Form bypassing validation?

Issues related to forms.
betwixt
Posts: 101
Joined: Mon Nov 25, 2013 3:49 pm

Form bypassing validation?

Post by betwixt »

This is probably something silly I'm doing but I need advice on how to stop it. The form at:
http://www.dyfi.com/Get_In_Touch.php
is created with version 6.02 under Linux.

I am getting lots of spam, apparently sent by the form being completed, example below:
Values submitted from Dyfi.com Talk to us page:
IP Address : 46.166.143.122
Referer : dyfi.com/Get_In_Touch.php
Form Source Is : dyfi.com contact form
NameBox : MarcusGaisk
EmailAddress : xlgfbuogk656@aol.com
LocationBox : Yugoslavia
CommentBox : Hot girls for *** in your city are waiting for you, join in: http:// <removed by betwixt>
Editbox4 :
The form has server validation on all fields and a hidden field which is correctly passed on in the email. If I change the values in the hidden field they are immediately used in the email so it appears to be used 'live'. I have tried changing the page name and I have wiped the server and re-published in case any residual old page was being used. I have tried Re-Captcha2 with no success and my latest trial has been to remove the submit button and use a hidden 'normal' button which is only visible if the question is answered correctly. The button triggers events 'Form Submit' then 'Form Reset'.

I can't see how the form is being submitted, the only clue I have is that 'Editbox4' should contain a number (it does if I test the form myself) but in all the spam mails it is blank.

Any idea what is happening?

Brian.
Pablo
Site Admin
Posts: 3919
Joined: Mon Feb 13, 2006 7:00 am
Location: Europe

Re: Form bypassing validation?

Post by Pablo »

Validation is not meant for stopping spam. It is meant to help users to input correct values.
By default, validation uses JavaScript to validate the input. This can easily be bypassed, for example by disabling JavaScript in the browser.

To prevent spam, you can consider using recaptcha, although this still does not stop manually entered spam.
You can also try to enable server-side validation.
betwixt
Posts: 101
Joined: Mon Nov 25, 2013 3:49 pm

Re: Form bypassing validation?

Post by betwixt »

As stated, server-side validation is turned on and Recaptcha has been tried but was unsuccessful; it did not stop the form being used.

The validation was turned on to prevent the form being posted without first completing the fields but the form is still submitted with at least one field empty. In the source that field has to have a minimum and maximum length of 8 digits.

From the amount of mail I'm getting, several every day and all with random names and IP addresses, I don't think it is being manually filled in. My question is 'do you know of any way to cheat' so I can program defensively? It doesn't look like the normal 'Submit' method is being used.

Brian.
Pablo
Site Admin
Posts: 3919
Joined: Mon Feb 13, 2006 7:00 am
Location: Europe

Re: Form bypassing validation?

Post by Pablo »

There is no way to stop spam completely. Even recaptcha cannot guarantee that.
But server-side validation should stop invalid input, if configured correctly.

Maybe you have added custom code to the page that conflicts with the generated scripts (and therefore disables the validation)?
mexman
Posts: 547
Joined: Mon Feb 11, 2013 11:33 am
Location: Puebla/Mexico

Re: Form bypassing validation?

Post by mexman »

Hi Brian,
I would recommend that you:
- review your code; the form is not working as stated on the web page ("then press enter")
- remove all google bullshit
- simplify your site (in QnEWB "save as" -> test). Then remove everything unnecessary, other than the form, upload to the same or any test directory on your server and test again.
I am using the built-in form validator from QnEWB and Pablo is right... there is SPAM from time to time, but reasonable. I am not using any captcha, but I exclude the page by "nofollow" from some web crawlers.

regards
Michael
betwixt
Posts: 101
Joined: Mon Nov 25, 2013 3:49 pm

Re: Form bypassing validation?

Post by betwixt »

Thanks Michael.

I can see your test message although unlike the spam, it DID have the number entered as requested. If you found a way to be directed to the 'thankyou' page without passing the quiz I would love to hear it.

The Google stuff is a nuisance but sadly the law in my country states that web sites covering local issues have to be bi-lingual, despite almost all the population only speaking English. I am only fluent in English so I had to add the automatic translation to meet the requirement, I have already had grief from the language authorities for not being fully compliant.

In absolutely no way did I intend to be critical of Pablo's work but if I could see how the spammers operated I could build more appropriate defences.

Brian.
Pablo
Site Admin
Posts: 3919
Joined: Mon Feb 13, 2006 7:00 am
Location: Europe

Re: Form bypassing validation?

Post by Pablo »

Using events (JavaScript) to hide the submit button will not stop anyone from submitting the form.
It takes 2 seconds to enable the button via the browser's debugger (F12).
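Pablo's point in this and his earlier reply is that anything done in the browser (JavaScript validation, a hidden submit button, a button enabled only after the quiz) is advisory: a bot posts straight to Get_In_Touch.php and never runs the page's scripts, which is consistent with Editbox4 arriving blank in every spam mail. The block below is an added example, not code from the site or from the web builder, of the checks a server-side handler should apply to the raw POST body before mailing anything on. The field names are the ones visible in the quoted spam e-mail and the "exactly 8 digits" rule for Editbox4 comes from the thread; the captcha field name QuizAnswer, the expected answer "dyfi" and both sample request bodies are assumptions constructed for the example.

```python
from __future__ import annotations

import hmac
import re
from urllib.parse import parse_qs

# Field names as they appear in the spam e-mail quoted in the thread.
REQUIRED_FIELDS = ("NameBox", "EmailAddress", "LocationBox", "CommentBox", "Editbox4")
EDITBOX4_RE = re.compile(r"^[0-9]{8}$")               # thread: min and max length 8 digits
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only
QA_FIELD = "QuizAnswer"   # ASSUMED name of the question-and-answer captcha field
QA_EXPECTED = "dyfi"      # ASSUMED expected answer; the real one is not on the page


def parse_post_body(body: str) -> dict[str, str]:
    """Flatten an application/x-www-form-urlencoded body to one value per key.

    keep_blank_values=True matters here: the spam submissions carry
    'Editbox4=' with nothing after it, and silently dropping blank keys
    would make "field missing" and "field empty" indistinguishable.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_submission(form: dict[str, str]) -> list[str]:
    """Return rejection reasons; an empty list means the submission is acceptable.

    Runs entirely on the server, on the parsed POST data, so it does not
    matter whether the browser executed the page's JavaScript, whether the
    submit button was visible, or what the Referer header claims.
    """
    errors: list[str] = []
    for field in REQUIRED_FIELDS:
        if not form.get(field, "").strip():
            errors.append(f"{field} is required")

    editbox4 = form.get("Editbox4", "").strip()
    if editbox4 and not EDITBOX4_RE.fullmatch(editbox4):
        errors.append("Editbox4 must be exactly 8 digits")

    email = form.get("EmailAddress", "").strip()
    if email and not EMAIL_RE.fullmatch(email):
        errors.append("EmailAddress is not a plausible address")

    # Q&A captcha: a missing field is a failure, not an exception, and the
    # comparison is constant-time so the answer cannot be probed by timing.
    answer = form.get(QA_FIELD, "").strip().lower()
    if not hmac.compare_digest(answer.encode(), QA_EXPECTED.encode()):
        errors.append("captcha answer missing or wrong")
    return errors


def handle_post(body: str) -> tuple[bool, list[str]]:
    """Decide whether a raw POST body should be mailed on or dropped."""
    errors = validate_submission(parse_post_body(body))
    return (not errors, errors)


# Constructed sample bodies (not captured traffic). LEGIT_BODY mirrors a real
# browser submission that went through the quiz; BOT_BODY mirrors the spam
# pattern from the thread: visible fields filled, Editbox4 empty, no captcha
# answer, because the sender posted directly without running the page.
LEGIT_BODY = (
    "NameBox=Brian&EmailAddress=brian%40example.org&LocationBox=Wales"
    "&CommentBox=Hello&Editbox4=12345678&QuizAnswer=Dyfi"
)
BOT_BODY = (
    "NameBox=MarcusGaisk&EmailAddress=xlgfbuogk656%40aol.com&LocationBox=Yugoslavia"
    "&CommentBox=http%3A%2F%2Fexample.invalid&Editbox4="
)

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("bot", BOT_BODY)):
        ok, why = handle_post(body)
        print(label, "ACCEPT" if ok else "REJECT", why)
```

Two caveats worth noting against the thread. A Referer check would not have helped: the quoted spam already carries "Referer : dyfi.com/Get_In_Touch.php", so the sender sets whatever headers the form normally sends. And the example does not explain why the builder's own server-side validation let Editbox4 through on the live site; it only shows what a check on the raw POST must do so that a blank Editbox4 is rejected no matter how the request was produced.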
betwixt
Posts: 101
Joined: Mon Nov 25, 2013 3:49 pm

Re: Form bypassing validation?

Post by betwixt »

I see your test results. Thank you for the explanation, it looks like I need to think this through again.

Brian.
betwixt
Posts: 101
Joined: Mon Nov 25, 2013 3:49 pm

Re: Form bypassing validation? (update)

Post by betwixt »

I confirmed re-Captcha2 was completely useless, as a normal user it did all it was supposed to do but the spammers defeated it 100% of the time.
Instead I used the 'Question and Answer' Captcha and so far, only legitimate users have got through.

Brian.