite of the check, that's wierd.}

I thought that maybe I have a robot somehow visiting this page directly
(without first going through the form), but the if( strlen( $message )

0 ) line should stop the email if message is blank.

validation of its own to avoid SQL injection attacks. If I put the
last name O'Brien in the contact form, and it causes a SQL error,
you're in trouble.
I edit $_POST values via addslashes() and trim(). In other forms that
require numerical values or date/time entries, I use programming logic
to verify info. All is server-side. Not enough?
Have you considered detecting when this happens, and logging relevant
things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
and $_SERVER['HTTP_USER_AGENT'] ?
This was brought to my attention this morning. I added a dump of the
$_SERVER array to the email. When I have more than a couple to look at,
I'll try to find a thread.
Are you getting blank messages *IN SPITE OF* the check above, or
did you put the check in because you kept getting blank messages?
If you are still getting blanks in spite of the check, that's wierd.
The check has been in since the beginning. That's primarilly what I
don't understand. In the resulting email, a healthy message might read
"first_name: John". In the errant messages, the line reads
"first_name:". Not even a space. (adding values to the database uses
trim(), but generating the email uses the raw post values). In the
$key=>$val clause, it would seem that $key is filled with the names of
my input fields but $val is null. Would $_POST have an element for a
given input field if the field were null?
I vaguely recall something about the behavior of array iteration
with superglobals being odd and different between PHP versions. I
can't remember what it was, though. Is the odd-site-out having
blank emails using a different PHP version from the others?

validation of its own to avoid SQL injection attacks. If I put the
last name O'Brien in the contact form, and it causes a SQL error,
you're in trouble.
I edit $_POST values via addslashes() and trim(). In other forms that
require numerical values or date/time entries, I use programming logic
to verify info. All is server-side. Not enough?

That should be good enough. Too many people using JavaScript try
to do their input validation EXCLUSIVELY in JavaScript. But watch
out for quotes in stuff you thought was numeric. Regex to make
sure it's really numeric, plus range checking, should be enough.
How does PHP handle arithmetic operations on stuff like:

if ($month < 1 || $month > 12) { ...handle bad month error; }

where $month = "3'or 1";

Have you considered detecting when this happens, and logging relevant
things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
and $_SERVER['HTTP_USER_AGENT'] ?

This was brought to my attention this morning. I added a dump of the
$_SERVER array to the email. When I have more than a couple to look at,
I'll try to find a thread.

Are you getting blank messages *IN SPITE OF* the check above, or
did you put the check in because you kept getting blank messages?
If you are still getting blanks in spite of the check, that's wierd.

The check has been in since the beginning. That's primarilly what I
don't understand. In the resulting email, a healthy message might read
"first_name: John". In the errant messages, the line reads
"first_name:". Not even a space. (adding values to the database uses

Ok, I thought you were getting *COMPLETELY BLANK* messages. You
seem to be getting field names. And I don't understand not getting
a space since your code had a colon followed by a space after the
key.
trim(), but generating the email uses the raw post values). In the
$key=>$val clause, it would seem that $key is filled with the names of
my input fields but $val is null. Would $_POST have an element for a
given input field if the field were null?

a space since your code had a colon followed by a space after the
key.

Does GoogleBot (or any other bot for that matter) identify itself
within the USER_AGENT string?