Solved

Perl form script returning blanks

Posted on 2002-04-23
Last Modified: 2010-03-05
I run a simple perl guestbook form script on my website that has been working perfectly for a few years.

Lately, however, I've been getting a lot of "blank" submissions -- so many, in fact, that I don't think they are coming just from folks fooling around.

The entries posted on the guestbook page show no content. And the email notification I receive, which contains the information from six different fields, only shows the names of two fields ("name" and "comment" -- the first and the last in the list) and the content for those are blank.

When I go to the form and submit it myself without entering any information in the fields, I get an email notification that shows three fields -- name, comment, and one that is a checkbox with one of the choices checked.

But when I get the "blanks," just the name & comment show, but without any content.    

Previously I noticed that if a user used the "enter" key to move from one field line to the next, it would launch the program. So I added a JavaScript to block the enter key and encourage the use of the tab key.

But I don't think that's the problem. Sometimes the form works just fine, and submissions come through as they should. But then I'll get 20 blanks a day.

Any ideas on what could be causing this and how I can fix it?

Thanks!

Question by:MaureenM

Expert Comment

by:Kim Ryan
ID: 6964804
Are you using one of those dodgy Matt's scripts programs? There are better versions such as http://nms-cgi.sourceforge.net/guestbook.zip . As you are using Javascript already, I would extend it to not allow the page to be submitted until all required fields have a value. Then the empty forms never get posted to you in the first place. For an example see http://hotwired.lycos.com/webmonkey/reference/javascript_code_library/is_form_complete/?tw=reference&category=forms_data

Expert Comment

by:ahoffmann
ID: 6965051
can you imagine that your form is used without JavaScript enabled?
can you imagine that someone feeds your form programmatically with a script?

In both cases your CGI is responsible for checking passed in values. A common mistake which opens a wide security hole too.

Author Comment

by:MaureenM
ID: 6965185
Hi Teraplane --

Thanks for your rapid response.

Yes, it is a Matt's script. I'm not a programmer (as you obviously can tell) but that script worked well for me for a very long time.

I took a look at the Sourceforge script and tried to run it -- with no luck so far. I am installing it as a standalone, not as an emulation of Matt's script. I am concerned if I do that, I will lose some of the customization I had in the original Matt's script (I added a few additional fields) -- or lose the whole thing altogether.

I also took a look at the javascript and tried that out. It does work...when a field is not filled in, a message box pops up and gives a reminder to fill it in, and the cursor is taken back to that field...BUT the form launches BEFORE you can enter the necessary information.


Expert Comment

by:Kim Ryan
ID: 6965277
Did you call the javascript method  from the form input field?
<INPUT TYPE=BUTTON VALUE="OK" OnClick=IsFormComplete("form_name")>

Expert Comment

by:ahoffmann
ID: 6965663
which version of Matt's script do you use?
Some old versions are vulnerable to CGI-attacks (see my previous comment).
Please forget about JavaScript, it's not the solution of your problem, you need to fix it on the server.

Expert Comment

by:Kim Ryan
ID: 6967323
ahoffmann, I suggested Javascript as the user was already familiar with it, and not being a programmer would probably have felt more comfortable confining her changes to this area than dabbling with the CGI script. I still think it is best to use Javascript to screen for empty fields, so that blank forms never get submitted in the first place. Agree additional checks should then be made in the CGI itself. Curious to know how a form can be filled out programmatically. How is the click on the submit button handled?

Maureen, you might also like to look at http://www.bravenet.com/samples/guestbooks.php . It's a free service, the idea being they host and maintain 1 really good guestbook program, which is used by thousands of subscribers who don't want the hassle of installing CGI themselves.

Expert Comment

by:ahoffmann
ID: 6967806
> How is the click on the submit button handled?

wget http://your.dom.ain/cgi-bin/lazy.cgi?Name=""&AdDress="`try to fool the script`"&andsoon=andsoon

Just FYI

Expert Comment

by:Kim Ryan
ID: 6972617
Has this helped you? Have you tried calling the javascript after OnClick?

Accepted Solution

by:
Kim Ryan earned 75 total points
ID: 6982208
Hope these suggestions have been useful.
<INPUT TYPE=BUTTON VALUE="OK" OnClick=IsFormComplete("form_name")>
http://www.bravenet.com/samples/guestbooks.php

Author Comment

by:MaureenM
ID: 6985650
I don't "reject" this answer (Sheesh! Is it necessary to be so harsh!) But I don't want to close the question, so I have to choose reject. Sorry, teraplane. I really appreciate your guidance.

Unfortunately, calling the Javascript after OnClick (but before </form>) still launches the form before it can be properly filled out. The button I am using is "INPUT TYPE="submit".

When I change it to "INPUT TYPE="BUTTON" -- it will give a pop-up reminder for all fields not filled in -- but then it won't send the form.


 

Expert Comment

by:ahoffmann
ID: 6986175
.. and I still can fool any JavaScript solution :-)

Expert Comment

by:Kim Ryan
ID: 6987552
Maureen, that's OK to reject the answer, I realise now it wasn't properly tested. I looked into it a bit further and tested it out on a server. The trick was to place the OnSubmit in the form tag and have the javascript return a value. If it's false, the form won't get submitted, as in-

<FORM NAME="testform" METHOD=POST OnSubmit ="return IsFormComplete('testform')" ACTION="some_script.cgi">

Full program
------------


<HTML>
<HEAD>
<TITLE>Javascript : IsFormComplete v1.1</TITLE>
</HEAD>

<BODY>
<FONT SIZE=+1><B>IsFormComplete v1.1</B></FONT>
<P>
A simple demonstration of the IsFormComplete routine is given below.
Please note, however, that this routine should be called from within
another javascript routine and not as shown in this example.  This is
useful in that the outer routine can test whether or not the value
returned from IsFormComplete was TRUE or FALSE and submit the form to the
necessary CGI if the TRUE value was returned.
<P>

<HR>
This is a very crude form, but can be easily adapted to fit most any
application.

<BR>
<FORM NAME="testform" METHOD=POST OnSubmit ="return IsFormComplete('testform')" ACTION="some_script.cgi">
   Company name: <INPUT NAME="name of your company">
   <BR>
   Address 1: <INPUT NAME="first line of the postal address">
   <BR>
   Address 2: <INPUT NAME="second line of the postal address">
   <BR>
   <INPUT TYPE=SUBMIT>
</FORM>

<SCRIPT LANGUAGE=JavaScript>
// -----------------------------------------------------------------
// Function    : IsFormComplete
// Language    : JavaScript
// Description : Checks if all elements in a form have a non-blank value
// Copyright   : (c) 1998 Shawn Dorman
// http://www.goodnet.com/~sdorman/web/IsFormComplete.html
// -----------------------------------------------------------------
// Ver    Date    Description of modification
// --- ---------- --------------------------------------------------
// 1.0 08/31/1996 Original write
// 1.1 09/30/1998 CHG: Use standard header format
// -----------------------------------------------------------------
// Source: Webmonkey Code Library
// (http://www.hotwired.com/webmonkey/javascript/code_library/)
// -----------------------------------------------------------------

function IsFormComplete(FormName)
{
var x        = 0
var FormOk   = true
var Elements = document.forms[FormName].elements

// Stop at the first blank field; the return value decides whether
// the browser goes on to submit the form.
while ((x < Elements.length) && (FormOk))
   {
     // Skip buttons: a submit button with no VALUE attribute reports an
     // empty value and would otherwise block every submission.
     var Type = Elements[x].type
     if (Type != 'submit' && Type != 'button' && Type != 'reset' && Elements[x].value == '')
     {
        alert('Please enter the '+Elements[x].name +' and try again.')
        Elements[x].focus()
        FormOk = false
     }
     x ++
   }
return FormOk
}

</SCRIPT>
</BODY>
</HTML>

Author Comment

by:MaureenM
ID: 6988179
Teraplane, thanks for your kind assistance and patience!

Your latest suggestion worked well when I tested it myself.

Now I've got the new form with the JavaScript in it up on my server. But I'll need to leave it there for a few days to see how effective it is in blocking the blanks.

If it's not, then I guess the problem really is with the Matt's script, and I'll have to start again with a newer guestbook script.

At any rate, you are the ginchiest ("the best!") and Experts Exchange is a great site. Thanks to you both.
 

Expert Comment

by:Kim Ryan
ID: 6989261
Glad to help! There was also an example at webmonkey on how to detect a valid email address in a form field. If you have to start again with a new guestbook script, I would really recommend http://www.bravenet.com/samples/guestbooks.php . If it's free, why not let someone else do all the admin grunt work?

ahoffmann, agree that javascript has security holes. But do you really think hackers are going to trawl through thousands of online guestbooks to try to break them? Surely there are bigger challenges around for them. I think javascript is the best solution here because it helps filter incomplete entries and it is easier for the user to insert javascript into the HTML page than muck around with some poorly maintained version of those dreadful Matt's archive scripts.

Expert Comment

by:ahoffmann
ID: 6991686
> .. agree that javascript has security holes ..
didn't mention here this truth ;-)

> .. really think hackers are going to trawl through thousands of online guestbooks to try to break them?
hmm, it's much simpler, see my wget suggestion before, then replace "hacker" with "script on computer", ready.

MaureenM, see my wget suggestion how to give you as much blanks as you don't expect.
Sorry for bad news.
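
The point ahoffmann makes in this thread, that the CGI itself has to check the passed-in values because a request can arrive without the browser's JavaScript ever running, shown as an added example that is not code from the thread or from either guestbook script. The field names name and comment are the ones the question mentions; the length limits, sub names and sample query strings are assumptions constructed for illustration.

```perl
# Added example (not from the thread): server-side checks for a guestbook entry.
use strict;
use warnings;

# Assumed policy: required fields and illustrative maximum lengths.
my %REQUIRED = (name => 80, comment => 2000);

# Decode an application/x-www-form-urlencoded string into a hash reference.
sub parse_form {
    my ($raw) = @_;
    my %f;
    for my $pair (split /[&;]/, $raw // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) { $_ //= ''; tr/+/ /; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge }
        $f{$k} = $v;
    }
    return \%f;
}

# Return a list of problems; an empty list means the entry may be stored.
sub validate {
    my ($f) = @_;
    my @errors;
    for my $field (sort keys %REQUIRED) {
        my $v = $f->{$field} // '';
        (my $trimmed = $v) =~ s/^\s+|\s+$//g;
        if ($trimmed eq '') {
            push @errors, "$field is missing or blank";
        } elsif (length $v > $REQUIRED{$field}) {
            push @errors, "$field is too long";
        }
    }
    # "name" is copied into the notification e-mail, so keep it to one line.
    push @errors, 'name has control characters' if ($f->{name} // '') =~ /[\x00-\x1f\x7f]/;
    return @errors;
}
# Constructed sample query strings, not captured traffic.
my @samples = (
    'name=Ann&comment=Nice+site%21',   # normal browser submission
    'name=&comment=',                  # blank entry sent without the form page
    'name=%20%20&comment=hi',          # whitespace-only name
    'comment=hello',                   # required field left out entirely
);
for my $raw (@samples) {
    my @errors = validate(parse_form($raw));
    printf "%-32s %s\n", $raw, @errors ? 'REJECT: ' . join('; ', @errors) : 'ACCEPT';
}
```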