Now two days ago some idiot from a casino site has begun to insert nonsense into the form fields, which is a little bit annoying, because we have to delete all those orders by hand.
Obviously this guy is doing that by hand, because it amounts in total to about 10 or 20 submissions per day. I do not really worry about his tag insertions, because I regard the cgi engine as 100% safe.
I might also modify the cgi in order to filter that out, but is that really worth the effort? Has anyone had similar experiences? How long will it take until he gives up?
I did use referer checking to make sure form submissions came from the website, but found it doesn't work for people using Norton and other software that hides the referer etc. Given up on that now.
Also try hiding your contact forms using different URLs, because spammers often use robots / spiders to check for files called contact.php etc. Rename them to something obscure so there's less chance of them being found.
> you might find that your forms allow spammers to post a CC or BCC field
I checked that. No way. All the form does is send an email to me and a second one to another mail account which I need for importing the data. My hosting company does not allow access to the databases from outside, so I have chosen this workaround to get access to the data and import it into my company's billing software.
I will wait a few more days and see what happens. If he doesn't give up I will write an extra include routine for defining some filters. It might do me some good service in the future.
Actually I do not send any mails as an automated action based on that form, except - as I said - two mails to my own accounts, the addresses of which are defined by my cgi script. All I do is store the (customer) mail address in my database for further requests, so I think I don't have to worry about bcc/cc attacks.
I am a bit worried about MySQL injection and that sort of stuff. It is quite some time ago that I wrote that cgi script. If I remember correctly, this is a question of configuring the escape methods of your webserver, isn't it? Are there any means by which unfiltered storage of post variables can harm one's database or lead to execution of unwanted code?
Are ALL of the email headers hardcoded in your script or are some of them passed to the script via the form?
For example, if the subject line is passed via the form (such as via a hidden input, etc.), a carefully placed newline character could allow the spammer to add a bcc/cc field and you would have no idea on your end.
the rest of the post variables are stored into my database and connected to a textstring covering the mere content of the two mails.
// $mypostvariables holds the escaped POST data handed over by the webserver
$email = $mypostvariables['E_MAIL'];

// one local part, optional dotted sub-parts, a domain and a 2-4 letter TLD
$regexp = '/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i';

// eregi() was removed in PHP 7; preg_match() with the /i flag is the
// case-insensitive equivalent and returns 1 only on a full-line match
$valid = 0;
if (preg_match($regexp, $email)) {
    $valid = 1;
} else {
    $valid = 0;
}
piece of PHP code in order to check whether the mail address is valid. By this code the inserted address was filtered out as invalid. I received only one mail as normal, none by the second mail account, and the From field was left empty due to the status of the $valid variable.
Secondly, the '\bcc:' sequence was correctly escaped as '\\bcc:' by the regular post-variable treatment of my webserver, as the text body of the mail revealed. I still think I'm on the safe side regarding bcc attacks. Thanks a lot for your contributions, again I learned something important at WW.
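Added example (not code from this thread or any poster): the newline-in-header problem described above, and the address check from the previous post, combined into one PHP check that runs before any form value reaches a mail header. The field names E_MAIL and SUBJECT and the helper names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Field names are assumed.

function has_header_injection(string $value): bool {
    // A raw CR/LF inside a header value ends that header and lets the
    // sender append new ones (Bcc:, Cc:). Also catch URL-encoded forms
    // in case a decoding layer upstream left them in place.
    return preg_match('/[\r\n]|%0[aAdD]/', $value) === 1;
}

function is_valid_email(string $email): bool {
    // Single-line address only; filter_var() also rejects CR/LF and
    // multiple @ signs, which the older regexp did not cover.
    return strlen($email) <= 254
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the header string for mail(), or null when the submission
// must be dropped (and, in practice, logged).
function build_headers(array $post): ?string {
    $email   = $post['E_MAIL'] ?? '';
    $subject = $post['SUBJECT'] ?? '';

    // Check for injection before any trimming, so a CR/LF is never
    // silently stripped from the ends and mistaken for a clean value.
    foreach ([$email, $subject] as $value) {
        if (has_header_injection($value)) {
            return null;
        }
    }
    $email = trim($email);
    if (!is_valid_email($email)) {
        return null;
    }
    // Only a validated, single-line value goes into a header line.
    return "From: $email\r\nReply-To: $email\r\n";
}

// Constructed sample submissions: one clean, one with an injected Bcc.
$clean  = ['E_MAIL' => 'customer@example.com', 'SUBJECT' => 'Order 123'];
$attack = ['E_MAIL' => "x@example.com\nBcc: someone@example.org",
           'SUBJECT' => 'Order 123'];

var_dump(build_headers($clean));   // header string
var_dump(build_headers($attack));  // null: submission rejected
```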
It's not unlikely you'd lose some, but if couched in a way that seems to be helpful to the customer - like "please check your order to be sure details are correct" or some such - you're likely to lose less. Still, for conversion's sake, no preview would be better.