required fields

[A77]

I use javascript to make my fields required. The script is visible and anyone can see it.
I have seen worry posts from people suggesting to use ini files to make the fields requierd.

I don't understand the problem to have such a script visible. If they don't know the recipients mailaddress why shuld I be worried ?

Please help me to understand more about this.

Andre

[russellr]

Hi,

Spammers do 3 things:

1. Harvest email addresses from HTML pages (especially forms). Hiding your email addresses with JavaScript doesn't work anymore. Hiding your email addresses with FormMail's AT_MANGLE can work fine, but it isn't perfect because a human being can usually figure out the AT_MANGE string (and, depending on what your AT_MANGLE is, this *might* be possible automatically).
2. Try to send email to anyone in the world via your FormMail script. They are now attempting this by interpreting your HTML form. Tectite FormMail is completely invulnerable to this if you set $TARGET_EMAIL correctly. They'll bypass the JavaScript to achieve this. JavaScript does not protect you.
3. Try to send you, the website owner, spam using your FormMail script. They'll bypass the JavaScript to achieve this. JavaScript does not protect you.

The INI file means the spammer cannot bypass any rules you set and it means you can protect your email addresses 100%.

[A77]

Hi !
Thank you for a quick answer.

I don't protect my email address with javascript. I use ini-file and I keep it safe.
I use javascript only to make some fileds required.

To become a spam gateway is I think another case.But I use CAPTCHA to reduce the risks.
Waht I ment was why shuld I be worried if people can see my code making my fileds required.Seriously users will fill the required fields and I will get the data when they submit the form. In other case I will not receive anything because they don't know my E-mail receiving the form result. Do I miss something or what?

Your Sincerely
Andre

[russellr]

Hi,

To become a spam gateway is I think another case.

That's my #2 case above.

Captcha for autoresponding is a requirement to prevent this too.

Captcha for normal form submissions just protects you from spam.

Tectite FormMail cannot be used as a spam gateway if you set $TARGET_EMAIL properly, unless you also configure the autoresponder feature (and the captcha is designed to protect you with that).

Waht I ment was why shuld I be worried if people can see my code making my fileds required.Seriously users will fill the required fields and I will get the data when they submit the form.

You don't need to hide required fields from normal users. They don't try to break your form validations.

Spammers trying to send you spam will often try to bypass your required fields. Required fields in the INI file cannot be bypassed. That's all.

In other case I will not receive anything because they don't know my E-mail receiving the form result. Do I miss something or what?

They can't see your email address, but they can fake a form submission that looks exactly like your form to FormMail.

So, the "recipients" will be specified (that is, you) and what's protecting you from that spam is your field validations (in the INI file) and FormMail's builtin attack detection.

[A77]

Hi again Mr Robinsson.
This is very important things you lern me and other users shuld read this too.

Spammers trying to send you spam will often try to bypass your required fields.

They can't see your email address, but they can fake a form submission that looks exactly like your form to FormMail.

So, the "recipients" will be specified (that is, you) and what's protecting you from that spam is your field validations (in the INI file) and FormMail's builtin attack detection.

What I understand from this is that spammers can send ME spam even if they don't see my E-mail address which I have into INI file. How can the recipients be specified ?

Your Sincerely
Andre

[russellr]

Hi,

What I understand from this is that spammers can send ME spam even if they don't see my E-mail address which I have into INI file. How can the recipients be specified ?

They just copy all the fields from your HTML form and try to fake the data entry fields.

Whether the recipients are specified in the HTML or in the INI file, doesn't matter. Either way FormMail cannot tell the difference between a real form and a faked submission.

Except, of course, FormMail runs validations (which you can keep secret in your INI file) and looks for attacks. You should review the attack detection settings starting here. Especially, ATTACK_DETECTION_MANY_URLS and ATTACK_DETECTION_MANY_URL_FIELDS.

[A77]

Hi !
Ok I understand now and thanx for your big patience.
I have required fileds into INI file and I will look for attacks.

But what do you think about this:
I really want the javascript to make my fileds required because it popup a message without leaving the page. Very easy for my users.
I have my fileds required into INI file and I ALSO use javascript for the same fields to make them required. The form is working perfectly,the javascript tells me about the required fileds and when I disable javascript I can't bypass the fileds because they are into INI file too.

Can I disable formmail to send me e-mail when users enter wrong verify characters ? I don't mean DEF_ALERT I also receive e-mail to the $TARGET_EMAIL

Thank you very much for all help
Andre

[russellr]

Hi,

But what do you think about this:
I really want the javascript to make my fileds required because it popup a message without leaving the page. Very easy for my users.
I have my fileds required into INI file and I ALSO use javascript for the same fields to make them required. The form is working perfectly,the javascript tells me about the required fileds and when I disable javascript I can't bypass the fileds because they are into INI file too.

Yes, that's exactly how we recommend you use JavaScript and FormMail.

Can I disable formmail to send me e-mail when users enter wrong verify characters ? I don't mean DEF_ALERT I also receive e-mail to the $TARGET_EMAIL

If you're using imgverify, FormMail will not send the form results email unless there is a match. The user gets an error which they need to correct.

[A77]

Hi !

If you're using imgverify, FormMail will not send the form results email unless there is a match. The user gets an error which they need to correct.

But that is exactly what happend and I don't understand why.
When the chracters dismatch I get error messaage to a specific e-mail ( $DEF_ALERT) says:
The following error occurred in FormMail :
ar_verify
Error=Your entry did not match the image
That's how I wanted but I also receive form result to the $TARGET_EMAIL when chracters dismatch.
I use verifyimg.php version 1.04 and Formmail version 7.15

Thank you again for taking your time.
Andre

[russellr]

Hi,

This is a support question now (not a features question), so we'd appreciate it if you would subscribe here: http://www.tectite.com/vbforums/payments.php

You need to be using "imgverify" instead of "arverify".