Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 392
  • Last Modified:

Website form, make it mandatory to enter in data

I have a form on my website, and I am getting lots of hits from people just clicking submit and not entering any data. What do I need to add to my form so they have to enter there name or email before they hit submit.
I will past the code here. I don't know if that is what the code box is for but I will know for next time.

<form action="gdform.asp" method="post">
    <input name="ARThankyouURL" type="hidden" id="ARThankyouURL" value="http://www.mydomain.com/thankyoufreereport.asp">
    <input name="copyarresponse" type="hidden" id="copyarresponse" value="1">
    <input name="custom" type="hidden" id="custom" value="1">
    <input name="defaultar" type="hidden" id="defaultar" value="58357">
    <input name="allowmulti" type="hidden" id="allowmulti" value="1">
    <input name="showSuccessBox" type="hidden" id="showSuccessBox" value="true">
    <input name="visiblefields" type="hidden" id="visiblefields" value="Name,Email1,Company,Workphone,Address1,City,State,Zip">
    <input name="requiredfields" type="hidden" id="requiredfields" value="Name,Email1,Company,Workphone,Address1,City,State,Zip">
    <input type="hidden" name="fieldname7" value="Title">
    <input type="hidden" name="required7" value="1">
    <p>
      <label for="name">Name:</label>
      <input name="name" type="text" id="name" size="30">
      </p>
    <p>
      <label for="field7">Title:</label>
      <input name="field7" type="text" size="30" id="field7">
        </p>
    <p>
      <label for="company">Company:</label>
      <input name="company" type="text" id="company"  size="30">
    </p>
    <p>
      <label for="address1">Address:</label>
      <input name="address1" type="text" id="address1" size="30">
     </p>
    <p>
      <label for="city">City:</label>
      <input name="city" type="text" id="city" size="30">
  </p>
    <p>
      <label for="state">State:</label>
      <input name="state" type="text" id="state" size="30">
     </p>
    <p>
      <label for="zip">Zip:</label>
      <input name="zip" type="text" id="zip" size="30">
      </p>
    <p>
      <label for="workphone">Workphone:</label>
      <input name="workphone" type="text" id="workphone" size="30">
     </p>
    <p>
      <label for="email1">Email:</label>
      <input name="email1" type="text" id="email1" size="30" />
     </p>
    <p>
      <input type="hidden" name="redirect" value="thankyoufreereport.asp"/>
<input type="submit" name="Submit" value="Send Me the Report" class="redbutton" style="margin-left: 90px">
    </p>
  </form>
0
calitech
Asked:
calitech
  • 8
  • 7
  • 6
  • +4
3 Solutions
 
Adam314Commented:
The best way would be to add a check on the server, in your gdform.asp file.  You could put the check in javascript on the client, but users can easily get around that by disabling javascript.

I'm not familiar with asp, but if you attach the file, you'll probably find someone that can help.
0
 
OnthraxCommented:
I would too recommend using server side validation as client side (javascript) can be easily circumvented. Although a javascript check would be more user friendly so you can do both.

To check in ASP if for instance the name has been set you can do something like this:

if len(request.form("name")) < 5 then
   'Smaller than 5 characters, probably invalid, do not put into database and return error msg.
end if
0
 
Wayne BarronCommented:
Have a look here at this demostration.
If you want something fast and easy
You can do a ClientSide JavaScript
http:Q_24334730.html?cid=236#a24224866
(Pay attention to the Form Name and OnSubmit functions.)

hth
Have a good one.
Carrzkiss
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
JoachimMartinsenCommented:

<%
 
formName = request.form("name")
formMail = request.form("email1")
 
if len(formName)>0 and len(formMail)>0 then
	' User have entered both Name and Email
	' Continue with the process
else
	' Name and Email fields seems to be empty
	' Don't proceed, and tell the user to fill out the fields
end if
 
%>

Open in new window

0
 
calitechAuthor Commented:
This is my Gdform.asp code. Where do I add the code?
<%
 
Dim landing_page, host_url
Dim fso, outfile, filename, dirname, myFolder
Dim req_method, key, value
Dim bErr, errStr, bEmpty
On Error resume next
bErr = false
bEmpty = true
errStr = ""
Set fso = Server.CreateObject("Scripting.FileSystemObject")
host_url = Request.ServerVariables("HTTP_HOST")
req_method = Request.ServerVariables("REQUEST_METHOD")
dtNow = Now()
filename = Server.MapPath("\ssfm")
dirname = filename
filename = filename & "\gdform_" & DatePart("M", dtNow) & DatePart("D", dtNow) & DatePart("YYYY", dtNow) & DatePart("N", dtNow) & DatePart("S", dtNow)
 
Function FormatVariableLine(byval var_name, byVal var_value)
	Dim tmpStr
	tmpStr = tmpStr & "<GDFORM_VARIABLE NAME=" & var_name & " START>" & vbCRLF
	tmpStr = tmpStr & var_value & vbCRLF
	tmpStr = tmpStr & "<GDFORM_VARIABLE NAME=" & var_name & " END>"
	FormatVariableLine = tmpStr
end function
 
