Correcting php email form issue


#1

I have a cms which was written years ago. Over the years 3 different coders worked on the application but right now I do not have the funds to hire and am trying to fix this myself with somewhat limited php knowledge.

The issue is with a php contact form. There are three files involved (class, template, and variables). One of my clients is constantly getting emails from the contact form with a subject line that looks like this:

Message From: ___ ___

and no message. At first I was thinking bots and since the client hated the math problem we used to verify a human user I changed it to a honeypot instead of a verify function. The client is still getting these emails.

This is the variable file:
<?php
$message = $this->message;
?>

The class code is as follows, including my honeypot addition (which I got off the web):

<?php
class Contact {
	var $display;
	var $content;
	var $message;

	function Contact() {
		global $current_page;
		if($current_page!='contact') return;
		
		if ($_POST['action'] == "send_contact") {
			$this->send();
		}
		
		$page = strtolower( get_class() );
		include("lib/pages/variables/$page.php");
		include("lib/pages/templates/$page.php");
		$this->content = $content;
	}
	
	function send() {
		// if the url field is empty
		if(isset($_POST['url']) && $_POST['url'] == ''){
			$to = $this->get_admin_email();
			$from = $_POST['email'];
			$name = $_POST['realname'];
			$message = $_POST['mesg'];
			$subject = "Message From: $name";
			$headers = "From: $name<$from>";

			mail ( $to, $subject, $message, $headers );

			$this->message = "Your Message Has Been Sent";
		}
	}
	
	function get_admin_email() {
			
		$functions = new Functions;
		$result = $functions->db_fetch_array ( $functions->db_query ( "SELECT * FROM `kennel` WHERE `UserID` = '" . $functions->get_user_id_from_name() . "'" ) );
		
		foreach ( $result as $var => $value ) {
			if ( $convert_number_to_checked == 1 ) {
				$display[$var] = $functions->convert_number_to_checked ( $value );
			} else {
				$display[$var] = $value;
			}
		}
		return ( $display['Email'] );			
	}
}
?>

The template is as follows:

        <?php
        $content = "<div class='gallery_header'>Contact Us</div>
    		<p class='error' align='center'>$message</p>    				
    		<div id='formblock'>
    			<form action='' method='post'>
    				<div class='formrow'>
    					<div class='formlabel'>name:</div>
    					<div class='forminput'><input type='text' name='realname' /></div>
    				</div>
    				<div class='formrow'>
    					<div class='formlabel'>email address:</div>
    					<div class='forminput'><input type='text' name='email' /></div>
    				</div>
    				<div class='formrow'>
    					<div class='formlabel'>Message:</div>
    					<div class='forminput'><textarea name='mesg' rows='10' cols='50'></textarea></div>
    				</div>
    				<div class='formrow' id='junkentry' style='display: none;'>
    					<div class='formlabel'>Leave this field blank</div>
    					<div class='forminput'><input type='text' name='url' autocomplete='off' /></div>
    				</div>
    				<div class='formrow'>					
    					<div class='verifysubmit'><input type='submit' value='Send Message'></div>
    				</div>
    				<input type='hidden' name='action' value='send_contact'>
    				<div style='clear:both;'></div>
    			</form>
    			<div style='clear: both;'></div>
    		</div>";
    ?>

Note that I am giving you only the contact form from the template file as for this particular customer they had me add a clickable usa map and internal links to a long table of state contacts. I didn’t think you needed that and it would make the post very very long.

I know the code is old and some of it has been mocked together by myself. So there may be some deprecated syntax in here that I am not aware of. Can anybody see what may be causing the issue with the blank email? Also - how can I make all of the fields required (other than the honeypot url field) so that blank emails are not sent.

Thank you so much in advance for your help.


#2

Most likely your page is sending emails without validating them at all. So, press send and it does not check if you have a valid name entered. So, some comments on this process:

Well, first, you have absolutely no security on this contact form. Lines like this: $from = $_POST['email']; can allow any beginner hacker to infect your site. At the very least, you should filter out bad stuff. Something like:
$from = filter_input(INPUT_POST, "email"); Which will at least remove any code that is stuck in the form.

Next, you do not validate any of your inputs. Normally you check your inputs and limit what is entered into them. Such as just letters and numbers for name or subject. And valid email addresses. There are tons of ways to do this. Here is one possible way to check for valid names from an old site. There are other newer ways, but to get you started:

		//  Validate all entries before sending the message...
		$errormessage = "";
		if (!preg_match("/^[a-zA-Z ]*$/", $name)) $errormessage .= "<br />Name must be only letters and spaces.";
		if (!preg_match("/^[a-zA-Z0-9 .,!-]*$/", $subject)) $errormessage .= "<br />Subject must be only letters, spaces, numbers and punctuation.";
		if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) $errormessage .= "<br />Email address is not a valid format.";
		if ($errormessage == "") {
			//  No errors, send email...
			//  Rest of your code to build and send the email...
		} else {
			//  Errors in form data, display them to the sender...
			echo "There were errors in your data on the form!  ( " . $errormessage . " )";
		}

This is just an example, not working code to put directly into your code. But, it should give you an idea what is possible. It limits characters in each of the three fields in the example. Hope it helps…


#3

Thank you very much - this is the sort of thing I knew I needed. Will search for a "complete form with validation" that I can implement to work with the page content functions. One last question. If any of the fields (other than the honeypot) are blank the email should not send and a $message should be displayed without emptying the already populated fields.

This sets me in the right direction to look for a working form. Thank you.


#4

Yes, what I do is simply add a check for it like:

$from = filter_input(INPUT_POST, "email");
if (trim($from)=="") { $errormessage .= "<br>No FROM address entered!  Please enter a from address."; }

As you see from the previous code sample, if there is ANY error message it is displayed and if multiple errors, they are put on separate lines when displayed using the .= instead of just assignments =…
So, if someone enters a space, the trim will remove it and if nothing else exists, then an error is added to the list to be displayed.
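
One way to do the checks discussed in posts #2 and #4, as an added example that is not part of the original thread: it requires every field, validates the name and email before they reach the From: header, and keeps the submitted values for re-display. The function names `validate_contact()` and `field_value()` are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the poster's code; function names are hypothetical. Assumes PHP 7.1+.

// Returns [$clean, $errors]; call mail() only when $errors is empty.
function validate_contact(array $post): array
{
    // Honeypot: the hidden 'url' field must be present and empty.
    if (!isset($post['url']) || $post['url'] !== '') {
        return [[], ['form' => 'Your message could not be sent.']];
    }
    $labels = ['realname' => 'name', 'email' => 'email address', 'mesg' => 'message'];
    $clean = $errors = [];
    foreach ($labels as $key => $label) {
        // trim() first so a field holding only spaces counts as blank.
        $value = is_string($post[$key] ?? null) ? trim($post[$key]) : '';
        $clean[$key] = $value;
        if ($value === '') {
            $errors[$key] = "Please enter your $label.";
        }
    }
    // realname and email are copied into the From: header, so allow-list them.
    // \A...\z anchors the whole string; unlike $, \z rejects a trailing newline.
    if ($clean['realname'] !== '' && !preg_match('/\A[\p{L} .\'-]{1,80}\z/u', $clean['realname'])) {
        $errors['realname'] = 'Name may contain only letters, spaces, periods, apostrophes and hyphens.';
    }
    // filter_input()/filter_var() called without a filter return the raw string;
    // FILTER_VALIDATE_EMAIL is what checks the address format.
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not a valid format.';
    }
    return [$clean, $errors];
}

// Escape a kept value for re-display in value='...' or inside <textarea>.
function field_value(array $clean, string $key): string
{
    return htmlspecialchars($clean[$key] ?? '', ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions (not real traffic).
$samples = [
    'blank'     => ['url' => '', 'realname' => ' ', 'email' => '', 'mesg' => ''],
    'linebreak' => ['url' => '', 'realname' => "Ann\r\nSmith", 'email' => 'ann@example.com', 'mesg' => 'Hi'],
    'valid'     => ['url' => '', 'realname' => "Ann O'Neil", 'email' => 'ann@example.com', 'mesg' => 'Hi'],
];
foreach ($samples as $label => $post) {
    [$clean, $errors] = validate_contact($post);
    echo $label, ': ', $errors ? implode(' | ', $errors) : 'ok to send', "\n";
}
```

In the thread's `send()`, call `mail()` only when `$errors` is empty; otherwise join the errors into `$this->message` and print `field_value($clean, 'realname')` and the other fields into each input's `value` attribute so the visitor's entries are kept.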


#5

Thank you very much ErnieAlex.