I have a cgi script which submits form data via email. Spammers are attempting to use the form with the result of junk data (basically it looks like web page addresses) being emailed to the form's intended recipient.
The script currently checks for blank fields and I wondered if checking for only integer data or only alpha data in appropriate fields would stop this ... or even a no spam check like this board has on it's sign up page. Problem is, after 4+ hours searching online, I have no clue how to do this.
A viewable copy of my form is at www.S*Chamber.org/test.htm (replace * with "a n f o r d" with no spaces). I've redirected entries from this form away from the client. I believe you can view the cgi script from there as it's called from the form.
Again, the intent is to not have garbage going to the person who's supposed to be processing new members. My thoughts were checking if either aaDuesAmountCalculated or ajNo.Emees had only integer values and rejecting the form if this wasn't the case.
I would appreciate your help. I'm an amazing graphic artist and not too hot cgi/perl scripter!!!
Kristi
Last edited by WindowsWarrior; 05-02-07 at 12:06 PM.
Checking to see if someone has entered the appropriate information in each field can be quite a programming task. For instance if you wanted to check to see if the user has entered a valid email address you could do something like this:
First you would have to fix your <form> element statement to include the onsubmit="" event handler.
To check for other fields you would add more functions to check the data in those fields. Then call those functions from the "ValidateForm()" function.
client side vaidation is useful, but server side validation is what should be relied on. But WindowsWarrior needs to clarify what type of server side script they are using, perl or something else? cgi can be anything.
The cgi script starts with calling perl, so I'm pretty sure it's perl. I definitely don't want to use JS as someone can just disable JS on the site.
I am going to excerpt the script because I think that might expedite this:
Code:
#!/usr/bin/perl
#the perl path may need to be set if your web host is running Unix
require 5.0;
#the path to the sendmail program will need to be set on Un*x systems
$mail_program = "/usr/lib/sendmail -t";
#on NT the name of the smtp server must be set
$smtp_server = "smtp.surething.com";
use Env;
# turn off output buffering for AnaServe - effect unknown Patrick 10/21/98
$| = 1;
################################################################################
#
# MVForms.cgi - A form response script for use with WebExpress.
# Copyright 1997 MicroVision Development, Inc.
#
# Version
# 3.04 May 19 1999 - Deleted some html <br> tags from the email body.
# 3.03 May 14 1999 - Changed get_date to make it handle y2k.
# 3.02 Dec 08 1998 - Moved form type check for "jump" ahead of .intro
# check as this was causing the script to fail for
# redirection forms.
# 3.01 Oct 22 1998 - Unix sendmail version had inverted to and from
# addresses.
# - Removed all extraneous whitespace and reformated with
# spaces rather than tabs.
# - Modified .thanks_url processing to allow it to be set
# to either a complete URL, or a file name relative to
# the directory containing the form page.
# 3.00 Sep 29 1998 - Rewrote to fix "internal server error" problem on
# some unix servers.
#
# Special thanks to Selena Sol and Sanford Morton
# for examples and explanations. Thanks to William Mussatto
# for posting the sendmail.pl script on the Win32-Perl-Web list,
# and to C. Mallwitz for writing it.
#
# Permission is granted to use, modify and distribute
# this script, so long as this copyright section is
# included intact.
#
#
# This script gives the option of using Un*x sendmail on systems that
# have it available. To use the perl sendmail that is built in
# access to an SMTP server is required.
#
################################################################################
#
# Program Begins Here
#
#
# parse the form data
#
&ReadParse;
#
# set the current date
#
$current_date = &get_date;
#
# if it is a redirect menu, jump
#
if ( $in{'.form_type'} eq "jump" )
{
&jump_url;
}
#
# Otherwise, send an email response
# Check required fields were filled by the user
#NOTE FROM WINDOWS WARRIOR ... this is where I thought the validation could
#logically be added.
#
if ($in{'.required'})
{
&Compulsory;
}
if ( ! $in{'.intro'} )
{
&usage("the intro for the response (<I>.intro</I>)");
}
#
# Check for required hidden fields
#
if ( !$in{'.email_dest'} )
{
&usage("the email desitination field (<I>.email_dest</I>)");
}
if ( ! $in{'.intro'} )
{
&usage("the intro for the response (<I>.intro</I>)");
}
if ( ! $in{'.subject'} )
{
&usage("the subject for the response (<I>.subject</I>)");
}
#
# send the response
#
&send_response;
#
# Redirect to acknowledgement page
#
&send_acknowledgement;
exit;
