
Information on securing a web form ???


Elemental

Hey Folks, Not sure if this is the correct forum for this post, sorry if it's not and please let me know where it should go.

I've been working with a friend, helping him as I'm learning, to put up his site and he sent me the following; he received it as an email from his web based form:

Sent_From: Soups_Page
address: IsCuMxfJWhgmySw
amount: 8
city: GKrobVEmhBsxJVgGShb
email: nsiwho@hhtjwy.com
firstName: qjjsybcj
lastName: qjjsybcj
messageBox: pyBn9A <a href=\"http://zyjuppuplozo.com/\">zyjuppuplozo</a>, [url=http://eqhiacduldlp.com/]eqhiacduldlp[/url], [link=http://eixdkbtfqkyb.com/]eixdkbtfqkyb[/link], http://wqejnetxelsg.com/
state: CT
zip: VnEtl

The form has an external javascript based validation script that requires the fields to be filled in, and also validates the email.

So my question(s):

How do I stop garbage like this from getting through?

Would one of those graphic validating required fields (I don't know what you call them) help in preventing this from happening?

What can I do / need to do, aside from learning more, to help him with this?

The website, in case you want to look at the web form, forms are not very pretty, is: http://www.soupkitcheninc.com/contactUs.php

Any suggestions would be great.

Peace

Elemental


Use PHP based validation, javascript can be deciphered by robots, or simply ignored.

The methods of detecting robots are called CAPTCHA.

A simple way to stop a robot is to ask a question that only humans would know. Have several questions that rotate randomly every time you refresh the page so that they can't just get it by testing thousands of random combinations.

In order to know which question was asked put a hidden input with the number of the question displayed (All this is done with PHP). On the server side you can compare the answer given by the user to the answer corresponding to the question number.

Ingolme, Thank you for the reply,

Here's the thing, he got help from someone that changed the site to PHP, but all that was done, from what I can see, was to change all the HTML ext to PHP.

Granted, I don't know squat about PHP but I would think that there would be more than just that. The site is hosted by Godaddy and they have what I gather is a generic PHP form, the form's name and path are on the form's action field with post being the method, would this not be the correct way of doing it?

So I take it I would need to learn PHP or find someone that does and place the form's validation on the server side of things?

Do you know of any tutorials I can start reading so I can begin to grasp the PHP form validation method you suggested?

Would I still use the javascript to locally validate the form or remove it once the PHP is in place?

Sorry for all the questions Ingolme, any further help or suggestions would be appreciated.

Peace,

Elemental

You can use Javascript to validate the form beforehand, just to not make the user wait as long, but you have to have a PHP one just in case the Javascript fails or they have it disabled.

This is W3Schools, the best place to learn the basics is on this website, here's a pointer to the most important part of processing forms in PHP: PHP $_POST

While you're at it, if you don't know much about PHP you can look through the rest of the tutorial. You need to know about variables, if() conditions and other things in order to validate forms.

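Added example, not part of the thread and not the site's own code: a server-side check combining the two answers above (PHP validation of the posted fields plus a rotating question), run against input modelled on the spam e-mail in the first post. The questions, the `answer` field, the no-links rule, the US ZIP format and the function name are assumptions; the question number is passed in by the caller from what it stored in `$_SESSION` when it rendered the form, instead of being read back from a hidden input, so the submitter cannot choose which question gets checked.

```php
<?php
// Hypothetical questions; the form shows one at random and remembers its index server-side.
const QUESTIONS = [
    ['What colour is the sky on a clear day?', 'blue'],
    ['How many legs does a cat have?', '4'],
    ['What is the first month of the year?', 'january'],
];

/** Returns a list of error strings; an empty list means the submission is accepted. */
function validate_contact(array $post, int $askedQuestion): array
{
    $errors = [];
    // Missing keys and non-string values are treated as empty strings.
    $get = fn(string $k): string => trim((string)($post[$k] ?? ''));

    foreach (['firstName', 'lastName', 'address', 'city', 'state', 'zip', 'messageBox'] as $field) {
        if ($get($field) === '') {
            $errors[] = "$field is required";
        }
    }
    if (filter_var($get('email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    // Assumption: US addresses only (5-digit ZIP or ZIP+4).
    if (!preg_match('/^\d{5}(-\d{4})?$/', $get('zip'))) {
        $errors[] = 'zip must be a US ZIP code';
    }
    // Assumption: genuine messages need no links; the spam used HTML, [url=], [link=] and a bare URL.
    if (preg_match('/<a\s|\[url=|\[link=|https?:\/\//i', $get('messageBox'))) {
        $errors[] = 'messageBox must not contain links';
    }
    // Compare against the answer for the question the server actually asked.
    $expected = QUESTIONS[$askedQuestion][1] ?? null;
    if ($expected === null || strtolower($get('answer')) !== $expected) {
        $errors[] = 'challenge answer is wrong';
    }
    return $errors;
}

// Constructed input modelled on the e-mail in the first post (no challenge answer supplied).
$spam = ['firstName' => 'qjjsybcj', 'lastName' => 'qjjsybcj', 'address' => 'IsCuMxfJWhgmySw',
         'city' => 'GKrobVEmhBsxJVgGShb', 'state' => 'CT', 'zip' => 'VnEtl', 'amount' => '8',
         'email' => 'nsiwho@hhtjwy.com', 'answer' => '',
         'messageBox' => 'pyBn9A [url=http://eqhiacduldlp.com/]eqhiacduldlp[/url]'];
print_r(validate_contact($spam, 1));
```

The e-mail address in the spam is syntactically valid, so that check alone passes it; the ZIP format, the link rule and the unanswered question are what reject the submission.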

Ingolme, Gracias amigo, much appreciated.

Peace,

Elemental