Reputation: 3940
My web form is on an HTTPS page, has JavaScript validations and back-end PHP validations checking for blank fields. The form works (sends email) and returns errors as expected.
I have gotten a blank email about once a day. The only thing I can think of is the POST is vulnerable.
How do you secure a POST action="URL"? Or is this not vulnerable?
My form (Shortened):
    <form id="itsp-form" method="post" action="http://www.website.com/save_itsp.php">
        <label class="custom">Company name</label>
        <input id="company_name" type="text" name="company_name" />
        ...
        <input type="submit" id="submit" value="Submit" />
    </form>
    <div id="errors"></div>
    </div>
    <script>
    $('#submit').click(function() {
        $('.error').hide();
        var hasError = false;
        var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,4})?$/;
        if (($("#company_name").val() == '') || ($("#type_of_business[]").val() == '')) {
            $("#errors").after('<span class="error">Please enter your Company name.</span>');
            hasError = true;
        }
        if(hasError == true) { return false; }
    });
    </script>
My PHP file:
    <?php
    // $error is optional: every call shown on this page is died() with no argument
    function died($error = "") {
        echo "We are very sorry, but there were blank fields found with the form you submitted. ";
        $link_address = 'http://www.website.com/url/itsp';
        echo "<a href='".$link_address."'>Click to Go Back<br/></a>";
        die();
    }
    if (isset($_POST['company_name']))
    {
        $errors = "";
        //validate and sanitize company name
        if ($_POST['company_name'] != "")
        {
            $_POST['company_name'] = filter_var($_POST['company_name'], FILTER_SANITIZE_STRING);
            $company_name = $_POST['company_name'];
        }
        else
            died();
        /*****Email*****/
        $to = "email";
        $subject = "New ITSP Submission";
        $message1 = "A new ITSP has submitted their information:
        <br/>Company Name: " . $company_name . "
        <br/>"; // . . .
        $headers = "MIME-Version: 1.0\n";
        mail($to,$subject,$message1,$headers);
        header("location: http://www.website.com/dir/itsp-confirmation/");
    }
Upvotes: 1
Views: 712
Reputation: 78984
First you check if it is !="", then you strip out all tags, so if it was HTML it would be !="" but after filter_var it would be =="". So filter before you check for !="".
    //validate and sanitize company name
    $company_name = filter_var($_POST['company_name'], FILTER_SANITIZE_STRING);
    if(empty($company_name))
    {
        died();
    }
Upvotes: 3
Reputation: 9896
The only thing that can really get through this is more than one space character in series. I suggest reviewing the length of the string that is posted back and ensuring it is actually a zero-length string before assuming it is empty.
Some email clients and even spam filtering systems will strip leading white space characters in emails to prevent the exploitation of certain bugs in spam detection systems.
Upvotes: 1
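The two answers above combined, as an added example that is not part of the original posts: strip tags and trim whitespace first, then test for emptiness, compared with the question's check order on constructed inputs. `required_field()` and `original_check()` are hypothetical helper names, and `strip_tags()` is swapped in for `FILTER_SANITIZE_STRING`, which is deprecated as of PHP 8.1.

```php
<?php
// Added example, not code from the question or the answers.
// required_field() and original_check() are hypothetical helpers;
// every input in $samples is constructed for illustration.

/**
 * Return the cleaned value of a required text field, or null when the field
 * is missing, is not a string, or is blank once tags and whitespace are removed.
 */
function required_field(array $post, string $name): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null; // missing, or an array such as company_name[]=x
    }
    // Sanitize first, then test. strip_tags() stands in for the page's
    // FILTER_SANITIZE_STRING; trim() covers the whitespace-only case.
    $value = trim(strip_tags($post[$name]));
    return $value === '' ? null : $value;
}

/** The check order from the question: test the raw value, sanitize afterwards. */
function original_check(array $post, string $name): bool
{
    return isset($post[$name]) && $post[$name] != "";
}

$samples = [
    'normal'          => ['company_name' => 'Acme Ltd'],
    'tags only'       => ['company_name' => '<b></b>'],
    'whitespace only' => ['company_name' => "   \t"],
    'empty string'    => ['company_name' => ''],
    'field missing'   => [],
];

foreach ($samples as $label => $post) {
    $old = original_check($post, 'company_name') ? 'mail sent' : 'no mail';
    $new = required_field($post, 'company_name') !== null ? 'mail sent' : 'no mail';
    printf("%-16s raw-value check: %-9s  sanitize-then-check: %s\n", $label, $old, $new);
}
```

The "tags only" and "whitespace only" rows are the two cases where the raw-value check lets a submission through that reaches the inbox looking blank.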