
PHP contact form submitting 1's in all fields

I've recently developed a website for a freelance client of mine, and within their website is a Contact Form and a Request for Estimate form.

Once a day, both forms are being submitted and emailed to the designated email address. However, the submitted forms are clearly not from a real user, because all of the fields contain the number 1. For example, the name field will be Name:1, and the address field will be Address:1. The number 1 is repeated for all input text fields, and even for the radio and check box form fields.

Below is a copy of the PHP file that I am using to submit the Request for Estimate form.

<?php
$subject="Associated Sennott Contractors Request For Estimate From:".$_GET['firstname'];
$headers= "From: ".$_GET['email']."\n";
$headers.='Content-type: text/html; charset=iso-8859-1';
mail("email@gmail.com", $subject,  "
    <html>
        <head>
            <title>Associated Sennott Contractors Request For Estimate</title>
    </head>
<body>
    <p><strong>Associated Sennott Contractors Request For Estimate</strong></p>
    <p>
        First Name: ".$_GET['firstname']." <br />
        Last Name: ".$_GET['lastname']." <br />
        Company Name: ".$_GET['company']." <br />
        Address 1: ".$_GET['address1']." <br />
        Address 2: ".$_GET['address2']." <br />
        City: ".$_GET['city']." <br />
        State: ".$_GET['state']." <br />
        Zip: ".$_GET['zip']." <br />
        Phone: ".$_GET['phone']." <br />
        Fax: ".$_GET['fax']." <br />
        Email: ".$_GET['email']." <br /><br />

        <strong>Property Type:</strong><br />
        Residential Single Family: ".$_GET['singlefamily']." <br />
        Residential Multi-Family: ".$_GET['multifamily']." <br />
        Residential Out-Building : ".$_GET['outbuilding']." <br />
        Commercial Office: ".$_GET['commercial']." <br />
        Retail Store: ".$_GET['retail']." <br />
        Restaurant: ".$_GET['restaurant']." <br />
        Industrial Building: ".$_GET['industrial']." <br /><br />

        <strong>Requested Services:</strong><br />
        Fire, Water or Wind Damage Restoration: ".$_GET['restoration']." <br />
        Scope of Loss Estimate to Insurance Company: ".$_GET['scope']." <br />
        Smoke Odor Remediation: ".$_GET['smoke']." <br />
        Exterior Remodeling or Siding: ".$_GET['exterior']." <br />
        Interior Remodeling: ".$_GET['interior']." <br />
        Hardwood and Laminate Flooring: ".$_GET['flooring']." <br />
        Finish Carpentry: ".$_GET['carpentry']." <br />
        Demolition and Debris Removal: ".$_GET['demo']." <br />
        Exterior Decks, Patios and Fencing: ".$_GET['patio']." <br />
        Other: ".$_GET['other']." <br /><br />

        <strong>Additional Information:</strong><br />
        Message: ".$_GET['info']."
    </p>  
</body>
</html>" , $headers);
header( 'Location: thankyou.html' ) ;
?>

You can also view the PHP code by following the link here: http://sennottcontractors.com/home-repair-estimate/quote-code.html

You can then view the HTML code for the actual form below:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Request An Estimate Form</title>
<script type="text/javascript">
function formSubmit()
{
document.getElementById("estimate-form").submit();
}
</script>

</head>
<body>
<fieldset>
<legend><h3>Request a Home Restoration Estimate</h3></legend>
    <form id="estimate-form" name="estimate-form" target="_parent" method="get" action="quote.php" onsubmit='return formValidator()'>
        <p><strong>Contact Information</strong></p>
            <p>First Name: *<br />
            <input type="text" size="40" name="firstname" id="firstname" /></p>
            <p>Last Name: *<br />
            <input type="text" size="40" name="lastname" id="lastname" /></p>
            <p>Company Name:<br />
            <input type="text" size="40" name="company" id="company" /></p>
            <p>Address 1: *<br />
            <input type="text" size="40" name="address1" id="address1" /></p>
            <p>Address 2:<br />
            <input type="text" size="40" name="address2" id="address2" /></p>
            <p>City: *<br />
            <input type="text" size="30" name="city" id="city" /></p>
            <p>State: *<br />
            <input type="text" size="5" name="state" id="state" /></p>
            <p>Zip: *<br />
            <input type="text" size="10" name="zip" id="zip" /></p>
            <p>Phone: *<br />
            <input type="text" size="20" name="phone" id="phone" /></p>
            <p>Fax:<br />
            <input type="text" size="20" name="fax" id="fax" /></p>
            <p>Email: *<br />
            <input type="text" size="40" name="email" id="email" /></p>
        <br />
        <p><strong>Property Type</strong> *</p>
            <p><input type="checkbox" name="singlefamily" id="singlefamily"/> Residential Single Family</p>
            <p><input type="checkbox" name="multifamily" id="multifamily"/> Residential Multi-Family <em>(Condominium, apartment, town house, etc.)</em></p>
            <p><input type="checkbox" name="outbuilding" id="outbuilding"/> Residential Out-Building <em>(Garage, shed, etc.)</em></p>
            <p><input type="checkbox" name="commercial" id="commercial"/> Commercial Office</p>
            <p><input type="checkbox" name="retail" id="retail"/> Retail Store</p>
            <p><input type="checkbox" name="restaurant" id="restaurant"/> Restaurant</p>
            <p><input type="checkbox" name="industrial" id="industrial"/> Industrial Building</p>
        <br />
        <p><strong>Requested Services</strong> *</p>
            <p><input type="checkbox" name="restoration" id="restoration"/> Fire, Water or Wind Damage Restoration</p>
            <p><input type="checkbox" name="scope" id="scope"/> Scope of Loss Estimate to Insurance Company</p>
            <p><input type="checkbox" name="smoke" id="smoke"/> Smoke Odor Remediation</p>
            <p><input type="checkbox" name="exterior" id="exterior"/> Exterior Remodeling or Siding</p>
            <p><input type="checkbox" name="interior" id="interior"/> Interior Remodeling</p>
            <p><input type="checkbox" name="flooring" id="flooring"/> Hardwood and Laminate Flooring</p>
            <p><input type="checkbox" name="carpentry" id="carpentry"/> Finish Carpentry</p>
            <p><input type="checkbox" name="demo" id="demo"/> Demolition and Debris Removal</p>
            <p><input type="checkbox" name="patio" id="patio"/> Exterior Decks, Patios and Fencing</p>
            <p><input type="checkbox" name="other" id="other"/> Other</p>
        <br />
    <p><strong>Additional Information</strong><br />
    Please provide any information regarding details of your home restoration project or additional information to your requested services.</p>
    <p><textarea rows="10" cols="65" id="info" name="info"></textarea></p>
    <button type="submit" id="submit" onclick="formSubmit()">Submit</button>
    </form>
    <p>* Required Fields</p>
</fieldset>
</body>
</html>

You can view the Request an Estimate form that uses the PHP file and code mentioned above by following the link here: http://sennottcontractors.com/home-repair-estimate/index.html

Again, both the Request an Estimate form and the Contact Form are being submitted once a day, every day, with the number 1 in every form field.

My guess is that this may be an issue with the PHP file itself, or it may be an issue from the server side of the hosted website.

Please help!!!

There's nothing technically wrong with your form. You said the cause of the issue yourself: "... the submitted forms are clearly not from a real user ...". So the solution is to make your form anti-bot. See this question on the pro Webmasters site for how you can do this: Make your site anti-bot?

One part of this problem is that you need to use a form nonce or "token".

Form.php

<?php
session_start();

// One-time nonce stored in the session (uniqid() is the actual PHP function name;
// on PHP 7+ bin2hex(random_bytes(16)) is the stronger choice).
$_SESSION['token'] = md5(mt_rand() . uniqid('form', TRUE));

...

?>
<form method="post" action="process.php">
<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>">
...
</form>

process.php

<?php
session_start();

// Reject any submission that does not carry the token issued with the form;
// hash_equals() compares in constant time.
if (empty($_SESSION['token']) || !isset($_POST['token']) || !is_string($_POST['token'])
    || !hash_equals($_SESSION['token'], $_POST['token']))
{
    die('They did not load the form!');
}

...

(validation)

...

$db->insert($record);

You're not doing any validation. What do you expect?

Anyone could just grab the form fields, create the URL (because you're using GET instead of POST), and submit it ad nauseam if they wanted to. What you're probably encountering is a bot trying to figure out if it can hijack your form to send emails where it wants to send them.

What you should do is switch to using POST and check the $_SERVER['HTTP_REFERER'] variable to make sure it's coming from your form (at least). You could also use a CAPTCHA, but those are becoming increasingly unreliable. You could take this further and use a validation class to set rules for each field and what kind of data is allowed to be in each one.

Forms are easily manipulated, so if you expect to have any integrity in your form submissions, you should be doing the validation on the server-side. Client-side validation doesn't hurt, but only use it for user experience purposes, not to ensure data integrity.
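A hardened version of the question's quote.php, as an added example that is not code from any of the answers, combining the advice above: POST only, the session nonce from the previous answer, the referer check treated as a weak hint, per-field server-side validation, and no user input in mail headers. The field names are the question's; the sender address forms@example.com is a placeholder.

```php
<?php
// Added example, not code from any of the answers: a hardened quote.php that
// applies their advice (POST only, the session nonce, referer as a weak hint,
// server-side validation, no user input in mail headers). Field names are the
// question's; the sender address forms@example.com is a placeholder.
session_start();

// Require POST so a submission cannot be replayed from a bookmarked GET URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit('Method not allowed'); }

// Constant-time, single-use check of the hidden "token" field issued with the form.
$sent = $_POST['token'] ?? '';
if (!is_string($sent) || empty($_SESSION['token']) || !hash_equals($_SESSION['token'], $sent)) {
    http_response_code(403); exit('Invalid form token');
}
unset($_SESSION['token']);

// Referer is client-supplied and often blank, so only a clear mismatch is rejected.
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if ($ref !== '' && parse_url($ref, PHP_URL_HOST) !== ($_SERVER['HTTP_HOST'] ?? '')) {
    http_response_code(403); exit('Bad referer');
}

// Whitelist the field names and enforce a type and length for each one.
$text = ['firstname', 'lastname', 'company', 'address1', 'address2', 'city', 'state', 'zip', 'phone', 'fax', 'info'];
$required = ['firstname', 'lastname', 'address1', 'city', 'state', 'zip', 'phone'];
$boxes = ['singlefamily', 'multifamily', 'outbuilding', 'commercial', 'retail', 'restaurant', 'industrial',
          'restoration', 'scope', 'smoke', 'exterior', 'interior', 'flooring', 'carpentry', 'demo', 'patio', 'other'];
$errors = []; $clean = [];
foreach ($text as $f) {
    $v = is_string($_POST[$f] ?? null) ? trim($_POST[$f]) : '';
    if ($f !== 'info' && (strlen($v) > 200 || preg_match('/[\r\n]/', $v))) { $errors[] = "$f is malformed"; }
    if ($v === '' && in_array($f, $required, true)) { $errors[] = "$f is required"; }
    $clean[$f] = htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); // escaped for the HTML mail body
}
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL); // false for anything malformed
if ($email === false) { $errors[] = 'email is invalid'; }
foreach ($boxes as $f) {
    // A ticked checkbox without a value attribute is sent as "on"; anything else is forged.
    $clean[$f] = (($_POST[$f] ?? '') === 'on') ? 'Yes' : 'No';
}
if ($errors) { http_response_code(400); exit(htmlspecialchars(implode("\n", $errors))); }

// Fixed From address and a validated Reply-To: user input never reaches a mail header.
$headers = "From: forms@example.com\r\nReply-To: $email\r\nContent-Type: text/html; charset=UTF-8";
$body = "<p>First Name: {$clean['firstname']} {$clean['lastname']}</p>"
      . "<p>Residential Single Family: {$clean['singlefamily']}</p>"
      . "<p>Message: " . nl2br($clean['info']) . "</p>";
mail('email@gmail.com', 'Request For Estimate From: ' . $clean['firstname'], $body, $headers);
header('Location: thankyou.html');
```

The remaining text fields and checkboxes are rendered into the body the same way; every value that reaches a header (From, Reply-To, Subject) is either fixed or has already been rejected if it contained a line break.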
