
Securing a Form


rastaIT34

Technical User
Sep 9, 2009
103
US
I created a couple of forms that send the results via email. But I keep getting these empty form results. As if the user just clicked submit without entering any information.

I added a check empty field script that pops up a message saying "please enter...blah blah"

But I still get these empty messages....And occasionally I'll get a result like this:

Code:
Below is a completed Basketball Camp Registration Form form ryanmartinbasketball.org. 

Athlete_Full_Name = utzbtfoelm
Age = rs
Date_of_Birth = vFjKUs  <a
Address = http://mhmsxgaulnns.com/
Address_Line_2 = http://mhmsxgaulnns.com/
City = New York
State = NY
Zip_Code = 78229
Country = USA
Phone_Number = 2953428456
Email = rsbvga@bpkpkn.com
Medical_Condition = vFjKUs  <a href=\"http://rjkpihihhzca.com/\">rjkpihihhzca</a>, [url=http://xeyfajauweig.com/]xeyfajauweig[/url], [link=http://szohsqthtoei.com/]szohsqthtoei[/url], [url]http://nizrltbrmwas.com/[/url]
Parent_Name1 = utzbtfoelm
Parent_Name2 = [email]rsbvga@bpkpkn.com[/email]


THE TIME AND DATE THE FORM WAS COMPLETED: 03:35 AM Thursday July 28th, 2011



I thought about adding a captcha security image...Would this help? Any thoughts?

Artist/Designer
 
You cannot achieve what you require client side.
no matter what checks you perform in the user's web browser the determined hacker (actually it doesn't take much thought or determination) can still submit invalid data.

the only sensible option is to validate all data when it is received by the server & if in doubt reject the request.


client side validation Via JavaScript etc. is purely to improve the user experience.

Mundus vult decipi decipiatur ergo.
 
ok great... i'll look into server side validation.... but how do i make sure it's a human and not a web robot? would i still need a captcha?

Artist/Designer
 
do i have to contact the service provider for the server side form validation? or is that something i can do myself?

Artist/Designer
 
you can use a captcha to confirm it's a human entering the data in the form. However no captcha is foolproof, so server side validation must still be done.

There are any number of captcha implementations out there you can plug into your form, just know that bots eventually can break the captcha.

As far as server side validation goes, whatever script you are using to email the form, be it PHP, or ASP or whatever else can perform the validation, you just need to code the proper checks of the form data.



----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Behind the Web, Tips and Tricks for Web Development.
 
i'm using FormMail.php for my form.


So let me understand, I need to add into that php script a field validation?


I didn't write FormMail.php. the code is here:

Code:
<?php

//*****************************************************************************	
// This script is a product of MyKazaam.Com. Please see the enclosed files	*
// or website for license and restrictions. Support is available from our	*
// website at http://www.mykazaam.com. Installation is also available. 		*
// Both of these services are accompanied by a nominal fee. Please try 		*
// to use the forums located on the website before buying support. 		*
//*****************************************************************************


//-----------------------------------------------------------------------------


//*************************************
// Variables to customize this script.* 
//******vvvvvvvvvvvvvvvvvvvvvvvv*******

$email_address = "rscr@rossow-web.com";
// your e-mail address goes here
// this is the address where your form info will be sent
// use a complete address such as something@something.com

$email_subject = "Message from www.test.com";
// the subject line for the e-mail goes here
// this line will appear as the subject of any form
// submissions that are sent. Use something that will
// help you identify what form it is from. 
// such as "Work Order Request". 

$from_email_name = "rscr@rossow-web.com";
// the from address goes here 
// this is just the from header that will be displayed in
// the email that is sent to you. You can use your own 
// e-mail address here also if you would like. 


$show_ip_address = "off";
// "on" to show ip address, "off" to leave the ip address out of the e-mail

$show_refering_page = "off";
// "on" to show the form that sent user to this script, otherwise "off"

$show_browser_type = "on";
// "on" to show what browser the user has, otherwise "off"

$show_date_and_time = "on";
// "on" to show the date and time sent, otherwise "off"


$redirect_to_page = "contact_sent.html";
// enter the web address where the user should be sent after completing the form


//*********************************
// DO NOT EDIT BELOW THIS LINE!!!**
//*********************************


$mailTo = "$email_address";

$mailSubject = "$email_subject";

$mailBody = "A visitor to www.test.com has sent you a message. See below. \n\n";

// $_POST holds the submitted fields; every one is mailed as-is, with no validation
foreach($_POST as $key=>$value)
{

$mailBody .= "$key = $value\n";

}


$mailBody .= "\n\n";

if ($show_ip_address == "on")
{

$mailBody .= "THE IP ADDRESS OF THE FORM USER IS: " . $_SERVER['REMOTE_ADDR'] . "\n\n";

}


if ($show_refering_page == "on")
{

$mailBody .= "THE USER WAS SENT TO THIS SCRIPT FROM THE FOLLOWING FORM: " . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '') . "\n\n";

}


if ($show_browser_type == "on")
{

$mailBody .= "THE USER USED THE FOLLOWING BROWSER TYPE: " . (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') . "\n\n";

}


if ($show_date_and_time == "on")
{

$mailBody .= "THE TIME AND DATE THE FORM WAS COMPLETED: " . date("h:i A l F dS, Y") . "\n\n";

}


//$mailBody .= "\nThis message sent via MyKazaam.Com! \n VISIT US AT HTTP://WWW.MYKAZAAM.COM \n";


$fromHeader = "From: $from_email_name\n";


if(mail($mailTo, $mailSubject, $mailBody, $fromHeader)) 
{

print ("<B>Your form has been sent!<br></b>");

}

echo "<meta HTTP-EQUIV=\"REFRESH\" content=\"0; url=$redirect_to_page\">";

?>

Artist/Designer
 
You don't need to edit the formmail.php script, but you should want to make a script of your own to validate before calling formmail.php as all it does is simply take the values whatever they are and email them to you.

So basically what I would do, is make a second php script call it something like validate.php and use that in your forms action property.
Code:
<form action="validate.php" ...>

Inside validate.php you can check your values, and if everything is o.k, you can then call formmail.php to get the data emailed.

for example:
Code:
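<?php

// Reject the request when the field is missing or empty
if (!isset($_POST['fieldnamex']) || empty($_POST['fieldnamex'])) {
    echo "This field is not correct....";
    // ... report any other failed checks here
    return; // stop: nothing is emailed
}
else {
    // Every check passed: let the mail script send the data
    include("FormMail.php");
}
?>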

With that said, if you need help coding the PHP side of it, I suggest posting in forum434 as this would now fall outside the scope of the HTML forum. If you do post there come back to this thread and post a link so any future visitors may follow the link there if they need help with the PHP portion.

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Behind the Web, Tips and Tricks for Web Development.
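
A fuller validate.php along the lines suggested above, as an added example that is not part of the original posts or of FormMail.php. The field names are taken from the sample email at the top of the thread; the function name `validate_registration` and the patterns are assumptions to adapt to the real form.

```php
<?php
// validate.php - added example. Field names come from the sample email in this
// thread; the patterns are assumptions to adapt to the real form.

// Returns a list of problems; an empty list means the data may be mailed.
function validate_registration(array $post): array
{
    $name  = '/^[\p{L} .\'-]{2,60}$/u';
    $rules = [                      // field => pattern the whole value must match
        'Athlete_Full_Name' => $name,
        'Parent_Name1'      => $name,
        'Age'               => '/^\d{1,2}$/',
        'Zip_Code'          => '/^\d{5}(-\d{4})?$/',
        'Phone_Number'      => '/^[0-9 ()+.-]{7,20}$/',
    ];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
        if (!preg_match($pattern, $value)) {   // an empty value never matches
            $errors[] = "$field is missing or not in the expected format";
        }
    }
    $email = is_string($post['Email'] ?? null) ? trim($post['Email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address';
    }
    // No field on this form has a reason to carry links or markup.
    foreach ($post as $field => $value) {
        if (!is_string($value) || preg_match('~https?://|<a\s|\[(url|link)\b~i', $value)) {
            $errors[] = "$field contains a link or markup";
        }
    }
    return $errors;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = validate_registration($_POST);
    if ($errors) {
        http_response_code(400);    // reject; nothing is emailed
        echo nl2br(htmlspecialchars(implode("\n", $errors)));
        return;
    }
    include 'FormMail.php';         // reached only when every check passed
} elseif (PHP_SAPI === 'cli') {
    // Constructed input shaped like the spam result shown earlier in the thread.
    $spam = ['Athlete_Full_Name' => 'utzbtfoelm', 'Age' => 'rs', 'Zip_Code' => '78229',
             'Phone_Number' => '2953428456', 'Email' => 'rsbvga@bpkpkn.com',
             'Parent_Name1' => 'utzbtfoelm', 'Address' => 'http://mhmsxgaulnns.com/'];
    print_r(validate_registration($spam));
}
```

FormMail.php is still reachable at its own URL, so direct requests to it should be blocked on the server as well; otherwise a bot can post straight to it and skip these checks.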
 
For a little less complicated option that is easy to configure I have used iPhorm for simple forms in Dreamweaver. It has a captcha and some validation. You can configure auto responding emails as well.

Another option for dreamweaver is to embed a jotform (jotform.com)
 