website security - blank forms

I'm new to programming. I have 2 sites with php forms.
1. On the first one, I get blank forms emailed to me (and also entered in my mysql database) even though there is validation on most of the fields (no blank fields allowed). What can I do to stop this.
2. The second site is more disturbing since the code for the form is not even online yet but I still get blank forms. I am just testing it but it's in the directory where all the other files are. How can bots get to it if it isn't online?

I would rather not use captcha. I have put a robots.txt file on both sites disallowing the *.php files.
Thanks for any help. I really need it.

If it's in the directory it's online. Can you post your code. I don't know about the robot files but I usually put up a validator that has to be triggered by a person like 1+1 or where are you and if that doesn't equal whatever it should stop processing and end.

HTML Code:

<HTML> <HEAD> <TITLE>Contribution / Donations Form</TITLE> </HEAD> <BODY bgcolor="#33ffcc" LINK="red" VLINK="red" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" rightmargin="0"> <SCRIPT> function validate() { mNv1=donationform.xname.value; mNv2=donationform.xemail.value; mNv3=donationform.xaddress.value; mNv4=donationform.xcity.value; mNv5=donationform.xstate.value; mNv6=donationform.xzip.value; mNv7=donationform.xother.value; if (mNv1=='') { alert('Name is a required field. Please try again.'); event.returnValue=false; } if (mNv2=='') { alert('Email is a required field. Please try again.'); event.returnValue=false; } if (mNv3=='') { alert('Address is a required field. Please try again.'); event.returnValue=false; } if (mNv4=='') { alert('City is a required field. Please try again.'); event.returnValue=false; } if (mNv5=='') { alert('State is a required field. Please try again.'); event.returnValue=false; } if (mNv6=='') { alert('Zip is a required field. Please try again.'); event.returnValue=false; } if ((donationform.donation[5].checked && mNv7=='' )) { alert('Please enter an Other Amount'); event.returnValue=false; } if (!(donationform.donation[0].checked || donationform.donation[1].checked || donationform.donation[2].checked || donationform.donation[3].checked || donationform.donation[4].checked || donationform.donation[5].checked )) { alert('Donation box is a required field.'); event.returnValue=false; } } </SCRIPT> <TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="10"> <TR> <TD> <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black"> We would be delighted if you would contribute to the Oconee Regional Humane Society. This will make you a part of our team helping the needy animals in our community. You will also receive a quarterly newsletter to keep you up to date on our activities and our plans. Complete the form and click "Submit".   </FONT> <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="red"> * </FONT> <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black"> = Required field. </FONT> </TD> </TR> </TABLE> <form NAME="donationform" method="post" action="donation.php" id="Form" onsubmit="validate();"> <TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="0"> <tr valign="top"> <td> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> <b>  Yes! I wish to become a contributor to the<br>   Oconee Regional Humane Society.</b><br><br> <i><b>  All Donations are tax deductible<br>   Your cancelled check is your receipt</b></i><br><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> Name:     <input type="text" name="xname" value="" size="50" maxlength="50"><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> Address: <input type="text" name="xaddress" value="" size="50" maxlength="70"><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> City:         <input type="text" name="xcity" value="" size="20" maxlength="30"><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> State:       <input type="text" name="xstate" value="GA" size="2" maxlength="20"><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> Zip:          <input type="text" name="xzip" value="" size="5" maxlength="10"><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> Email:      <input type="text" name="xemail" value="" size="40" maxlength="50"><br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">         We will NEVER share your email address with others<br> </FONT> <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="#33ffcc">  * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> Phone:    <input type="text" name="xphone" value="" size="20" maxlength="20"> <br> </td> <td> <FONT FACE="Arial,sans-serif" SIZE="4" COLOR="red"> * </FONT> <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black"> Donation:<br>     <input type="radio" name="donation" value="$40 - Vaccinations and Tests"> $40 - Vaccinations and Tests<br>     <input type="radio" name="donation" value="$85 - Spay/Neuter"> $85 - Spay/Neuter<br>     <input type="radio" name="donation" value="$100 - 1 Animal's Expenses from Rescue to Placement"> $100 - 1 Animal's Expenses from Rescue to Placement<br>     <input type="radio" name="donation" value="$300 - Emergency Medical Expenses"> $300 - Emergency Medical Expenses<br>     <input type="radio" name="donation" value="$1000 - Life Saver"> $1000 - Life Saver<br>     <input type="radio" name="donation" value="Any amount helps local animals and is appreciated"> Any amount helps local animals and is appreciated<br>                Other amount: <input type="text" name="xother" value="" size="20" maxlength="20"><br><br> I am interested in volunteering in the following areas.<br> Check All you are interested in:<br>     <input type="checkbox" name="funds" value="Fund Raising / Special Events,"> Fund Raising / Special Events<br>     <input type="checkbox" name="education" value="Education,"> Education<br>     <input type="checkbox" name="building" value="Building Committee,"> Building Committee<br>     <input type="checkbox" name="transportation" value="Transportation,"> Transportation<br>     <input type="checkbox" name="adoption" value="Adoption Days,"> Adoption Days<br>     <input type="checkbox" name="foster" value="Foster Homes,"> Foster Homes<br><br>     <INPUT type="Submit" VALUE="Submit Information"> </FONT> <FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">   You will receive an email with further instructions </FONT> </td> </tr> </table> </form> </BODY> </HTML>

When you post code could you please use the code tags, #, <>, etc at the top of the message frame.

