[RESOLVED] PHP form validation - sometimes sends 1000 of empty emails

Tali

Hi,

I have a contact form - It works, but sometimes could send 1000 of empty emails.
I made some research and changed the code.
The problem is - if i leave empty "name" or "email" it doesnt show error message, its just show "error!" , in all the cases.
Here is a contact page :

<?php 
include 'bus_var.php';
session_start();
$_SESSION["recipient"]= "tali@xxx.ca";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

    <div align="center">
    <form action="mail_validation.php" method="post">
			 <input type="hidden" name="ac" value="login" />
            <input type="hidden" name="company" value="BioPed Footcare Centres" />

    <div class="contact_row">
      <div class="contact_col1">Name<span class="red_text">*</span>:</div>
				<div class="contact_col2"><input class="formfield" name="realname" value="<?php echo $_POST["realname"]; ?>" type="text" size="35" maxlength="50" />
<?php if(isset($errName2)) echo $errName1; ?></div>
					<br class="clear" />
        </div>
        <div class="contact_row">
          <div class="contact_col1">Email<span class="red_text">*</span>:</div>
					<div class="contact_col2"><input class="formfield" name="email" value="<?php echo $_POST["email"]; ?>" type="text" size="35" maxlength="50" />
<?php if(isset($errEmail)) echo $errEmail; ?></div>
					<br class="clear" />
        </div>
        <div class="contact_row">
          <div class="contact_col1">Phone no.:<br /></div>
					<div class="contact_col2"><input class="formfield" name="phone" type="text" size="35" maxlength="50" /></div>
					<br class="clear" />
        </div>
        <div class="contact_row">
          <div class="contact_col1">Message:<br /></div>
					<div class="contact_col2"><textarea class="formfield" name="text" cols="38" rows="5"><?php echo $_POST["text"]; ?></textarea><br /><?php  if(isset($errMessage)) echo $errMessage; ?></div>
					<br class="clear" />
        </div>
        <div class="contact_row" align="right">
          <input class="formfield" type="submit" name="submit" value="Send message" />	
        </div>
				</form>
				</div>

Here is the form.php:

  <?php
	   session_start();

$errName1 = "";
$errEmail = "";
$errMessage = "";

if(isset($_POST['submit'])) {
if($_POST["ac"]=="login"){
$FORMOK = TRUE; 
if(preg_match("/^[a-zA-Z -]+$/", $_POST["realname"]) === 0) {
$errName1 = '<div>Please enter you name.</div>';
$FORMOK = FALSE;
}

if(preg_match("/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0) {
$errEmail = '<div>Please enter a valid email.</div>';
$FORMOK = FALSE;
}

if(preg_match("/^[a-zA-Z -]+$/", $_POST["text"]) === 0) {
$errMessage = '<div>Please enter a message.</div>';
$FORMOK = FALSE;
}

if($FORMOK) {

  if(isset($_POST["email"]))
file_put_contents("emails.txt" , htmlspecialchars($_POST["email"]) . "\n\r" , FILE_APPEND  ); 
if(empty($_SESSION["recipient"]))
die("recipient is empty"); 

$emailadd = $_SESSION["recipient"]; 

$subject = 'Form Submission from Business Exchange';       

$emailcompany = $_POST['company'];   

$realname = $_POST['realname'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$text = $_POST['text'];

// --------------------------Do not edit below this line--------------------------
$text = "Results from form $emailcompany:\n\n   

Name: $realname
Email: $email
Message: $text";

$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'To:<$emailadd> '. "\r\n";
$headers .= 'From <$email> '. "\r\n";
mail($emailadd, $subject, $text,$headers);
again, make sure to delete the brackets too.

//mail($emailadd, $subject, $text, 'From: '.$emailadd.'');
//mail($emailother, $subject, $text, 'From: '.$emailother.'');
echo "<font color='red'>You message was sent successfully</font>";
}else{
echo "Error!";
}
}
} 

?>

Will appreciate your help

Thank you in advance

Tali

Now I dont receive an email as well - i am the recipient

djjjozsi

but $_SESSION["recipient"] is always empty isn't it ?

mail($emailadd, $subject, $text,$headers);
again, make sure to delete the brackets too.

did you delete the brackets too message ?

And in these days you should apply a (re)captca, which is more important then checking if its an email address or not.

session_start() don't really like a previously outputted content
and empty character or a BOM is there--->

  <?php

Tali

I changed mail.php code to this:

$text = "Results from form $emailcompany:\n\n";   

$space = '  ';
$line = '
';


foreach ($_POST as $key => $value)
{

$j = strlen($key);
	if ($j >= 20)
	{echo "Name of form element $key cannot be longer than 20 characters";die;}
$j = 20 - $j;
	for ($i = 1; $i <= $j; $i++)
	{$space .= ' ';}
$value = str_replace('\n', "$line", $value);
$conc = "{$key}:$space{$value}$line";
$text .= $conc;
$space = '  ';
}
mail($emailadd, $subject, $text, 'From: '.$emailadd.'');
//mail($emailother, $subject, $text, 'From: '.$emailother.'');

echo "<font color='red'>You message was sent successfully</font>";
}else{
echo "Error!";
}
}
}

I get email now, but still dont receive error messages - in all cases just Error!

Thanks

djjjozsi

inside your foreach.

if( empty($value))
print "Make some error message";

And what if i send an array from multiple select to your processor prgram, and other input fields? You accept evry keys? I think its not the right direction now.

off:
today i've seen a mailer attack, where the processor was a foreach($_POST $key=>$value) type code. Its about 5 minutes to set up a captcha.

Tali

yes, probably that what we have - a mailer attack.
I tried headers option - but then it doesnt sent me an email.
Tried to add those 2 lines - dont received any error message.
So, what could be a solution?

Thanks

Tali

I changed the loop - it doent have for now. But i have problems with validations - it shows "Error" in any case now:

 <?php
	   session_start();

if(isset($_POST['submit'])) {

$error = "";

 if(trim($_POST[realname])==''|| strlen(trim($_POST[realname])) < 4 ||strlen(trim($_POST[realname])) >15){
      $error.="Please enter your name between 4 and 15 characters!<br />"; 
  }
  if(trim($_POST[text])=='' || strlen(trim($_POST[text]))< 6){
      $error.="Your password must be at least 6 characters in length!<br />"; 
  }
  if(trim($_POST[email])==''){
    $error.="An email address is required!<br />";
  }
      else {
        if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_POST[email])) {
        $error="The e-mail you entered was not in the proper format!";

    }
}


if($error=='') {

  if(isset($_POST["email"]))
file_put_contents("emails.txt" , htmlspecialchars($_POST["email"]) . "\n\r" , FILE_APPEND  ); 
if(empty($_SESSION["recipient"]))
die("recipient is empty"); 

$emailadd = $_SESSION["recipient"]; 

$subject = 'Form Submission from Business Exchange';        // Subject of email sent to you.
$emailcompany = $_POST['company'];    //Company name it's coming from
$realname = $_POST['realname'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$text = $_POST['text'];


$title = "Results from form $emailcompany:\n\n";   

$body= "$title\n From:$realname\n Email:$email\n Phone: $phone\n Message: $text";

echo  "Data has been submitted successfully";
mail($emailadd, $subject, $body, 'From: '.$emailadd.'');

} else {

echo "Error!";
}

}

?>

Any ideas?
Thanks

halojoy

Find out what error is.

Change

echo "Error!";

echo $error;

Tali

Thanks for your rely, i already realized that this part was wrong
Thanks again

Regards
Tali

djjjozsi

Your welcome.

Don't forget to set this thread as resolved.