######################################
# Parse the cgi form data.
# Adapted from cgi-lib.pl by S.E.Brenner@bioc.cam.ac.uk
# Copyright 1994 Steven E. Brenner
#
sub ReadParse
{
local (*in) = @_ if @_;
if ( $ENV{'REQUEST_METHOD'} eq "GET" )
{
# replaced his MethGet function
## don't accept GET, to make it a little harder to spoof the script
print "Content-type: text/html\n\n";
print "Sorry, this script only accepts METHOD=POST. ";
print "Use that inside your <FORM ...> tag";
exit;
}
elsif ($ENV{'REQUEST_METHOD'} eq "POST")
{
read(STDIN,$in,$ENV{'CONTENT_LENGTH'});
}
else
{
# Added for command line debugging
# Supply name/value form data as a command line argument
# Format: name1=value1\&name2=value2\&... (need to escape & for shell)
# Find the first argument that's not a switch (-)
$in = ( grep( !/^-/, @ARGV )) [0];
$in =~ s/\\&/&/g;
}
@in = split(/&/,$in);
foreach $i (0 .. $#in)
{
# Convert plus's to spaces
$in[$i] =~ s/\+/ /g;
# Split into key and value.
($key, $val) = split(/=/,$in[$i],2); # splits on the first =.
# Convert %XX from hex numbers to alphanumeric
$key =~ s/%(..)/pack("c",hex($1))/ge;
$val =~ s/%(..)/pack("c",hex($1))/ge;
# Associate key and value
# \0 is the multiple separator
$in{$key} .= "\0" if (defined($in{$key}));
$in{$key} .= $val;
}
return length($in);
}
############################
#
# sub Compulsory
#
# Check that the fields in the form that are required to be
# filled are filled. Compulsory fields are listed in the
# .required hidden field, semi-colon separated.
sub Compulsory
{
#split them out of the list in the value field
@required = split (/;/, $in{'.required'});
#check that each required field name keys to data in the input hash
foreach $elem (@required)
{
foreach $key (keys %in)
{
next if ($key ne $elem);
#the required field and the key match, so check that there is data
if (!$in{$elem})
{
$printkey = $elem;
$printkey =~ s/^..//;
$error .= ("<li>The $printkey field must be filled.<p>\n");
}
}
}
if ($error)
{
#kick them to a page telling them what was blank
#use back button to get back to the form.
#******************** CUSTOMIZABLE TEXT ********************
$error_page = "Content-type: text/html\n\n";
$error_page .= "<head><TITLE>Form Entries Incomplete or Invalid</TITLE></head>\n<body><p>\n";
$error_page .= "<hr>\n<H3>Form Entries Incomplete or Invalid</H3>\n";
$error_page .= "One or more problems exist with the data you have entered.<UL>\n";
$error_page .= $error;
$error_page .= "</UL>Please use the <I>Back</I> button on your web browser to problems.<P><HR></BODY></HTML>";
print $error_page;
exit;
}
}
######################################
# general usage routine
#
sub usage
{
my ($usage_error) = @_;
$usage_body = "Content-type: text/html\n\n";
$usage_body .= "<H2> Form Processing Error </H2>";
$usage_body .= "<TITLE> Form Processing Error </TITLE>";
$usage_body .= "You have forgotten to include <B>$usage_error</B> in your form. ";
$usage_body .= "Please correct the problem in your form, and try again. ";
$usage_body .= "<P>The following fields were included in your form: <OL>";
foreach (keys %in)
{
$usage_body .= "<LI>$_: $in{$_}\n";
}
$usage_body .= "</OL>Press the <B>BACK</B> button to return to the submitting form.";
print $usage_body;
exit;
}
######################################
sub get_date
{
@days = ('Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday');
@months = ('January','February','March','April','May','June','July','August','September','October','November','December');
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
if ($hour < 10)
{
$hour = "0$hour";
}
if ($min < 10)
{
$min = "0$min";
}
if ($sec < 10)
{
$sec = "0$sec";
}
$year = 1900 + $year;
$date = "$days[$wday], $months[$mon] $mday, $year at $hour\:$min\:$sec";
return $date;
}
######################################
# jump to URL destination
#
sub jump_url
{
# look for destination field
foreach (keys %in)
{
next if /^\./; # skip hidden form data in mail message
if ( $_ eq "Destination" )
{
$dest = $in{$_};
}
}
# could check destination here
print "Location: $dest\n\n";
exit;
}
######################################
# send repsonse
#
sub send_response
{
$email_body = $in{'.intro'} ? "$in{'.intro'}\n\n" : "The following data has been submitted:\n\n";
