PHP contact form is sent always

Question

I have this form:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <div>
    <span><label>Name</label></span>
    <span><input name="userName" type="text" class="textbox"></span>
  </div>
  <div>
    <span><label>Email</label></span>
    <span><input name="userEmail" type="text" class="textbox"></span>
  </div>
  <div>
    <span><label>Phone</label></span>
    <span><input name="userPhone" type="text" class="textbox"></span>
  </div>
  <div>
    <span><label>Subject</label></span>
    <span><textarea name="userMsg"> </textarea></span>
  </div>
  <div>
    <span><input type="submit" value="Send!"></span>
  </div>
</form>

And the following PHP code on the same page because the action is <?php echo $_SERVER['PHP_SELF']; ?>:

<?php
if(isset($_POST)) {
    $name = htmlspecialchars($_POST['userName']);
    $email = htmlspecialchars($_POST['userEmail']);
    $phone = htmlspecialchars($_POST['userPhone']);
    $message = htmlspecialchars($_POST['userMsg'] . $phone);

    $message = wordwrap($message, 70, "\r\n");

    $to = 'myEmail';
    $subject = 'subject';
    $headers = "From: $email" . "\r\n" .
        "Reply-To: $email" . "\r\n" .
            'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
}
?>

But when a user hasn't submitted the form and just visits the contact form page, I get a blank email.

How can I fix this?

How did you find out you get a blank email? What did you do to reproduce that problem? Hitting F5 after a real POST or just visiting this page without having been there before. — putvande, Aug 12 '14 at 10:30
@putvande >> How did you find out you get a blank email? - Well... all the emails go to my email address. And I don't hit F5, I am visiting the page just by clicking on the link in the menu, I don't reload it. — William, Aug 12 '14 at 10:32
Well I wrote how to solve it, check `if(isset($_POST['userName']))` instead of just `if(isset($_POST))` since $_POST is predefined variable which is always set. — Dexa, Aug 12 '14 at 10:33
Take a look at csrf, might help you secure your form a little. https://www.owasp.org/index.php/PHP_CSRF_Guard — Oliver Bayes-Shelton, Aug 12 '14 at 10:34

score 2 · Accepted Answer · edited May 23 '17 at 10:33

Change your if statement to

if(isset($_POST['userEmail'])

As $_POST will be set anytime you visit the site, see PHP doc for isset

Also see empty() as you will also be able to do this:

if(!empty($_POST))

You can see in the doc:

[empty()] Returns FALSE if var exists and has a non-empty, non-zero value. Otherwise returns TRUE.

The following things are considered to be empty:

"" (an empty string)

0 (0 as an integer)

0.0 (0 as a float)

"0" (0 as a string)

NULL

FALSE

array() (an empty array)

$var; (a variable declared, but without a value)

OR in this question, Nemoden's answer suggests using $_SERVER['REQUEST_METHOD'] == 'POST' - It's pretty self-explanatory: if the page was requested by the POST request method, this statement will be true, however if you have multiple forms on the same page I suggest naming each submit button and checking for that.

This would still send an email if the username (or email ) is empty — feeela, Aug 12 '14 at 10:32

score 1 · Answer 2 · answered Aug 12 '14 at 10:30

Just do not send the form if there was no form data sent.

The condition if(isset($_POST)) checks whether there is a variable $_POST not if there is something in that variable. The $_POST array is one of PHP's automatically created superglobals and does always exist.

You need to check if there are some post-variables in that array; e.g.

if( !empty( $_POST ) )

or better

if( !empty( $_POST['userEmail'] ) )

…since the post array may have members (i.e. form fields) but those could be empty.

score 0 · Answer 3 · answered Aug 12 '14 at 10:31

$_POST is just an empty predefined array, so when they load the page, $_POST is defined. What you need to do is isset($_POST['name'])

<?php
if(isset($_POST['name'])) {
    $name = htmlspecialchars($_POST['userName']);
    $email = htmlspecialchars($_POST['userEmail']);
    $phone = htmlspecialchars($_POST['userPhone']);
    $message = htmlspecialchars($_POST['userMsg'] . $phone);

