blank forms puzzle

They have: 26 posts

Joined: Nov 2001

Our site has a series of application forms that are coded in ColdFusion and have validation on each step to check that mandatory fields are completed before it can be submitted (or proceed to next step).

However, on the odd occasion we are receiving a few blank forms into the mailbox. I cannot replicate this through testing; I am always prompted to complete the form step and the required fields are highlighted.

So 2 things really: any idea how users are managing to submit these forms with no details? I suspect something must be happening at time of submit that wipes everything out but no idea what...

More importantly, what solution can I put in place to solve this problem? Even a few lost customers is too many.

Thanks.

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

I don't know the solution, but I'm having the same issue on a site. The submissions are controlled on the client-side by JavaScript, and on the server-side by PHP validation and checking that the referrer is accurate. I'd be interested in a solution as well.

What are you using for yours?

Busy's picture

He has: 6,151 posts

Joined: May 2001

Sometimes if the form or the form's validation needs JavaScript and/or cookies it can hiccup if one or both are disabled.
For example, I have cookies enabled but I choose which ones I want to accept (cookiewall) so really I have them disabled.
Also some validation can cause the results to be 'interesting' if people use fancy characters or symbols etc.

They have: 28 posts

Joined: Feb 2003

My suspicion in both cases is that dubious means of checking the data are choking the process.

Perhaps the data is being checked once, and after one positive allows negatives to slip by. Perhaps a variable is being checked with isset and although the variable exists, it is empty.

There are many possibilities. I'd like to see the code behind the validation (although I can't be sure I'd be able to pick apart the ColdFusion).

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

Well, no, not in my case, the data checking is standard and weak validation, to ensure that there is data only.

There are no cookies needed, and if JavaScript is disabled, PHP handles the same functions. When I disable cookies and JavaScript, I can't replicate the error. No one can actually replicate the error, but still, the occasional blank comes in.

They have: 28 posts

Joined: Feb 2003

Interesting. Well, obviously something is going wrong. :)

How are you testing your variables?

Like this?:

if (!$var)
{
// error message
}

Or what? Are the blanks in your database NULL or perhaps a valid but meaningless response such as one space?

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

Interesting, one space. They aren't going into a database in my case, but just through email. I have to step out for a number of hours, but I'll post it all when I return (minus sensitive data) and you can have at it! :) Thanks!

They have: 28 posts

Joined: Feb 2003

Regular expressions are good for this sort of thing. You can have one in place like this (just tests for the presence of a letter or number):

if (!preg_match('/\w/', $source))
{
   // whoa! Not even one letter or number?
   // that can't be right!
}
If you have structured data you can adjust the expression to ensure more accurate data. For email addresses and telephone numbers you can find such expressions already made and tested. :)

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

Good call! I did have it just as !$name and !$email. Now the question is, why would people use spaces?

He has: 296 posts

Joined: May 2002

'Cause they're idiots? I hate it when people use an email address that they NEVER check and then complain to me because they can't login at all.

He has: 1,016 posts

Joined: May 2002

Another way is to do a trim($var); first to remove any spaces at the beginning and/or the end of a variable. This way, if the user has typed in " user name ", the result will be "user name" and if they have only typed in spaces, the result will be an empty var.

They have: 28 posts

Joined: Feb 2003

Users are totally unpredictable! Or (more accurately) you have to predict that they will do anything!

Validation strings for email are about the most common regular expressions you can find. Nearly every tutorial about regular expressions involves email validation.

Keeping in mind that far more complete expressions exist, consider this:

if (!preg_match('/.+@.+\..+/', $source))
{
   // bad email!!
}
All that says is: make sure the text entered contains characters followed by a @ followed by characters followed by a period followed by more characters.

A nice little bit of validation... not the most restrictive: a user could still enter illegal characters like backslashes and such, but it covers most situations without risking being so restrictive that new domains or foreign characters cause it to balk on false negatives.
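
An added example (not code from any poster in this thread) that puts the checks discussed above side by side: the original `!$var` test, `trim()` plus the `/\w/` test, and the loose email pattern next to PHP's `filter_var`. The field names and sample submissions are constructed, and using `filter_var` is an assumption that goes beyond what the thread suggests.

```php
<?php
// Added example, not code from the thread. Field names and the sample
// submissions below are constructed for illustration.

// The check as first used in the thread: a string of spaces is "truthy".
function weak_has_value($v) { return (bool) $v; }

// trim() first, then require one word character (the thread's /\w/ test).
function has_value($v) {
    return is_string($v) && preg_match('/\w/', trim($v)) === 1;
}

// The thread's loose email pattern, unanchored as posted.
function loose_email($v) { return preg_match('/.+@.+\..+/', $v) === 1; }

// Assumption: PHP's built-in validator as a stricter alternative.
function strict_email($v) {
    return is_string($v) && filter_var(trim($v), FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the fields that fail; an empty list means the form may be mailed.
function validate_form(array $post) {
    $errors = array();
    if (!has_value(isset($post['name']) ? $post['name'] : null)) {
        $errors[] = 'name';
    }
    if (!strict_email(isset($post['email']) ? $post['email'] : null)) {
        $errors[] = 'email';
    }
    return $errors;
}

// Constructed submissions.
$samples = array(
    'spaces only'   => array('name' => '   ', 'email' => ' '),
    'missing field' => array('email' => 'user@example.com'),
    'line break'    => array('name' => 'Ann', 'email' => "ann@example.com\r\nextra"),
    'valid'         => array('name' => ' Ann ', 'email' => 'ann@example.com'),
);

foreach ($samples as $label => $post) {
    $name  = isset($post['name']) ? $post['name'] : '';
    $email = isset($post['email']) ? $post['email'] : '';
    printf("%-13s weak=%s loose_email=%s failed=[%s]\n", $label,
        var_export(weak_has_value($name) && weak_has_value($email), true),
        var_export(loose_email($email), true),
        implode(',', validate_form($post)));
}
```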

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

I have been using simple regular expressions on my own sites for some limited applications, though I confess they still give me the heebie jeebies, but I'm getting there. I haven't done my own server-side form validation, having not needed any forms in the last couple of years that weren't part of larger applications.

This site (for me) that's an issue has been programmed by at least two other people, neither of whom seemed to care about a) concise scripting, b) validation, c) commenting their work -- so I'm having a bit of trouble finding all the little problems, this was one of them.

I really appreciate the feedback on this, hopefully the original poster has had his problem revealed as well. It's really helping me get up to speed as well, as it seems like I'm going to have to get into form validation from the server-side on a number of projects for lack of willing wallets to pay for programmers. :-/

Busy's picture

He has: 6,151 posts

Joined: May 2001

If you want to really validate it you need to check for things like &nbsp; as well, also make sure people aren't using HTML (or any language) tags in what they submit.

$search = array ("'<script[^>]*?>.*?</script>'si",  // Strip out javascript
                 "'<[\/\!]*?[^<>]*?>'si",           // Strip out html tags
                 "'([\r\n])[\s]+'",                 // Strip out white space
                 "'&(quot|#34);'i",                 // Replace html entities
                 "'&(amp|#38);'i",
                 "'&(lt|#60);'i",
                 "'&(gt|#62);'i",
                 "'&(nbsp|#160);'i",
                 "'&(iexcl|#161);'i",
                 "'&(cent|#162);'i",
                 "'&(pound|#163);'i",
                 "'&(copy|#169);'i");

$replace = array ("",
                  ".",
                  "\\1",
                  "\"",
                  "&",
                  "",
                  "",
                  "",
                  chr(161),
                  chr(162),
                  chr(163),
                  chr(169));

$item = preg_replace ($search, $replace, $item);

// Numeric entities: as posted this was the pattern "'&#(\d+);'e" with the
// replacement "chr(\\1)", evaluated as php. The /e modifier was removed in
// PHP 7, so the same substitution is done with a callback.
$item = preg_replace_callback ("'&#(\d+);'",
                               function ($m) { return chr((int) $m[1]); },
                               $item);

Or something like that

They have: 26 posts

Joined: Nov 2001

The form field validation is done server-side with ColdFusion...

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

So, Evvo, is the server-side validation checking for whether the variables exist, or actually testing them for correct content?

openmind's picture

He has: 945 posts

Joined: Aug 2001

Quote: Originally posted by evvo
the form field validation is done server-side with coldfusion...

Are you using CFSCRIPT or CFFORM or CFIF/CFELSE to validate the form?

Post the code and I'll take a look.