# added functionality to allow users to specify fields and order using the
# .remove_indexing key and the .response_order hidden field.
if (!$in{'.remove_indexing'} and $in{'.response_order'})
{
# split them out of the list in the value field
@resp_ordr = split (/;/, $in{'.response_order'});
foreach $ro_elem (@resp_ordr)
{
# format the text and add it to the mail message
$form_name = &format_text_field("$ro_elem:");
$item = "$form_name $in{$ro_elem}";
# if multiple values, indent them on new lines
$item =~ s/\0/"\n\t".(" "x(2+length($_)))/ge;
$email_body .= "\t $item \n";
# grab the mail address and save it
if ($ro_elem =~ /.*(email).*|.*(e-mail).*/i)
{
$client_email = $in{$ro_elem};
}
}
}
else
{
foreach (sort keys %in)
{
# skip fields beginning with a period (hidden fields)
next if /^\./;
# save client email for return address
if ( $_ eq "zzClientEmail" )
{
$client_email = $in{$_};
}
# don't list the send and clear buttons
if ( $_ eq "xxSend" )
{
next;
}
if ( $_ eq "xxClear" )
{
next;
}
$form_name = &format_text_field("$_:");
$item = "$form_name $in{$_}";
if ( $in{'.remove_indexing'} )
{
$item =~ s/^..//;
}
# if multiple values, indent them on new lines
$item =~ s/\0/"\n\t".(" "x(2+length($_)))/ge;
$email_body .= "\t $item \n";
}
$flag = "did case two<br>\n";
}
#******************** CUSTOMIZABLE TEXT ********************
$email_body .= "\nSubmitted on: $current_date\n";
$email_body .= "Form page: $ENV{HTTP_REFERER}\n";
$email_body .= "User address: $ENV{REMOTE_ADDR}\n";
$email_body .= "User host: $ENV{REMOTE_HOST}\n";
$in{'.email_dest'} =~ s/,.*//;
# to and from addresses are flipped between the NT and Unix versions
# here Patrick 10/21/98
if ($ENV{OS} eq "Windows_NT")
{
&sendmail($client_email,$client_email,$in{'.email_dest'},$smtp_server,$in{'.subject'},$email_body);
}
else
{
&send_mail ($client_email,$in{'.email_dest'},$in{'.subject'},$email_body);
}
}
#####################################
sub format_text_field
{
my ($value) = @_;
return($value . substr((" " x 25), length($value)));
}
use Socket;
use IO::Handle;
sub sendmail
{
($from, $reply, $to, $smtp, $subject, $message) = @_;
$fromaddr = $from;
$replyaddr = $reply;
$to =~ s/[ \t]+/, /g; # pack spaces and add comma
$fromaddr =~ s/.*<([^\s]*?)>/$1/; # get from email address
$replyaddr =~ s/.*<([^\s]*?)>/$1/; # get reply email address
$replyaddr =~ s/^([^\s]+).*/$1/; # use first address
$message =~ s/^\./\.\./gm; # handle . as first character
$message =~ s/\r\n/\n/g; # handle line ending
$message =~ s/\n/\r\n/g;
$smtp =~ s/^\s+//g; # remove spaces around $smtp
$smtp =~ s/\s+$//g;
if (!$to)
{
return(-8);
}
$proto = (getprotobyname('tcp'))[2];
$port = (getservbyname('smtp', 'tcp'))[2];
$smtpaddr = ($smtp =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) ? pack('C4',$1,$2,$3,$4) : (gethostbyname($smtp))[4];
if (!defined($smtpaddr))
{
return(-1);
}
if (!socket(S, AF_INET, SOCK_STREAM, $proto))
{
return(-2);
}
if (!connect(S, pack('Sna4x8', AF_INET, $port, $smtpaddr)))
{
return(-3);
}
S->autoflush(1);
$_ = <S>;
if (/^[45]/)
{
close(S);
return(-4);
}
print S "helo localhost\r\n";
$_ = <S>;
if (/^[45]/)
{
close(S);
return(-5);
}
print S "mail from: <$fromaddr>\r\n";
$_ = <S>;
if (/^[45]/)
{
close(S);
return(-5);
}
foreach (split(/, /, $to))
{
print S "rcpt to: <$_>\r\n";
$_ = <S>;
if (/^[45]/){
close(S);
return(-6);
}
}
print S "data\r\n";
$_ = <S>;
if (/^[45]/)
{
close S;
return(-5);
}
print S "To: $to\r\n";
print S "From: $from\r\n";
print S "Reply-to: $replyaddr\r\n" if $replyaddr;
print S "X-Mailer: Perl Sendmail Version 1.21\r\n";
print S "Subject: $subject\r\n\r\n";
print S "$message";
print S "\r\n.\r\n";
$_ = <S>;
if (/^[45]/)
{
close(S);
return(-7);
}
print S "quit\r\n";
$_ = <S>;
close(S);
return(1);
}
######################################
# send mail containing the form data
#
sub send_mail
{
my ($clnt_email, $email_dst, $subject, $message) = @_; # list assignment
if ( !open(MAIL, "|$mail_program") )
{
&print_error_page;
exit;
