bcoffin Posted March 6, 2007

Hi All, I've written a bunch of contact forms in the past, and one in particular has been getting a ton of abuse. The fields are: NAME, EMAIL, PHONE, SUBJECT, MESSAGE and a few other more specific questions. The form is submitted via a javascript function (.submit()). Can anyone recommend any tricks to limit this type of abuse? Thanks, Benny
bob_the_builder Posted March 6, 2007

Hi, validate fields, mostly email addresses, then also maybe incorporate a captcha.
bcoffin Posted March 6, 2007 (Author)

All fields are validated, and succeed.
kenrbnsn Posted March 6, 2007

Read the following articles: "Email Header Injection Exploit" and "Spoofed Form Submissions". Ken
rcorlew Posted March 6, 2007

Just a suggestion, try using different variable names. You can also try using regex in any field(s) that someone could squeeze code into. If memory serves me correctly, most spammers just insert their code into the message field and then their code would take over the script. So regexing the form before anything else would help to eliminate that.
kenrbnsn Posted March 6, 2007

Also, don't trust Javascript for validation, as most spammers aren't using your code. They did a "show source" to see the form variables the form is sending, then wrote their own code to send those variables to your processing script. Ken
bcoffin Posted March 7, 2007 (Author)

I'll try changing email to myemail, message to mymessage (or something like that) to see if that resolves the issue. Thanks for the links too, you guys. I really appreciate your brilliance. Benny
rcorlew Posted March 11, 2007

I don't know why I did not share this earlier. I simply set a really weird $var in the header of my page; since my page is made up of many parts, the only way that the form would work is to actually load the whole page. I know that may not be the most secure, but I have not thought of anything better, so here goes my example:

```php
<?php
// Inside my page, somewhere other than the mail page itself, I set a variable
$myfunkyvar = "nose";

// Then, before the actual sendmail part of the script can be used, I require that variable
// (the value is compared as a quoted string; a bare nose would be an undefined constant)
if (isset($myfunkyvar) && $myfunkyvar == "nose") {
    // script will execute here
} else {
    // script will not function and user is redirected to another page or even site, the meaner the better
    header('Location: http://www.yoursite.com/index.php');
    exit; // stop here so nothing below the redirect runs
}
?>
```
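Pulling the thread's advice together (server-side checks instead of Javascript per kenrbnsn, the header-injection articles he linked, and rcorlew's page-set secret), here is an added example that is not code from any poster: a PHP handler that rejects line breaks in header-bound fields and replaces the fixed "nose" value with a random per-session token. The function names and the form_token hidden field are assumptions; the field names come from the first post.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, and that session_start()
// runs both on the page that renders the form and on this handler.
session_start();

// Call this on the page that renders the form and echo the result into a hidden
// field named form_token. Unlike a constant such as "nose", it cannot be learned
// from "show source" once and reused forever.
function issue_form_token(): string {
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    return $_SESSION['form_token'];
}

// A CR, LF or NUL in a value that ends up in a mail header lets the sender
// append extra headers (Bcc:, To:). Reject the value outright rather than
// trying to clean it.
function has_header_injection(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns a list of problems; an empty list means the submission may be mailed.
function validate_contact_form(array $post, ?string $expected_token): array {
    $errors = [];
    if ($expected_token === null || !isset($post['form_token'])
        || !hash_equals($expected_token, (string) $post['form_token'])) {
        $errors[] = 'missing or invalid form token (form was not loaded from this site)';
    }
    foreach (['name', 'email', 'subject'] as $field) {
        if (has_header_injection((string) ($post[$field] ?? ''))) {
            $errors[] = "$field contains line breaks (possible header injection)";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (trim((string) ($post['message'] ?? '')) === '') {
        $errors[] = 'message is empty';
    }
    return $errors;
}

// Handler side: the token is single-use, and nothing is mailed unless every check passes.
$errors = validate_contact_form($_POST, $_SESSION['form_token'] ?? null);
unset($_SESSION['form_token']);
if ($errors) {
    header('Location: http://www.yoursite.com/index.php');
    exit;
}
// Safe to build the mail here: only the validated email goes into headers;
// name and subject are still passed through the mailer's own escaping.
```

Logging the contents of $errors alongside the client address gives a quick picture of which check the spam bots are tripping.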