I have a contact form on my site. I have a dropdown with the “allowed” subjects. However, I’ve been getting emails sent from the form with subjects that are not in my dropdown form.
The form is an ExpressionEngine template and it submits to itself with an added URL segment, i.e. ‘/contact/submit’. The template checks for the submit segment and then sends the values to an EE plugin that builds the email and sends it. The form’s method is a POST.
How could they be circumventing the subject dropdown?
What’s probably going on is that they’re injecting their own subject. If your dropdown values are strings and you’re just using them as is, it’s pretty easy to use your own subject.
As a fix, you could tie a numerical ID to each dropdown value, then on the backend, do a switch between the possible values. For example (in PHP)
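The numeric-ID approach described in the answer above, as an added example that is not the answerer's original code. The field name `subject_id` and the subject strings are assumptions, and an array lookup stands in for the switch.

```php
<?php
declare(strict_types=1);

// Allowed subjects, keyed by the numeric ID used as each <option> value.
// The subject strings are constructed sample values.
const CONTACT_SUBJECTS = [
    1 => 'General enquiry',
    2 => 'Support request',
    3 => 'Billing question',
];

/**
 * Resolve the submitted ID to a subject string held on the server.
 * Returns null when the value is missing, is not a plain integer,
 * or is not one of the IDs in CONTACT_SUBJECTS.
 * The field name "subject_id" is an assumption for this example.
 */
function resolve_subject(array $post): ?string
{
    $raw = $post['subject_id'] ?? null;

    // Reject arrays (subject_id[]=1) and anything that is not all digits.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }

    // Only the ID comes from the client; the text always comes from the list.
    return CONTACT_SUBJECTS[(int) $raw] ?? null;
}

// Constructed sample submissions: one valid, four that must be rejected.
$samples = [
    ['subject_id' => '2'],
    ['subject_id' => 'Some other subject'],
    ['subject_id' => '99'],
    ['subject_id' => ['1']],
    [],
];

foreach ($samples as $post) {
    $subject = resolve_subject($post);
    if ($subject === null) {
        echo 'rejected: ' . json_encode($post) . "\n";
        continue; // do not build or send the email
    }
    echo "send with subject: {$subject}\n";
}
```

Because the email subject is never copied from the request, a POST that bypasses the dropdown can only select one of the listed subjects or be rejected.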