The Web Design Group

... Making the Web accessible to all.

> My trial.php, Doesn't check if anything has been inputted in fields
DS1
post Mar 1 2012, 03:14 PM
Post #1
Group: Members
Posts: 4
Joined: 1-March 12
Member No.: 16,611

I am learning HTML on the fly and I have had my share of problems. I have solved many issues by just searching online. However, this one requires a much more hands-on approach.

I have been getting a rash of submit responses lately that are totally blank. As follows:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - -- - - - - - -- - - - -- - - - - -- -
The following request has been submittedEmail:
First Name:
Last Name:
Phone:
Address Line 1:
Address Line 2:
City:
State / Province:
Country:
Selected Offers:
Years In Market
Portfolio Size:
Broker Type: vMailing List:
- - - - - - - - - - - - - - - - - -- - -- - -- -- - - - - - - - - - - - - - - - -- - - - - - - - - - - - - -

It seems that visitors to the site have figured out how to submit a blank submit form.

Can someone please review my code and instruct me on how to prevent this from happening?

Here is the url

http://www.stocktraderspress.com/trial.php


Thank you
Darin McGrew
post Mar 1 2012, 03:18 PM
Post #2
WDG Member
Group: Root Admin
Posts: 8,365
Joined: 4-August 06
From: Mountain View, CA
Member No.: 3

Please see the FAQ entry How can I require that fields be filled in, or filled in correctly?

JavaScript form validation works only when JavaScript is enabled.
DS1
post Mar 1 2012, 03:41 PM
Post #3

Thanks for your prompt response. I read the link you provided, and not only was it Greek to me, but one of the links doesn't work.

I am very new to this. I was hoping someone could take a look at my coding and see where it could be improved. I believe that there are errors in the page which cause the problem.
Darin McGrew
post Mar 1 2012, 05:02 PM
Post #4

The code that matters is the code in submit.php

We can't see that. We can see only the HTML it produces.

What kind of programming experience do you have?
DS1
post Mar 2 2012, 09:10 AM
Post #5

I have absolutely no programming experience. The tech guy we had resigned and, until our finances improve, I am left to do what I can. Everything I have learned thus far about HTML and PHP etc. I have learned on the fly and from browsing forums.

Here is the Submit.php (notice the mess with the question marks; I am also trying to figure out how to clean that up. It looks fine in the original HTML though).

http://www.stocktraderspress.com/submit.php

This post has been edited by DS1: Mar 2 2012, 09:16 AM
Dancing_Napkin
post Mar 2 2012, 12:02 PM
Post #6
Group: Members
Posts: 4
Joined: 2-March 12
Member No.: 16,622

QUOTE(DS1 @ Mar 2 2012, 10:10 AM)

I have absolutely no programming experience. The tech guy we had resigned and, until our finances improve, I am left to do what I can. Everything I have learned thus far about HTML and PHP etc. I have learned on the fly and from browsing forums.

Here is the Submit.php (notice the mess with the question marks; I am also trying to figure out how to clean that up. It looks fine in the original HTML though).

http://www.stocktraderspress.com/submit.php



DS1,

Darin is asking you for the actual file. He wants to see the code behind that file so that he can potentially provide a solution.
Not a link to Submit.php: actually open that file on your server and copy and paste the PHP code so that we can see it.

Darin McGrew
post Mar 2 2012, 12:15 PM
Post #7

The point is, right now you're using JavaScript in trial.php to block blank submissions. That's fine as a favor to the user, but it doesn't really protect anything. All I have to do is turn off JavaScript (via browser preferences or via a plugin like NoScript), and I can submit whatever I like. Or I can copy the form on trial.php to a local document, edit the local document so the form submits to submit.php just like your original form, and have that document submit whatever I want.

The only way to protect yourself from bad data is to have submit.php reject any submissions that have bad data.
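The check Darin is describing, as an added example (this is not the thread's submit.php and not code from any poster): a function that inspects the POSTed fields on the server before anything is mailed, so a blank submission, a forged request with extra fields, or a value carrying line breaks is rejected whether or not the browser ran the JavaScript in trial.php. It assumes PHP 7.0 or later and the field names used by trial.php/submit.php in this thread; the 200-character limit, the error wording and the sample submissions at the bottom are constructed for the example.

```php
<?php
// Added example, not the original submit.php. Field names follow the form in
// the thread; the limits and error wording are assumptions made for the example.

function validate_trial_form(array $post): array
{
    $errors = [];
    $clean  = [];

    // Fields that must be present and non-blank (whitespace-only counts as blank).
    $required = [
        'em' => 'Email',
        'fn' => 'First Name',
        'ln' => 'Last Name',
        'ph' => 'Phone',
        'ad' => 'Address Line 1',
        'ct' => 'City',
        'st' => 'State / Province',
        'cn' => 'Country',
    ];
    // Fields submit.php reads that may legitimately be empty.
    $optional = ['ap', 'zp', 'ex', 'years', 'portfolio', 'broker', 'yes'];

    foreach (array_merge(array_keys($required), $optional) as $key) {
        $value = isset($post[$key]) ? $post[$key] : '';
        // A hand-made request can send fn[]=x and turn a field into an array.
        if (!is_string($value)) {
            $errors[] = "$key has the wrong type";
            continue;
        }
        $value = trim($value);
        // These values end up in mail headers and bodies; a CR or LF would let
        // the sender append extra headers or recipients.
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$key contains a line break";
            continue;
        }
        if (strlen($value) > 200) {
            $errors[] = "$key is longer than 200 characters";
            continue;
        }
        $clean[$key] = $value;
    }

    // Only fields that passed the checks above are in $clean; the rest already
    // have an error recorded, so they are not reported twice.
    foreach ($required as $key => $label) {
        if (isset($clean[$key]) && $clean[$key] === '') {
            $errors[] = "$label is required";
        }
    }

    if (!empty($clean['em']) && filter_var($clean['em'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address';
    }

    // selected_offers comes from checkboxes, so it is either absent or an array.
    $offers = isset($post['selected_offers']) ? $post['selected_offers'] : [];
    if (!is_array($offers)) {
        $errors[] = 'Selected Offers has the wrong type';
        $offers = [];
    }
    $clean['selected_offers'] = [];
    foreach ($offers as $offer) {
        if (is_string($offer) && $offer !== '' && strlen($offer) <= 50
            && !preg_match('/[\r\n]/', $offer)) {
            $clean['selected_offers'][] = $offer;
        }
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions, so the file can be run from the command line.
    $samples = [
        'blank'     => [],
        'valid'     => ['em' => 'jane@example.com', 'fn' => 'Jane', 'ln' => 'Doe',
                        'ph' => '555-0100', 'ad' => '1 Main St', 'ct' => 'Springfield',
                        'st' => 'NY', 'cn' => 'US', 'selected_offers' => ['a', 'b']],
        'injection' => ['em' => "jane@example.com\r\nBcc: someone@example.com",
                        'fn' => 'Jane', 'ln' => 'Doe', 'ph' => '555-0100',
                        'ad' => '1 Main St', 'ct' => 'Springfield', 'st' => 'NY', 'cn' => 'US'],
    ];
    foreach ($samples as $name => $post) {
        $r = validate_trial_form($post);
        printf("%-9s %s %s\n", $name, $r['ok'] ? 'accepted' : 'rejected', implode('; ', $r['errors']));
    }
} else {
    // In submit.php this would run first; $body and $text are then built from
    // $in instead of $_POST, and nothing is mailed when validation fails.
    $result = validate_trial_form($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        foreach ($result['errors'] as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    $in = $result['data'];
}
```

Run from the command line, the blank sample is rejected with one "is required" error per mandatory field, the valid sample is accepted, and the injection sample is rejected because the address contains a line break. Both messages in submit.php are sent as HTML, so the accepted values should additionally go through htmlspecialchars() when they are concatenated into $body and $text; validation decides whether a request is acceptable, escaping decides how its text is rendered, and the two are separate steps.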
Darin McGrew
post Mar 2 2012, 12:15 PM
Post #8

Please see the FAQ entry Where can I learn about PHP?
Dancing_Napkin
post Mar 2 2012, 12:33 PM
Post #9

QUOTE(Darin McGrew @ Mar 2 2012, 01:15 PM)

The point is, right now you're using JavaScript in trial.php to block blank submissions. That's fine as a favor to the user, but it doesn't really protect anything. All I have to do is turn off JavaScript (via browser preferences or via a plugin like NoScript), and I can submit whatever I like. Or I can copy the form on trial.php to a local document, edit the local document so the form submits to submit.php just like your original form, and have that document submit whatever I want.

The only way to protect yourself from bad data is to have submit.php reject any submissions that have bad data.


Honestly, client-side validation is becoming more and more popular and accepted as a standard.
Sure, you can screw around, disable JavaScript and even exploit my form. And I can also prevent any non-JavaScript users from viewing my website, period. It all depends on how you want to handle your users.

For the novice, client-side validation is fine when learning to use forms, as server-side validation is a bit out of their reach. Server-side validation is not the only way to protect yourself from "bad data".

This post has been edited by Dancing_Napkin: Mar 2 2012, 12:34 PM
DS1
post Mar 2 2012, 12:54 PM
Post #10

Here is the submit.php file:

}
fclose($myFile);
// (The start of the file, where $myFile is opened and written, was not posted.)

/*******************************
* Assemble the user email...
*******************************/
// Nothing above has checked that any of these $_POST fields exist or are
// non-empty, and the values are placed in an HTML message without escaping.
$body = "Dear {$_POST['fn']} {$_POST['ln']},
<p>Thank you for your interest in Stock Traders Press (STP).</p>

<p>STP is an independent, unbiased financial research firm. We employ fundamental (not technical) analysis when selecting stocks. Each year we recommend about 12 undervalued stocks; including specific entry and exit points (when to buy and when to sell). We have provided you with two of our most recent research reports. If you have any questions or comments, we encourage you to call our office and speak with one of our account executives. Here is our performance matrix for the past nine years which has consisted of the following: 114 Recommendations and 93 (82%) were highly successful.
<ul>
<li>Our Performance 2003, 17 Recommendations and 16 (94%) were highly successful
<p>
<li>Our Performance 2004, 12 Recommendations and all 12 (100%) were highly successful
<p>
<li>Our Performance 2005, 14 Recommendations and 11 (79%) were highly successful
<p>
<li>Our Performance 2006, 10 Recommendations and 6 (60%) were highly successful
<p>
<li>Our Performance 2007, 5 Recommendations and 3 (63%) were highly successful
<p>
<li>Our Performance 2008, 18 Recommendations and 17 (94%) were highly successful
<p>
<li>Our Performance 2009, 14 Recommendations and 10 (72%) were highly successful
<p>
<li>Our Performance 2010, 11 Recommendations and 5 (73%) were highly successful
<p>
<li>Our Performance 2011, 10 Recommendations and 8 were highly successful

</ul>

<p>Along with these research reports, we also offer a 30 day trial subscription (for a modest fee). You will receive weekly reports via email. An Account Executive will telephone you on a regular basis to go over the reports with you and to answer any of your questions. We will also provide you with member access to our website, where you will find full details of our recommendations. We are offering this 30 day discounted trial subscription to give you a better opportunity to get to know us and understand our philosophy on investing. Please call our office and ask to speak to an account executive to begin your 30 day subscription today.

<p>Sincerely,<br>
Christopher F. Castaldo President / CEO
<p>www.StockTradersPress.com<br>
1-866-STP-NEWS (1.866.787.6397)<br>
PH1 516-656-0217<br>
PH2 516-656-9523<br>
FAX (8:45am - 6:30pm) Monday - Friday";

/********************************
* Send the user email message...
********************************/
$mail = new PHPMailer();
$mail->Host = "smtp.gmail.com"; // Set the mail hostname here
$mail->Mailer = "smtp";
$mail->SMTPAuth = true;
$mail->Username = "stocktraderspress@stocktraderspress.com"; // Set the email account username here
$mail->Password = "stock135"; // Set the email account password here (better kept in a config file outside the web root than in the script)
$mail->From = 'info@stocktraderspress.com';
$mail->FromName = 'STP Website';
$mail->AddAddress($_POST['em']); // Recipient is whatever the visitor typed; it has not been checked for being present or valid
$mail->WordWrap = 100;
$mail->Subject = 'Thank you for your interest in Stock Traders Press';
$mail->Body = $body;
$mail->IsHTML(true);
$mail->AltBody = strip_tags($body); // This is a 'text-only' version of the message...
if(!$mail->Send())
{
echo "Mailer error: ". $mail->ErrorInfo;
//exit;
}

/*********************************
* Create database message body...
*********************************/
$text = "Email: ".$_POST['em']."<br>";
$text .= "First Name: ".$_POST['fn']."<br>";
$text .= "Last Name: ".$_POST['ln']."<br>";
$text .= "Phone: ".$_POST['ph']."<br>";
$text .= "Address Line 1: ".$_POST['ad']."<br>";
$text .= "Address Line 2: ".$_POST['ap']."<br>";
$text .= "City: ".$_POST['ct']."<br>";
$text .= "State / Province: ".$_POST['st']."<br>";
$text .= "Country: ".$_POST['cn']."<br>";
// selected_offers is only set when at least one checkbox was ticked
$text .= "Selected Offers: ".(isset($_POST['selected_offers']) && is_array($_POST['selected_offers']) ? implode(',', $_POST['selected_offers']) : '')."<br>";
$text .= "Years In Market ".$_POST['years']."<br>";
$text .= "Portfolio Size: ".$_POST['portfolio']."<br>";
$text .= "Broker Type: ".$_POST['broker']."<br>"; // was ."v", the typo behind "Broker Type: vMailing List:" in the received mail
$text .= "Mailing List: ".$_POST['yes']."<br>";

/*******************************
* Create database email...
*******************************/
// The PHPMailer object is reused: Subject and IsHTML(true) carry over from the user email
$mail->ClearAddresses();
$mail->AddAddress('clientservices@stocktraderspress.com');
$mail->AddCC('dstewart@stocktraderspress.com');
$mail->AddBCC('chriscastaldo@aol.com');
$mail->AddReplyTo('clientservices@stocktraderspress.com');
$mail->Body = 'The following request has been submitted'.$text;
$mail->AltBody = strip_tags($text); // otherwise the text-only part is still the user email
if(!$mail->Send())
{
echo "Mailer error: ". $mail->ErrorInfo;
//exit;

}


/*******************************
* Miscellaneous BS below...
*******************************/
//--> New code for CoReg submission
// 08102006
// rd @ zacks.com
function CoRegSubmit($CoReg_vars,$follow=1)
{
$submit_url = 'http://register.zacks.com/ALS/als.php';
$ch = curl_init($submit_url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,$follow);
curl_setopt($ch, CURLOPT_POSTFIELDS, $CoReg_vars);
curl_exec($ch);
curl_close($ch);
}

// Array keys must be quoted; bare fn, ln etc. are treated as undefined constants
if (isset($_POST['selected_offers']) && is_array($_POST['selected_offers']))
{
$CoReg_vars = array(
'pc' => 'STOP',
'ok' => '1',
'fn' => $_POST['fn'],
'ln' => $_POST['ln'],
'ad' => $_POST['ad'],
'ap' => $_POST['ap'],
'ct' => $_POST['ct'],
'st' => $_POST['st'],
'zp' => $_POST['zp'],
'cn' => $_POST['cn'],
'ph' => $_POST['ph'],
'ex' => $_POST['ex'],
'em' => $_POST['em'],
'cURL' => implode(',',$_POST['selected_offers']));
//CoRegSubmit($CoReg_vars,0);
}
//--> end CoReg submission code
?>
</body>
</html>
Christian J
post Mar 2 2012, 04:17 PM
Post #11
Group: WDG Moderators
Posts: 9,628
Joined: 10-August 06
Member No.: 7

QUOTE(DS1 @ Mar 1 2012, 09:14 PM)

It seems that visitors to the site have figured out how to submit a blank submit form.

My guess is that such empty submissions come from spambots. Serious users wouldn't submit empty forms on purpose, especially if you already use javascript form validation. The only exception might be a user that both disabled javascript and submitted the form too early by mistake, but that's too unlikely to happen often.
Darin McGrew
post Mar 2 2012, 05:47 PM
Post #12

QUOTE
Honestly, client-side validation is becoming more and more popular and accepted as a standard.
Sure. But that doesn't make it something you can rely on.

QUOTE
And I can also prevent any non-Javascript users from viewing my website, period.
Like Googlebot?
Christian J
post Mar 3 2012, 09:43 AM
Post #13

QUOTE(Dancing_Napkin @ Mar 2 2012, 06:33 PM)

Honestly, client-side validation is becoming more and more popular and accepted as a standard.

Nothing new about it, it's been in use for as long as javascript has existed.

QUOTE
Sure, you can screw around, disable Javascript and even exploit my form.

Many spambots are created for exactly that purpose.

QUOTE
And I can also prevent any non-Javascript users from viewing my website, period.

I sometimes use JS to prevent spambots from submitting forms or gathering email addresses (by making them JS-dependent), but I can't stop malicious humans from circumventing such simple obstacles.

QUOTE
For the novice, client-side validation is fine when learning to use forms,

Client- and server-side validation are not mutually exclusive; rather, they are used for different purposes. Server-side validation protects the web site (and/or its owner). For example, prices in an online store should always be checked on the server side so that customers can't change them at will. Client-side validation can be used as an optional courtesy, to save the user from having to resubmit an incorrect form.

QUOTE
as server-side validation is a bit out of their reach.

Why would it be that? Either the novice is using a ready-made server-side script - in which case the script should already contain the necessary validation if it's any good - or he's writing his own server-side script, in which case he should learn to add validation in the process.