}
print MAIL <<__END_OF_MAIL__;
To: $email_dst
From: $clnt_email
Subject: $subject
$message
__END_OF_MAIL__
close (MAIL);
}
######################################
# mail open error message
#
sub print_error_page
{
#******************** CUSTOMIZABLE TEXT ********************
$error_page = "Content-type: text/html\n\n";
$error_page .= "<TITLE> System Error </TITLE>";
$error_page .= "<H2> System Error </H2>";
$error_page .= "The system is not responding, and the form could not be processed. ";
$error_page .= "Please try again later.";
$error_page .= "<P>Thank you for taking the time to fill out the form. ";
$error_page .= "Sorry for the inconvenience!";
if ( $in{'.back_to_url'} )
{
$error_page .= "<P>Return to <A HREF=\"$in{'.back_to_url'}\">$in{'.back_to_url'}</A>";
}
print $error_page;
}
######################################
# Send an acknowledgement
#
sub send_acknowledgement
{
# Get address of page that we came from and strip page name
$ENV{'HTTP_REFERER'} =~ m[(.+/)];
$new_url = $1;
if ( $in{'.thanks_url'} =~ /http:\/\//)
{
print "Location: $in{'.thanks_url'}\n\n";
}
elsif ( $in{'.thanks_url'} )
{
print "Location: $new_url$in{'.thanks_url'}\n\n";
}
else
{
&send_thanks_page;
}
}
######################################
# generic acknowledgement page
#
sub send_thanks_page
{
#******************** CUSTOMIZABLE TEXT ********************
$thanks_page = "Content-type: text/html\n\n";
$thanks_page .= "<TITLE>Form Acknowledgement</TITLE>";
$thanks_page .= "<H2>Thank You</H2>";
$thanks_page .= "Your information has been submitted to ";
$thanks_page .= "<A HREF=\"mailto:$in{'.email_dest'}\">$in{'.email_dest'}</A>.<p>\n";
$thanks_page .= "Thank you for taking the time to fill out the form!<br>\n";
#$thanks_page .= "Perl Version = $] <br>\n";
if ( $in{'.back_to_url'} )
{
$thanks_page .= "<P>Return to <A HREF=\"$in{'.back_to_url'}\">$in{'.back_to_url'}</A>";
}
print $thanks_page;
}
I find that one easy way to kill spam entries dead is to look for the string 'http' in the submitted fields, and if it exists, abort the form.
If you have a situation where someone simply HAS to be able to send a URL, allow one and only one field to contain that string, but only once (or possibly twice).
Also, clean all form fields of TAB and carriage return chars as well as semi-colons- they're often used to include additional email addresses or CC: and BCC: headers.
I disallow the 'http' string in 99% of my contact and mailer forms and it works like a charm, really.
Thats a pretty old script you are using WindowsWarrior. Do you know how to write/code perl or are you really looking for a programmer to modify your script?
Drunken Perl Coder ... no I am not a scripter. Most times I can figure out how to change some code to do what I want by perusing resources on the web, but couldn't in this case.
End User, I think your suggesting of knocking out of the script if there's an "http" in the information is a good one. I think I can do that with:
Code:
#
#CHECK for http in data.
if ($FORM{aaDuesAmountCalculated} eq "http") {
&invalid_stuff("Due Amount Calculated");
exit;
}
if ($FORM{adBizName} eq "http") {
&invalid_stuff("Company Name");
exit;
}
sub invalid_stuff {
local($ename) = @_;
print "Content-type: text/html\n\n";
print "<HTML>\n";
print "<HEAD>\n";
print "<TITLE>Invalid Data Detected</TITLE>\n";
print "</HEAD>\n";
print "<BODY bgcolor=#FFFFFF>\n";
print "<P><H2>These Fields cannot contain web addresses.</H2>\n";
print "<P>\n";
print "We cannot process your application unless $ename contains the proper information.\n";
print "<P> \n";
print "Use the BACK button on your browser to go back. \n";
print "</BODY>\n";
print "</HTML>\n";
}
However, I'm not sure if the operand EQ means the same as CONTAINS?
Kristi
#added dots before and after http
if ($FORM{aaDuesAmountCalculated} eq ".http.") {
&invalid_stuff("Due Amount Calculated");
exit;
}
if ($FORM{adBizName} eq ".http.") {
&invalid_stuff("Company Name");
exit;
}
Linear Mode
