MaureenM

Perl form script returning blanks

I run a simple perl guestbook form script on my website that has been working perfectly for a few years.

Lately, however, I've been getting a lot of "blank" submissions -- so many, in fact, that I don't think they are coming just from folks fooling around.

The entries posted on the guestbook page show no content. And the email notification I receive, which contains the information from six different fields, only shows the names of two fields ("name" and "comment" -- the first and the last in the list) and the content for those are blank.

When I go to the form and submit it myself without entering any information in the fields, I get an email notification that shows three fields -- name, comment, and one that is a checkbox with one of the choices checked.

But when I get the "blanks," just the name & comment show, but without any content.    

Previously I noticed that if a user used the "enter" key to move from one field line to the next, it would launch the program. So I added a JavaScript to block the enter key and encourage the use of the tab key.

But I don't think that's the problem. Sometimes the form works just fine, and submissions come through as they should. But then I'll get 20 blanks a day.

Any ideas on what could be causing this and how I can fix it?

Thanks!

Kim Ryan

Are you using one of those dodgy Matt's scripts programs? There are better versions such as http://nms-cgi.sourceforge.net/guestbook.zip . As you are using Javascript already, I would extend it to not allow the page to be submitted until all required fields have a value. Then the empty forms never get posted to you in the first place. For an example see http://hotwired.lycos.com/webmonkey/reference/javascript_code_library/is_form_complete/?tw=reference&category=forms_data

can you imagine that your form is used without JavaScript enabled?
can you imagine that someone feeds your form programmatically with a script?

In both cases your CGI is responsible for checking passed in values. A common mistake which opens a wide security hole too.
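
An added example, not part of the original thread or of any guestbook script mentioned in it: a server-side check of the kind the comment above calls for, which rejects blank entries no matter how the request was sent. The field names "name" and "comment" come from the question; the length limits, the validate_entry helper and the sample submissions are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed required fields: only "name" and "comment" are named in the thread.
my @REQUIRED = qw(name comment);
my %MAX_LEN  = (name => 80, comment => 2000);    # assumed limits

# Returns a list of problems; an empty list means the entry may be stored
# and mailed. In the CGI itself, $method would be $ENV{REQUEST_METHOD} and
# %$param the decoded form fields.
sub validate_entry {
    my ($method, $param) = @_;
    my @errors;

    # The guestbook form uses POST; a bare URL fetch arrives as GET.
    push @errors, "method $method not allowed" unless $method eq 'POST';

    for my $field (@REQUIRED) {
        my $value = defined $param->{$field} ? $param->{$field} : '';
        $value =~ s/^\s+|\s+$//g;    # whitespace-only counts as blank
        if ($value eq '') {
            push @errors, "$field is blank";
        }
        elsif (length($value) > $MAX_LEN{$field}) {
            push @errors, "$field is too long";
        }
    }
    return @errors;
}

# Constructed sample submissions: one from a browser, three from a script
# that never ran the page's JavaScript.
my @samples = (
    [ 'browser, filled in',      'POST', { name => 'Ann', comment => 'Nice site' } ],
    [ 'script, GET, empty',      'GET',  { name => '',    comment => '' } ],
    [ 'script, POST, blanks',    'POST', { name => '   ', comment => '' } ],
    [ 'script, POST, no fields', 'POST', {} ],
);

for my $sample (@samples) {
    my ($label, $method, $param) = @$sample;
    my @errors = validate_entry($method, $param);
    printf "%-26s %s\n", $label,
        @errors ? 'REJECT: ' . join('; ', @errors) : 'ACCEPT';
}
```

The guestbook page and the notification email are written only when the returned list is empty, so a request that skips the browser check is dropped on the server.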
MaureenM

ASKER

Hi Teraplane --

Thanks for your rapid response.

Yes, it is a Matt's script. I'm not a programmer (as you obviously can tell) but that script worked well for me for a very long time.

I took a look at the Sourceforge script and tried to run it -- with no luck so far. I am installing it as a standalone, not as an emulation of Matt's script. I am concerned if I do that, I will lose some of the customization I had in the original Matt's script (I added a few additional fields) -- or lose the whole thing altogether.

I also took a look at the javascript and tried that out. It does work...when a field is not filled in, a message box pops up, gives a reminder to fill it in, and the cursor is taken back to that field...BUT the form launches BEFORE you can enter the necessary information.

Did you call the javascript method from the form input field?
<INPUT TYPE=BUTTON VALUE="OK" OnClick="IsFormComplete('form_name')">

which version of Matt's script do you use?
Some old versions are vulnerable to CGI-attacks (see my previous comment).
Please forget about JavaScript, it's not the solution to your problem, you need to fix it on the server.

ahoffman, I suggested Javascript as the user was already familiar with it, and not being a programmer would probably have felt more comfortable confining her changes to this area than dabbling with the CGI script. I still think it is best to use Javascript to screen for empty fields, so that blank forms never get submitted in the first place. Agree additional checks should then be made in the CGI itself. Curious to know how a form can be filled out programmatically. How is the click on the submit button handled?

Maureen, you might also like to look at http://www.bravenet.com/samples/guestbooks.php . It's a free service, the idea being they host and maintain 1 really good guestbook program, which is used by thousands of subscribers who don't want the hassle of installing CGI themselves.

> How is the click on the submit button handled?

wget http://your.dom.ain/cgi-bin/lazy.cgi?Name=""&AdDress="`try to fool the script`"&andsoon=andsoon

Just FYI
Has this helped you? Have you tried calling the javascript after OnClick?
ASKER CERTIFIED SOLUTION
Kim Ryan
I don't "reject" this answer (Sheesh! Is it necessary to be so harsh!) But I don't want to close the question, so I have to choose reject. Sorry, teraplane. I really appreciate your guidance.

Unfortunately, calling the Javascript after OnClick (but before </form>) still launches the form before it can be properly filled out. The button I am using is "INPUT TYPE="submit".

When I change it to "INPUT TYPE="BUTTON" -- it will give a pop-up reminder for all fields not filled in -- but then it won't send the form.


 
.. and I still can fool any JavaScript solution :-)
Maureen, that's OK to reject the answer, I realise now it wasn't properly tested. I looked into it a bit further and tested it out on a server. The trick was to place the OnSubmit in the form tag and have the javascript return a value. If it's false, the form won't get submitted, as in:

<FORM NAME="testform" METHOD=POST OnSubmit ="return IsFormComplete('testform')" ACTION="some_script.cgi">

Full program
------------


<HTML>
<HEAD>
<TITLE>Javascript : IsFormComplete v1.1</TITLE>
</HEAD>

<BODY>
<FONT SIZE=+1><B>IsFormComplete v1.1</B></FONT>
<P>
A simple demonstration of the IsFormComplete routine is given below.
Please note, however, that this routine should be called from within
another javascript routine and not as shown in this example.  This is
useful in that the outer routine can test whether or not the value
returned from IsFormComplete was TRUE or FALSE and submit the form to the
necessary CGI if the TRUE value was returned.
<P>

<HR>
This is a very crude form, but can be easily adapted to fit most any
application.

<BR>
<FORM NAME="testform" METHOD=POST OnSubmit ="return IsFormComplete('testform')" ACTION="some_script.cgi">
   Company name: <INPUT NAME="name of your company">
   <BR>
   Address 1: <INPUT NAME="first line of the postal address">
   <BR>
   Address 2: <INPUT NAME="second line of the postal address">
   <BR>
   <INPUT TYPE=SUBMIT>
</FORM>

<SCRIPT LANGUAGE=JavaScript>
// -----------------------------------------------------------------
// Function    : IsFormComplete
// Language    : JavaScript
// Description : Checks if all elements in a form have a non-blank value
// Copyright   : (c) 1998 Shawn Dorman
// http://www.goodnet.com/~sdorman/web/IsFormComplete.html
// -----------------------------------------------------------------
// Ver    Date    Description of modification
// --- ---------- --------------------------------------------------
// 1.0 08/31/1996 Original write
// 1.1 09/30/1998 CHG: Use standard header format
// -----------------------------------------------------------------
// Source: Webmonkey Code Library
// (http://www.hotwired.com/webmonkey/javascript/code_library/)
// -----------------------------------------------------------------

function IsFormComplete(FormName)
{
var x        = 0
var FormOk   = true
var Elements = document.forms[FormName].elements

while ((x < Elements.length) && (FormOk))
   {
     // Skip buttons: in current browsers a submit button without a VALUE
     // attribute has an empty value and would always fail the check
     var IsButton = (Elements[x].type == 'submit' || Elements[x].type == 'button' || Elements[x].type == 'reset')
     if (!IsButton && Elements[x].value == '')
     {
        alert('Please enter the '+Elements[x].name +' and try again.')
        Elements[x].focus()
        FormOk = false
     }
     x ++
   }
// Returning false from the form's OnSubmit handler cancels the submission
return FormOk
}

</SCRIPT>
</BODY>
</HTML>
Teraplane, thanks for your kind assistance and patience!

Your latest suggestion worked well when I tested it myself.

Now I've got the new form with the JavaScript in it up on my server. But I'll need to leave it there for a few days to see how effective it is in blocking the blanks.

If it's not, then I guess the problem really is with the Matt's script, and I'll have to start again with a newer guestbook script.

At any rate, you are the ginchiest ("the best!") and Experts Exchange is a great site. Thanks to you both.
 
Glad to help! There was also an example at webmonkey on how to detect a valid email address in a form field. If you have to start again with a new guestbook script, I would really recommend http://www.bravenet.com/samples/guestbooks.php . If it's free, why not let someone else do all the admin grunt work?

ahoffman, agree that javascript has security holes. But do you really think hackers are going to trawl through thousands of online guestbooks to try to break them? Surely there are bigger challenges around for them. I think javascript is the best solution here because it helps filter incomplete entries and it is easier for the user to insert javascript into the HTML page than muck around with some poorly maintained version of those dreadful Matt's archive scripts.
> .. agree that javascript has security holes ..
didn't mention here this truth ;-)

> .. really think hackers are going to trawl through thousands of online guestbooks to try to break them?
hmm, it's much simpler, see my wget suggestion before, then replace "hacker" with "script on computer", ready.

MaureenM, see my wget suggestion how to give you as many blanks as you don't expect.
Sorry for bad news.