
Thread: required fields

  1. #1
    Join Date
    Apr 2007
    Posts
    21

    Default required fields

    I use JavaScript to make my fields required. The script is visible and anyone can see it.
    I have seen worried posts from people suggesting to use INI files to make the fields required.

    I don't understand the problem with having such a script visible. If they don't know the recipient's mail address, why should I be worried?

    Please help me to understand more about this.

    Andre

  2. #2
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    Spammers do 3 things:
    1. Harvest email addresses from HTML pages (especially forms). Hiding your email addresses with JavaScript doesn't work anymore. Hiding your email addresses with FormMail's AT_MANGLE can work fine, but it isn't perfect because a human being can usually figure out the AT_MANGLE string (and, depending on what your AT_MANGLE is, this *might* be possible automatically).
    2. Try to send email to anyone in the world via your FormMail script. They are now attempting this by interpreting your HTML form. Tectite FormMail is completely invulnerable to this if you set $TARGET_EMAIL correctly. They'll bypass the JavaScript to achieve this. JavaScript does not protect you.
    3. Try to send you, the website owner, spam using your FormMail script. They'll bypass the JavaScript to achieve this. JavaScript does not protect you.
    The INI file means the spammer cannot bypass any rules you set and it means you can protect your email addresses 100%.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  3. #3
    Join Date
    Apr 2007
    Posts
    21

    Default Re: required fields

    Hi !
    Thank you for a quick answer.

    I don't protect my email address with JavaScript. I use an INI file and I keep it safe.
    I use JavaScript only to make some fields required.

    To become a spam gateway is, I think, another case. But I use CAPTCHA to reduce the risks.
    What I meant was: why should I be worried if people can see my code making my fields required? Seriously, users will fill in the required fields and I will get the data when they submit the form. In other cases I will not receive anything because they don't know my e-mail address receiving the form result. Am I missing something or what?

    Yours sincerely
    Andre
    Last edited by A77; 29-Apr-2007 at 11:02 PM.

  4. #4
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    To become a spam gateway is, I think, another case.
    That's my #2 case above.

    Captcha for autoresponding is a requirement to prevent this too.

    Captcha for normal form submissions just protects you from spam.

    Tectite FormMail cannot be used as a spam gateway if you set $TARGET_EMAIL properly, unless you also configure the autoresponder feature (and the captcha is designed to protect you with that).

    What I meant was: why should I be worried if people can see my code making my fields required? Seriously, users will fill in the required fields and I will get the data when they submit the form.
    You don't need to hide required fields from normal users. They don't try to break your form validations.

    Spammers trying to send you spam will often try to bypass your required fields. Required fields in the INI file cannot be bypassed. That's all.

    In other cases I will not receive anything because they don't know my e-mail address receiving the form result. Am I missing something or what?
    They can't see your email address, but they can fake a form submission that looks exactly like your form to FormMail.

    So, the "recipients" will be specified (that is, you) and what's protecting you from that spam is your field validations (in the INI file) and FormMail's built-in attack detection.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  5. #5
    Join Date
    Apr 2007
    Posts
    21

    Default Re: required fields

    Hi again Mr Robinson.
    These are very important things you are teaching me, and other users should read this too.
    Quote Originally Posted by russellr

    Spammers trying to send you spam will often try to bypass your required fields.

    They can't see your email address, but they can fake a form submission that looks exactly like your form to FormMail.

    So, the "recipients" will be specified (that is, you) and what's protecting you from that spam is your field validations (in the INI file) and FormMail's built-in attack detection.
    What I understand from this is that spammers can send ME spam even if they don't see my e-mail address, which I have in the INI file. How can the recipients be specified?

    Yours sincerely
    Andre

  6. #6
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    What I understand from this is that spammers can send ME spam even if they don't see my e-mail address, which I have in the INI file. How can the recipients be specified?
    They just copy all the fields from your HTML form and try to fake the data entry fields.

    Whether the recipients are specified in the HTML or in the INI file, doesn't matter. Either way FormMail cannot tell the difference between a real form and a faked submission.

    Except, of course, FormMail runs validations (which you can keep secret in your INI file) and looks for attacks. You should review the attack detection settings starting here. Especially, ATTACK_DETECTION_MANY_URLS and ATTACK_DETECTION_MANY_URL_FIELDS.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  7. #7
    Join Date
    Apr 2007
    Posts
    21

    Default Re: required fields

    Hi !
    OK, I understand now, and thanks for your big patience.
    I have the required fields in the INI file and I will look for attacks.

    But what do you think about this:
    I really want the JavaScript to make my fields required because it pops up a message without leaving the page. Very easy for my users.
    I have my fields required in the INI file and I ALSO use JavaScript for the same fields to make them required. The form is working perfectly, the JavaScript tells me about the required fields, and when I disable JavaScript I can't bypass the fields because they are in the INI file too.

    Can I stop FormMail from sending me e-mail when users enter the wrong verification characters? I don't mean DEF_ALERT; I also receive e-mail to the $TARGET_EMAIL

    Thank you very much for all help
    Andre

  8. #8
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    But what do you think about this:
    I really want the JavaScript to make my fields required because it pops up a message without leaving the page. Very easy for my users.
    I have my fields required in the INI file and I ALSO use JavaScript for the same fields to make them required. The form is working perfectly, the JavaScript tells me about the required fields, and when I disable JavaScript I can't bypass the fields because they are in the INI file too.
    Yes, that's exactly how we recommend you use JavaScript and FormMail.

    Can I stop FormMail from sending me e-mail when users enter the wrong verification characters? I don't mean DEF_ALERT; I also receive e-mail to the $TARGET_EMAIL
    If you're using imgverify, FormMail will not send the form results email unless there is a match. The user gets an error which they need to correct.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/
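
The layering confirmed in the reply above (JavaScript for user convenience, server-held rules for enforcement) can be sketched as follows. This is an added example, not code from the thread or from Tectite FormMail; the rule names, thresholds and sample posts are assumptions constructed for illustration, and the URL check only loosely models the kind of heuristic the attack detection settings mentioned earlier suggest.

```javascript
// Added example: server-side re-validation of a form submission.
// All names and thresholds are hypothetical; this is not FormMail code.

// Rules held on the server (the role the INI file plays in the thread),
// so a client that skips the page's JavaScript cannot change them.
const RULES = {
  required: ["name", "email", "message"],
  maxUrlsPerField: 2,   // assumed threshold
  maxFieldsWithUrls: 1, // assumed threshold
};

const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

function validateSubmission(fields, rules = RULES) {
  const errors = [];

  // Required fields: absent, non-string and whitespace-only values all fail.
  for (const name of rules.required) {
    const value = fields[name];
    if (typeof value !== "string" || value.trim() === "") {
      errors.push(`missing required field: ${name}`);
    }
  }

  // URL heuristic: flag link-heavy fields and links spread over many fields.
  let fieldsWithUrls = 0;
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") continue;
    const count = (value.match(URL_RE) || []).length;
    if (count > 0) fieldsWithUrls += 1;
    if (count > rules.maxUrlsPerField) {
      errors.push(`too many URLs in field: ${name}`);
    }
  }
  if (fieldsWithUrls > rules.maxFieldsWithUrls) {
    errors.push("URLs present in too many fields");
  }
  return { ok: errors.length === 0, errors };
}

// Constructed samples: a post from the real form, and one built by hand
// that never ran the page's JavaScript checks.
const browserPost = { name: "Andre", email: "andre@example.com", message: "Please call me." };
const forgedPost = {
  name: " ",
  email: "x@example.com http://a.example",
  message: "http://a.example http://b.example http://c.example",
};

console.log(validateSubmission(browserPost));
console.log(validateSubmission(forgedPost));
```

The browser-side script can show the same "required" messages for convenience, but only the server's result decides whether mail is sent.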

  9. #9
    Join Date
    Apr 2007
    Posts
    21

    Default Re: required fields

    Hi !
    Quote Originally Posted by russellr

    If you're using imgverify, FormMail will not send the form results email unless there is a match. The user gets an error which they need to correct.
    But that is exactly what happened and I don't understand why.
    When the characters don't match I get an error message to a specific e-mail ($DEF_ALERT) that says:
    The following error occurred in FormMail :
    ar_verify
    Error=Your entry did not match the image

    That's how I wanted it, but I also receive the form result at the $TARGET_EMAIL when the characters don't match.
    I use verifyimg.php version 1.04 and FormMail version 7.15

    Thank you again for taking your time.
    Andre
    Last edited by A77; 02-May-2007 at 09:02 AM.

  10. #10
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    This is a support question now (not a features question), so we'd appreciate it if you would subscribe here: http://www.tectite.com/vbforums/payments.php

    You need to be using "imgverify" instead of "arverify".
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/
