I have a form I built for a client; it takes in user information and sends it to my client and me. It has input validation and will not allow a user to send an e-mail without filling out the form.
What I cannot figure out is how the form is getting sent to me every morning for the last 3 days in a row, and 5 emails are sent at exactly 7:48am. The weirdest part about it is that the form is blank.
Also note: The form is working correctly every time from multiple different devices and browsers when testing it.
I am using PHP to send the form, JavaScript for form validation, HTML and CSS. Below is the relevant code (to reduce the code I left out most of the inputs; I kept only one field so you can see how everything is working).
HTML
<form method="post" name="form" id="email-form" action="css/form-to-email.php">
<p class="blue" id="body-text-name">Name: <input id="input-name" name="fname" type="text" required />
<input class="btn" onClick="return IsEmpty()" type="submit" name='submit' />
</form>
JavaScript
function IsEmpty() {
if (document.forms['form'].name.value == "") {
alert("empty");
return false;
}
return true;
}
and PHP
<?php
if(!isset($_POST['submit']))
{
echo "error; you need to submit the form!";
}
$fname = $_POST['fname'];
$to = 'someEmail@some.com';
$cc = '';
$recipients = $to.", ".$cc;
$email_subject = "Order Form";
$email_body = "Order For: $fname
";
$headers = "From: Order_Form
";
$headers .= "Reply-To:
";
mail($recipients,$email_subject,$email_body,$headers);
header('Location: ../index1.html');
?>
I have searched and searched for an answer but I cannot figure out for the life of me what is causing this or where to look. Any help would be greatly appreciated.
It may be possible that something (a user, a bot) is visiting your css/form-to-email.php directly.
So, when you visit css/form-to-email.php directly
In the "if" block you are echoing a message but not preventing the script from continuing its execution, so the code after that block always runs.
echo "error; you need to submit the form!";
should be:
echo "error; you need to submit the form!";
return;
or
echo "error; you need to submit the form!";
exit(); // or die(), it's the same.
You also could throw an exception.
throw new Exception("error; you need to submit the form!");
They could be using the raw URL to send the email, most likely web crawlers since you mention the time consistency. Best to have validation on the server side as well; that should stop it.
This function
function IsEmpty() {
if (document.forms['form'].name.value == "") {
alert("empty");
return false;
}
return true;
}
Is wrong!
document.forms['form'].name.value
returns the value of the name field of the form tag i.e. in your case from this HTML it returns 'form' and will always be set to that
<form method="post" name="form" id="email-form" action="css/form-to-email.php">
from the name="form" property.
Change the script to get the content of the field you actually want to check!!
function IsEmpty() {
if (document.getElementById('input-name').value == "") {
alert("empty");
return false;
}
return true;
}
Also this validation should be done in the PHP script that accepts this data and generates the email.
<?php
// Stop unless the request came from the form's submit button.
if ( ! isset($_POST['submit']) )
{
    echo "error; you need to submit the form!";
    exit;
}
// Stop if the field is missing or blank (isset() alone is true for an empty string).
if ( ! isset($_POST['fname']) || trim($_POST['fname']) === '' ) {
    echo "error; You must have something in this field!";
    exit;
}
$fname = $_POST['fname'];
$to = 'someEmail@some.com';
$cc = '';
$recipients = $to.", ".$cc;
$email_subject = "Order Form";
$email_body = "Order For: $fname\n";
$headers = "From: Order_Form\n";
$headers .= "Reply-To:\n";
mail($recipients,$email_subject,$email_body,$headers);
header('Location: ../index1.html');
exit;
?>
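A server-side handler that combines the points raised in the answers above, as an added example that is not code from any of the original posts. The helper names `clean_field` and `reject` and the sender `orders@example.com` are hypothetical; the field name, recipient and redirect target are taken from the question, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: hardened form-to-email.php for the single "fname" field.
// Validate one posted field: must be a string, non-empty after trimming,
// and within a length limit. Returns null when the value is unusable.
function clean_field(array $post, string $key, int $maxLen = 100): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;                    // missing, or an array such as fname[]=x
    }
    $value = trim($post[$key]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Reject control characters; CR/LF would matter if the value is ever put in a mail header.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Send an HTTP error status and stop; nothing after this call runs.
function reject(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// A crawler or anyone opening the script URL directly sends GET, not POST.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Allow: POST');
    reject(405, 'error; you need to submit the form!');
}

$fname = clean_field($_POST, 'fname');
if ($fname === null) {
    reject(400, 'error; You must have something in this field!');
}

$to      = 'someEmail@some.com';            // placeholder address from the question
$headers = "From: orders@example.com\r\n";  // constructed sender, fixed string only
$body    = "Order For: $fname\r\n";

if (!mail($to, 'Order Form', $body, $headers)) {
    reject(500, 'error; the message could not be sent');
}
header('Location: ../index1.html');
exit;
```

The 405 and 400 responses also show up in the web server's access log, which makes it easy to confirm whether the 7:48am requests are direct hits on the script.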