Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: website security - blank forms

  1. #1
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default website security - blank forms

    I'm new to programming. I have 2 sites with php forms.
    1. On the first one, I get blank forms emailed to me (and also entered in my mysql database) even though there is validation on most of the fields (no blank fields allowed). What can I do to stop this.
    2. The second site is more disturbing since the code for the form is not even online yet but I still get blank forms. I am just testing it but it's in the directory where all the other files are. How can bots get to it if it isn't online?

    I would rather not use captcha. I have put a robots.txt file on both sites disallowing the *.php files.
    Thanks for any help. I really need it.

  2. #2
    Join Date
    May 2007
    Location
    Boston,ma
    Posts
    2,127
    Thanks
    173
    Thanked 207 Times in 205 Posts

    Default

    If it's in the directory it's online. Can you post your code. I don't know about the robot files but I usually put up a validator that has to be triggered by a person like 1+1 or where are you and if that doesn't equal whatever it should stop processing and end.

  3. #3
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    HTML Code:
    <HTML>
      <HEAD>
        <TITLE>Contribution / Donations Form</TITLE>
      </HEAD>
    
      <BODY bgcolor="#33ffcc" LINK="red" VLINK="red" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" rightmargin="0">
    	
    <SCRIPT>
    function validate() {
    mNv1=donationform.xname.value;
    mNv2=donationform.xemail.value;
    mNv3=donationform.xaddress.value;
    mNv4=donationform.xcity.value;
    mNv5=donationform.xstate.value;
    mNv6=donationform.xzip.value;
    mNv7=donationform.xother.value;
    
    if (mNv1=='') {
    alert('Name is a required field. Please try again.');
    event.returnValue=false;
    }
    if (mNv2=='') {
    alert('Email is a required field. Please try again.');
    event.returnValue=false;
    }
    if (mNv3=='') {
    alert('Address is a required field. Please try again.');
    event.returnValue=false;
    }
    if (mNv4=='') {
    alert('City is a required field. Please try again.');
    event.returnValue=false;
    }
    if (mNv5=='') {
    alert('State is a required field. Please try again.');
    event.returnValue=false;
    }
    if (mNv6=='') {
    alert('Zip is a required field. Please try again.');
    event.returnValue=false;
    }
    if ((donationform.donation[5].checked && mNv7=='' )) {
    alert('Please enter an Other Amount');
    event.returnValue=false;
    }
    if (!(donationform.donation[0].checked || donationform.donation[1].checked || donationform.donation[2].checked || donationform.donation[3].checked || donationform.donation[4].checked || donationform.donation[5].checked )) {
    alert('Donation box is a required field.');
    event.returnValue=false;
    }
    
    }
    </SCRIPT>
    			
    <TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="10">
    			<TR>
            <TD>
    					<FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black">
    					We would be delighted if you would contribute to the Oconee Regional Humane Society. This 
    					will make you a part of our team helping the needy animals in our community. You will also 
    					receive a quarterly newsletter to keep you up to date on our activities and our plans.
    	  			Complete the form and click "Submit".&nbsp;&nbsp;
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="red">
    					  *
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black">
    					  = Required field.
    					</FONT>
            </TD>
    		  </TR>
        </TABLE>
    			
    	  <form NAME="donationform" method="post" action="donation.php" id="Form" onsubmit="validate();">
    		<TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="0">
    			<tr valign="top">
            <td>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
              <b>&nbsp;&nbsp;Yes! I wish to become a contributor to the<br>
    		  		&nbsp;&nbsp;Oconee Regional Humane Society.</b><br><br>
              <i><b>&nbsp;&nbsp;All Donations are tax deductible<br>
    					&nbsp;&nbsp;Your cancelled check is your receipt</b></i><br><br> 
    			  	</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
    					Name:&nbsp;&nbsp;&nbsp;&nbsp;
    					  <input type="text" name="xname" value="" size="50" maxlength="50"><br>
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; *	</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
              Address:
      			    <input type="text" name="xaddress" value="" size="50" maxlength="70"><br>
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
    		  		City:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    				    <input type="text" name="xcity" value="" size="20" maxlength="30"><br>
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; *	</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
    					State:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    					  <input type="text" name="xstate" value="GA" size="2" maxlength="20"><br>
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
    					Zip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    					  <input type="text" name="xzip" value="" size="5" maxlength="10"><br>
              </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
    					Email:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    					  <input type="text" name="xemail" value="" size="40" maxlength="50"><br>
    					</FONT>	
              <FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">
    					&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;We will NEVER share your email address with others<br>
    					</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="#33ffcc">&nbsp; * </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
              Phone:&nbsp;&nbsp;&nbsp;
    					  <input type="text" name="xphone"  value="" size="20" maxlength="20">
    						<br>
    				</td>
    
            <td>
              <FONT FACE="Arial,sans-serif" SIZE="4" COLOR="red">	*	</FONT>
              <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
      				Donation:<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$40 - Vaccinations and Tests"> $40 - Vaccinations and Tests<br>
    					&nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$85 - Spay/Neuter"> $85 - Spay/Neuter<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$100 - 1 Animal's Expenses from Rescue to Placement"> $100 - 1 Animal's Expenses from Rescue to Placement<br>
    		  		&nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$300 - Emergency Medical Expenses"> $300 - Emergency Medical Expenses<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$1000 - Life Saver"> $1000 - Life Saver<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="Any amount helps local animals and is appreciated"> Any amount helps local animals and is appreciated<br>
              &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Other amount:
    					  <input type="text" name="xother"  value="" size="20" maxlength="20"><br><br>
    
