Hi everyone.

I read somewhere that Google crawler triggers the contact form to send blank emails.

I believe a validation of the fields will stop this from happening, but I couldn't solve this problem to save my life; my PHP skills are very poor.

Here is the code, I hope someone can help, any help is appreciated.

<?php
ob_start();
session_start();
include('class.phpmailer.php');
include('admin/includes/config.php');
	$name=isset($_POST['name']) ? addslashes($_POST['name']) : '';
	$email=isset($_POST['email']) ? addslashes($_POST['email']) : '';
	$phone=isset($_POST['phone']) ? addslashes($_POST['phone']) : '';
	$comment=isset($_POST['comment']) ? addslashes($_POST['comment']) : '';

	$row=mysql_fetch_array(mysql_query("SELECT * FROM `fds_tbladmin` WHERE `id`='1'"));


$admin_email=$row['email'];

	$Subject1 ="Someone Has Contacted You";

	$TemplateMessage="<br/><br />Hi Admin"; // plain assignment: the variable is not defined before this line

	$TemplateMessage.="";

	$TemplateMessage.="<br><br>";
	$TemplateMessage.=" Name :".$name;


	$TemplateMessage.="<br><br>";
	$TemplateMessage.="Email :".$email;

	$TemplateMessage.="<br><br>";
	$TemplateMessage.="Phone :".$phone;


	$TemplateMessage.="<br><br>";
	$TemplateMessage.="Comment :".$comment;

	$TemplateMessage.="<br><br><br/>Thanks & Regards<br/>";

	$TemplateMessage.="Flash Driving School";

	$TemplateMessage.="<br><br><br>This is a post-only mailing.  Replies to this message are not monitored
	or answered.";

	$mail1 = new PHPMailer;

	$mail1->FromName = "flashdrivingschool.com";

	$mail1->From    = "info@flashdrivingschool.com";

	$mail1->Subject = $Subject1;

	$mail1->Body    = stripslashes($TemplateMessage);

	$mail1->AltBody = stripslashes($TemplateMessage);

	$mail1->IsHTML(true);

	$mail1->AddAddress($admin_email,"flashdrivingschool.com");//info@salaryleak.com

	$mail1->Send();


 header('location:thankyou.php');
 exit();


?>

    At this point:

        $name=isset($_POST['name']) ? addslashes($_POST['name']) : ''; 
        $email=isset($_POST['email']) ? addslashes($_POST['email']) : ''; 
        $phone=isset($_POST['phone']) ? addslashes($_POST['phone']) : ''; 
        $comment=isset($_POST['comment']) ? addslashes($_POST['comment']) : ''; 

    You're setting values to an empty string if the field was blank when the form was POSTed.

    It would be fairly trivial to evaluate these like this in the next line(s):

    if (!strlen($name) || !strlen($email) || !strlen($phone) || !strlen($comment))
    {
        die("Fill out the form, stupid!"); // you'll note I'm a programmer, not in marketing ;-)
    }

    Of course, the real issue ... why is Google POSTing a form? I kind of doubt it's them. It's typically bots that are either TRYING to spam, or are actually doing it by means of inadequate security precautions. Without a deeper review I couldn't say.

    You might look into how the bots are even finding the form. If it's via a link, the link should probably have a REL attribute set to "nofollow" ... Google, at least, will honor that one.

      13 days later

      I would imagine that the form handler doesn't check for a POST operation before trying to send off an email. You might want to check whether the method=POST first. I think this is how you do it. You'll need to experiment:

      if ($_SERVER['REQUEST_METHOD'] === 'POST') {
          // check the POST data and if it looks good send the email
      } else {
        die("This script expects a POST operation");
      }
      

      And, if you want to keep the bots out of a script, consider using the robots exclusion standard. I.e., create a robots.txt file on your site and put a disallow directive for the email script.

        21 days later

        This kind of problem has also been faced by me, and I did something instantly in the code. I don't even know what I did, but my problem got solved. Did you get your solution?

          The OP in this thread hasn't been active since a few minutes after the thread was started. He posted this on multiple help forums and got a solution elsewhere and didn't bother to reply/mark this thread as being solved.

          The solution that was given in this thread and in the other help forum was to -

          1) Check if a post method form was submitted before using any post data. Search engines do not make post requests and whatever he read was just 'internet knowledge' that isn't correct.

          2) Correctly validate that 'required' form fields contain expected data before using that data. The 'validation' logic the OP has in his code isn't doing anything useful. All it is doing is testing if the form fields are set. They will be set if his post method form was submitted. If the code was requested via a get request or via a post request without all those form fields being present, the form fields won't be set either and the code will merrily run and use the empty values that were put into the variables by the 'validation' code.
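
The two points in the last reply (check for a POST request, then validate that required fields contain expected data) combined into one function. This is an added example, not code from any poster in the thread; the function name `validate_contact_form`, the phone pattern and the sample requests are assumptions. In the handler it would be called as `validate_contact_form($_SERVER['REQUEST_METHOD'], $_POST)` before any mail is built.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Returns [array $clean, array $errors]; send mail only when $errors is empty.
function validate_contact_form(string $method, array $post): array
{
    $errors = [];
    $clean  = [];

    // 1) Refuse anything that is not a form submission (e.g. a GET from a crawler).
    if ($method !== 'POST') {
        return [$clean, ['method' => 'This script expects a POST operation']];
    }

    // 2) Every required field must be present, a string, and non-blank after trimming.
    foreach (['name', 'email', 'phone', 'comment'] as $field) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = "$field is required";
        }
        $clean[$field] = $value;
    }

    // 3) Fields must contain the expected kind of data, not just any text.
    if (!isset($errors['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not a valid address';
    }
    // Assumed phone rule: 7 to 20 characters made of digits, spaces, +, -, ( or ).
    if (!isset($errors['phone']) && !preg_match('/^[0-9 +()\-]{7,20}$/', $clean['phone'])) {
        $errors['phone'] = 'phone is not a valid number';
    }

    // The message body is sent as HTML, so escape values before concatenating them.
    foreach ($clean as $field => $value) {
        $clean[$field] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return [$clean, $errors];
}

// Constructed sample requests: a crawler-style GET, a blank POST, and a filled-in POST.
$samples = [
    ['GET',  []],
    ['POST', ['name' => ' ', 'email' => '', 'phone' => '', 'comment' => '']],
    ['POST', ['name' => 'Ann <b>', 'email' => 'ann@example.com', 'phone' => '+1 555-0100', 'comment' => 'Hi']],
];
foreach ($samples as [$method, $post]) {
    [$clean, $errors] = validate_contact_form($method, $post);
    echo $method, ': ', $errors ? 'rejected (' . implode(', ', array_keys($errors)) . ')' : 'would send mail', "\n";
}
```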
