Email Form Validation

[mRko81]

I have a form and the client insited on not using lables for the form elements, instead wants to use onBlur/onFocus to show what each form element is for. I believe that this is tampering with the validation of the form elements because it is 1. not able to check if a field has been filled in or not beacuse if is not then it is filled with the input lable and two it does not seem to be validating the email string for correct email syntax. your help is much appreciated.

FORM

<?php include 'fcf_config.php'; ?>
<div id="contact_form">
<form method="post" action="fcf_parse.php" name="contactform">
     <div>
	<INPUT
	   id="name"
	   onblur="if(this.value==''){this.value=' Name'}"
	   onfocus="if(this.value==' Name'){this.value=''}"
	   value=" Name"
	   title="* Name required"
	   name="Name" />
     </div>
     <div>
	<INPUT
	   id="email"
	   onblur="if(this.value==''){this.value=' Email'}"
	   onfocus="if(this.value==' Email'){this.value=''}"
	   value=" Email"
	   title="* Email required"
	   class="req"
	   name="Email" />
     </div>
     <div>
	<INPUT
	   id="phone"
	   onblur="if(this.value==''){this.value=' Phone'}"
	   onfocus="if(this.value==' Phone'){this.value=''}"
	   value=" Phone"
	   title="Phone"
	   name="Phone" />
     </div>
     <div>
	<TEXTAREA
	   id="comments"
	   onblur="if(this.value==''){this.value=' Questions'}"
	   onfocus="if(this.value==' Questions'){this.value=''}"
	   value=" Questions"
	   title="* Comments required"
	   class="req"
	   name="Comments"
	   rows="4"
	   cols="10" /> Questions</TEXTAREA>
     </div>
     <div>
	   <p class="form_p">To send your message, please verify your request by answering the simple math question below and then click "Send"</p>
	</div>
           <p class="form_p"><?php echo $question; ?> <input type="text" class="in_line" id="aplusb" name="answer_out" title="Please enter the answer the math question." />
        	<input type="hidden" name="answer_p" value="<?php echo $answer_pass; ?>">
        	<input type="hidden" name="enc" value="<?php echo $enc; ?>"><br /><br />
	<div>
	<input
	   id="submit"
	   type="submit"
	   class="cfcSub"
	   value="Send" />
	</div>
	   <p class="form_p">Why do we have verification on our forms? <a href="javascript:void(window.open('captcha_why.html','WHY','resizable=no,location=no,menubar=no,scrollbars=yes,status=no,toolbar=no,fullscreen=no,dependent=no,width=350,height=200'))">CLICK HERE</a> to find out why.</p>
</FORM>
<p><a href="<a href="[URL unfurl="true"]http://www.freecontactform.com/"[/URL] id="freecontactform" title="Free Contact Form">Free Contact Form 1.2</a></p>
</div>

FORM PARSE

<?php
/* YOU DO NOT NEED TO CHANGE ANYTHING IN HERE */
/* BUT FEEL FREE TO IF YOU LIKE, YOU CAN ADD YOUR OWN DESIGN! */
include 'fcf_config.php';

if(isset($_POST['enc'])) {
/* email validation checker */
$the_email = false;    
if(eregi("^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$", $_POST['Email'])) {
 $the_email = true;
} else {
 $the_email = false;
}


if(!$the_email || !isset($_POST['Name']) || !isset($_POST['Phone']) || !isset($_POST['Comments'])) {
	header("Location: $fail_page");
}


/* validate the encrypted strings */
$dec = false;
$valid = false;

$dec = valEncStr(trim($_POST['enc']), $mkMine);
if($dec == true) {
    $valid = true;   
} else {
  echo "error: $dec <br />";
	header("Location: $fail_page");
}

// check the spam question has the correct answer
$ans_one = $_POST['answer_out'];
$ans_two = mkDecStr($_POST['answer_p']);

if($ans_one === $ans_two) {
    $valid = true;
} else {
    $valid = false;
}

if($valid) {

	$email_from = $_POST['Email'];
	$email_subject = "Contact from Charlestonlaw.net";
	$email_message = "Please find below a message submitted by ";
	$email_message .= stripslashes($_POST['Name']);
	$email_message .=" on ".date("d/m/Y")." at ".date("H:i")."\n\n";
	$email_message .= "Comments: \n";
	$email_message .= stripslashes($_POST['Comments'])."\n\n\n";
	$email_message .= "Name: \n";
	$email_message .= stripslashes($_POST['Name'])."\n\n";
	$email_message .= "Phone: \n";
	$email_message .= stripslashes($_POST['Phone'])."\n\n";
	$email_message .= "Email: \n";
	$email_message .= $_POST['Email'];

$headers = 'From: '.$email_from."\r\n" .
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();

	@mail($email_it_to, $email_subject, $email_message, $headers);

header("Location: $success_page");
die();

}

}
?>

AGAIN MUCH APPRECIATED!

 

[vacunita]

You'll have to check the fields for contents other than the default value that gets set.