      				I am interested in volunteering in the following areas.<br>
    					Check All you are interested in:<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="funds" value="Fund Raising / Special Events,"> Fund Raising / Special Events<br>
    					&nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="education" value="Education,"> Education<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="building" value="Building Committee,"> Building Committee<br>
    		  		&nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="transportation" value="Transportation,"> Transportation<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="adoption" value="Adoption Days,"> Adoption Days<br>
              &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="foster" value="Foster Homes,"> Foster Homes<br><br>
    					
    					&nbsp;&nbsp;&nbsp;&nbsp;<INPUT type="Submit" VALUE="Submit Information">
    				  </FONT>
              <FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">
              &nbsp;&nbsp;You will receive an email with further instructions
    				  </FONT>
    				</td>
    			</tr>
        </table>
        </form>
      </BODY>
    </HTML>
    Last edited by Snookerman; 05-12-2009 at 04:13 PM. Reason: added [html] tags

  4. #4
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    When you post code could you please use the code tags, #, <>, etc at the top of the message frame.

    That code does test out all the fields, something of a pain to have to click on so many alerts. Try to do the validation as one function and return after the first error.

    Is there maybe a problem in your php.

    Post it here, minus any MYSQL login details, please

  5. #5
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    This form isn't connected to a mysql database.
    I don't have any problems with this code as far as I know.
    When I test it, I cannot hit submit if there is a non-validated field. I don't understand how bots can get past this.

    Sorry about the #<> stuff. Like I said I am new to this

  6. #6
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    can you post the code for the php please

  7. #7
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    PHP Code:
    <?PHP
    global $_POST;
    $name $_POST["xname"] ;
    $email $_POST["xemail"];
    $address $_POST["xaddress"];
    $city $_POST["xcity"];
    $state $_POST["xstate"];
    $zip $_POST["xzip"];
    $phone $_POST["xphone"];
    $donation $_POST["donation"];
    $other $_POST["xother"];
    $adoption $_POST["adoption"];
    $foster $_POST["foster"];
    $funds $_POST["funds"];
    $education $_POST["education"];
    $building $_POST["building"];
    $transportation $_POST["transportation"];

    $subject "ORHS Donation";

    $to "martyc@windstream.net";
    $to2 "$email";
    $headers "From: $email\n";

    $message "The following person wants to donate to ORHS.
    Name: 
    $name 
    Address: 
    $address
    City: 
    $city
    State: 
    $state
    Zip: 
    $zip
    Phone: 
    $phone
    Email Address: 
    $email
    Donation: 
    $donation
    Other Amount: 
    $other
    Volunteer: 
    $adoption $foster $funds $education $building $transportation";

    $message2 "Thank you for donating to the ORHS. Please send your check to:
    Oconee Regional Humane Society
    6350 Lake Oconee Parkway
    Suite 102, PMB 178
    Greensboro, GA 30642

    Your cancelled check is your receipt.
    Below is the information we received:

    Name: 
    $name
    Address: 
    $address
    City: 
    $city
    State: 
    $state
    Zip: 
    $zip
    Phone: 
    $phone
    Email Address: 
    $email
    Donation: 
    $donation
    Other Amount: 
    $other
    Volunteer: 
    $adoption $foster $funds $education $building $transportation";

    if (
    preg_match(' /[\r\n,;\'"]/ '$_POST['email'])) {
      exit(
    'Invalid Email Address');
    }
    else {
    mail($to,$subject,$message,$headers);
    mail($to2,$subject,$message2,$headers);
    header("Location: http://www.orhspets.org");
    }

    ?>

  8. #8
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    you can test whether the fields are empty and based on that use an if statement to decide, or not, to send an email.

    eg
    PHP Code:
    $empty=$name.$email.$etc;

    if (
    trim($empty)==""){ 
    I have had some empty emails before and I believe it was that somebody was just calling the PHP file, this stops that.

  9. #9
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    Sorry I really don't understand. This form isn't even reachable by my users yet.

    Also, I didn't understand your code. Sorry again.

  10. #10
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    Sorry if you didn't understand my code.

    Make another variable in your PHP that consists of all the values in your other variables, then using trim(), to get rid of spaces at the beginning and end of the string, you test this to see if there is a value in any of the fields.

    If there is a value then you can use an if statement to send the email, this should ensure that your PHP code will not send an email that has no content.

    The PHP code I wrote is a cut down version, ie did not have all your variables included, you needed to add them. To concatenate strings in PHP you use the '.' character rather than the '+'. You terminate the new string with a ';'.

    So to create the new variable your code would be this.

    $empty=$name.$email.$address.$city.$state.$zip.$phone.$donation.$other.$adoption.$foster.$funds.$education.$building.$transportation;

    This code should be situated in your PHP just before you set $subject.

    You would then put
    PHP Code:
    if (trim($empty)==""){ 
     exit(
    'No valid Email Contents'); 
    } else { 
    in your PHP before the 'if (preg(' near the bottom and another '}' after the '}' at the bottom.

    However, if this code is not yet live, ie on the web, then it is not as a result of this that you are getting blank emails, it is another cause entirely.

    If the code is on the web then it is possible for somebody/a process to look at your html, see the name of your PHP and submit it, that is why I prefer to have a check in my PHP before it can process anything.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •