20 Replies Latest reply on Dec 14, 2010 5:38 PM by award2209

    Blank contact forms

    award2209

      I have received from time to time several blank contact form e-mails that were developed in Dreamweaver PHP format. I also have validated the forms to not receive blank forms, but occasionally I still get them. I know the form works properly because I do get good responses from the forms. Would there be any compatibility issues with other devices that would cause this? Example: using an iPad/iPhone, it validates on the user end but sends blank forms to the server side? Any information would be greatly appreciated.

       

      ASW

        • 1. Re: Blank contact forms
          garywpaul Level 5

          Sounds like it could be a spam bot probe.  Do you get the user's IP address in your form?  Many times you can tell where it is coming from by the IP; for example, IPs that start with 122. come from India, and are most likely a probe.

           

          I would re-evaluate your security on your form...

           

          Gary

          • 2. Re: Blank contact forms
            award2209 Level 1

            There is nothing in the "FROM" section of the email. That's what I thought was just a spam bot e-mail. What would I need to do to add that spam security into the form?

            • 3. Re: Blank contact forms
              garywpaul Level 5

              What do you have now?


              • 4. Re: Blank contact forms
                Level 4
                I would re-evaluate your security on your form...

                 

                If that statement is taken literally then make sure you get a second opinion on whatever recommendation you receive. I have tried countless times to inform gary of the security vulnerabilities in his form script examples. For instance, it's obvious that gary doesn't know anything about cloaking an IP address. Look at the publish date for his so-called "beginners security tutorial". It's apparent that gary is quite new to the concept of form security.

                 

                just sayin'

                • 5. Re: Blank contact forms
                  award2209 Level 1

                  Are you referring to Spam protection through e-mail or security in the php form? If you were asking about Spam protection and that would be a settings issue I can handle that. I was wondering if there was a security issue in my php form to avoid those types of e-mails.

                  • 6. Re: Blank contact forms
                    garywpaul Level 5

                    I would have a read here; this is a beginners' tutorial on security:

                     

                    http://www.paulgdesigns.com/secure.php

                     

                    Also, you might want to give these guys a look, they have a fairly robust system.  There are others out there.

                     

                    http://www.spambotsecurity.com/zbblock_download.php

                     

                    Also look up

                     

                    mysql_real_escape_string in PHP, as well as stripslashes and addslashes.

                     

                    There is plenty to read about it.

                     

                    Gary

                    • 7. Re: Blank contact forms
                      MurraySummers Level 8

                      Just so you'll know, it's quite possible to disable javascript in the browser so that none of your javascript validation works but the form still submits.  So, getting a blank form doesn't necessarily suggest anything to do with security.  I'd suggest that you do both javascript and server validation of the form. That way you will never receive blank forms again....

                      • 8. Re: Blank contact forms
                        award2209 Level 1

                        Found a code that advised me about the email hijacking. Unfortunately it doesn't tell me where exactly to enter it for a proper PHP form. Any suggestions, and what do you think about this code?

                         

                        if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {
                        
                             [... direct user to an error page and quit ...]
                        
                        }
                        
                        • 9. Re: Blank contact forms
                          award2209 Level 1

                          How do I validate the server side? Sorry, but I'm new to this and have so many questions.

                          • 10. Re: Blank contact forms
                            Level 4

                            award2209 wrote:

                             

                            Found a code that advised me about the email hijacking. Unfortunately it doesn't tell me where exactly to enter it for a proper PHP form. Any suggestions, and what do you think about this code?

                             

                            if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {
                            
                                 [... direct user to an error page and quit ...]
                            
                            }
                            

                            Not secure. If a hacker enters either \r or \n by itself it can still cause damage. It's impossible to tell you where to enter the one-line sanitation code without you first providing your code. There are no mind readers here. You should use the regular expression so that if a potential hacker enters either \r OR \n by itself (or any combination of the two server-side line break codes) then you do not process the form. The current method only redirects if the hacker enters exactly \r\n, which is not completely secure. Provide your form processing code and others may be able to tell you where to insert the sanitation and server-side validation. Like I said: there are no mind readers here.

                             

                            You obviously put a lock on a door, it's what door you put it on that matters. We can't tell you what door to put the lock on until you show us your blueprint. Get it?

                            • 11. Re: Blank contact forms
                              award2209 Level 1

                              Any other suggestions then?

                              • 12. Re: Blank contact forms
                                Level 4

                                Suggested twice in the previous response and once again for good measure:

                                 

                                Provide your form processing code and others may be able to tell you where to insert the sanitation and server-side validation. Like I said: there are no mind readers here.
                                • 13. Re: Blank contact forms
                                  award2209 Level 1

                                  I really appreciate the help, but I can't read minds either. Just saying "hey, send us your form code" would be much easier. Here's what I have:

                                   

                                  <td align="left" valign="top"><form id="contact" name="contact" method="post" action="contactformprocess.php">
                                            <table width="100%" border="0" cellpadding="5" cellspacing="5" id="contactform">
                                              <tr>
                                                <th width="29%" align="right" valign="top" scope="col"><label for="company name">Company Name:</label></th>
                                                <th width="71%" align="left" valign="top" scope="col"><input name="company name" type="text" id="company name"  size="40" maxlength="90" /></th>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="name">Name:</label></td>
                                                <td align="left" valign="top"><input name="name" type="text" id="name" size="40" maxlength="90" /></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="address1">Address:</label></td>
                                                <td align="left" valign="top"><input name="address1" type="text" id="address1" size="40" maxlength="90" /></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="address2"></label></td>
                                                <td align="left" valign="top"><input name="address2" type="text" id="address2" size="40" maxlength="90" /></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="phone">Phone:</label></td>
                                                <td align="left" valign="top"><input name="phone" type="text" id="phone" size="40" maxlength="12" /></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="email">E-Mail:</label></td>
                                                <td align="left" valign="top"><input name="email" type="text" id="email" size="40" maxlength="90" /></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="reason">Reason for Contact:</label></td>
                                                <td align="left" valign="top"><select name="reason" size="1" id="reason">
                                                  <option>General Info</option>
                                                  <option>Event Info</option>
                                                  <option>Donating</option>
                                                  <option>Fundraising</option>
                                                  <option>Sponsorship Info</option>
                                                  <option>GBTB Merchandise</option>
                                                  <option>Volunteer</option>
                                                  <option>Financial Info</option>
                                                  <option>Business Info</option>
                                                </select></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="comments">Comments:</label></td>
                                                <td align="left" valign="top"><textarea name="comments" id="comments" cols="45" rows="10"></textarea></td>
                                              </tr>
                                              <tr>
                                                <td align="right" valign="top"><label for="submit"></label>
                                                  <input name="submit" type="submit" id="submit" onclick="MM_validateForm('name','','R','address1','','R','address2','','R','phone','','RisNum','email','','RisEmail','comments','','R');return document.MM_returnValue" value="Submit" /></td>
                                                <td align="left" valign="top"><label for="reset"></label>
                                                  <input type="reset" name="reset" id="reset" value="Reset" /></td>
                                              </tr>
                                            </table>
                                          </form></td>
                                        </tr>
                                      </table>
                                      <p> </p>

                                   

                                   

                                   

                                  PHP Form:

                                   

                                  <?php

                                  /* Subject and Email Variables */

                                  $emailSubject = 'GBTB Contact Form';
                                  $webMaster = 'getbehindthebadge@gmail.com';

                                  /* Gathering Data Varibles */

                                  $companyField = $_POST['company'];
                                  $nameField = $_POST['name'];
                                  $address1Field = $_POST['address1'];
                                  $address2Field = $_POST['address2'];
                                  $phoneField = $_POST['phone'];
                                  $emailField = $_POST['email'];
                                  $reasonField = $_POST['reason'];
                                  $commentsField = $_POST['comments'];


                                  $body = <<<EOD
                                  <br><hr><br>
                                  Company: $companyField <br>
                                  Name: $nameField <br>
                                  Address: $address1Field <br>
                                  City, State, Zip: $address2Field <br>
                                  Phone: $phoneField <br>
                                  Email: $emailField <br>
                                  Reason for Contact: $reasonField <br>
                                  Comments: $commentsField <br>
                                  EOD;

                                  $headers = "From: $emailField\r\n";
                                  $headers .= "Content-type: text/html\r\n";
                                  $success = mail($webMaster, $emailsubject, $body, $headers);

                                  /* Results rendered as HTML */

                                  $theResults = <<<EOD
                                  <html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/layout.dwt" codeOutsideHTMLIsLocked="false" -->
                                  <head>
                                  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                                  <!-- InstanceBeginEditable name="doctitle" -->
                                  <title>| Get Behind The Badge |</title>
                                  <!-- InstanceEndEditable -->
                                  <style type="text/css">
                                  <!--
                                  body {
                                  background-color: #000;
                                  }
                                  -->
                                  </style>
                                  <script src="SpryMenuBar.js" type="text/javascript"></script>
                                  <script type="text/javascript">
                                  <!--
                                  function MM_preloadImages() { //v3.0
                                    var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
                                      var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
                                      if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
                                  }
                                  function MM_swapImgRestore() { //v3.0
                                    var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
                                  }
                                  function MM_findObj(n, d) { //v4.01
                                    var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
                                      d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
                                    if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
                                    for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
                                    if(!x && d.getElementById) x=d.getElementById(n); return x;
                                  }

                                  function MM_swapImage() { //v3.0
                                    var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
                                     if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
                                  }
                                  //-->
                                  </script>
                                  <link href="SpryMenuBarHorizontal.css" rel="stylesheet" type="text/css" />
                                  <!-- InstanceBeginEditable name="head" -->
                                  <!-- InstanceEndEditable -->
                                  <link href="layout.css" rel="stylesheet" type="text/css" />
                                  </head>

                                  <body onload="MM_preloadImages('public_html/home_f2.png','public_html/about_f2.png','public_html/sponsor_f2.png','public_html/event_f2.png','public_html/contact_f2.png','public_html/groups_f2.png','public_html/donate_f2.png','public_html/merchandise_f2.png','public_html/facebook_f2.png','public_html/foyble_f2.png')">
                                  <div id="wrapper">
                                    <div id="banner"></div>
                                    <div id="navbar">
                                      <table width="100%" border="0" cellspacing="0" cellpadding="0">
                                        <tr>
                                          <th width="88%" align="left" valign="top" scope="col"><ul id="MenuBar1" class="MenuBarHorizontal">
                                            <li><a href="http://www.getbehindthebadge.org/index.html">Home</a></li>
                                            <li><a href="#" class="MenuBarItemSubmenu">About Us</a>
                                              <ul>
                                                <li><a href="http://www.getbehindthebadge.org/mission.html">Mission</a></li>
                                                <li><a href="http://www.getbehindthebadge.org/corporate.html">Corporate Info</a></li>
                                                <li><a href="http://www.getbehindthebadge.org/board.html">Our Board</a></li>
                                              </ul>
                                            </li>
                                            <li><a class="MenuBarItemSubmenu" href="#">Groups</a>
                                              <ul>
                                                <li><a href="http://www.getbehindthebadge.org/unions.html">Unions</a></li>
                                                <li><a href="http://www.getbehindthebadge.org/sports.html">Sports</a></li>
                                                <li><a href="http://www.getbehindthebadge.org/nonprofits.html">Non-Profits</a></li>
                                                <li><a href="http://www.getbehindthebadge.org/mcclubs.html">Motorcycle Clubs</a></li>
                                                <li><a href="http://www.getbehindthebadge.org/pipes_drums.html">Pipes &amp; Drums</a></li>
                                              </ul>
                                            </li>
                                            <li><a href="http://www.getbehindthebadge.org/sponsors.html">Our Sponsors</a></li>
                                            <li><a href="http://www.getbehindthebadge.org/contact.html">Contact Us</a></li>
                                            <li><a href="http://www.getbehindthebadge.org/calendar.html">Event Calendar</a></li>
                                            <li><a href="http://www.getbehindthebadge.org/merchandise.html">Merchandise</a></li>
                                          </ul></th>
                                          <th width="12%" align="left" valign="top" scope="col"><a href="http://www.facebook.com/pages/Get-Behind-the-Badge/105128966732?ref=search&amp;sid=1109503914.2814906571..1" target="_blank"><img src="black-facebook-logo.png" alt="Find Us On Facebook" width="34" height="28" border="0" /></a> <a href="http://www.foyble.com/charities/23/foybles/act_map" target="_blank"><img src="Foyble_Logo w-TM.jpg" alt="Find Us On Foyble" width="72" height="26" border="0" /></a></th>
                                        </tr>
                                      </table>
                                    </div>
                                    <div id="spacer"></div>
                                    <div id="column1"><!-- InstanceBeginEditable name="EditRegion1" --> <table width="100%" border="0" cellspacing="5" cellpadding="5">
                                        <tr>
                                          <th align="left" valign="top" id="gbtbhdr" scope="col">Get Behind The Badge - Thank You!</th>
                                        </tr>
                                      </table>
                                      <table width="100%" border="0" cellspacing="5" cellpadding="5">
                                        <tr>
                                          <th align="left" valign="top" scope="col"><div align="justify">Thank you for contacting Get Behind The Badge, your form has been submitted. We will reply within 48 hours. If you have not received a response by then, please contact our office at (614) 212-7526 or e-mail at <a href="getbehindthebadge@gmail.com" target="_blank">getbehindthebadge@gmail.com</a>. We thank you for visiting our site and for supporting our organization.</div></th>
                                        </tr>
                                      </table>
                                      <p> </p>
                                      <p> </p>
                                      <p> </p><!-- InstanceEndEditable --></div>
                                    <div id="footer"></div>
                                    <div id="copyright">
                                      <table width="100%" border="0" cellspacing="5" cellpadding="2">
                                        <tr>
                                          <th align="right" valign="top" scope="col">All Rights Reserved Get Behind The Badge &copy; 2010</th>
                                          <th align="left" valign="top" scope="col">Site Designed &amp; Maintained By<a href="http://www.bluelinedesigns.org" target="_blank" id="bld"> Blue Line Designs &copy;</a></th>
                                        </tr>
                                      </table>
                                    </div>
                                  </div>
                                  <script type="text/javascript">
                                  <!--
                                  var MenuBar1 = new Spry.Widget.MenuBar("MenuBar1", {imgDown:"public_html/SpryMenuBarDownHover.gif", imgRight:"public_html/SpryMenuBarRightHover.gif"});
                                  //-->
                                  </script>
                                  </body>
                                  <!-- InstanceEnd --></html>
                                  EOD;

                                  echo "$theResults";

                                  ?>

                                  • 14. Re: Blank contact forms
                                    Level 4

                                    You can read English though, correct? Like when I said several times in previous posts to provide your form processing script? Or when gary asked what you have in post #3?

                                     

                                    This should get you started. Replace $success = mail($webMaster, $emailsubject, $body, $headers); in your code with this:

                                     

                                    // check to make sure the email address is valid syntax
                                    if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $emailField)) {
                                        // refuse to send if the address carries a line feed or carriage return (mail header injection)
                                        if (!preg_match("/[\n]/", $emailField) && !preg_match("/[\r]/", $emailField)) {
                                            $success = mail($webMaster, $emailsubject, $body, $headers);
                                        }
                                    }
                                    • 15. Re: Blank contact forms
                                      award2209 Level 1

                                      so does that preg_match line go into the "$headers = line"? If so, do I remove the content already there or add it to the end of the code?

                                      • 16. Re: Blank contact forms
                                        Level 4
                                        Replace $success = mail($webMaster, $emailsubject, $body, $headers); in your code with this:

                                         

                                        That should get you started on the right track. You have a long way to go with validation though, unfortunately. For server-side validation you should create a series of if statements where, if the POST value is not null (!= ""), you process the variable in your script and move on to the next form variable; else cease form processing and display an error message that not all form fields were completed. For client-side form validation look into Spry validation. View the source code of the Spry examples to see how it's done:

                                         

                                        http://labs.adobe.com/technologies/spry/samples/validationwidgets/with_spry_region/widgets_region.html

                                        • 17. Re: Blank contact forms
                                          award2209 Level 1

                                          Yeah, unfortunately I have a way to go with a lot of this. But I'm getting there slowly but surely. I really do appreciate the help! Are you aware of any tutorials about the email injection or the spry validation?

                                          • 18. Re: Blank contact forms
                                            Level 4

                                            There are several articles that explain email injection attacks. Just do a Google search for "php email injection attack" and go to town reading articles. They're all basically the same though, which is first and foremost to eliminate the carriage return (\r) and new line (\n) codes in form submissions. Fortunately Spry is very straightforward. If you know HTML you can basically view the source code of the Spry examples and see how it's done. If you have DW CS3 or above you can insert Spry validation into your forms directly within the Dreamweaver menu commands.
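A server-side processor for the form posted in reply 13, added here as an example and not code posted by anyone in this thread: it applies the required-field checks from reply 16 and the carriage return / line feed rejection from replies 10 and 18, tests the address with filter_var() rather than the deprecated eregi(), and keeps the visitor's input out of the From: header. The From mailbox and the error page name are assumptions; the underscore in the company field key is not (PHP rewrites spaces in incoming field names to underscores, which is why reply 13's $_POST['company'] is never set).

```php
<?php
// Added example, not code from this thread. Validates the contact form from
// reply 13 before mail() runs. The From mailbox and error page are assumptions.

// PHP rewrites spaces in incoming field names to underscores, so the input
// named "company name" arrives as $_POST['company_name'].
const REQUIRED_FIELDS = ['name', 'address1', 'address2', 'phone', 'email', 'comments'];
const SINGLE_LINE_FIELDS = ['company_name', 'name', 'address1', 'address2', 'phone', 'email'];
const REASONS = ['General Info', 'Event Info', 'Donating', 'Fundraising', 'Sponsorship Info',
                 'GBTB Merchandise', 'Volunteer', 'Financial Info', 'Business Info'];

/** Returns a list of error strings; an empty list means the submission is acceptable. */
function validate_contact(array $post): array
{
    $errors = [];
    foreach (REQUIRED_FIELDS as $f) {
        // Runs whether or not the browser executed MM_validateForm, so a blank
        // form sent with JavaScript disabled stops here instead of being mailed.
        if (!isset($post[$f]) || trim((string) $post[$f]) === '') {
            $errors[] = "$f is required";
        }
    }
    foreach (SINGLE_LINE_FIELDS as $f) {
        // One CR or LF in a value that is copied into a mail header is enough
        // to let the sender add headers of their own; reject either character.
        if (isset($post[$f]) && preg_match('/[\r\n]/', (string) $post[$f])) {
            $errors[] = "$f must not contain line breaks";
        }
    }
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address'; // replaces the deprecated eregi() test
    }
    if (isset($post['phone']) && !preg_match('/^[0-9+() .-]{7,12}$/', (string) $post['phone'])) {
        $errors[] = 'phone is not a valid number';
    }
    // The select has no value attributes, so the option text itself is submitted.
    if (!isset($post['reason']) || !in_array($post['reason'], REASONS, true)) {
        $errors[] = 'reason is not one of the listed options';
    }
    return $errors;
}

/** Mail headers that never carry visitor input in From:. */
function contact_headers(string $visitor_email): string
{
    $from = 'contact-form@example.org'; // assumption: a mailbox on your own domain
    return "From: $from\r\n"
         . "Reply-To: $visitor_email\r\n" // validated above, so it holds no CR/LF
         . "Content-type: text/html; charset=utf-8\r\n";
}

/** HTML body with every field escaped, so the message cannot carry markup of its own. */
function contact_body(array $post): string
{
    $labels = ['company_name' => 'Company', 'name' => 'Name', 'address1' => 'Address',
               'address2' => 'City, State, Zip', 'phone' => 'Phone', 'email' => 'Email',
               'reason' => 'Reason for Contact', 'comments' => 'Comments'];
    $rows = '';
    foreach ($labels as $key => $label) {
        $value = htmlspecialchars((string) ($post[$key] ?? ''), ENT_QUOTES, 'UTF-8');
        $rows .= "$label: " . nl2br($value) . "<br>\n";
    }
    return "<br><hr><br>\n" . $rows;
}

$errors = validate_contact($_POST);
if ($errors !== []) {
    // Send the visitor to an error page (assumed name) and stop; nothing is mailed.
    header('Location: contacterror.php?msg=' . urlencode(implode('; ', $errors)));
    exit;
}
$emailSubject = 'GBTB Contact Form';
$webMaster = 'getbehindthebadge@gmail.com';
// Variable names are case-sensitive: reply 13 defines $emailSubject but its
// mail() call reads $emailsubject, so that message goes out with no subject.
$success = mail($webMaster, $emailSubject, contact_body($_POST), contact_headers($_POST['email']));
```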

                                            • 19. Re: Blank contact forms
                                              garywpaul Level 5
                                              eregi() is deprecated and should be discouraged from being used.

                                              http://www.php.net/manual/en/function.eregi.php

                                              I would again suggest looking into http://www.spambotsecurity.com/zbblock.php, it is free and seems to cover most of the bases.  If in your research you feel you can go it alone, then you have that option. But security of a form/database is not something that you want to just take a stab at.

                                               

                                              Gary

                                              • 20. Re: Blank contact forms
                                                award2209 Level 1

                                                Cool, thanks again! I have DW CS4, so I will look into the spry validation.