Form on my website being sent automatically every night!

I’m new to PHP and coding in general so I may have just made a really dumb mistake. Pardon if so!

Every evening around 1:48 a.m. the form on my website is being submitted with all values “1”, which is not even possible for some of the values. Is it possible it’s the host company I use, FatCow, doing a test? Here’s the code I used to handle the form and any help really really appreciated.


$myemail = ‘,’; //<-----Put Your email address here.

$name = $_POST[‘name’];
$email_address = $_POST[‘email’];

$to = $myemail; 
$email_subject = "Delivery Request: $name";
$email_body = "You have received a new delivery request: ".
" Here are the details:\

Name: $name
Email: $email_address
Address1: $address1
Address2: $address2
Phone: $phone
Heard about us: $refer
Friend: $referrer
Starch: $starch
Hangars or Boxes: $shirts
Message: $message
Promo Code: $promo";

$headers = "From: $myemail"; 
$headers .= "Reply-To: $email_address";

//redirect to the 'thank you' page
header('Location: contact-form-thank-you.html');

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” “”>
<title>Contact form handler</title>

<!-- This page is displayed only if there is some error –>
echo nl2br($errors);


Thanks everybody for the help. Validation solves the problem.

Looks like some kind of bot which

a) detects html inputs on your page
b) ignores your gui
c) submits a 1 in every input form element

This should be a very useful clarion call to you, people trying to break into your site will likely start off using automated bots to find out where your weaknesses are.

Your primary job is to a) be aware of this to protect yourself and your clients and b) thwart them.

Take the email address, that should conform to a particular pattern, and there are PHP tools to help you identify them check data filtering. Finding something like a 1 in that field should cause your script to abort, or return back the GUI with a message.

Email validation example from the manual

It looks to be related to SiteLock (given the descriptive names and IP address) for whom FatCow is listed as a “partner”.

Thanks for the help and link; I haven’t gotten to the field verification/Regex chapter in my PHP book yet. Guess I shouldn’t have gone live then.

Here’s one of the error logs, I can see in the middle here at 2010:01:48:08 where the 1’s are being sent but have no idea what’s doing it. - - [30/Jun/2010:01:48:07 -0400] “GET / HTTP/1.0” 200 9188 “” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:07 -0400] “GET /delivery.html?=submit&first_name=1&last_name=1 HTTP/1.0” 200 12903 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:07 -0400] “GET /services.html HTTP/1.0” 200 4643 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:07 -0400] “GET /style-wp.css HTTP/1.1” 404 1252 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /contact-form-handler.php?=Send&address1=1&address2=1&email=1&message=%20&name=1&phone=1&promo=1&refer=null&referrer=1&shirts=1&starch=1 HTTP/1.0” 302 248 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /delivery.html HTTP/1.0” 200 12903 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /compare.html HTTP/1.0” 200 7804 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /style.css HTTP/1.1” 200 7950 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /about.html HTTP/1.0” 200 4280 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /style-comments.css HTTP/1.1” 404 1252 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:08 -0400] “GET /style-wp.css HTTP/1.1” 404 1252 “-” “SiteLockSpider [en] (WinNT; I ;Nav)” - - [30/Jun/2010:01:48:09 -0400] “GET /th1s_1s_a_4o4.html HTTP/1.0” 404 1252 “-” “SiteLockSpider [en] (WinNT; I ;Nav)”

Take a good look in your server logfiles for that particular moment, tell us what you find if you cannot work it out.

Remove anything which might identify your own server though, and as zalacius says, you have left yourself wide open for malicious attacks, unless you really upset someone in school and they really sit down every night at the same time enter 1,1,1,1,1 in all your form elements.

I knew kids like that.

You should do some serverside validation on the form values…

First you could check if the fields are empty, then atleast do a regex on the email, to make sure the email looks like a real email.

perhaps this link can point you in the right direction: