Search:

Have a look at the very first post in this thread. It contains the PHP code of the modified Redirect function. It passes the user message as the URL parameter msg to the custom page.

Here is a...

I now added a PHP wrapper around formmail.php which does the following additional sanity checks:

- Must be a POST request
- Referrer can be empty but if set must match our domain
- Check that...

Russell,

I did run into a snag with having the required parameter in the ini file: The ini file required parameter overrides the form hidden field parameters.

For most forms I have different...

Thank you for your suggestions.



Good idea, will be done ASAP.

Won't work as deriving field cannot be configured in ini files and they post directly to formmail.php.

PB

Unfortunately the junk is not in the normal fields, only in the referrer field.

I have two cases:

a) Two fields submitted: email and realname both empty, a long "junky" URL in the referrer. I...

Thank you for your consideration.

As said above, I patched the current version so its not urgent for me, but ideally like to use the "out-of box" version.

Probably not a lot of real people...

)Yes I agree, since swapping over from nms Formmail to your Aussie product a fortnight ago, I reduced heaps of URL spam.

But on a daily basis I have people calling the formmail.php script directly...

I know that formmail.php contains this comment and this is technically correct:


// Note that HTTP_REFERER is easily spoofed, so there's no point in
// using it for security.But a lot of...

I suggest to pass on the user info message to the attack detection URL either as a POST or GET variable. Example see below.

Currently I manually changed the formmail.php code (8.23) from:
...