bad_url not working if detectattacks is true

[mstewart14]

I'm new to formmail so please forgive any newbie ignorance that maybe evident in the following.

It's possible this should be posted as a bug, but I'm posting it here to see if others have similar issues.

I successfully had "good_url" work and thought I should setup "bad_url".

Didn't work when all the form elements had identical data, spent a PILE of time sniffing through the code trying to figure out the issue and came to the conclusion that attack detection happens before "parseInput(array)" is called. Also noticed that detectattacks automatically does a "createpage" without checking for "bad_url" or "bad_template".

I solved the problem for myself, however this introduces an upgrade issue for me.

The solution I went for was to change in the function detectAttacks() the createpage() to UserError() and if an attack is detected to parseInput before throwing the UserError.

Is this an issue others have encountered? Does this seem like a good solution to others?

[russellr]

Hi,

Test with real data. If you just put in repeating junk into your forms, FormMail will think this is a spammer trying to send spam to you.

You can disable attack detection if you want by setting ENABLE_ATTACK_DETECTION to false, and then enable it again later when you're putting it into production.

I don't recommend changing the code.

[mstewart14]

The point of the excercise was to test "bad behaviour" and how the script handles it.

I discovered that it didn't behave as I would like. detectattacks doesn't allow for showing the results of the error (if someone is stupid and as you know, people will always behave worse than we can imagine as programmers) in *my* look and feel. I suppose I could have learned to use the handler you have provided but I chose to learn about the code instead.

I solved the problem. I thought you and others might be interested in the solution I came up with.

[DanMurphy]

To force FormMail to display my bad_url page if the form input looks like an attack, I set the ATTACK_DETECTION_URL equal to the bad_url value. So whether the user made an error or attempted an attack, they get the same friendly, formatted error message. This minor customization shouldn't present a problem for upgrades to FormMail.