For example you'll have to check that the email text box has an actual email instead of the string "EMAIL".



----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[mRko81]

thanks vacunita,
i appreciate your quick response, and logically that makes sense i am just not exactley sure how to phrase that.
here is my attempt but it make no change.

<?php
/* YOU DO NOT NEED TO CHANGE ANYTHING IN HERE */
/* BUT FEEL FREE TO IF YOU LIKE, YOU CAN ADD YOUR OWN DESIGN! */
include 'fcf_config.php';

if(isset($_POST['enc'])) {

if ($_POST['Name'] == " Name") {
	header("Location: $fail_page");
}
if ($_POST['Email'] == " Email") {
	header("Location: $fail_page");
}
if ($_POST['Phone'] == " Phone") {
	header("Location: $fail_page");
}
if ($_POST['Comments'] == " Questions") {
	header("Location: $fail_page");
}
 


/* email validation checker */
$the_email = false;    
if(eregi("^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$", $_POST['Email'])) {
 $the_email = true;
} else {
 $the_email = false;
}


if(!$the_email || !isset($_POST['Name']) || !isset($_POST['Phone']) || !isset($_POST['Comments'])) {
	header("Location: $fail_page");
}


/* validate the encrypted strings */
$dec = false;
$valid = false;

$dec = valEncStr(trim($_POST['enc']), $mkMine);
if($dec == true) {
    $valid = true;   
} else {
  echo "error: $dec <br />";
	header("Location: $fail_page");
}

// check the spam question has the correct answer
$ans_one = $_POST['answer_out'];
$ans_two = mkDecStr($_POST['answer_p']);

if($ans_one === $ans_two) {
    $valid = true;
} else {
    $valid = false;
}

if($valid) {

	$email_from = $_POST['Email'];
	$email_subject = "Contact from Charlestonlaw.net";
	$email_message = "Please find below a message submitted by ";
	$email_message .= stripslashes($_POST['Name']);
	$email_message .=" on ".date("d/m/Y")." at ".date("H:i")."\n\n";
	$email_message .= "Comments: \n";
	$email_message .= stripslashes($_POST['Comments'])."\n\n\n";
	$email_message .= "Name: \n";
	$email_message .= stripslashes($_POST['Name'])."\n\n";
	$email_message .= "Phone: \n";
	$email_message .= stripslashes($_POST['Phone'])."\n\n";
	$email_message .= "Email: \n";
	$email_message .= $_POST['Email'];

$headers = 'From: '.$email_from."\r\n" .
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();

	@mail($email_it_to, $email_subject, $email_message, $headers);

header("Location: $success_page");
die();

}

}
?>

 

[jpadie]

you might want to do some work on protecting the email headers from attach too. at the moment they look nicely open to anyone wanting to use the site contact form as a spam relay.

 

[mRko81]

that sounds like a great idea, how would i go about doing that?

im sorry for my lack of knowledge but i can only learn it by doing it

 

[jpadie]

this is one of those times when you really need to understand what happens and how to protect against it. thus, unusually, i'm loathe to supply code to cleanse the input.

i suggest you start here

http://www.securephpwiki.com/index.php/Email_Injection

and search elsewhere on the web for "php email injection

 

[vacunita]

Your IF's look o.k. They should work as advertised, are you getting any errors?

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[mRko81]

no erros but it is still sending the form despite that default text is there.

 

[vacunita]

Are you sure the inputs aren't empty?

I can't see why it would continue on down unless the contents of the inputs are not the default. IF they are empty or have anything else, it will move down to email checker and since I have no knowledge of the eregi function i can't say that will work. Maybe someone else here can check the pattern or the eregi and see if its valid.



----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[Miros]

Maybe you need to use Javascript to validate the current values in the fields and enable and disable the submit button.

 

[mRko81]

Hey V give it a try for yourself:

http://lowcountrylegalgroup.com/

 

[vacunita]

I copied your code an ran it, and it works for me. It won't send the email unless everything is correct.

And unless the email is wellformed including the @ and .com.

are you doing anything differently? Are you sure $succes_page and $fail_page are correct?
thats the only thing i can think off that might be off.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[mRko81]

REALLY??!?!
you copied the code straight from here and ran i and it worked?

it should not the success/fail pages because i am receiving the email with the default values in it.

ARGH!

I guess i will try the same.

 

[vacunita]

It ran fine.
I just set the variables $success_page and $fail_page to 2 different things, and it works. Check your variables, i'm sure they are backwards.



----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[mRko81]

Hey V,
i double checked the success/fail pages and they are correct. I am so at a loss.

Especially since it wouldn't send the email if the "IF"'s were "If-ing" success/fail page aside.

I really appreciate you help on this i am just frustrated and about to pull my hair out.

~m

 

[vacunita]

You're going to have to bread crumb it. See if everything is as expected. Start adding echo statements inside the IF's to
see if they are getting through or not. comment out the redirects, and add echo statements instead, this should tell you if its going into them or not.

I have no idea why it would be working for me and not for you.







----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.