Re: Secure feedback form
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Fri, 26 Jun 2009 19:39:57 -0400
Raymond Schmit wrote:
> On Thu, 25 Jun 2009 17:14:11 -0400, Jerry Stuckle
> <jstucklex@xxxxxxxxxxxxx> wrote:
>> Raymond Schmit wrote:
>>> On Thu, 25 Jun 2009 10:10:22 +0200, Karl-Arne Gjersøyen
>>> <post@xxxxxxxxxxxxxx> wrote:
>>>> Also I have not used empty() but rewrote it after advice from Jerry and
>>> You may use (I know .. some people will argue that not everyone accepts
>>> javascript running .. however) ... you may use javascript in the form
>>> just at submit time to check for empty fields or too short fields or
>>> other checks you may find useful .. those checks .. if for example the
>>> "empty-field-check" can react on an empty field by issuing a
>>> javascript "alert" command telling "Your mail address must be filled".
>>> Those checks will be done on the client machine - so your webserver
>>> will only work with "all fields ok".
>> This can save a trip to the server, but you still need to perform the
>> same test server side. NEVER trust anything client side! Not only may
>> the user not have javascript enabled, but it might not even be your
>> page which is being submitted - it could be one created by a hacker,
>> for instance.
>>>> I test for additional fields that could be written in the body of the
>>>> mail, and if so: a note is written to the spammer, and the mail will
>>>> not be sent.
>>> IMHO a better protection against spammers is effectively not sending
>>> the mail :-) , but more secure by not telling the spammer that he is
>>> doing spam (so he may think that the form has a bug).
>> You should always tell the customer when an email is not sent.
>> Otherwise a customer may think a message has been sent when it hasn't.
>> And when you don't respond, what is the customer going to think?
> I had not clearly exposed my point of view :-)
> I agree with you ... always telling the customer the reason why the
> mail will not be sent ... however I did not want to tell the spammer
> that he is doing something ... in other words, when the "crack" value
> is true I will not use this coding:
>
> if ($crack)
> {
>     // If crack discovers additional fields in the body,
>     // the mail will not be sent and this message is written to the
>     // screen
>     echo "<h1 style=\"color:red;\">Spammer!</h1>";
>     echo "<p>You have no rights to use this feedback form!</p>";
> }
How do you know it's a spammer? If I wanted to use your form for spamming, it would be a minor chore to determine which fields shouldn't have anything in them.
Better yet - just use cURL to fetch the page; figure out what data needs to be set and which cannot, and resubmit the form.
Tricks like this provide only a false sense of security.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
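Added example, not part of Jerry Stuckle's post or of any code in this thread: a small Python script that does what the post describes (look at the form, work out which fields a browser would send and which a human could never fill, and build a submission), and then runs the server-side checks that the earlier quoted advice says must be repeated no matter what the JavaScript did. The form HTML is a constructed sample, the field names (name, email, message, crack, formid, send) are assumed, and the validation rules, including the line-break check on the fields that would end up in mail headers, are assumptions chosen to illustrate the principle rather than anything taken from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample (not from the thread) of a feedback form with a CSS-hidden
# "crack" field that a human never sees and is therefore expected to leave empty.
SAMPLE_FORM = """
<form method="post" action="/feedback.php">
  <label>Name <input type="text" name="name"></label>
  <label>E-mail <input type="text" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <input type="hidden" name="formid" value="42">
  <div style="display: none"><input type="text" name="crack"></div>
  <input type="submit" name="send" value="Send">
</form>
"""

VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}


class FormScanner(HTMLParser):
    """Collect every named form control together with whether a user could see it."""

    def __init__(self):
        super().__init__()
        self.fields = []    # (name, type, default value, visible)
        self._hidden = []   # stack: True for each open element styled display:none

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if tag in ("input", "textarea") and a.get("name"):
            typ = (a.get("type") or "text").lower()
            visible = typ != "hidden" and not css_hidden and not any(self._hidden)
            self.fields.append((a["name"], typ, a.get("value") or "", visible))
        if tag not in VOID_TAGS:
            self._hidden.append(css_hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()


def scan_form(html):
    scanner = FormScanner()
    scanner.feed(html)
    return scanner.fields


def trap_fields(html):
    """Names of text controls a browser submits but a human could never fill in.
    The page's own markup gives the trap away; no guessing is needed."""
    return [name for name, typ, _, visible in scan_form(html)
            if typ in ("text", "textarea") and not visible]


def build_submission(html, payload):
    """The 'fetch the page and resubmit' attack from the post: visible fields get
    the attacker's payload, hidden and submit controls keep their defaults, and
    CSS-hidden traps are sent empty, exactly as a real browser would send them."""
    post = {}
    for name, typ, default, visible in scan_form(html):
        if typ in ("hidden", "submit"):
            post[name] = default
        elif visible:
            post[name] = payload.get(name, "")
        else:
            post[name] = ""   # the trap field: leave it untouched
    return post


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_server_side(post):
    """Hypothetical server-side checks mirroring what the form's JavaScript would do
    (required, minimum length, e-mail shape). Returns the list of reasons to show
    the customer; an empty list means the mail may be sent."""
    errors = []
    name = post.get("name", "").strip()
    email = post.get("email", "").strip()
    message = post.get("message", "").strip()
    if len(name) < 2:
        errors.append("name is required")
    if not EMAIL_RE.match(email):
        errors.append("a valid e-mail address is required")
    if len(message) < 10:
        errors.append("message is too short")
    # Assumed extra check: a CR or LF in a value that is copied into mail headers
    # would let the sender append header lines of his own, so reject it outright.
    for label, value in (("name", name), ("email", email)):
        if "\r" in value or "\n" in value:
            errors.append(f"{label} contains a line break")
    return errors


if __name__ == "__main__":
    spam = {"name": "Bob", "email": "bob@example.com",
            "message": "Buy now: http://example.com/offer"}
    post = build_submission(SAMPLE_FORM, spam)
    print("trap fields visible in the markup:", trap_fields(SAMPLE_FORM))
    print("POST body a script would send:", urlencode(post))
    print("server-side errors:", validate_server_side(post))
```

Run as a script it prints the POST body a resubmitting tool would send: `crack` goes out empty because the HTML itself says the field is hidden, so an empty trap tells the server nothing about whether a person filled the form. The errors list is what the page should show the customer; only the server-side checks decide whether the mail is sent.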
- Follow-Ups:
- Re: Secure feedback form
- From: Raymond Schmit
- Re: Secure feedback form
- References:
- Secure feedback form
- From: Karl-Arne Gjersøyen
- Re: Secure feedback form
- From: Raymond Schmit
- Re: Secure feedback form
- From: Jerry Stuckle
- Re: Secure feedback form
- From: Raymond Schmit