website security - blank forms

[mcolton]

I'm new to programming. I have 2 sites with php forms.
1. On the first one, I get blank forms emailed to me (and also entered in my mysql database) even though there is validation on most of the fields (no blank fields allowed). What can I do to stop this.
2. The second site is more disturbing since the code for the form is not even online yet but I still get blank forms. I am just testing it but it's in the directory where all the other files are. How can bots get to it if it isn't online?

I would rather not use captcha. I have put a robots.txt file on both sites disallowing the *.php files.
Thanks for any help. I really need it.

[bluewalrus]

If it's in the directory it's online. Can you post your code. I don't know about the robot files but I usually put up a validator that has to be triggered by a person like 1+1 or where are you and if that doesn't equal whatever it should stop processing and end.

[mcolton]

HTML Code:

<HTML>
  <HEAD>
    <TITLE>Contribution / Donations Form</TITLE>
  </HEAD>

  <BODY bgcolor="#33ffcc" LINK="red" VLINK="red" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" rightmargin="0">
	
<SCRIPT>
function validate() {
mNv1=donationform.xname.value;
mNv2=donationform.xemail.value;
mNv3=donationform.xaddress.value;
mNv4=donationform.xcity.value;
mNv5=donationform.xstate.value;
mNv6=donationform.xzip.value;
mNv7=donationform.xother.value;

if (mNv1=='') {
alert('Name is a required field. Please try again.');
event.returnValue=false;
}
if (mNv2=='') {
alert('Email is a required field. Please try again.');
event.returnValue=false;
}
if (mNv3=='') {
alert('Address is a required field. Please try again.');
event.returnValue=false;
}
if (mNv4=='') {
alert('City is a required field. Please try again.');
event.returnValue=false;
}
if (mNv5=='') {
alert('State is a required field. Please try again.');
event.returnValue=false;
}
if (mNv6=='') {
alert('Zip is a required field. Please try again.');
event.returnValue=false;
}
if ((donationform.donation[5].checked && mNv7=='' )) {
alert('Please enter an Other Amount');
event.returnValue=false;
}
if (!(donationform.donation[0].checked || donationform.donation[1].checked || donationform.donation[2].checked || donationform.donation[3].checked || donationform.donation[4].checked || donationform.donation[5].checked )) {
alert('Donation box is a required field.');
event.returnValue=false;
}

}
</SCRIPT>
			
<TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="10">
			<TR>
        <TD>
					<FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black">
					We would be delighted if you would contribute to the Oconee Regional Humane Society. This 
					will make you a part of our team helping the needy animals in our community. You will also 
					receive a quarterly newsletter to keep you up to date on our activities and our plans.
	  			Complete the form and click "Submit".&nbsp;&nbsp;
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="red">
					  *
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="2" COLOR="black">
					  = Required field.
					</FONT>
        </TD>
		  </TR>
    </TABLE>
			
	  <form NAME="donationform" method="post" action="donation.php" id="Form" onsubmit="validate();">
		<TABLE width="100%" BORDER="0" CELLSPACING="0" CELLPADDING="0">
			<tr valign="top">
        <td>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
          <b>&nbsp;&nbsp;Yes! I wish to become a contributor to the<br>
		  		&nbsp;&nbsp;Oconee Regional Humane Society.</b><br><br>
          <i><b>&nbsp;&nbsp;All Donations are tax deductible<br>
					&nbsp;&nbsp;Your cancelled check is your receipt</b></i><br><br> 
			  	</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
					Name:&nbsp;&nbsp;&nbsp;&nbsp;
					  <input type="text" name="xname" value="" size="50" maxlength="50"><br>
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; *	</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
          Address:
  			    <input type="text" name="xaddress" value="" size="50" maxlength="70"><br>
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
		  		City:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
				    <input type="text" name="xcity" value="" size="20" maxlength="30"><br>
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; *	</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
					State:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
					  <input type="text" name="xstate" value="GA" size="2" maxlength="20"><br>
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
					Zip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
					  <input type="text" name="xzip" value="" size="5" maxlength="10"><br>
          </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="red">&nbsp; * </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
					Email:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
					  <input type="text" name="xemail" value="" size="40" maxlength="50"><br>
					</FONT>	
          <FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">
					&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;We will NEVER share your email address with others<br>
					</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="5" COLOR="#33ffcc">&nbsp; * </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
          Phone:&nbsp;&nbsp;&nbsp;
					  <input type="text" name="xphone"  value="" size="20" maxlength="20">
						<br>
				</td>

        <td>
          <FONT FACE="Arial,sans-serif" SIZE="4" COLOR="red">	*	</FONT>
          <FONT FACE="Arial,sans-serif" SIZE="3" COLOR="black">
  				Donation:<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$40 - Vaccinations and Tests"> $40 - Vaccinations and Tests<br>
					&nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$85 - Spay/Neuter"> $85 - Spay/Neuter<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$100 - 1 Animal's Expenses from Rescue to Placement"> $100 - 1 Animal's Expenses from Rescue to Placement<br>
		  		&nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$300 - Emergency Medical Expenses"> $300 - Emergency Medical Expenses<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="$1000 - Life Saver"> $1000 - Life Saver<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="donation" value="Any amount helps local animals and is appreciated"> Any amount helps local animals and is appreciated<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Other amount:
					  <input type="text" name="xother"  value="" size="20" maxlength="20"><br><br>

