I have a 3-part registration form using PHP:

page 1 : collects info - has client & server side validation (for blank and invalid fields)
page 2 : collects more info - has server side validation (for blank and invalid fields)
page 3 : saves (db) and sends (email) the registration information

More info:

page 1 : saves all form information into session[registration] before going to page 2
page 2 : redirects to page 1 if session[registration][email] is blank
page 3 : redirects to page 1 if session[registration][email] is blank; destroys session after registration is successful

This has been working fine for the past months until yesterday, when around 25 emails were sent to me, a few seconds apart. I also checked the database and those registrations were saved. The registration information is all BLANK (except the auto-generated fields like date_added).

I'm puzzled because the email sending and db saving are not supposed to work because of the redirection.

Do you have any idea as to what just happened?

Thanks

+2  A: 

How are you checking that the data fields aren't blank before inserting them into the db? Make sure to use empty() to check that the field is blank. If you're using a string comparison operator (i.e. if ($str != "") ), it can cause unexpected results if the value of $str is false, null, 0, etc...

Edit: empty() description from manual: http://us.php.net/manual/en/function.empty.php

Return Values

Returns FALSE if var has a non-empty and non-zero value.

The following things are considered to be empty:

* "" (an empty string)
* 0 (0 as an integer)
* "0" (0 as a string)
* NULL
* FALSE
* array() (an empty array)
* var $var; (a variable declared, but without a value in a class)

edit2:

isset() only checks if a variable was assigned a value. If the variable contains an empty string, isset() will return true, because even an empty string has a value ('\0' marks the end of a string in php).

isset() description from manual : http://us3.php.net/manual/en/function.isset.php

isset() will return FALSE if testing a variable that has been set to NULL. Also note that a NULL byte ("\0") is not equivalent to the PHP NULL constant.

comment from manual :

isset doesn't reliably evaluate variables with blank strings (not necessarily NULL). i.e. $blankvar = ""; // isset will return true on this.

This is a very common pitfall when handling HTML forms that return blank text fields to the script. You're better off doing this:

if ($var != "") return true; else return false;

This is more of a programming practice rather than the function's shortcomings. So if you have a habit of initializing variables you're likely to run into problems with isset() if your code or PHP project becomes very large.

John Himmelman
i used isset($var) to check if the email was set. if not, go to page 1. is using isset() in this case ok?
Obay
No, isset() only checks if a variable was assigned a value. If the variable contains an empty string, isset() will return true, because even an empty string has a value ('\0' marks the end of a string in php).

isset() from manual : http://us3.php.net/manual/en/function.isset.php

isset() will return FALSE if testing a variable that has been set to NULL. Also note that a NULL byte ("\0") is not equivalent to the PHP NULL constant.

<?php
$var = '';
// This will evaluate to TRUE so the text will be printed.
if (isset($var)) {
    echo "This var is set so I will print.";
}
?>
John Himmelman
+1  A: 

The problem is definitely in page 3. As an educated guess I would say that your "blank"-check is flawed.

You should use e.g. a good regexp to test if the email is valid and make sure to remove whitespace before checking the length of the fields (i.e. a space is not the same as an empty/blank field).

Niko
the regexp is good. i've tried all possible erroneous email address / strings i could think of, including the blank check.
Obay
by the way, my regexp is in page 1. in page 3: if(!isset($_SESSION['registration']['email'])) {header('Location: register.php');}
Obay
+1  A: 

Is it possible that all those emails were generated by a bot crawling your site?

Can you reproduce the problem by calling curl on any of your pages?

Do any actions require a POST, or are you taking action with a GET?

Moishe
wow, i was able to reproduce it by calling curl on page 3. why did it work? wasn't the script supposed to redirect the "curl" to page 1 when it noticed the session[registration][email] was not defined?
Obay
no, there are no GETs in my script. all POSTs and SESSIONs. and yes, it might have been a bot.
Obay
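
Added example, not code from the thread: PHP's header('Location: ...') only sets a response header and does not end the script, so the page 3 guard quoted in the comments has to exit after it, otherwise the save and e-mail code still runs for a request that arrives with no session. The sketch below also replaces the isset() test with a trimmed, re-validated check. The function names and sample requests are constructed, and requiring POST assumes page 3 is only ever reached by submitting page 2's form.

```php
<?php
// Added example, not the poster's code. The session key and register.php come
// from the thread; the function names and sample requests are constructed.

/** Returns null when page 3 may proceed, otherwise why it must go back to page 1. */
function registration_block_reason(string $method, array $session): ?string
{
    if ($method !== 'POST') {
        return 'not a POST';              // crawlers and plain curl calls send GET
    }
    $email = $session['registration']['email'] ?? null;
    if (!is_string($email) || trim($email) === '') {
        return 'email missing or blank';  // isset() alone accepts "" and " "
    }
    if (filter_var(trim($email), FILTER_VALIDATE_EMAIL) === false) {
        return 'email invalid';           // re-validate; do not rely on page 1's check
    }
    return null;
}

/** Call at the top of page 3, before any database or mail code. */
function guard_page3(): void
{
    session_start();
    if (registration_block_reason($_SERVER['REQUEST_METHOD'] ?? '', $_SESSION) !== null) {
        header('Location: register.php');
        exit; // header() does not stop the script; without exit the save and mail code still runs
    }
}

// Constructed requests, run from the command line to see each decision.
if (PHP_SAPI === 'cli') {
    $cases = [
        'no session, GET (crawler)' => ['GET',  []],
        'no session, POST'          => ['POST', []],
        'blank email in session'    => ['POST', ['registration' => ['email' => '   ']]],
        'valid registration'        => ['POST', ['registration' => ['email' => 'user@example.com']]],
    ];
    foreach ($cases as $label => [$method, $session]) {
        $reason = registration_block_reason($method, $session);
        printf("%-28s %s\n", $label, $reason === null ? 'proceed to save' : "redirect + exit ($reason)");
    }
}
```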