
Re: Email Validation Error

Posted: Sun Mar 30, 2008 2:30 am
by matthijs
I think a problem is that there is no input validation for any of the form fields posted. So $mailmessage, $_POST['field_1'] and $_POST['field_2'] should have at least some basic input filtering/validation.

As to the spam: you could also try something with an extra input field and a basic simple question. Like "Please uncheck the following checkbox to show this is not spam". Or "Who is bigger, a cat or a dog?". Most spambots will choke on those.

But I do understand that, just as with the captcha, something like that makes your form harder to use.

Re: Email Validation Error

Posted: Sun Mar 30, 2008 7:07 pm
by nootkan
I thought that was taken care of with JS in form.html. I have since blacklisted the IP address of the offenders and haven't received any spam lately, so that is a good (but temporary) thing I guess.
Nootkan

Re: Email Validation Error

Posted: Mon Mar 31, 2008 2:12 am
by matthijs
You cannot rely on JavaScript validation. Never. JavaScript can be turned off by the user/attacker and as far as I know bots don't even care about it. Always have solid validation on the server side. JavaScript validation is there only for convenience (no page reload needed to show form errors) for the users that have JS on.
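
One way to do the server-side validation described above, as an added example that is not part of the original posts or of nootkan's script. It assumes field_1 is a name and field_2 is the sender's address, and it uses a hypothetical `challenge` field for the simple question suggested earlier in the thread.

```php
<?php
// Added example. Assumed meanings: field_1 = name, field_2 = sender email;
// 'challenge' is a hypothetical field for the cat/dog question.
function validate_contact_form(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['field_1', 'field_2', 'mailmessage', 'challenge'] as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value)) {      // e.g. field_1[]=x arrives as an array
            $errors[$key] = 'must be a single text value';
            $value = '';
        }
        $clean[$key] = trim($value);
    }
    // Name: required, bounded, no control characters (CR/LF included),
    // because it may end up in a mail header.
    if (!preg_match('/\A[^\x00-\x1F\x7F]{1,100}\z/', $clean['field_1'])) {
        $errors['field_1'] ??= 'name is required, max 100 bytes, no line breaks';
    }
    // Email: syntactic check only; it does not prove the mailbox exists.
    if (strlen($clean['field_2']) > 254
        || filter_var($clean['field_2'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['field_2'] ??= 'not a valid email address';
    }
    // Message body: required and size-limited.
    $len = strlen($clean['mailmessage']);
    if ($len === 0 || $len > 5000) {
        $errors['mailmessage'] ??= 'message is required, max 5000 bytes';
    }
    // Simple question from the thread; the answer is compared on the server.
    if (strtolower($clean['challenge']) !== 'dog') {
        $errors['challenge'] ??= 'wrong answer to the anti-spam question';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Constructed sample submissions (not real traffic).
$good = ['field_1' => 'Ann', 'field_2' => 'ann@example.com',
         'mailmessage' => 'Hello', 'challenge' => 'Dog'];
$bad  = ['field_1' => "Ann\r\nsecond line", 'field_2' => 'not-an-email',
         'mailmessage' => '', 'challenge' => ''];

var_dump(validate_contact_form($good)['ok']);
print_r(validate_contact_form($bad)['errors']);
```

Call `validate_contact_form($_POST)` before any `mail()` call and send only when `ok` is true, using the values in `clean`.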

Re: Email Validation Error

Posted: Mon Mar 31, 2008 10:56 pm
by nootkan
Thanks for all your input. I guess I'll have to scrap the form idea to replace email addresses on my websites as I am unable to figure out how to secure the script. :oops: Some day maybe. Thanks again.
Nootkan