website security - blank forms [Archive]

View Full Version : website security - blank forms

mcolton

05-12-2009, 11:56 AM

I'm new to programming. I have 2 sites with php forms.
1. On the first one, I get blank forms emailed to me (and also entered in my mysql database) even though there is validation on most of the fields (no blank fields allowed). What can I do to stop this.
2. The second site is more disturbing since the code for the form is not even online yet but I still get blank forms. I am just testing it but it's in the directory where all the other files are. How can bots get to it if it isn't online?

I would rather not use captcha. I have put a robots.txt file on both sites disallowing the *.php files.
Thanks for any help. I really need it.

bluewalrus

05-12-2009, 01:06 PM

If it's in the directory it's online. Can you post your code. I don't know about the robot files but I usually put up a validator that has to be triggered by a person like 1+1 or where are you and if that doesn't equal whatever it should stop processing and end.

mcolton

05-12-2009, 01:17 PM

<HTML>
<HEAD>
<TITLE>Contribution / Donations Form</TITLE>
</HEAD>

<BODY bgcolor="#33ffcc" LINK="red" VLINK="red" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" rightmargin="0">

<SCRIPT>
function validate() {
mNv1=donationform.xname.value;
mNv2=donationform.xemail.value;
mNv3=donationform.xaddress.value;
mNv4=donationform.xcity.value;
mNv5=donationform.xstate.value;
mNv6=donationform.xzip.value;
mNv7=donationform.xother.value;

if (mNv1=='') {
alert('Name is a required field. Please try again.');
event.returnValue=false;
}
if (mNv2=='') {
alert('Email is a required field. Please try again.');
event.returnValue=false;
}
if (mNv3=='') {
alert('Address is a required field. Please try again.');
event.returnValue=false;
}
if (mNv4=='') {
alert('City is a required field. Please try again.');
event.returnValue=false;
}
if (mNv5=='') {
alert('State is a required field. Please try again.');
event.returnValue=false;
}
if (mNv6=='') {
alert('Zip is a required field. Please try again.');
event.returnValue=false;
}
if ((donationform.donation[5].checked && mNv7=='' )) {
alert('Please enter an Other Amount');
event.returnValue=false;
}
if (!(donationform.donation[0].checked || donationform.donation[1].checked || donationform.donation[2].checked || donationform.donation[3].checked || donationform.donation[4].checked || donationform.donation[5].checked )) {
alert('Donation box is a required field.');
event.returnValue=false;
}

}
</SCRIPT>

<TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="10">
<TR>
<TD>
<FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black">
We would be delighted if you would contribute to the Oconee Regional Humane Society. This
will make you a part of our team helping the needy animals in our community. You will also
receive a quarterly newsletter to keep you up to date on our activities and our plans.
Complete the form and click "Submit".  
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="2" COLOR="red">
*
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black">
= Required field.
</FONT>
</TD>
</TR>
</TABLE>

<form NAME="donationform" method="post" action="donation.php" id="Form" onsubmit="validate();">
<TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="0">
<tr valign="top">
<td>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
<b>  Yes! I wish to become a contributor to the<br>
  Oconee Regional Humane Society.</b><br><br>
<i><b>  All Donations are tax deductible<br>
  Your cancelled check is your receipt</b></i><br><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
Name:    
<input type="text" name="xname" value="" size="50" maxlength="50"><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
Address:
<input type="text" name="xaddress" value="" size="50" maxlength="70"><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
City:        
<input type="text" name="xcity" value="" size="20" maxlength="30"><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
State:      
<input type="text" name="xstate" value="GA" size="2" maxlength="20"><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
Zip:         
<input type="text" name="xzip" value="" size="5" maxlength="10"><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
Email:     
<input type="text" name="xemail" value="" size="40" maxlength="50"><br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">
        We will NEVER share your email address with others<br>
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="5" COLOR="#33ffcc">  * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
Phone:   
<input type="text" name="xphone" value="" size="20" maxlength="20">
<br>
</td>

<td>
<FONT FACE="Arial,sans-serif" SIZE="4" COLOR="red"> * </FONT>
<FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
Donation:<br>
    <input type="radio" name="donation" value="$40 - Vaccinations and Tests"> $40 - Vaccinations and Tests<br>
    <input type="radio" name="donation" value="$85 - Spay/Neuter"> $85 - Spay/Neuter<br>
    <input type="radio" name="donation" value="$100 - 1 Animal's Expenses from Rescue to Placement"> $100 - 1 Animal's Expenses from Rescue to Placement<br>
    <input type="radio" name="donation" value="$300 - Emergency Medical Expenses"> $300 - Emergency Medical Expenses<br>
    <input type="radio" name="donation" value="$1000 - Life Saver"> $1000 - Life Saver<br>
    <input type="radio" name="donation" value="Any amount helps local animals and is appreciated"> Any amount helps local animals and is appreciated<br>
               Other amount:
<input type="text" name="xother" value="" size="20" maxlength="20"><br><br>

I am interested in volunteering in the following areas.<br>
Check All you are interested in:<br>
    <input type="checkbox" name="funds" value="Fund Raising / Special Events,"> Fund Raising / Special Events<br>
    <input type="checkbox" name="education" value="Education,"> Education<br>
    <input type="checkbox" name="building" value="Building Committee,"> Building Committee<br>
    <input type="checkbox" name="transportation" value="Transportation,"> Transportation<br>
    <input type="checkbox" name="adoption" value="Adoption Days,"> Adoption Days<br>
    <input type="checkbox" name="foster" value="Foster Homes,"> Foster Homes<br><br>

    <INPUT type="Submit" VALUE="Submit Information">
</FONT>
<FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">
  You will receive an email with further instructions
</FONT>
</td>
</tr>
</table>
</form>
</BODY>
</HTML>

forum_amnesiac

05-12-2009, 01:36 PM

When you post code could you please use the code tags, #, <>, etc at the top of the message frame.

That code does test out all the fields, something of a pain to have to click on so many alerts. Try to do the validation as one function and return after the first error.

Is there maybe a problem in your php.

Post it here, minus any MYSQL login details, please

mcolton

05-12-2009, 02:44 PM

This form isn't connected to a mysql database.
I don't have any problems with this code as far as I know.
When I test it, I cannot hit submit if there is a non-validated field. I don't understand how bots can get past this.

Sorry about the #<> stuff. Like I said I am new to this

forum_amnesiac

05-12-2009, 02:51 PM

can you post the code for the php please

mcolton

05-12-2009, 04:09 PM

<?PHP
global $_POST;
$name = $_POST["xname"] ;
$email = $_POST["xemail"];
$address = $_POST["xaddress"];
$city = $_POST["xcity"];
$state = $_POST["xstate"];
$zip = $_POST["xzip"];
$phone = $_POST["xphone"];
$donation = $_POST["donation"];
$other = $_POST["xother"];
$adoption = $_POST["adoption"];
$foster = $_POST["foster"];
$funds = $_POST["funds"];
$education = $_POST["education"];
$building = $_POST["building"];
$transportation = $_POST["transportation"];

$subject = "ORHS Donation";

$to = "martyc@windstream.net";
$to2 = "$email";
$headers = "From: $email\n";

$message = "The following person wants to donate to ORHS.
Name: $name
Address: $address
City: $city
State: $state
Zip: $zip
Phone: $phone
Email Address: $email
Donation: $donation
Other Amount: $other
Volunteer: $adoption $foster $funds $education $building $transportation";

$message2 = "Thank you for donating to the ORHS. Please send your check to:
Oconee Regional Humane Society
6350 Lake Oconee Parkway
Suite 102, PMB 178
Greensboro, GA 30642

Your cancelled check is your receipt.
Below is the information we received:

Name: $name
Address: $address
City: $city
State: $state
Zip: $zip
Phone: $phone
Email Address: $email
Donation: $donation
Other Amount: $other
Volunteer: $adoption $foster $funds $education $building $transportation";

if (preg_match(' /[\r\n,;\'"]/ ', $_POST['email'])) {
exit('Invalid Email Address');
}
else {
mail($to,$subject,$message,$headers);
mail($to2,$subject,$message2,$headers);
header("Location: http://www.orhspets.org");
}

?>

forum_amnesiac

05-12-2009, 05:07 PM

you can test whether the fields are empty and based on that use an if statement to decide, or not, to send an email.

eg
$empty=$name.$email.$etc;

if (trim($empty)==""){

I have had some empty emails before and I believe it was that somebody was just calling the PHP file, this stops that.

mcolton

05-12-2009, 05:56 PM

Sorry I really don't understand. This form isn't even reachable by my users yet.

Also, I didn't understand your code. Sorry again.

forum_amnesiac

05-13-2009, 08:36 AM

Sorry if you didn't understand my code.

Make another variable in your PHP that consists of all the values in your other variables, then using trim(), to get rid of spaces at the beginning and end of the string, you test this to see if there is a value in any of the fields.

If there is a value then you can use an if statement to send the email, this should ensure that your PHP code will not send an email that has no content.

The PHP code I wrote is a cut down version, ie did not have all your variables included, you needed to add them. To concatenate strings in PHP you use the '.' character rather than the '+'. You terminate the new string with a ';'.

So to create the new variable your code would be this.

$empty=$name.$email.$address.$city.$state.$zip.$phone.$donation.$other.$adoption.$foster.$funds.$education.$building.$transportation;

This code should be situated in your PHP just before you set $subject.

You would then put
if (trim($empty)==""){
exit('No valid Email Contents');
} else { in your PHP before the 'if (preg(' near the bottom and another '}' after the '}' at the bottom.

However, if this code is not yet live, ie on the web, then it is not as a result of this that you are getting blank emails, it is another cause entirely.

If the code is on the web then it is possible for somebody/a process to look at your html, see the name of your PHP and submit it, that is why I prefer to have a check in my PHP before it can process anything.

kuau

05-13-2009, 11:11 PM

I was also getting an increasingly annoying number of blank form entries even though I had js validation on my forms. Then I discovered that most PDAs, BlackBerries, etc did not have javascript ... so much for my validation, but I do think it was from bots. Bots who got smarter. When the blanks were supplanted by really long drug spams I finally added a simple CAPTCHA I wrote myself and that was the end of it. Not one since.

I hate those illegible CAPTCHAs too, but mine is really easy to read so it was rather painless and sure saves me time by not having to clean junk out of the database. :)

mcolton

05-14-2009, 11:25 AM

Thanks for the help. I'm not getting any blank emails from users. Maybe it is blackberries/etc.

Is there a way around this without using captcha

forum_amnesiac

05-14-2009, 01:44 PM

There is a system called MathGuard that does something similar to Captcha but is a lot simpler, unless you can't add 2 numbers together.

Have a search for it and see what you think

kuau

05-14-2009, 04:02 PM

I haven't seen MathGuard yet, which sounds interesting, but you can see the simple method I devised here...

http://www.sargentsfineart.com/php/contact.php

Some forum members objected to the use of color, but I haven't had one complaint or one spam or blank since. Whatever works... :)

mcolton

05-14-2009, 06:49 PM

Thanks for all your help. I'll take a look