Can a form be submitted if there's no submit button?

         

littlegiant

6:28 pm on Aug 6, 2006 (gmt 0)

10+ Year Member



I wrote a javascript that filters out bad input from all text boxes in a form and then I inserted the submit button for the form using the javascript document.write() method. Hence, if the user has Javascript enabled then my bad input filters will work and if the user has Javascript disabled then they won't be able to submit the form at all. Is this a secure situation? Or is there some way to submit a form even though there's no submit button?

Any comment would be appreciated.

Thanks.

kaled

10:45 pm on Aug 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You could create the submit button disabled and enable it using javascript. You could also use javascript to set the form action. However, in the absence of a submit button or a submit function, the form cannot be submitted so it is secure (but it may be annoying and/or confusing).

Kaled.

littlegiant

9:08 am on Aug 7, 2006 (gmt 0)

10+ Year Member



Thanks for your reply, Kaled, but it seems to me now that there must be a way to submit a form in the absence of a submit button because I'm having problems with a spammer abusing one of my contact forms. I put my Javascript 'security' system in place (as described above) and I'm still getting spam from this guy. Now however, the referer and user agent lines which usually appear in any emails coming from the spammer are blank.

daveVk

10:35 am on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Call the form's submit method, e.g. MyForm.submit()

littlegiant

10:37 am on Aug 7, 2006 (gmt 0)

10+ Year Member



Okay I realize that this is no longer a Javascript question. I'm currently reading some threads on web form spam and I've taken some measures to solve the problem. I'll start another thread in the appropriate category if need be (unless anyone has anything to add here).

littlegiant

10:40 am on Aug 7, 2006 (gmt 0)

10+ Year Member



What I understand, DaveVk, is that some kind of automated spam bot is abusing my form by calling up my form script directly, so I don't think any kind of Javascript security block is going to work. Correct me if I'm wrong please.

vincevincevince

11:00 am on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do this...

Add (using javascript) a hidden field.

In your form processing (server side) reject anything without that additional field.

The spammer will still be using the old form parameters (pre your javascript changes), just editing the POST request before resending it.
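
Added example, not part of the thread or any poster's code: a server-side check along the lines described in the post above, which rejects POST bodies that lack the script-added hidden field and repeats the input checks on the server, where a request sent straight to the form script cannot skip them. The field name "js_check", its value, the length limits and the sample bodies are assumptions constructed for illustration.

```javascript
// Server-side gate for a contact-form POST (illustrative, names are hypothetical).
const JS_FIELD = "js_check";   // hidden field the page's script adds (assumed name)
const JS_VALUE = "enabled";    // value the script sets (assumed)
const LIMITS = { name: 80, email: 120, message: 2000 }; // assumed length limits

// Parse an application/x-www-form-urlencoded body, whoever sent it.
function parseForm(rawBody) {
  const params = new URLSearchParams(rawBody);
  const fields = {};
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    // Keep duplicated fields visible as arrays so they can be rejected.
    fields[key] = values.length === 1 ? values[0] : values;
  }
  return fields;
}

// Decide on the server whether the submission is accepted.
function checkSubmission(rawBody) {
  const f = parseForm(rawBody);
  const reasons = [];
  // 1. The hidden field is absent from requests built from the old form.
  if (f[JS_FIELD] !== JS_VALUE) reasons.push("missing-js-field");
  // 2. Repeat the input filtering here; client-side filters never ran
  //    for a request posted directly to the form script.
  for (const [name, max] of Object.entries(LIMITS)) {
    const v = f[name];
    if (typeof v !== "string" || v.trim() === "") {
      reasons.push(`${name}:invalid`);
      continue;
    }
    if (v.length > max) reasons.push(`${name}:too-long`);
    // Single-line fields must not carry control characters or line breaks.
    if (name !== "message" && /[\x00-\x1f\x7f]/.test(v)) {
      reasons.push(`${name}:control-char`);
    }
  }
  return { accepted: reasons.length === 0, reasons };
}

// Constructed sample bodies.
const SAMPLES = {
  browser: "name=Ann&email=ann%40example.com&message=Hello&js_check=enabled",
  replayed: "name=Bot&email=bot%40example.com&message=Buy+now",
  control: "name=Ann%0AX&email=ann%40example.com&message=Hello&js_check=enabled",
};
```

A fixed field value only filters requests built from the form as it was before the change; the server-side input checks apply to every request regardless of how it was produced.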

daveVk

11:12 am on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Consider removing onsubmit event handling, use regular button (or link) in place of submit button that calls old onsubmit code and submits form, perhaps add a dummy onsubmit event handler and/or dummy (hidden?) submit button. Guess it depends how smart the scam agent is.

Agree with vince

[edited by: daveVk at 11:15 am (utc) on Aug. 7, 2006]

littlegiant

2:07 pm on Aug 7, 2006 (gmt 0)

10+ Year Member



That's a great idea, Vince. I'll try that.

DaveVk, I'm not sure I get what you mean. According to one of my javascript manuals (The Javascript Bible), in order to work, the onsubmit event handler requires a 'real' submit button [as opposed to a button type input using the form.submit() method]. Did I misunderstand?

daveVk

1:36 am on Aug 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My idea was for real users not to trigger the onsubmit event, just provide a link for submit, that calls the data check code and submits the form. As the scam assumably calls the onsubmit handler, add some dummy handler just to catch it, say displaying an alert. Hope that's clearer.

RobClarke

3:04 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



Just a thought, if it's a spam bot then it's probably not even touching the page with the form on and just posting to the page the form posts to. That's what I'd do anyway.

littlegiant

10:13 am on Aug 10, 2006 (gmt 0)

10+ Year Member



Vince, your idea worked great. I haven't received any spam since Monday. Thanks a million!

vincevincevince

10:14 am on Aug 10, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You're welcome, littlegiant