Sub OutputLine(byVal line)
   outfile.WriteLine(line)
end sub
 
if err.number = 0 then
	Set outfile = fso.CreateTextFile(filename, true, false)
	if err.number <> 0 then
			bErr = true
			errStr = "Error creating file! Directory may not be writable or may not exist.<br>Unable to process request."
	else
		if(req_method = "GET") then
			for each Item in request.QueryString
				if item <> "" then
					bEmpty = false
					key = item
					value = Request.QueryString(item)
					if(lcase(key) = "redirect") then
						landing_page = value
					else
						line = FormatVariableLine(key, value)
						Call OutputLine(line)
					end if
				end if	
			next
		elseif (req_method = "POST") then
			for each Item in request.form
				if item <> "" then
					bEmpty = false
					key = item
					value = Request.form(item)
					if(lcase(key) = "redirect") then
						landing_page = value
					else
						line = FormatVariableLine(key, value)
						Call OutputLine(line)
					end if
				end if	
			next
		end if
		outfile.close
	end if	
	if(bEmpty = true) AND errStr = "" then
		bErr = true
		errStr = errStr & "<br>No variables sent to form! Unable to process request."
	end if
	if(bErr = false) then	
		if (landing_page <> "") then
			response.Redirect "http://" & host_url & "/" & landing_page
		else
			response.Redirect "http://" & host_url	
		end if
	else
		Response.Write errStr
	end if	
	set fso = nothing
else
  Response.Write " An Error Occurred creating mail message. Unable to process form request at this time."
end if
%>

Open in new window

0
 
Wayne BarronCommented:
(It has been 12 days, hopefully he is still around)

Here are a few links.
(Serverside is the best way to go with this one)
http://www.haneng.com/lessons_13.asp
http://www.aspwebpro.com/aspscripts/forms/basicformvalidation.asp

There are a lot more as well.
But they are 2 of the easest ones to implement and quick.

Good Luck
Carrzkiss
0
 
Wayne BarronCommented:
By the way.
Whack
>> CGI Scripting
This is not CGI. This is ASP (or) Javascript.

Have a good one.
Carrzkiss
0
 
ahoffmannCommented:
> .. What do I need to add to my form so they have to enter there name or email before they hit submit.
as already suggested: using client side scripting (JavaScript, ActiveX, etc.) is the onle way to do it, but it is unreliable too as it can be circumvented
The only reliable method is that your receiving script checks the values.
0
 
Wayne BarronCommented:
ahoffmann
I am sorry, but you are incorrect on this being "Clientside" Only.
The links that I provided in the post above http:#a24333518
And this link here
http://www.asp101.com/articles/hojjat/formvalidation/default.asp
code
http://www.asp101.com/articles/hojjat/formvalidation/formvalidation.zip

Clientside is simple, but if they do not have Javascript enabled, then it is not going to work.
As well as reverse engineering, and bypass is pretty simple to do.
(Of which I am going to be taking down my demo from my post above, as it is Javascript)

Carrzkiss
0
 
Michel PlungjanIT ExpertCommented:
Seems the script tests empty fields already

if(bEmpty = true) AND errStr = "" then
  bErr = true
  errStr = errStr & "<br>No variables sent to form! Unable to process request."
end if

0
 
ahoffmannCommented:
> .. but you are incorrect ..
may be, but show one example without client side scripting sending a reuest where the form is filled (except the form variables have been preset by a tag's value= attribute)

There may be solutions using CSS, I didn't check ...
0
 
Wayne BarronCommented:
This for one.
http://www.haneng.com/lessons_13.asp
There is no way that a user can reverse engineering this code.
Unless they were to some how get their hands on the source.

Run the demo. All you see is HTML code. There is nothing else to allow the user to do anything else.
But, to fill out the form and submit it to the Server for processing.

Have a good one.
Carrzkiss
0
 
ahoffmannCommented:
carrzkiss, don't know what you're talking/complaining about
The questions is:
   > need to add to my form so they have to enter there name or email before they hit submit.

And that's not possible without client side scripting. None of your links check it on the client side, all do it server side, hence *after* the submit.
Please correct me if I'm wrong.
0
 
Michel PlungjanIT ExpertCommented:
ANYWAY to answer this question

<form action="gdform.asp" method="post" onClick="return validate(this)">
.
.
   <input name="fullname" type="text" id="name" size="30"> <------ name="name" is not a great idea
.
.
 <input name="email1" type="text" id="email1" size="30" />

and have in the head

<script type="text/javascript">
function validate(theForm) {
  if (theForm.fullname.value=="") {
    alert('Please enter a name');
    theForm.fullname.focus();
    return false
  }
  if (theForm.email1.value=="") {
    alert('Please enter an email');
    theForm.email1.focus();
    return false
  }
  return true; // allow submit
}
</script>

