The contact form on my website keeps sending me blank emails!

Hi everyone.

I read somewhere that Google crawler triggers the contact form to send blank emails.

I believe a validation of the fields will stop this from happening, but I couldn’t solve this problem to save my life, my php skills are very poor.

Here is the code, I hope someone can help, any help is appreciated.

[php]<?php
ob_start();
session_start();
include('class.phpmailer.php');
include('admin/includes/config.php');
$name=isset($_POST['name']) ? addslashes($_POST['name']) : '';
$email=isset($_POST['email']) ? addslashes($_POST['email']) : '';
$phone=isset($_POST['phone']) ? addslashes($_POST['phone']) : '';
$comment=isset($_POST['comment']) ? addslashes($_POST['comment']) : '';
$TemplateMessage=''; // initialise before the .= appends below

    $row=mysql_fetch_array(mysql_query("SELECT * FROM `fds_tbladmin` WHERE `id`='1'")); 

 
$admin_email=$row['email']; 
 
    $Subject1 ="Someone Has Contacted You"; 
     
    $TemplateMessage.="<br/><br />Hi Admin"; 
     
    $TemplateMessage.=""; 
     
    $TemplateMessage.="<br><br>"; 
    $TemplateMessage.=" Name :".$name; 
     

    $TemplateMessage.="<br><br>"; 
    $TemplateMessage.="Email :".$email; 

    $TemplateMessage.="<br><br>"; 
    $TemplateMessage.="Phone :".$phone; 

     
    $TemplateMessage.="<br><br>"; 
    $TemplateMessage.="Comment :".$comment; 
     
    $TemplateMessage.="<br><br><br/>Thanks & Regards<br/>"; 
     
    $TemplateMessage.="Flash Driving School"; 
     
    $TemplateMessage.="<br><br><br>This is a post-only mailing.  Replies to this message are not monitored 
    or answered."; 
     
    $mail1 = new PHPMailer; 
     
    $mail1->FromName = "flashdrivingschool.com"; 
     
    $mail1->From    = "[email protected]"; 
     
    $mail1->Subject = $Subject1; 
     
    $mail1->Body    = stripslashes($TemplateMessage); 
     
    $mail1->AltBody = stripslashes($TemplateMessage); 
     
    $mail1->IsHTML(true); 
     
    $mail1->AddAddress($admin_email,"flashdrivingschool.com");//[email protected] 
     
    $mail1->Send(); 

header('location:thankyou.php');
exit();

?>[/php]

I don’t see any "IF" statements preventing it from sending you an email when the fields are blank.

Instead of coding it all for you, take a look at what I did below, it will prevent it from sending emails to you when an email address is not provided. You should prevent it from sending you an email when all the required fields are not filled out. Follow the example below and you should be able to finish the rest. You also need to think about alerting the user when all the fields are not filled out properly.

You should really put JavaScript code on the form to make sure all fields are filled out and display a nice message to the user when it’s not.

[php]<?php
ob_start();
session_start();
include('class.phpmailer.php');
include('admin/includes/config.php');
$name=isset($_POST['name']) ? addslashes($_POST['name']) : '';
$email=isset($_POST['email']) ? addslashes($_POST['email']) : '';
$phone=isset($_POST['phone']) ? addslashes($_POST['phone']) : '';
$comment=isset($_POST['comment']) ? addslashes($_POST['comment']) : '';
$TemplateMessage=''; // initialise before the .= appends below

// Only build and send the mail when an email address was submitted
if ($email != '') {
$row=mysql_fetch_array(mysql_query("SELECT * FROM `fds_tbladmin` WHERE `id`='1'"));

 $admin_email=$row['email']; 
  
     $Subject1 ="Someone Has Contacted You"; 
      
     $TemplateMessage.="<br/><br />Hi Admin"; 
      
     $TemplateMessage.=""; 
      
     $TemplateMessage.="<br><br>"; 
     $TemplateMessage.=" Name :".$name; 
      

     $TemplateMessage.="<br><br>"; 
     $TemplateMessage.="Email :".$email; 

     $TemplateMessage.="<br><br>"; 
     $TemplateMessage.="Phone :".$phone; 

      
     $TemplateMessage.="<br><br>"; 
     $TemplateMessage.="Comment :".$comment; 
      
     $TemplateMessage.="<br><br><br/>Thanks & Regards<br/>"; 
      
     $TemplateMessage.="Flash Driving School"; 
      
     $TemplateMessage.="<br><br><br>This is a post-only mailing.  Replies to this message are not monitored 
     or answered."; 
      
     $mail1 = new PHPMailer; 
      
     $mail1->FromName = "flashdrivingschool.com"; 
      
     $mail1->From    = "[email protected]"; 
      
     $mail1->Subject = $Subject1; 
      
     $mail1->Body    = stripslashes($TemplateMessage); 
      
     $mail1->AltBody = stripslashes($TemplateMessage); 
      
     $mail1->IsHTML(true); 
      
     $mail1->AddAddress($admin_email,"flashdrivingschool.com");//[email protected] 
      
     $mail1->Send(); 
      }

header('location:thankyou.php');
exit();
[/php]
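
Added example, not part of the original posts or the site's code: server-side checks for all four fields this form posts (`name`, `email`, `phone`, `comment`). JavaScript validation on the page does not stop a crawler or script that POSTs directly to the PHP file, so the same checks have to run on the server. The function name, the phone pattern and the length limit are assumptions.

```php
<?php
// Added example: validate the contact form fields on the server before mailing.
// validate_contact_form(), the phone pattern and the 2000-byte limit are assumptions.
function validate_contact_form(array $post): array
{
    $errors = [];
    $clean  = [];

    // Every field is required; arrays or missing keys count as empty.
    foreach (['name', 'email', 'phone', 'comment'] as $field) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'required';
        }
        $clean[$field] = $value;
    }

    // Single-line fields must not contain CR/LF (mail header injection attempts).
    foreach (['name', 'email', 'phone'] as $field) {
        if (preg_match('/[\r\n]/', $clean[$field])) {
            $errors[$field] = 'invalid';
        }
    }
    if (!isset($errors['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }
    if (!isset($errors['phone']) && !preg_match('/^\+?[0-9 ()-]{7,20}$/', $clean['phone'])) {
        $errors['phone'] = 'invalid';
    }
    if (strlen($clean['comment']) > 2000) {
        $errors['comment'] = 'too long';
    }

    // Escape for the HTML mail body so submitted markup is shown as text, not rendered.
    $html = [];
    foreach ($clean as $field => $value) {
        $html[$field] = nl2br(htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'html' => $html];
}

// Constructed sample submissions: an empty bot-style POST and a filled-in one.
$samples = [
    [],
    ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'phone' => '+44 20 7946 0000', 'comment' => '<b>Hello</b>'],
];
foreach ($samples as $post) {
    $result = validate_contact_form($post);
    echo $result['ok'] ? "send mail\n" : 'reject: ' . implode(', ', array_keys($result['errors'])) . "\n";
}
```

In the script above, the mail would be built from the escaped `html` values and `Send()` called only when `ok` is true.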

Thank you Topcoder.

I appreciate the help however I can’t finish what you have sent me, my coding skills are zero.

Also if you check out my website wwww.flashdrivingschool.co.uk if any fields are empty it doesn’t allow you to submit anyway, so I guess there is some sort of validation, when one field is left blank and you click submit then the blank field gets highlighted.

Great, nice looking website.

You do have Javascript validation (The hard part is done)

Just replace your code sample with the one I provided above and it should prevent the blank emails.

Thanks I’ll do that now. I’ll let you know how it goes.

You have numerous security issues with your server and are vulnerable to a Click-Jacking attack.

Hey Kevin

What exactly does that mean and how do I fix it ?

Topcoder,

I don’t know how but now I am getting spam emails in bulk, since the blank email fix (which works nicely) I have received over 1000 spam emails, all with random text that.

Any idea why this might be ?

Before the fix I used to get around 10 blank emails a day and maybe 2-3 spam emails a week, now it has skyrocketed.

Do you think the fix may have opened up a vulnerability? Maybe this is what Kevin was talking about, click-jacking?

From what I am seeing, you are not checking or validating captcha. Being as this form is a WordPress plugin, was that previously handled before you (or whomever) changed it to utilize PHPMailer?

You’re right, there is no captcha validation, I guess that will be the ultimate solution.

The person who made the website for me set everything up, so I guess he set up the PHPMailer.

How do you suggest I proceed?

What contact form plugin are you using?

The change I suggested made sure someone filled in the email address, before it was submitted. It didn’t open any new vulnerabilities.

What happens is this: since you are using “wordpress”, it’s very popular. Some people scan for plug-ins that have vulnerabilities, and once they find those sites, they spam them with offers. Some people would try to use your website as an open relay, sending other people emails from your server. But since you have your email address hard-coded, you will get the spam.

It happens to everyone and then you have to prevent it by implementing a good captcha.

Well, since that first day receiving 1300 messages it hasn’t happened again. Thanks for all your help Topcoder and everyone else.
