Question

I'm a PHP hack. Insight is much appreciated as it will help me figure out where I went wrong.

Basically I adapted this contact form for my own purposes. JavaScript validation works great! It seemed like PHP validation was working correctly as well. That was until I started getting blank submissions from my own form. I am trying to avoid adding a captcha to this form. The blank submissions are annoying and I would love it if someone can point out if I'm making a mistake in my adaptation. Thank you for your time.

Form HTML

<?php include('/ajax/verify.php');?>
<form action="/ajax/" method="post" id="sendEmail">

    <h4>Contact Us</h4>
    <p class="alert">* All fields are required</p>
    <ol class="forms">
        <li><label for="username">Your Name</label><input type="text" name="username" id="username" value="" /></li>
        <li><label for="emailFrom">Your Email</label><input type="text" name="emailFrom" id="emailFrom" value="" /></li>
        <li><label for="phonenumber">Phone Number</label><input type="text" name="phonenumber" id="phonenumber" value="" /></li>
        <li><label for="message">Message</label><textarea name="message" id="message"></textarea></li>
        <li class="buttons"><button type="submit" id="submit">Send Email &raquo;</button><input type="hidden" name="submitted" id="submitted" value="true" /></li>
    </ol>
</form>

Javascript Validation

//Ajax Form
$(document).ready(function(){
    $("#submit").click(function(){
        $(".error").hide();
        var hasError = false;
        var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,4})?$/;
        var phoneReg = /^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/;

        //from email
        var emailFromVal = $("#emailFrom").val();
        if(emailFromVal == '') {
            $("#emailFrom").after('<span class="error">You forgot to enter the email address to send from.</span>');
            hasError = true;
        } else if(!emailReg.test(emailFromVal)) {
            $("#emailFrom").after('<span class="error">Enter a valid email address to send from.</span>');
            hasError = true;
        }
        //name
        var usernameVal = $("#username").val();
        if(usernameVal == '') {
            $("#username").after('<span class="error">You forgot to enter your name.</span>');
            hasError = true;
        }
        //phone
        var phonenumberVal = $("#phonenumber").val();
        if(phonenumberVal == '') {
            $("#phonenumber").after('<span class="error">You forgot to enter your phone number.</span>');
            hasError = true;
        } else if(!phoneReg.test(phonenumberVal)) {
            $("#phonenumber").after('<span class="error">Enter a valid phone number.</span>');
            hasError = true;
        }

        //message
        var messageVal = $("#message").val();
        if(messageVal == '') {
            $("#message").after('<span class="error">You forgot to enter the message.</span>');
            hasError = true;
        }


        if(hasError == false) {
            $(this).hide();
            $("#sendEmail li.buttons").append('<img src="/ajax/img/ajax-loader.gif" alt="Loading" id="loading" />');

            $.post("/ajax/sendEmail.php",
                { emailFrom: emailFromVal, username: usernameVal, phonenumber: phonenumberVal, message: messageVal },
                function(data){
                    $("#sendEmail").slideUp("normal", function() {
                        $("#sendEmail").before('<h4 class="success">Thank You</h4><p class="success">One of our highly trained staff will contact with you shortly.</p>');
                    });
                }
            );
        }

        return false;
    });
});

Verify Script (php)

if(isset($_POST['submitted'])) {
    if($_POST['emailFrom'] == '') {
        $emailFromError = 'You forgot to enter the email address to send from.';
    } else if (!preg_match('/^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}$/i', $_POST['emailFrom'])) {
        // eregi() is deprecated and removed in PHP 7; preg_match() with the i flag is the case-insensitive equivalent
        $emailFromError = 'Enter a valid email address to send from.';
    }
    if($_POST['phonenumber'] == '') {
        $phonenumberError = 'You forgot to enter your phone number.';
    } else if (!preg_match('/^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/', $_POST['phonenumber'])) {
        // the original passed a /.../-delimited pattern to eregi(), which takes no delimiters, so it could never match
        $phonenumberError = 'Enter a valid phone number.';
    }
    if($_POST['message'] == '') {
        $messageError = 'You forgot to enter the message.';
    }
    if($_POST['username'] == '') {
        $usernameError = 'You forgot your name.';
    }

    // only send when every field passed
    if(!isset($emailFromError) && !isset($phonenumberError) && !isset($messageError) && !isset($usernameError)) {
        include('sendEmail.php');
        include('thanks.php');
    }
}

Mailscript

$mailTo = 'redacted@emailaddress.com';
// these values come straight from the request; this script relies on verify.php having
// checked them, because $mailFrom is placed in a mail header below
$mailFrom = $_POST['emailFrom'];
$username = $_POST['username'];
$phonenumber = $_POST['phonenumber'];
$subject = "New website inquiry from $username";
$message = $_POST['message'];
$message = wordwrap($message, 70);
$messagebody = "From: $username  Phone Number: $phonenumber $message";

mail($mailTo, $subject, $messagebody, "From: ".$mailFrom);

Solution

It seems (judging by the filenames) that if someone disables JavaScript, he or she is posting directly to the mail script and no server-side validation is done.

You would need to change this:

<form action="/ajax/sendEmail.php" method="post" id="sendEmail">

to:

<form action="/ajax/validation.php" method="post" id="sendEmail">

or whatever your validation script is called.

OTHER TIPS

Rather than just looking for an empty string in the message body, you need to strip out all whitespace characters (using something like trim()) and then look for content in there.

As it stands right now, someone could simply enter some whitespace characters and it would pass the PHP validation.

Lastly, remember that JavaScript validation is only a useful speed boost for the user and is not trustable for validation, since I could just use your site with JavaScript turned off.

In verify, you may want to do something like this:

foreach($_POST as $name => $value) {
    $_POST[$name] = trim($value);
}

The validation looks sound, but it seems like a blank submission could get through if they put one space for all of your required fields. I'm not sure if that's what is happening, but from what I see there, it looks as if empty values should not pass server side validation.

Any bots likely to fill out your form will ignore the javascript, so make sure the server validation is tight.
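As an added example (not code from the question or from any of the answers), here is one verify.php that combines the advice of both answers: the form posts to it directly, so the checks run whether or not the browser executed the JavaScript, and every field is trimmed before it is tested for emptiness. It assumes the field names from the question's form; thanks.php and form.php are assumed file names.

```php
<?php
// Added example, not the asker's or answerers' code. One handler that the form
// posts to directly (e.g. action="/ajax/verify.php"), so these checks run
// whether or not the browser executed the JavaScript. Field names are the
// ones from the question's form; thanks.php and form.php are assumed names.
$mailTo = 'redacted@emailaddress.com'; // placeholder, as in the question

function validateContact(array $post): array
{
    // Trim first, so a field containing only spaces counts as empty.
    $f = [];
    foreach (['username', 'emailFrom', 'phonenumber', 'message'] as $name) {
        $f[$name] = trim((string)($post[$name] ?? ''));
    }
    $errors = [];
    if ($f['username'] === '') {
        $errors['username'] = 'You forgot to enter your name.';
    }
    if ($f['emailFrom'] === '') {
        $errors['emailFrom'] = 'You forgot to enter the email address to send from.';
    } elseif (filter_var($f['emailFrom'], FILTER_VALIDATE_EMAIL) === false) {
        // Goes into the From: header; FILTER_VALIDATE_EMAIL rejects CR/LF, so no extra headers can be smuggled in.
        $errors['emailFrom'] = 'Enter a valid email address to send from.';
    }
    if ($f['phonenumber'] === '') {
        $errors['phonenumber'] = 'You forgot to enter your phone number.';
    } elseif (!preg_match('/^\(?\d{3}\)?[- ]?\d{3}[- ]?\d{4}$/', $f['phonenumber'])) {
        $errors['phonenumber'] = 'Enter a valid phone number.';
    }
    if ($f['message'] === '') {
        $errors['message'] = 'You forgot to enter the message.';
    }
    return ['fields' => $f, 'errors' => $errors];
}

if (isset($_POST['submitted'])) {
    $result = validateContact($_POST);
    if ($result['errors'] === []) {
        $f = $result['fields'];
        // The name goes into the subject with line breaks stripped; all other user text stays in the body.
        $subject = 'New website inquiry from ' . str_replace(["\r", "\n"], ' ', $f['username']);
        $body = "From: {$f['username']}\nPhone Number: {$f['phonenumber']}\n\n"
              . wordwrap($f['message'], 70);
        mail($mailTo, $subject, $body, 'From: ' . $f['emailFrom']);
        include 'thanks.php';
    } else {
        $errors = $result['errors']; // re-render the form showing these next to each field
        include 'form.php';
    }
}
```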

Licensed under: CC-BY-SA with attribution