  				I am interested in volunteering in the following areas.<br>
					Check All you are interested in:<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="funds" value="Fund Raising / Special Events,"> Fund Raising / Special Events<br>
					&nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="education" value="Education,"> Education<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="building" value="Building Committee,"> Building Committee<br>
		  		&nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="transportation" value="Transportation,"> Transportation<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="adoption" value="Adoption Days,"> Adoption Days<br>
          &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" name="foster" value="Foster Homes,"> Foster Homes<br><br>
					
					&nbsp;&nbsp;&nbsp;&nbsp;<INPUT type="Submit" VALUE="Submit Information">
				  </FONT>
          <FONT FACE="Arial,sans-serif" SIZE="1" COLOR="black">
          &nbsp;&nbsp;You will receive an email with further instructions
				  </FONT>
				</td>
			</tr>
    </table>
    </form>
  </BODY>
</HTML>

[forum_amnesiac]

When you post code could you please use the code tags, #, <>, etc at the top of the message frame.

That code does test out all the fields, something of a pain to have to click on so many alerts. Try to do the validation as one function and return after the first error.

Is there maybe a problem in your php.

Post it here, minus any MYSQL login details, please

[mcolton]

This form isn't connected to a mysql database.
I don't have any problems with this code as far as I know.
When I test it, I cannot hit submit if there is a non-validated field. I don't understand how bots can get past this.

Sorry about the #<> stuff. Like I said I am new to this

[forum_amnesiac]

can you post the code for the php please

[mcolton]

PHP Code:

<?PHP
global $_POST;
$name = $_POST["xname"] ;
$email = $_POST["xemail"];
$address = $_POST["xaddress"];
$city = $_POST["xcity"];
$state = $_POST["xstate"];
$zip = $_POST["xzip"];
$phone = $_POST["xphone"];
$donation = $_POST["donation"];
$other = $_POST["xother"];
$adoption = $_POST["adoption"];
$foster = $_POST["foster"];
$funds = $_POST["funds"];
$education = $_POST["education"];
$building = $_POST["building"];
$transportation = $_POST["transportation"];

$subject = "ORHS Donation";

$to = "martyc@windstream.net";
$to2 = "$email";
$headers = "From: $email\n";

$message = "The following person wants to donate to ORHS.
Name: $name 
Address: $address
City: $city
State: $state
Zip: $zip
Phone: $phone
Email Address: $email
Donation: $donation
Other Amount: $other
Volunteer: $adoption $foster $funds $education $building $transportation";

$message2 = "Thank you for donating to the ORHS. Please send your check to:
Oconee Regional Humane Society
6350 Lake Oconee Parkway
Suite 102, PMB 178
Greensboro, GA 30642

Your cancelled check is your receipt.
Below is the information we received:

Name: $name
Address: $address
City: $city
State: $state
Zip: $zip
Phone: $phone
Email Address: $email
Donation: $donation
Other Amount: $other
Volunteer: $adoption $foster $funds $education $building $transportation";

if (preg_match(' /[\r\n,;\'"]/ ', $_POST['email'])) {
  exit('Invalid Email Address');
}
else {
mail($to,$subject,$message,$headers);
mail($to2,$subject,$message2,$headers);
header("Location: http://www.orhspets.org");
}

?>

[forum_amnesiac]

you can test whether the fields are empty and based on that use an if statement to decide, or not, to send an email.

eg

PHP Code:

$empty=$name.$email.$etc;

if (trim($empty)==""){ 


I have had some empty emails before and I believe it was that somebody was just calling the PHP file, this stops that.

[mcolton]

Sorry I really don't understand. This form isn't even reachable by my users yet.

Also, I didn't understand your code. Sorry again.

[forum_amnesiac]

Sorry if you didn't understand my code.

Make another variable in your PHP that consists of all the values in your other variables, then using trim(), to get rid of spaces at the beginning and end of the string, you test this to see if there is a value in any of the fields.

If there is a value then you can use an if statement to send the email, this should ensure that your PHP code will not send an email that has no content.

The PHP code I wrote is a cut down version, ie did not have all your variables included, you needed to add them. To concatenate strings in PHP you use the '.' character rather than the '+'. You terminate the new string with a ';'.

So to create the new variable your code would be this.

$empty=$name.$email.$address.$city.$state.$zip.$phone.$donation.$other.$adoption.$foster.$funds.$education.$building.$transportation;

This code should be situated in your PHP just before you set $subject.

You would then put

PHP Code:

if (trim($empty)==""){ 
 exit('No valid Email Contents'); 
} else { 


in your PHP before the 'if (preg(' near the bottom and another '}' after the '}' at the bottom.

However, if this code is not yet live, ie on the web, then it is not as a result of this that you are getting blank emails, it is another cause entirely.

If the code is on the web then it is possible for somebody/a process to look at your html, see the name of your PHP and submit it, that is why I prefer to have a check in my PHP before it can process anything.