Strange emails from contact form

bcalagoure · January 27, 2014, 1:05pm

My contact form relies on HTML5 for validation and a very simple anti-spam method. Still I occasionally get a blank email with nothing but Contact Form in the subject line. I have 2 questions: Is HTML5 sufficient for validation, and why am I getting blank emails from the form? I figure someone is playing with it but how? Here’s the code:

<form method="post" action="sendemail.php">
  <fieldset>

   <div>  
    <label>Name:</label>
    <input name="name" id="name" type="text" required>
   </div>

   <div>       
    <label>Email:</label>
    <input name="email" id="email" type="email" required>
   </div> 

   <div>        
    <label>Message:</label>
    <textarea name="message" id="message" placeholder="Type Here" required></textarea>
    </div>

	<div class="nospam">
	<label>*What is 2+2? (Anti-spam)</label>
    <input name="human" placeholder="Answer Here" required>        
   </div>
   
   <div class="shortinput">
	<input type="submit" id="submit" value="Send"><input type="reset" value="Clear">
 </div>
   </fieldset>    
</form>

<?php 
    $name = $_POST['name'];
    $email = $_POST['email'];
	$content = $_POST['message'];
	$message = wordwrap($content, 70, "\\r\
");
	$formcontent="From: $name \
 Message: $message";
	$recipient = "me@work.com";
	$subject = "Contact Form";
	$mailheader = "From: $email \\r\
";
	$success_message = "Your message has been sent, thank you.";
	
	mail($recipient, $subject, $message, $mailheader);
	echo $success_message;
?>

StarLion · January 27, 2014, 1:22pm

I see no validation.

bcalagoure · January 27, 2014, 1:26pm

Validation in terms of making sure that certain inputs have to be filled in and the email is in the correct format.

StarLion · January 27, 2014, 4:14pm

Well, lets throw this out the window right now. Type = email does not guarantee that the email is in the correct format. In fact, all it checks for is that “there is some (semi-validated) text, then a @, then some more text.”
The implementation of it will vary from browser to browser. For example, in the version of Chrome i’m using at the moment, using a period as the first or last character is acceptable; so is using 2 periods in a row. (Both of these are unacceptable local parts of an email address from RFC 5322). It was perfectly happy to let me submit “…@m” as an email address.

And that’s assuming the person’s browser is HTML5 compliant.

But let’s turn to the more likely scenario for the cause of your blank emails: The back button.

Quite simply, more than likely the back button was pushed after someone filled out the form, and they chose not to resubmit data. Also if a web spider happened to crawl your PHP page.

How to prevent?
Wrap your PHP in an if(isset($_POST[‘name’])) {}.