That code does test out all the fields, something of a pain to have to click on so many alerts. Try to do the validation as one function and return after the first error.

Is there maybe a problem in your php.

Post it here, minus any MYSQL login details, please

This form isn't connected to a mysql database.
I don't have any problems with this code as far as I know.
When I test it, I cannot hit submit if there is a non-validated field. I don't understand how bots can get past this.

Sorry about the #<> stuff. Like I said I am new to this

can you post the code for the php please

PHP Code:

<?PHP global $_POST; $name = $_POST["xname"] ; $email = $_POST["xemail"]; $address = $_POST["xaddress"]; $city = $_POST["xcity"]; $state = $_POST["xstate"]; $zip = $_POST["xzip"]; $phone = $_POST["xphone"]; $donation = $_POST["donation"]; $other = $_POST["xother"]; $adoption = $_POST["adoption"]; $foster = $_POST["foster"]; $funds = $_POST["funds"]; $education = $_POST["education"]; $building = $_POST["building"]; $transportation = $_POST["transportation"]; $subject = "ORHS Donation"; $to = "martyc@windstream.net"; $to2 = "$email"; $headers = "From: $email\n"; $message = "The following person wants to donate to ORHS. Name: $name Address: $address City: $city State: $state Zip: $zip Phone: $phone Email Address: $email Donation: $donation Other Amount: $other Volunteer: $adoption $foster $funds $education $building $transportation"; $message2 = "Thank you for donating to the ORHS. Please send your check to: Oconee Regional Humane Society 6350 Lake Oconee Parkway Suite 102, PMB 178 Greensboro, GA 30642 Your cancelled check is your receipt. Below is the information we received: Name: $name Address: $address City: $city State: $state Zip: $zip Phone: $phone Email Address: $email Donation: $donation Other Amount: $other Volunteer: $adoption $foster $funds $education $building $transportation"; if (preg_match(' /[\r\n,;\'"]/ ', $_POST['email'])) { exit('Invalid Email Address'); } else { mail($to,$subject,$message,$headers); mail($to2,$subject,$message2,$headers); header("Location: http://www.orhspets.org"); } ?>

you can test whether the fields are empty and based on that use an if statement to decide, or not, to send an email.

eg

PHP Code:

$empty=$name.$email.$etc; if (trim($empty)==""){

I have had some empty emails before and I believe it was that somebody was just calling the PHP file, this stops that.

Sorry I really don't understand. This form isn't even reachable by my users yet.

Also, I didn't understand your code. Sorry again.

Sorry if you didn't understand my code.

Make another variable in your PHP that consists of all the values in your other variables, then using trim(), to get rid of spaces at the beginning and end of the string, you test this to see if there is a value in any of the fields.

If there is a value then you can use an if statement to send the email, this should ensure that your PHP code will not send an email that has no content.

The PHP code I wrote is a cut down version, ie did not have all your variables included, you needed to add them. To concatenate strings in PHP you use the '.' character rather than the '+'. You terminate the new string with a ';'.

So to create the new variable your code would be this.

$empty=$name.$email.$address.$city.$state.$zip.$phone.$donation.$other.$adoption.$foster.$funds.$education.$building.$transportation;

This code should be situated in your PHP just before you set $subject.

You would then put

PHP Code:

if (trim($empty)==""){ exit('No valid Email Contents'); } else {

in your PHP before the 'if (preg(' near the bottom and another '}' after the '}' at the bottom.

However, if this code is not yet live, ie on the web, then it is not as a result of this that you are getting blank emails, it is another cause entirely.

If the code is on the web then it is possible for somebody/a process to look at your html, see the name of your PHP and submit it, that is why I prefer to have a check in my PHP before it can process anything.

I was also getting an increasingly annoying number of blank form entries even though I had js validation on my forms. Then I discovered that most PDAs, BlackBerries, etc did not have javascript ... so much for my validation, but I do think it was from bots. Bots who got smarter. When the blanks were supplanted by really long drug spams I finally added a simple CAPTCHA I wrote myself and that was the end of it. Not one since.

I hate those illegible CAPTCHAs too, but mine is really easy to read so it was rather painless and sure saves me time by not having to clean junk out of the database. :)

Thanks for the help. I'm not getting any blank emails from users. Maybe it is blackberries/etc.

Is there a way around this without using captcha

There is a system called MathGuard that does something similar to Captcha but is a lot simpler, unless you can't add 2 numbers together.

Have a search for it and see what you think

I haven't seen MathGuard yet, which sounds interesting, but you can see the simple method I devised here...

http://www.sargentsfineart.com/php/contact.php

Some forum members objected to the use of color, but I haven't had one complaint or one spam or blank since. Whatever works... :)

Thanks for all your help. I'll take a look