Hi All
I've been using the latest form for about 3 weeks now, and for some reason about 1 or 2 times a week I receive notification of an empty form submission, i.e. all the fields are empty. Now I've set up my form so you must enter several fields otherwise it won't be sent, so any ideas what's going on?
After I received an empty submission I went on and tried it myself and it sends a filled in form fine.
Also, any idea how you can change the email notification from "Nobody" to something more meaningful?
Thanks
Paul
This is likely due to some person or some automated form abuse script attempting to hijack your form. I would add a check in the processor.php file to only accept submissions from your form.html file and to error out when all or at least the required fields are blank.
I'm experiencing the same problem (forms with gibberish or completely blank fields), so I'm sure you're correct about the automated form abuse script being the culprit.
For someone like me, whose experience with PHP is VERY limited, could you please explain how to accomplish your suggested (check & error out) solution?
Many thanks in advance!
// Check for yourURL.com in the referrer variable.
if (strpos("yourURL.com",$_SERVER[HTTP_referer])==0) {
echo "You are not using this form the way it was intended";
die;
}
Thank you for providing the code.
However, the following two items are not yet clear to me:
(1) Precisely where within the processor.php code should this be inserted?
(2) When you list "yourURL.com", should I be substituting my domain name, or the precise URL of the form page, or --?
Thanks in advance for the clarification.
For your reference, here's what I've got in my current processor.php file:
<?php
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
// File upload handling
if($_FILES['field_10']['name']!=''){
$field_10_filename = "file_10_".date("sihdmY").substr($_FILES['field_10']['name'],strlen($_FILES['field_10']['name'])-4);
if(!move_uploaded_file($_FILES['field_10']['tmp_name'], "./files/".$field_10_filename)){
die("File " . $_FILES['field_10']['name'] . " was not uploaded.");
}
}
$from_email = $_POST['field_9'];
$headers = 'From: ' . $from_email . "\r\n" .
'Reply-To: ' . $from_email;
mail("web_inquiry@1stmetropolitan.info","Email from your website","Name: " . $_POST['field_1'] . "
Company: " . $_POST['field_2'] . "
Address: " . $_POST['field_3'] . "
City: " . $_POST['field_4'] . "
State or Province: " . $_POST['field_5'] . "
Zip or Postal Code: " . $_POST['field_6'] . "
Phone Number: " . $_POST['field_7'] . "
Fax Number: " . $_POST['field_8'] . "
Email Address: " . $_POST['field_9'] . "
Comments: " . $_POST['field_10'] . "
Attach document: ".$where_form_is."files/".$field_11_filename." (original file name: " . $_FILES['field_11']['name'] . ")
",$headers);
include("thankyou.htm");
?>
1.) Right at the top
2.) Use 1stmetropolitan.info
I too am having these same issues with receiving mostly blank forms with spammy type messages. I followed TNTEverett's suggestion to add a check in the processor.php file and it does not allow blank fields to be sent, but it also doesn't allow any forms, even filled out ones, to be sent. Below is my process-fran.php form (which is my processor.php form). Does it look like I am missing something or have the check script wrong? If I remove the check script it sends fine.
<?php
// Check for FranchiseMassageHeights.com in the referrer variable.
if (strpos("FranchiseMassageHeights.com",$_SERVER[HTTP_referer])==0) {
echo "You are not using this form the way it was intended. Use the 'back' button on your browser and fill in the required fields.";
die;
}
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
session_start();
if( ($_SESSION['security_code']==$_POST['security_code']) && (!empty($_POST['security_code'])) ) {
mail("production@fullfusion.net","Franchise Inquiry","Message to MH Corporate Headquarters
Source: FranchiseMassageHeights.com domain
-----------------------------------------------------------------
PLEASE NOTE: Do not just hit 'reply' -- you must send your reply to: " . $_POST['field_8'] . "
--------------------------------------------------------------------------------------
Name: " . $_POST['field_1'] . "
Address: " . $_POST['field_2'] . "
City: " . $_POST['field_3'] . "
State: " . $_POST['field_4'] . "
Zip Code: " . $_POST['field_5'] . "
Day Phone: " . $_POST['field_6'] . "
Best Time To Call: " . $_POST['field_7'] . "
Email: " . $_POST['field_8'] . "
Your Net Worth: " . $_POST['field_9'] . "
Available Liquid Investment Capital: " . $_POST['field_10'] . "
Desired Business Location (City and State): " . $_POST['field_11'] . "
Time Frame For Starting Business: " . $_POST['field_12'] . "
Questions or Comments?: " . $_POST['field_13'] . "
{3E748D77-46E6-4c21-A0CD-1C452817A83E}
","From: no-reply@franchisemassageheights.com");
header("Refresh: 0;url=http://www.franchisemassageheights.com/apply-success.php");
}
else {
echo "ERROR---------- You did not type the correct validation code. Use the 'back' button on your browser and try again.";
}
?>
It does not look like you are using the strpos function correctly. Take a look at this page to see an example.
http://www.php.net/strpos
FYI,
All forms are subject to spam, no matter how good the security is. The spammer must have some reason for targeting your form. If the spam has no purpose then you would have to ask yourself why would someone have any interest in your form.
The other thing about creating some sort of spam blocker is that you must fully understand how the spammer is using your form. Until you know this there is no way to come up with a method of blocking a particular method of abuse.
I'm trying to implement the checking script that you already gave above to prevent spammers from using the processor.php file. I don't know for sure that that is what they are doing, but it seems likely and your solution seems like a good one, but I can't get the script to work. In my previous post I gave you the example of how I am using it and you said it looks like I am not using it correctly. I don't understand how I am not using it correctly? I thought I just followed your instructions you gave to rhg328 above. I don't know php enough to understand how to make this work. I appreciate the reference link, but it is over my head at this point.
We do have the captcha security feature in place as well.
OK,
#1) My mistake for posting a piece of code that someone else wrote. The code does not work for you because of a lack of information on how to use the function. It could work but is probably not the easiest way to accomplish the task. What you really need to do is just match any part of the string returned by $_SERVER['HTTP_REFERER'] with any part of your form's URL.
I would put this in the code temporarily just so you see what is returned.
echo $_SERVER['HTTP_REFERER'];
It should return something like this:
http://www.url.com/formgen/use/test_referer/form1.html
depending on the exact location anyway.
Change this code you already have
if (strpos("FranchiseMassageHeights.com",$_SERVER[HTTP_referer])==0)
to this
if (stristr($_SERVER[HTTP_referer],'FranchiseMassageHeights') === FALSE)
I have the same problem. I'm receiving blank emails and blank posts in the database sometimes. I suspect that someone has bookmarked the confirmation page, and as soon as they go back the script kicks in.
I've tried both the suggestions in this thread and with no luck. Every time I use the form now, it echoes "You are not using this form the way it was intended"
Tried;
// Check for MyURL.com in the referrer variable.
if (strpos("MyURL.com",$_SERVER[HTTP_referer])==0) {
echo "You are not using this form the way it was intended";
die;
}
And also;
// Check for yourURL.com in the referrer variable.
if (stristr($_SERVER[HTTP_referer],'MyURL') === FALSE) {
echo "You are not using this form the way it was intended";
die;
}
I did put that code at the top of processor.php.
Is there any workaround for this type of problem?
Any help is much appreciated.
First, strpos: find position of first occurrence of a string.
This will return a number, not a string match true/false result.
Second, stristr: returns the matched substring.
This will return a string, not a string match true/false result.
Third,
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Use this search string in Google to find some good examples and explanations on the reliability of doing this.
"php check HTTP_referer"
My apologies if I gave a bad example for checking HTTP_REFERER, but customizing your code needs to be targeted at a specific function/feature and finally it needs to be tested before you use it live.
If you need more help then send me your complete form and tell me what function you are looking for.
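A check of the kind discussed in this thread, as an added example that is not code from any poster or from the form generator: it rejects non-POST requests, a Referer whose host is not the form's host, and blank required fields. The host www.example.com, the field names and the helper submission_problems() are placeholders; because the Referer header is set by the client, this only filters crude automated submissions and is not proof of where a request came from.

```php
<?php
// Added example; host, field names and function name are assumptions.

const ALLOWED_HOST    = 'www.example.com';       // placeholder: host serving the form page
const REQUIRED_FIELDS = ['field_1', 'field_8'];  // placeholder: inputs that must be filled in

/**
 * Return the reasons to reject a submission (an empty array means accept).
 */
function submission_problems(array $server, array $post): array
{
    $problems = [];

    // A bookmarked or crawled processor URL arrives as GET with no form data,
    // which is one way a completely blank notification gets mailed.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        $problems[] = 'not a POST request';
    }

    // The key is the quoted, upper-case 'HTTP_REFERER'. It may be absent
    // (some user agents omit it), and then this check rejects the request.
    $referer = $server['HTTP_REFERER'] ?? '';
    $host    = parse_url($referer, PHP_URL_HOST);

    // Compare the parsed host exactly instead of searching for a substring,
    // so "www.example.com.other.test" or "?x=www.example.com" does not pass.
    if (!is_string($host) || strcasecmp($host, ALLOWED_HOST) !== 0) {
        $problems[] = 'referer host does not match the form host';
    }

    // Error out when a required field is missing or only whitespace.
    foreach (REQUIRED_FIELDS as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $problems[] = "required field $name is blank";
        }
    }

    return $problems;
}

// At the very top of processor.php, before any mail() call:
$problems = submission_problems($_SERVER, $_POST);
if ($problems !== []) {
    http_response_code(400);
    exit('Submission rejected: ' . implode('; ', $problems));
}
```

If a substring test with strpos() is used instead, the haystack is the first argument and the result must be compared with === false, since a match at position 0 also evaluates as false under a loose comparison.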