jQuery Ajax form posted to PHP arrives with blank information

I'm using the following jQuery and PHP where people fill in a form. jQuery then goes through the fields, validates that there is content, and if everything is filled in correctly it sends the data to PHP, which then formats the email and sends it.

The problem is that when I am trialing it, it works fine, yet I have received emails with the line headings such as Name: and Email: etc. where the user input content is blank.

Could it be possible that search engines are crawling the site and coming across the PHP file, and this is why it sends blank data?

jQuery

$('body').on('click', '.sendmail', function() {
    // Collect every input in the form as {key: id, val: value}
    var arr = [];
    $('.form input').each(function(index, element) {
        var i = $(this).prop('id');
        var v = $(this).val();
        var obj = {key: i, val: v};
        arr.push(obj);
    });
    arr.push({key: "subject", val: $('.subject .active').text()});
    arr.push({key: "comments", val: $('#comments').val()});
    // Flatten the array into the POST parameters
    var param = {};
    $.each(arr, function() {
        param[this.key] = this.val;
    });
    var sValid;
    // Required text fields must be non-empty
    var isValid = !$('#name, #company, #tel, #comments').filter(function() { return !this.value; }).length;
    var eValid = validateEmail($('#email').val());
    // A subject must have been selected
    if ($('.subject span').hasClass("active")) {
        sValid = true;
    } else {
        sValid = false;
    }
    if (isValid && sValid && eValid) {
        $.ajax({
            type: "POST",
            url: "/assets/inc/contact.php",
            data: param,
            dataType: "json",
            success: function(data) {
                $('.form span').removeClass('active');
                $('.form-response').removeClass('green');
                $('.form-response').removeClass('red');
                if (data.sent == 1) {
                    $('.form-response h1').text('Form is sent! We\'ll be in touch soon');
                    $('.form-response').addClass('green');
                } else {
                    $('.form-response h1').text('Form not sent! Please check all fields are filled in.');
                    $('.form-response').addClass('red');
                }
                $('.form-response').slideDown().delay(3000).slideUp();
                // Reset the form
                $('.form input, .form textarea').val('');
                $('.form label').css({'opacity': 1, 'display': 'block'});
                $('.form span').removeClass('active');
            }
        });
    } else {
        $('.form-response h1').text('Form not sent! Please check all fields are filled in.');
        $('.form-response').addClass('red');
        $('.form-response').slideDown().delay(3000).slideUp();
    }
});

PHP

<?php
$name       = $_POST['name'];
$email      = $_POST['email'];
$company    = $_POST['company'];
$tel        = $_POST['tel'];
$subject    = $_POST['subject'];
$comments   = $_POST['comments'];

$to      = 'info@domain.com';
$message = '
Name: '.$name.'<br>
Email: '.$email.'<br>
Company: '.$company.'<br>
Tel: '.$tel.'<br><br><hr><br><br>
Comments: '.$comments.'<br>
';

// To send HTML mail, the Content-type header must be set.
// Headers are separated by CRLF; build them once instead of assigning $headers twice.
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers .= 'X-Mailer: PHP/' . phpversion() . "\r\n";

// Additional headers
$headers .= 'From: '.$name.' <'.$email.'>' . "\r\n";

$sent = mail($to, $subject, $message, $headers);

// The jQuery success handler checks data.sent == 1
$post_data = json_encode(array('sent' => $sent ? 1 : 0));
echo $post_data;

I found that going directly to the .php file which executes the above would send the file. I think that it was crawled or someone looked at my code directly and checked out the PHP file.

I have taken care of it by wrapping my PHP with the following

if (!empty($name) and !empty($email) and !empty($company) and !empty($tel) and !empty($subject) and !empty($comments)) {
    // my code to send the form
} else {
    // Nothing (or not everything) was posted: report failure instead of mailing
    $post_data = json_encode(array('sent' => 'no'));
    echo $post_data;
}

I would suggest you check your access logs and compare the timing. But I doubt this is the case.

I also noticed you don't make any checks on the server side. Fix that and you can see if you are getting an empty string from the jQuery. At least it will point in the direction of the problem.

  1. First you should add some CAPTCHA in the form.

  2. Make sure your validations are properly working

  3. In your PHP code you should add some condition on whether data has been posted or not, like

    if(count($_POST)){   // or if(isset($_POST['sub'])) //  some parameter
      // all code in between
    }

  4. Add some validation in the server-side code, that is, the PHP code. For example, if name or email is empty then do not send the email but send an error back to the user.

A CAPTCHA is probably safer, but it raises the threshold for most users to fill out a form. If that is a problem, you can try a honeypot strategy for your server-side validation.

You can do it by adding a checkbox to the form and hiding it with CSS. If it is checked you can be almost certain it wasn't a human that filled out the form. It is less intrusive for users because they aren't confronted with more fields than they should be.

Also have a look at your $_POST data. You are accepting the user's input without having a look at it first. You can (and should) 'guide' the user to valid data at the front end, but more importantly you should always validate it at the server side.

Use jQuery to send the data to PHP:

    // check_flag, the field variables and clear_fields() come from the surrounding form code
    if (check_flag == 0) {
        $.post('PHP/common.php?action=newempcontact', {
            name: name,
            email: email,
            company: company,
            tel: tel,
            subject: subject,
            comment: comment
        }, function(info) {
            $("#validate_msg").html(info).addClass('validatectrl');
            $('html, body').animate({ scrollTop: 0 }, 'slow');
            clear_fields();
        });
    }

one:

if ($_POST)
{
    // only run the mail code when something was actually posted
}

two:

header('Content-Type: application/json');

three:

if (mail($to, $subject, $message, $headers))
{
    // report success only when mail() accepted the message
}
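Putting the advice from the last three answers together (a POST-method check, a CSS-hidden honeypot checkbox, server-side validation of every field, and a JSON reply based on the result of mail()), as an added example that is not part of the original question or any answer; the honeypot field name hp_confirm and the HTTP status codes are assumptions.

```php
<?php
// Added example, not code from the question or any of the answers: a hardened
// contact.php that applies the suggestions above (POST check, honeypot,
// server-side validation, JSON reply). Assumed honeypot field name: hp_confirm.
header('Content-Type: application/json');
function validate_contact(array $post): array {
    $errors = [];
    // Honeypot: the CSS-hidden checkbox is never seen by a human, so any value means a bot.
    if (!empty($post['hp_confirm'])) {
        $errors[] = 'honeypot was filled in';
    }
    foreach (['name', 'email', 'company', 'tel', 'subject', 'comments'] as $f) {
        if (trim($post[$f] ?? '') === '') {
            $errors[] = "$f is required";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is invalid';
    }
    // Values copied into mail headers must stay on one line.
    foreach (['email', 'subject'] as $f) {
        if (preg_match('/[\r\n]/', $post[$f] ?? '')) {
            $errors[] = "$f must not contain line breaks";
        }
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // A crawler or someone opening the URL directly never reaches mail().
    http_response_code(405);
    echo json_encode(['sent' => 0, 'error' => 'POST required']);
    exit;
}
$errors = validate_contact($_POST);
if ($errors) {
    http_response_code(400);
    echo json_encode(['sent' => 0, 'errors' => $errors]);
    exit;
}
$e = fn($v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
$message = 'Name: ' . $e($_POST['name']) . '<br>Email: ' . $e($_POST['email']) . '<br>'
         . 'Company: ' . $e($_POST['company']) . '<br>Tel: ' . $e($_POST['tel']) . '<br><br>'
         . 'Comments: ' . nl2br($e($_POST['comments']));
// From stays the site's own address; the visitor's address goes in Reply-To.
$headers = "MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n"
         . "From: noreply@domain.com\r\nReply-To: " . $_POST['email'] . "\r\n";
$sent = mail('info@domain.com', $_POST['subject'], $message, $headers);
echo json_encode(['sent' => $sent ? 1 : 0]);
```

The existing jQuery handler keeps working unchanged because it only inspects data.sent, while the errors array gives you something concrete to log when a submission is rejected.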