Hi, guys. Along with ‘normal’ emails my html+php contact form sends blank messages to the inbox. Thought the prob was with lack of condition for ‘not sending a message, unless the fields are filled in’, but, in fact, the condition is in place. Could you briefly look through the code and kindly suggest any corrections, so I get rid of numerous blank emails (btw, I’m not that good at html and php, so hope your advice helps). Thanks in advance, would be of much help!
Do the same check in your PHP code. Make sure all fields have a value before you fire the mail() command.
What’s likely happening is a semi-careless search bot is crawling your website, seeing a form pointing to a URL, and going to that URL without actually sending form data.
Actually, the “condition” (required) is in place for “your” form. Nothing says a POST request has to come from your form. As pointed out, you need to validate the required fields in your processing code.
One thing that was not mentioned is that you need to TRIM the POST array before the checks. Blank spaces will bypass an empty check.
Furthermore, you may use the following code to check the empty condition, to trim the POST array, and to apply stripslashes() as well as htmlspecialchars() to the POST array.
<?php
// define variables and set to empty values
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
    }

    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
    }

    if (empty($_POST["website"])) {
        $website = "";
    } else {
        $website = test_input($_POST["website"]);
    }

    if (empty($_POST["comment"])) {
        $comment = "";
    } else {
        $comment = test_input($_POST["comment"]);
    }

    if (empty($_POST["gender"])) {
        $genderErr = "Gender is required";
    } else {
        $gender = test_input($_POST["gender"]);
    }
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like < and > with &lt; and &gt;
@iflameinstitute, That code is just all kinds of wrong. Since it is pretty much every line I am not going to get into every problem. Perhaps someone else will.
While I would do some of the steps differently / use some different naming, the overall flow of the code is not “all kinds of wrong”, in terms of the end result it achieves.
Please elaborate on what you find wrong with it, otherwise your post is just trolling.
In any case, let’s start with the first 75%. The CODE sets TWO strings of completely unnecessary strung together empty strings of variables, one of which doesn’t even exist in the code. ($websiteErr). Then it goes through blocks of empty checks without trimming the post array even though it is mentioned in the post which will completely fail when spaces are entered. Then if the POST’ed fields are actually empty errors, variables are set that do absolutely nothing and should actually be put into an array anyways. Then the entire REQUEST_METHOD block doesn’t go anywhere whatsoever. Then the incorrectly named test_input function is obviously grabbed from a 1990s database output function that is just floating around unused.
The only thing right about the CODE is the check for the REQUEST_METHOD. So like I said, just about every line. With all that, it does qualify as “all kinds of wrong”.
Indeed it’s not, but that’s not what you were doing. You were calling the code “all kinds of wrong” without bothering to explain why. That really doesn’t help anyone. People who know what you mean will know, but people who aren’t that versed in PHP will be left confused and probably annoyed.
So it’s not about what you said, it’s about how you said it.
Regarding your comments, the setting of variables at the beginning of the script is so you can refer to any of those variables after the if block without using isset all the time, because you know they’re defined with an empty value by default. The $websiteErr is indeed not that nice, but I’ve seen worse things.
Personally I’d create an array $errors and push any new errors in that array, but this should work too.
Trimming of values before checking is good, but notice that the OP never made such a request, you added that.
I agree that checking for REQUEST_METHOD would be better.
I agree. At the time I was on my phone and not inclined to get into details at the time.
My reply was not to the OP, it was directly to the one that posted that code who did in fact mention it.
That’s the thing: there isn’t anything after the if blocks in the posted code, which I pointed out. I realize the code is supposed to be a partial example but it will only cause confusion to those that don’t know better.
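Added example, not code from any poster in this thread: the points raised above (only act on POST, trim before the empty check, collect errors in an array, call mail() only when there are none) put together in one handler. The field names name, email and comment, the choice to require all three, and the recipient owner@example.com are assumptions for illustration.

```php
<?php
// Added example. Field names and the recipient address are assumptions.

function validate_contact(array $post): array
{
    // Trim first, so a field holding only spaces counts as empty.
    $clean = [];
    foreach (['name', 'email', 'comment'] as $field) {
        $value = $post[$field] ?? '';
        // A non-string value (e.g. name[]=x) is treated as missing.
        $clean[$field] = is_string($value) ? trim($value) : '';
    }

    $errors = [];
    if ($clean['name'] === '') {
        $errors['name'] = 'Name is required';
    }
    if ($clean['email'] === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email is not valid';
    }
    if ($clean['comment'] === '') {
        $errors['comment'] = 'Message is required';
    }
    return [$clean, $errors];
}

// A crawler that requests this URL with GET, or posts nothing, never reaches mail().
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_contact($_POST);

    if ($errors === []) {
        // Keep the subject on one line; user input goes in the body, not in headers.
        $subject = 'Contact form: ' . str_replace(["\r", "\n"], ' ', $clean['name']);
        $body = "Name: {$clean['name']}\nEmail: {$clean['email']}\n\n{$clean['comment']}";
        mail('owner@example.com', $subject, $body);
        echo 'Thank you, your message has been sent.';
    } else {
        // Escape when writing into HTML, not when reading the input.
        foreach ($errors as $message) {
            echo '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    }
}
```

The HTML `required` attribute can stay on the form for real visitors; this server-side check is what stops blank messages from requests that never went through the form.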