  1. #1
    Web Enthusiast
    Join Date
    Jul 2000
    Location
    Western Massachusetts, USA
    Posts
    1,389

    Bogus newsletter signups

    I am getting bogus newsletter sign-ups in place of valid email addresses, such as:
    the Content-Type: multipart/alternative; boundary=39e0f5be185a493a6cbdd834dad04e3c MIME-Version: 1.
    and
    swollen Content-Type: multipart/alternative; boundary=4007780bd0899f854a2bbad873cbae85 MIME-Version
    and
    all Content-Type: multipart/alternative; boundary=9e866c43d4f32c270a34300277b11d27 MIME-Version: 1.
    and
    town Content-Type: multipart/alternative; boundary=4119172c8d946a5c61314fd74f1e6d5a MIME-Version: 1
    I thought I had good validation in the following code:
    PHP Code:
    <p>Sign up for <strong>ClickBasics eNews</strong>, an email newsletter about easy ways to build your website.</p>
    <script type="text/javascript">
    // validates that the field value string has one or more characters in it
    function isNotEmpty(elem) {
        var str = elem.value;
        var re = /.+/;
        if (!str.match(re)) {
            alert("Please fill in the required field.");
            return false;
        } else {
            return true;
        }
    }
    // validates that the entry is formatted as an email address
    function isEmailAddr(elem) {
        var str = elem.value;
        //var re = /^[\w-]+(\.[\w-]+)*@([\w-]+\.)+\.[a-zA-Z]{2,7}$/;
        var re = /[\w\-]+\@[\w\-]+\.\w{2,3}/;
        if (!str.match(re)) {
            alert("Please verify the email address format.");
            return false;
        } else {
            return true;
        }
    }
    // detects incorrect data entry to halt the submission of the form
    // until the user corrects the data entry
    function validateForm(form) {
        if (isNotEmpty(form.newemail)) {
            if (isEmailAddr(form.newemail)) {
                return true;
            }
        }
        return false;
    }
    </script>

    <form method="post" action="register_news.php" name="newsletter" onsubmit="return validateForm(this)">
    <fieldset>
        <legend><strong>Your Email Address</strong></legend>
    <p>
        <label for="newemail" class="short">Email</label>
        <input type="text" name="newemail" id="newemail" class="txt" onchange="if (isNotEmpty(this)) {isEmailAddr(this)}" />
    </p>
    </fieldset>
    <p>
        <input type="submit" name="newsSubmit" id="newsSubmit" value="Go" class="btn" />
    </p>
    </form>
    Any clues what's going on?
    Paul C.
    ClickBasics
    http://www.clickbasics.com

  2. #2
    SitePoint Wizard Pedro Monteiro's Avatar
    Join Date
    Sep 2002
    Location
    Lisbon
    Posts
    1,393
    I would strongly advise staying away from JavaScript validation, as the plugin can be easily turned off.

    Why don't you server side validate the form?

  3. #3
    From downunder but sure 2 rise Hazardous's Avatar
    Join Date
    Aug 2003
    Location
    New Zealand
    Posts
    361
    Validating server-side will allow you to determine if it is OK or not.

    Relying on client-side validation will not be 100% accurate all the time, as browsers have functionality to turn things off and on.
    Hazardous
    My Blog

  4. #4
    Non-Member Gator99's Avatar
    Join Date
    Sep 2004
    Location
    Florida
    Posts
    613
    The robots that are injecting your form aren't users with JavaScript-enabled browsers, so JavaScript validation would not prevent form hijacking. Mostly the injection is done by inserting headers and linefeeds into the form fields. You'd need to check for linefeeds and their hex equivalents %0a %0d. To get more specific info, google something like "php email injection".
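
Added example, not part of any post in this thread: a server-side check for the `newemail` field of the kind `register_news.php` could run before storing or mailing anything. The helper name `validate_newsletter_email()` and the sample inputs are assumptions made for illustration; the check rejects linefeeds in raw and `%0a`/`%0d` form and validates the whole string rather than a substring.

```php
<?php
// Added illustration: validate_newsletter_email() is a hypothetical helper,
// not code posted in the thread or shipped by any project.

function validate_newsletter_email($raw)
{
    // A field submitted as an array (newemail[]=...) or missing is rejected.
    if (!is_string($raw)) {
        return null;
    }
    // Linefeeds and carriage returns, raw or still URL-encoded (%0a, %0d),
    // are what lets a field value turn into extra mail headers.
    if (preg_match('/[\r\n]|%0[ad]/i', $raw)) {
        return null;
    }
    $value = trim($raw);
    // 254 characters is the practical upper bound for a mailbox address.
    if ($value === '' || strlen($value) > 254) {
        return null;
    }
    // Whole-string syntax check. The form's JavaScript pattern is unanchored,
    // so it accepts any text that merely contains something address-like.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Constructed sample inputs, modelled on the bogus sign-ups quoted in post #1.
$samples = [
    'reader@example.com',
    'town Content-Type: multipart/alternative; boundary=CONSTRUCTED MIME-Version: 1',
    "reader@example.com\nContent-Type: multipart/alternative; boundary=CONSTRUCTED",
    'reader@example.com%0aContent-Type: multipart/alternative',
    'swollen reader@example.com',   // contains an address, but is not one
];

foreach ($samples as $sample) {
    $result = validate_newsletter_email($sample);
    printf("%-7s %s\n", $result === null ? 'REJECT' : 'ACCEPT', json_encode($sample));
}

// In the form handler (assumed usage):
//   $email = validate_newsletter_email($_POST['newemail'] ?? null);
//   if ($email === null) { /* show the form again with an error */ }
```

Only the value returned by the helper should be stored or placed in a mail header; the original `$_POST` value is not reused after the check.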

  5. #5
    Web Enthusiast
    Join Date
    Jul 2000
    Location
    Western Massachusetts, USA
    Posts
    1,389
    Thanks Pedro,

    Do you have a favorite server side email validation script?
    Paul C.
    ClickBasics
    http://www.clickbasics.com