Open in new window

0
 
Michel PlungjanIT ExpertCommented:
and if you want to stop robots from filling in your form and spamming you and others, change to the following which WILL force the user to have javascript

<form action="" method="post" onClick="return validate(this)">

and have

<form action="" method="post" onClick="return validate(this)">
 
<script type="text/javascript">
function validate(theForm) {
  if (theForm.fullname.value=="") {
    alert('Please enter a name');
    theForm.fullname.focus();
    return false
  }
  if (theForm.email1.value=="") {
    alert('Please enter an email');
    theForm.email1.focus();
    return false
  }
  theForm.action="gdform.asp"; 
  return true; // allow submit
}
</script>

Open in new window

0
 
ahoffmannCommented:
> .. which WILL force the user to have javascript ..
mplungjan, I guess we both know that there're infinite ways to submit automated without javascript too (unless the form uses unique session tokens ;-)
0
 
Michel PlungjanIT ExpertCommented:
Not if there is no action
0
 
ahoffmannCommented:
are you talking about "monkey forms"? they are submitted to the page URL itself, where is the problem (except with non-w3c-conform browsers)?
0
 
Michel PlungjanIT ExpertCommented:
The code I posted will not submit to the gdform unless it was run in a browser(-like) environment
0
 
Wayne BarronCommented:
@ahoffmann
>>carrzkiss, don't know what you're talking/complaining about
---------------------------------------------
OK ahoffmann I was not talking bad about you, so I expect the same professionalism from you as well.
---------------------------------------------
(((The question is:
   > need to add to my form so they have to enter there name or email before they hit submit.)))

The link that I provided checks to see if the information is submitted.
Regardless of rather or not the [Submit] button is clicked or not.

Let's look at something here.
Let's say that you go onto a page, and you see a <form> and 2 fields and a button.
Now, How are you going to tell that the user is even messing with the <form> unless they
1 - Type in information in the form fields
2 - Click the Submit button.

So.
You have to click the button somewhere in order to find out if the user is on the <form>
As they could be anywhere else on the page.
(Unless the page is one giant javascript that grabs your Mouse's movement )
(Correct me if I am wrong on this one, I do not believe that I am)
So.

If the Developer does not want the Visitor to click through to an error page, BUT wants to keep the
User on the same page, until the form is completed fully, then they can use this script.
http://www.asp101.com/articles/hojjat/formvalidation/default.asp
This will validate each field that is required.
If the user misses a required field, the Focus is set on that field when the Button is clicked.
In return, doing the same exact thing that [mplungjan:] posted here http:#a24333758
Except that there is no way that the visitor (Hacker X) can reverse engineer the site by removing
The Validation Script from the page.
(mplungjan  I mean no offence on your code, just making a point)

So, to calitech, If you want to keep the page secure, then you can use my script(s) provided from either of the links from my last 2 linked post.
(or) you can use JavaScript.

Have a good one all.
Once again to "mplungjan" no offence for using your code as an example.
(It is almost the same thing as what I initially posted here http:#a24230778

Carrzkiss
0
 
ahoffmannCommented:
@carrzkiss, @mplungjan
no offense meant at all

Said this, I state that there is no way to protect a page in a way without using sophisticated javascript (or any other client side scripting) submitting an empty form from within a browser. Though, I've to admit that I never tried CSS for that, it might work in modern browsers.
If any doubt, please feel free to post the HTML code I can use with lynx ;-)

And i.g. it is impossible to protect the application from receiving empty forms, it's always possible to script such requests.

@calitech, sorry for some (probably) off-topic discussion.
In short words: reliable solutions are always server side
0
 
Michel PlungjanIT ExpertCommented:
@Carrzkiss, no offence taken - I did not visit the link given.
the code I provided here works with the form given in this question and verifying server side what is sent is always a good idea - something it SEEMS the gdform.php is doing if the settings are correct
0
 
Michel PlungjanIT ExpertCommented:
Yes, I agree we should finish it in one question

I gave 2 complete CLIENT-SIDE solutions in  http:Q_24353611.html?cid=238#a24333746 and  http:Q_24353611.html?cid=238#a24333758

and you got server side versions here too from carrzkiss
0
 
Wayne BarronCommented:
I agree with mplungjan, this does need to be taken care of here and not in another post.
The link that is covered in my post as well do what is needed on the server side.
It is complete and works like a charm. And if hack proof.
http:Q_24353611.html?cid=238#a24334723

calitech,
If you feel over-whelmed with the information that is provided here.
Just simply spend a little time and go through each indivisual EE's post and see what better suits you.
Did not bother with the post here that I made http:Q_24353611.html?cid=238#a24230778
As it is Client Side validation, and I no longer use them methods, as they are not hack proof.

Good Luck
Carrzkiss
0
 
Michel PlungjanIT ExpertCommented:
Erm, the recommendation from BOTH experts was to NOT close but to FINISH this question by IMPLEMENTING our suggestions
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 8
  • 7
  • 6
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now