[DUG] Contact form page
Gary T. Benner
gary at benner.co.nz
Thu Mar 20 07:12:33 NZDT 2014
Hi John et al,
I use very much the same type of PHP contact form, and have eliminated all such entries where I only wish to have contacts from NZ. I implemented a very simple test of whether the remote address (IP number) is from New Zealand. BTW I have tried simple Captcha-style mechanisms but was not totally successful in stopping these false contacts.
Check out:
http://www.phptutorial.info/iptocountry/the_script.html
My code that processes the request from the contact form then uses curl to access my IP2Country system and, if not from NZ, sends it to the ether; well, there is a message too, just to be polite.
My server is Linux and I run a cron process every night to update the IP2Country lookup tables.
HTH
Gary
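The server-side gate this thread talks about (Stefan's session-bound token and server-side validation, Gary's IP-to-country check, applied to the handler John quotes below), as an added example that is not code from any of the posters. It assumes PHP 7 or later; the IP2Country lookup URL is an assumption, since Gary's real interface is not shown on the list.

```php
<?php
// Added example (not code from John, Gary or Stefan): the server-side checks the
// thread recommends, applied to the quoted contact-form handler. Assumes PHP 7+
// and an IP2Country lookup at an assumed URL (Gary's real interface is not shown).
session_start();
// Issue a per-session token when the form page is rendered; put it in a hidden field.
function issueToken(): string {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
    return $_SESSION['csrf'];
}
// Country gate in the spirit of Gary's curl call to his IP2Country system.
function countryOf(string $ip): string {
    $ch = curl_init('http://localhost/ip2country/lookup.php?ip=' . urlencode($ip)); // assumed URL
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 3]);
    $code = curl_exec($ch);
    curl_close($ch);
    return is_string($code) ? strtoupper(trim($code)) : ''; // '' means the lookup failed
}
// Re-run the browser-side checks on the server: a bot posting directly never ran them.
function validateContact(array $post, string $sessionToken): array {
    $errors = [];
    $sent = (string)($post['csrf'] ?? '');
    if ($sessionToken === '' || !hash_equals($sessionToken, $sent)) {
        $errors[] = 'token';   // posted without first requesting the page
    }
    if (!preg_match('/^[A-Za-z][A-Za-z \'.-]{1,60}$/', $post['InputName'] ?? '')) {
        $errors[] = 'name';
    }
    if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $post['InputPhone'] ?? '')) {
        $errors[] = 'phone';   // rejects values like "LbXwjLfDDTFkIuBkPP"
    }
    $email = $post['InputEmail'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'email';   // CR/LF here would let extra headers ride in via "From: $Email"
    }
    return $errors;
}

if (($_POST['Submit'] ?? '') === 'Submit') {
    $errors = validateContact($_POST, (string)($_SESSION['csrf'] ?? ''));
    if (!$errors && countryOf($_SERVER['REMOTE_ADDR']) !== 'NZ') {
        $errors[] = 'country';
    }
    if ($errors) {
        error_log('contact form dropped from ' . $_SERVER['REMOTE_ADDR'] . ': ' . implode(',', $errors));
        $Msg = 'Thank you for your feedback.';   // polite reply, nothing mailed (as Gary does)
    } else {
        // build $body and call mail() exactly as in the original handler
    }
}
```

Logging the rejection reason and remote address gives you a record to check how much of the junk is token failures (bots posting blind) versus failed field validation.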
At 23:19 on 19/03/2014 you wrote
>It's probably from a spam bot.
>
>Don't forget that data validation needs to happen client side and server side. Server side because if a user has JavaScript disabled it wouldn't be validated, and also nothing really stops a bot from posting data directly without even requesting the page.
>
>The usual ways to cut down on bots posting include Captcha, using cookies/sessions with CSRF tokens to make sure only someone who requested the page can actually post, checking the content with Akismet/Defensio/etc. for spam content, and so on.
>
>PS: It's one of the reasons why I am not big on PHP. In PHP you kind of have to implement and handle this kind of security checking in every single form you do, and if you forget something somewhere then your website is at risk of getting abused/hacked. The ASP.NET framework does handle all of these basics for you out of the box. I feel very confident my websites will hold up much better to attacks than anything written in PHP. Don't get me wrong, I am not suggesting you ditch PHP just for your simple contact form, that would be overkill - just proof your PHP script better! But if you ever plan on doing something a bit bigger or more complex with multiple input forms then I seriously suggest you think twice before using PHP.
>
>Kind regards,
>
>Stefan Mueller,
>R&D Manager
>ORCL Toolbox Ltd.
>Auckland, New Zealand
>
>Please consider the environment before printing this email
>
>This message is intended for the addressee named above and may contain privileged or confidential information.
>If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone.
>
>From: delphi-bounces at listserver.123.net.nz [mailto:delphi-bounces at listserver.123.net.nz] On Behalf Of David O'Brien
>Sent: Wednesday, 19 March 2014 8:19 p.m.
>To: NZ Borland Developers Group - Delphi List
>Subject: Re: [DUG] Contact form page
>
>
>Possibly a Unicode or language problem?
>
>Sent from my Windows Phone
>
>From: John C <mailto:jc at sunshinesoftware.co.nz>
>Sent: 19/03/2014 8:16 p.m.
>To: NZ Borland Developers Group - Delphi List <mailto:delphi at delphi.org.nz>
>Subject: [DUG] Contact form page
>
>Hi all
>
>I have this website with a contact page (in PHP & HTML) where any person can submit a request with their contact details, which is emailed to me after clicking a submit button.
>
>All works fine; however, now and then I receive an email from this website/page where the details don't seem to have been filled in at "page level" but in another way, as the page does a submit validation check and the submitted phone number is e.g. "LbXwjLfDDTFkIuBkPP", something my validator doesn't allow for.
>
>Also other details are like:
>
>Name: Bjmpynut
>
>Organisation: ahTKXyxtYnCdo
>
>Position: Bjmpynut
>
>Phone: LbXwjLfDDTFkIuBkPP
>
>Email: gipnpmhk at uohrokgr.com
>
>
>All looks very suspicious. Any clues how this could happen at all and how to prevent this?
>
>The webpage in question is at http://www.relacs.co.nz/ContactUs.php
>
>The email creator resides in the post process of the page like:
>
> if($_POST['Submit']=="Submit")
> {
>   // every field is copied from $_POST as-is; no server-side check is made here
>   $Name = $_POST['InputName'];
>   $Email = $_POST['InputEmail'];
>   $Phone = $_POST['InputPhone'];
>   $Company = $_POST['InputCompany'];
>   $Position = $_POST['InputPosition'];
>   $Subject = $_POST['Subject'];
>   $Comment = $_POST['InputComment'];
>
>   $body = "Name: $Name\n\n";
>   $body.= "Company: $Company\n\n";
>   $body.= "Position: $Position\n\n";
>   $body.= "Phone: $Phone\n\n";
>   $body.= "Email: $Email\n\n";
>   $body.= "Subject: $Subject\n\n";
>   $body.= "Comment: $Comment";
>
>   $Receiver = "info at relacs.co.nz" ;
>   // $Email goes straight into the From: header of the outgoing mail
>   $send = mail($Receiver, "Feedback website - RELACS", $body, "From: $Email");
>   $Msg = "Thank you $Name for your feedback. We will get back to you ASAP";
> }
>
>Thanks for any help and/or suggestions.
>
>John Ch
>
>_______________________________________________
>NZ Borland Developers Group - Delphi mailing list
>Post: delphi at listserver.123.net.nz
>Admin: http://delphi.org.nz/mailman/listinfo/delphi
>Unsubscribe: send an email to delphi-request at listserver.123.net.nz with Subject: unsubscribe