Re: email form injection
- From: gordonb.odg2g@xxxxxxxxxxx (Gordon Burditt)
- Date: Mon, 05 Jan 2009 02:42:16 -0600
[sanitising contact form fields]
You can also do something very simple. Name the fields some generic
name like field01, field02, field03... and code a hidden field like
"ZIP" with no default value. If your action script sees this field with
a value, you know the form was filled by a bot.
Client side "security" is less than worthless.
This isn't really client side security. Client side security would be
refusing to submit the form if so. Here, the check is on the server.
Occasionally you can get the bad guy (bot) to rat himself out. It
is worthwhile to do this when you have no hard and fast security
rules to filter out the good from the bad. It's not 100% effective,
but neither are spam filters in email. This one is interesting in
that it doesn't inconvenience the real users and it's difficult for
real users to erroneously be called a bot.
If a human fills out
the form and sends spam, reporting that is harder other than banning
that IP block. So far, the hidden field trick has worked on my contact
How do you know it has "worked"?
Let's assume that a human not trying to play tricks DOESN'T fill in
hidden fields. Then every form submission he gets with the form filled
in "worked", to the extent that his server blocked the request from
something presumably not human.
If that doesn't work, you may have to go to a CAPTCHA:
This is a joke, right?
Someone told me that he had some interesting results from throwing
up a CAPTCHA, with a field below it labelled "please leave this
field blank". Apparently he had some users who had trouble with
filling in the CAPTCHA correctly (and occasionally I will run across
one where I'm guessing between two or three alternatives after
staring at it for a couple of minutes. The difference between i,
I, 1, and l can be confusing when they're warped. The same goes
for o, O, and 0. And depending on how you warp them, other letters
can look alike).
One of the complainers was his boss, so he re-did the check 2 days
later and re-titled the field. Now it fails if you fill in
*anything*. It seems the bots (presumably humans won't bother
filling in a field they are told not to) initially kept filling in
the wrong answer (the letters and numbers in the CAPTCHA), but
gradually got better at filling in the field with the "correct
answer". And he said it worked better than the CAPTCHA check the
way it's "supposed" to be done. A few humans, especially those who
saw the form with the original CAPTCHA, got tricked at first. That
shouldn't happen if the field is made hidden.
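The server-side half of the trick described in this thread (generic field names plus a hidden field that must arrive empty), written out as an added example; this is not code from the post, and `FIELD_MAP`, `HONEYPOT_FIELD` and the sample submissions are constructed for illustration.

```python
"""Server-side honeypot check for a contact form.

Added example, not code from the original post. FIELD_MAP, HONEYPOT_FIELD
and the sample submissions below are constructed for illustration.
"""
from typing import Mapping

# Visible inputs carry generic names; the server maps them back to meaning.
FIELD_MAP = {"field01": "name", "field02": "email", "field03": "message"}

# Rendered as a hidden input with no default value (or shown with a label
# asking the visitor to leave it blank); a real browser submits it empty.
HONEYPOT_FIELD = "ZIP"


def classify_submission(form: Mapping[str, str]) -> tuple[str, str, dict[str, str]]:
    """Return (verdict, reason, fields); verdict is "ok" or "bot".

    Any non-blank honeypot value is rejected, as in the post's re-titled
    variant ("fails if you fill in *anything*"). Two choices beyond the
    post: whitespace-only is treated as blank so an autofill quirk cannot
    misclassify a human, and a submission that lacks the field entirely is
    rejected, since the real form always sends it.
    """
    if HONEYPOT_FIELD not in form:
        return "bot", "honeypot field missing (not posted from our form)", {}
    if form[HONEYPOT_FIELD].strip():
        return "bot", "honeypot field filled", {}
    fields = {meaning: form.get(generic, "").strip()
              for generic, meaning in FIELD_MAP.items()}
    return "ok", "honeypot empty", fields


if __name__ == "__main__":
    # Constructed submissions: one browser post and two bot-like posts.
    samples = [
        {"field01": "Ann", "field02": "ann@example.test",
         "field03": "Hello", "ZIP": ""},
        {"field01": "x", "field02": "y", "field03": "z", "ZIP": "12345"},
        {"field01": "x", "field02": "y", "field03": "z"},
    ]
    for sample in samples:
        verdict, reason, _ = classify_submission(sample)
        print(verdict, "-", reason)
```

Log the reason alongside the rejected submission; the "missing field" case is the one that catches scripts posting to the action URL without ever loading the form.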