rbudj
asked on
Hide action location in html form
I have a form that someone keeps spoofing. I am using PHP to process the form. I am using JavaScript to validate the form. After I applied the validation, I still received a couple of blank messages. I believe what is happening is the person or program is creating their own form and using my PHP script to process whatever it is they are doing. My form is <FORM action='mail.php' method='post' name="request_form">. Is there a way I can disguise or hide the action="mail.php" so they do not know where to process the form? I'm also open to other solutions.
Although it's not the best way, one of the simplest could be to place a cookie on the user's machine or create a session variable of a unique code, say date and time in an MD5 hash, i.e. MD5(date('Y-m-d H:i:s', time())).
Write this to the session variable or cookie, and pass it through to the processing script as a hidden field. The first thing the processing script does is check the pass-through value against the session variable or cookie. If they match, it's come from your system; if not, don't process the form.
Like I say, not the best way, but it could be the quickest and simplest.
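The session-token check described in the answer above, written out as an added example (not code from the thread). It keeps the answer's structure (token in the session, same token in a hidden field, compared first thing in mail.php) but generates the token with random_bytes() instead of an MD5 of the timestamp; the field name form_token, the session key, and the file names are assumptions for this example.

```php
<?php
// Added example, not from the original thread. Assumptions: the hidden field is
// named "form_token", the session key is "form_token", the form page and
// mail.php both run this code (or include it) after session_start().
declare(strict_types=1);
session_start();

// Called by the page that renders the form: creates a token once per session.
// random_bytes() is used here rather than the answer's MD5-of-timestamp, which
// a sender could guess from the clock.
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Builds the form HTML with the token embedded as a hidden field.
function render_request_form(): string
{
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="mail.php" method="post" name="request_form">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input type="text" name="name">'
         . '<input type="text" name="email">'
         . '<textarea name="message"></textarea>'
         . '<input type="submit" value="Send">'
         . '</form>';
}

// First check in mail.php: true only if the posted token matches the one this
// site issued in the same session. A form built elsewhere has no such token.
function verify_form_token(array $post): bool
{
    if (empty($_SESSION['form_token']) || empty($post['form_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so a wrong guess cannot be
    // refined by measuring response time.
    return hash_equals($_SESSION['form_token'], (string) $post['form_token']);
}

// --- mail.php: reject before doing anything else with the submission ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        http_response_code(403);
        exit('Form submission rejected.');
    }
    // Token accepted: process / mail the form here.
    // Discard the token so the same value cannot be replayed for a second send.
    unset($_SESSION['form_token']);
}
```

Because the token lives only in the server-side session, a submission that was not preceded by a request for your form page fails the check; that is also why the session cookie must be sent back with the POST, which a client that only fetched mail.php never does.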
checkdnsrr() wouldn't work in this case.
If they are using a spam spider bot, the bot is using the form but ignoring the JavaScript validation.
checkdnsrr() will always give him the IP address of his own server.
In this case, that is.
If they were sending from their own form that they created, then yes, it would work,
but that's not typically how spammers work.
The whole point behind a form is that the information on how to submit it must be present in the browser, and it will always be possible for someone to extract that and submit the form. It would be possible to obfuscate the action URL using some JavaScript hocus pocus, but that probably isn't a good idea; aside from the fact that it is more prone to failure, they just need to break it once and can start spamming you again.
I think you'd be better off building some checks into the form processor itself. You could make sure it contains all the data you need to be certain the form has been sent from your site, and if it doesn't, just drop it there instead of sending it to you or recording it in a database.
If you're getting *lots* of spoofed forms, then he is probably using a machine to send them automatically. This type of attack can be guarded against pretty effectively using a captcha (one of those images with squiggly text that humans can read but machines can't). Take a look at http://recaptcha.net/; they have one that is quite easy to set up and will help make sure that every form submitted is at least submitted by a human rather than a script.
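The server-side checks this answer recommends, as an added example for mail.php (not code from the thread or from the asker's site). It re-does on the server what the JavaScript validation does in the browser, so a client that skips the JavaScript still cannot get a blank message through. The field names name, email and message, the length limit, and the recipient address are assumptions.

```php
<?php
// Added example, not from the original thread: validation inside the
// processing script, where a sender cannot skip it. Field names, the length
// limit and the recipient address are assumptions for this example.
declare(strict_types=1);

const REQUIRED_FIELDS  = ['name', 'email', 'message'];
const MAX_MESSAGE_LEN  = 5000;

// Returns a list of problems with the submission; an empty array means accept.
function validate_request(array $post): array
{
    $errors = [];
    foreach (REQUIRED_FIELDS as $field) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $errors[] = "missing field: $field";
        }
    }
    if ($errors !== []) {
        return $errors;   // blank or partial submissions stop here
    }
    if (filter_var(trim((string) $post['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email address';
    }
    if (strlen((string) $post['message']) > MAX_MESSAGE_LEN) {
        $errors[] = 'message too long';
    }
    return $errors;
}

// Builds the mail body from fields that have already passed validation.
function build_mail_body(array $post): string
{
    return 'Name: ' . trim((string) $post['name']) . "\n"
         . 'Email: ' . trim((string) $post['email']) . "\n\n"
         . trim((string) $post['message']) . "\n";
}

// --- mail.php entry point ---
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$errors = validate_request($_POST);
if ($errors !== []) {
    // Drop it here instead of mailing or storing it; log so the volume of
    // rejected submissions stays visible to the site owner.
    error_log('request_form rejected: ' . implode('; ', $errors)
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Please fill in every field.');
}

// Only a submission that passed every check reaches mail().
mail('you@example.com', 'Request form', build_mail_body($_POST)); // placeholder recipient
```

The log line is the detection side of this: a sudden run of "missing field" rejections from the same address is the signal that the automated sender is still at it, even though none of its submissions reach your inbox any more.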