    $message = wordwrap($message, 70, "\r\n");

    $to = 'myEmail';
    $subject = 'subject';
    $headers = "From: $email" . "\r\n" .
        "Reply-To: $email" . "\r\n" .
            'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
}
?>

score 0 · Answer 4 · answered Aug 12 '14 at 10:31

you can fixe it like that :

<?php
if(isset($_POST['userName']) && isset($_POST['userEmail']) && isset($_POST['userPhone']) && isset($_POST['userMsg'])) {
    $name = htmlspecialchars($_POST['userName']);
    $email = htmlspecialchars($_POST['userEmail']);
    $phone = htmlspecialchars($_POST['userPhone']);
    $message = htmlspecialchars($_POST['userMsg'] . $phone);

    $message = wordwrap($message, 70, "\r\n");

    $to = 'myEmail';
    $subject = 'subject';
    $headers = "From: $email" . "\r\n" .
        "Reply-To: $email" . "\r\n" .
            'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
}
?>

you can however add

if(!empty($_POST['userMsg'])

to test if the variable is empty or not...

mathf · Answer 5 · 2014-08-12T10:37:36.073

0

You can give the submit button a name and check if it is clicked or not. This will prevent to send a email whenever the page is loaded.

if (isset($_POST["submit"])) {
   // your code
}

Edit the HTML of your submit button like this:

<input type="submit" value="Send!" name="submit">

edited Aug 12 '14 at 10:37

answered Aug 12 '14 at 10:32

mathf

316
2
10

There is no field `submit`; you should explain where that came from… – feeela Aug 12 '14 at 10:33
@feeela he is mentioned that `give the submit button a name` – Satish Sharma Aug 12 '14 at 10:34

score 0 · Answer 6 · answered Aug 12 '14 at 10:33

0

give the name of your submit button like

 <span><input type="submit" value="Send!" name="submit"></span>

AND check it in php like

if(isset($_POST['submit']))
{
        // your code
}

answered Aug 12 '14 at 10:33

Satish Sharma

9,547
6
29
51

score 0 · Answer 7 · answered Aug 12 '14 at 10:34

0

This is not a good practice. I strongly advice you to start using a PHP framework.

Nevertheless...

The $_POST will always exist, so you can not test it like if(isset($_POST)). To test if your form was submitted you must check if some of the expected POST var do exist.

In your case, something like if(isset($_POST['userEmail'])) would do the trick or you can add a name attribute to your submit button and test it if(isset($_POST['mySubmitButtonName']))

answered Aug 12 '14 at 10:34

PauloASilva

1,000
1
7
19

I hate PHP frameworks, I like to do everything myself ;) Thanks though. – William Aug 12 '14 at 10:42
I don't think that mixing HTML and PHP is a good idea mainly because of maintenance and application security – PauloASilva Aug 12 '14 at 14:19

score 0 · Answer 8 · answered Aug 12 '14 at 10:35

you need to add the name of submit button

<input type="submit" value="Send!" name="send">

then u can write the condition when the button is pressed the mail will be send like

if(isset($_REQUEST['send'])){

    $name = htmlspecialchars($_POST['userName']);
    $email = htmlspecialchars($_POST['userEmail']);
    $phone = htmlspecialchars($_POST['userPhone']);
    $message = htmlspecialchars($_POST['userMsg'] . $phone);

    $message = wordwrap($message, 70, "\r\n");

    $to = 'myEmail';
    $subject = 'subject';
    $headers = "From: $email" . "\r\n" .
    "Reply-To: $email" . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
}

score 0 · Answer 9 · answered Aug 12 '14 at 10:36

0

this could be for the $_SERVER['PHP_SELF']; acting on the form, try adding the actual page directory or a better solution i would try is to check if is not empty for a specific required field

if (!empty($_POST['userMsg'])){}

answered Aug 12 '14 at 10:36

webpage_making1

3
2

PHP contact form is sent always

9 Answers9