Hide action location in html form

Posted on 2008-01-31
Last Modified: 2008-02-04
I have a form that someone keeps spoofing. I am using PHP to process the form. I am using JavaScript to validate the form. After I applied the validation, I still received a couple of blank messages. I believe what is happening is the person or program is creating their own form and using my PHP script to process whatever it is they are doing. My form is `<FORM action='mail.php' method='post' name="request_form">`. Is there a way I can disguise or hide the action="mail.php" so they do not know where to process the form? I'm also open to other solutions.
Question by: rbudj
Accepted Solution

nplib earned 900 total points
ID: 20788636
Not really.

That's why people use CAPTCHA form validation.

That's where you see an image and have to type the numbers and letters in order for it to submit.

These spoofs are easy to do: disable JavaScript and your form validation doesn't work.

You can also do server-side validation instead of JavaScript.

Expert Comment

ID: 20788723
Not really,

The whole point behind a form is that the information on how to submit it must be present in the browser, and it will always be possible for someone to extract that and submit the form. It would be possible to obfuscate the action URL using some JavaScript hocus pocus, but that probably isn't a good idea. Aside from the fact that it is more prone to failure, they just need to break it once and can start spamming you again.

I think you'd be better off building some checks into the form processor itself. You could make sure it contains all the data you need to be certain the form has been sent from your site, and if it doesn't, just drop it there instead of sending it to you or recording it in a database.

If you're getting *lots* of spoofed forms, then he is probably using a machine to send them automatically. This type of attack can be guarded against pretty effectively using a CAPTCHA (one of those images with squiggly text on that humans can read but machines can't). Take a look at http://recaptcha.net/; they have one that is quite easy to set up and will help make sure that every form submitted is at least submitted by a human rather than a script.

Expert Comment

ID: 20788959
Although it's not the best way, one of the simplest could be to place a cookie on the user's machine or create a session variable of a unique code, say the date and time in an MD5 hash, i.e. `MD5(date('Y-m-d H:i:s', time()))`.

Write this to the session variable or cookie, and pass it through to the processing script as a hidden field. The first thing the processing script does is check the passed-through value against the session variable or cookie. If they match, it's come from your system; if not, don't process the form.

Like I say, not the best way, but it could be the quickest and simplest.
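The session-token check described in the comment above, as an added example that is not code from the thread. It assumes the form posts to mail.php with sessions enabled, and it swaps the MD5-of-timestamp for a random token (a timestamp-derived hash is guessable) and makes the token single-use.

```php
<?php
// Added example: per-session form token stored server-side, echoed back in a
// hidden field and compared on submit. Assumes the form posts to mail.php.
session_start();

function issue_form_token(): string {
    // random_bytes instead of MD5(date(...)): a timestamp hash can be guessed.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

// Returns true only if the submitted value matches the session token and the
// token is younger than $max_age seconds. The token is discarded either way,
// so a captured value cannot be replayed.
function form_token_is_valid(?string $submitted, int $max_age = 3600): bool {
    if ($submitted === null || !isset($_SESSION['form_token'])) {
        return false;
    }
    // hash_equals is a constant-time string comparison
    $ok = hash_equals($_SESSION['form_token'], $submitted)
       && (time() - $_SESSION['form_token_issued']) <= $max_age;
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!form_token_is_valid($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form did not originate from this site.');
    }
    // ... server-side field validation and mail() call go here ...
    exit('Thanks.');
}

$token = issue_form_token();
?>
<form action="mail.php" method="post" name="request_form">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

A bot that posts straight to mail.php without first loading the form has no session and no token, so the check fails before anything is mailed.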
Assisted Solution

gemdeals395 earned 600 total points
ID: 20789110
For one, you need to validate the input server side. So let's say you make the page contactUs.php; then for validation, in the form action make it `$_SERVER['PHP_SELF']`, then verify the fields, and for the email entered use checkdnsrr(). Now once everything is getting verified server side, if your issue is someone sending spam, you can make a table in your DB to record an IP and a timestamp, then only allow a second email from that IP after a certain amount of time has passed. :)
Expert Comment

ID: 20789802
checkdnsrr() wouldn't work in this case.

If they are using a spam spider bot, the bot is using the form but ignoring the JavaScript validation.

checkdnsrr() will always give him the IP address of his own server.

In this case, that is.

If they were sending from their own form that they created, then yes, it would work.

But that's not typically how spammers work.

Assisted Solution

gemdeals395 earned 600 total points
ID: 20790188
Checking the DNS of the email address is only to verify that the email address supplied is as valid as you can check after regex testing. Now on the bot, that's when checking IPs and setting a timestamp against how often you want each IP to be able to send an email comes in. You could also time the interval between requests, and if you decide that it's a bot, block the IP for 24 hours at a time, and if it occurs multiple times, block it forever.
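The server-side validation plus IP-and-timestamp table described in the two comments above, as an added example that is not code from the thread. It assumes SQLite through PDO; the table name `sends`, the five-minute window and the field names are constructed for this example.

```php
<?php
// Added example: server-side field checks, MX lookup on the email's domain,
// and a per-IP cooling-off window recorded in a SQLite table (assumed setup).

function open_rate_db(string $path = 'ratelimit.sqlite'): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS sends
               (ip TEXT PRIMARY KEY, last_sent INTEGER NOT NULL)');
    return $db;
}

// True if $ip may send now (and the send is recorded); false while the
// previous send from that IP is still inside the window.
function allow_send(PDO $db, string $ip, int $window = 300, ?int $now = null): bool {
    $now = $now ?? time();
    $stmt = $db->prepare('SELECT last_sent FROM sends WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $last = $stmt->fetchColumn();
    if ($last !== false && ($now - (int)$last) < $window) {
        return false;
    }
    $db->prepare('INSERT OR REPLACE INTO sends (ip, last_sent) VALUES (:ip, :t)')
       ->execute([':ip' => $ip, ':t' => $now]);
    return true;
}

// Field validation is done here, on the server, regardless of any JavaScript.
$email   = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$message = trim($_POST['message'] ?? '');
if ($email === false || $message === '') {
    http_response_code(400);
    exit('Missing or invalid fields.');
}
$domain = substr(strrchr($email, '@'), 1);
if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
    http_response_code(400);
    exit('Email domain does not accept mail.');
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (!allow_send(open_rate_db(), $ip)) {
    http_response_code(429);
    exit('Please wait before sending another message.');
}
// mail(...) would be called here once every check above has passed.
```

Note that REMOTE_ADDR is the address of whatever connected to your server; behind a proxy or load balancer it may be the proxy's address, so the window would then apply to all visitors at once.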
