Dynamo
26 replies to this thread.
waltd
22 May 2008, 5:35 pm
"Injecting" forms with Ajax
There was a recent discussion on the main list about securing forms from bots. One of the tricks used on the FreewayTalk site is to inject the forms into the page using Ajax. Since a lot of bots go looking for registration forms using basic Web crawler technology, and those bots don’t usually evaluate JavaScript, this provides a neat barrier to automated entry. It’s pretty simple to do in a basic way, and if you want to also use the technique to have forms that submit without a page refresh, that can be added later.
Install the Protaculous Action, if you haven’t already. freewaypro.com/actions/downloads/
Make a form, and an associated handler for it. This form can be made in Freeway, but you will need to “cut down” the resulting page using the PHP Make Insert Page Action or similar, because you want to end up with just the form itself, with no HTML HEAD BODY tag sandwich around it. You will be inserting this form into another page in your site using JavaScript. Be sure that your form submits either directly to its handler, or to the page you will be inserting the form into — don’t have it submit to itself.
Now, on the page where you want the form to appear, draw a simple HTML box where the form should go. Set the name of this box to something memorable, like formGoesHere.
Apply the Protaculous Action to the page, and then click on the top Function Body button and enter the following (adjusted for YOUR naming):
new Ajax.Updater('formGoesHere',
'yourFormPage.html',
{'method':'get'}
);
Now preview the page in a browser. If all goes well, you should see your form appear within the page as if it was part of it all along.
A crawler will never see this code, and your users will never know the difference, unless they have disabled JavaScript.
Walter
Freeway user since 1997
DeltaDave
22 May 2008, 11:57 pm
Hi Walter
I gave this a go and had success but not until I included the (temp) styles that I had used on the form page in the injected page. Probably worth noting that if you styled the form using permanent styles this wouldn’t be an issue.
Another question: What is to stop the bots from finding the stripped down form page on the server and using that?
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2
waltd
23 May 2008, 1:25 am
What’s stopping them is this:
function isAjax() {
return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}
Put that at the top of your form page, inside a php block, and then use this bit to call it:
if(!isAjax()) header('Location: theContainerPage.html');
Since that’s all in PHP, not JavaScript, they will never see it and have to deduce what sort of hoop they need to jump through. It won’t stop a truly dedicated hacker, but it will keep most out.
Walter
Freeway user since 1997
Umberto
23 May 2008, 10:07 am
Hi Walter, I followed your instructions, but when I click on the Function Body button this alert appears: “Could not complete your request because memoria insufficiente (-108:379:2328)”.
I work with an Intel iMac with 3 GB of RAM and Mac OS X 10.5.2.
What’s wrong?
Thanks in advance
Umberto
waltd
23 May 2008, 1:33 pm
That’s a first for me. Contact support [at] softpress.com. I am sure they will also want a copy of the file in question.
I have never once in my 11 years of using Freeway seen an out of memory error.
Walter
Freeway user since 1997
Umberto
23 May 2008, 3:11 pm
Many thanks Walter,
I just contacted support[at]softpress.com and am waiting for their response.
Umberto
kitesurfer3
24 May 2008, 1:24 am
I am a newbie trying to hide my form. I understand all except:
you will need to “cut down” the resulting page using
the PHP Make Insert Page Action or similar
What action is this? Or how to do this?
Any help really appreciated.
DeltaDave
24 May 2008, 10:32 pm
The PHP Make Insert Page Action can be found here:
softpress.com/kb/article.php?id=352
Applied to the form page you created, it strips out the HTML headers etc. so that when that page (the form page) is included by the Ajax injection you do not get a doubling up of the HTML headers in the resultant page.
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2
kitesurfer3
25 May 2008, 2:16 pm
Thanks David,
I am running into a problem now. If I look at my site in browser preview it works OK, but when uploaded it comes up as “Not Found” in Safari and Firefox.
See: olympiawindows.com/fw5/quoterequest.html
Any ideas?
Thanks in advance
FW5Pro 5.1.1
Todd
25 May 2008, 4:46 pm
The original JS example works fine for me, but has anyone been able to get this PHP version to work?
Todd
On May 22, 2008, at 8:25 PM, waltd wrote:
What’s stopping them is this:
function isAjax() {
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}
Put that at the top of your form page, inside a php block, and then use this bit to call it:
if(!isAjax()) header('Location: theContainerPage.html');
Since that’s all in PHP, not JavaScript, they will never see it and have to deduce what sort of hoop they need to jump through. It won’t stop a truly dedicated hacker, but it will keep most out.
waltd
25 May 2008, 5:48 pm
Just make sure everything is inside a PHP code block, and is the VERY FIRST THING in the code. So that means that you must put it in the Before HTML part of the Page HTML Markup dialog.
<?php
function isAjax(){
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}
if(!isAjax()) {
    header('Location: yourContainerPage.html');
    exit;
}
?>
That construction is working for me here, in multiple sites.
Walter
Freeway user since 1997
Todd
25 May 2008, 6:08 pm
I had the IF statement inside the first set of curly brackets. It works now.
As it applies to spam bots and not an actual person doing evil things, this technique would negate the need for a captcha, wouldn’t it?
Thanks,
Todd
On May 25, 2008, at 12:48 PM, waltd wrote:
Just make sure everything is inside a PHP code block, and is the VERY FIRST THING in the code. So that means that you must put it in the Before HTML part of the Page HTML Markup dialog.
<?php
function isAjax(){
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}
if(!isAjax()) {
    header('Location: yourContainerPage.html');
    exit;
}
?>
That construction is working for me here, in multiple sites.
DeltaDave
25 May 2008, 8:22 pm
Hi Kitesurfer
In the ajax injection you have the form page reference as _QuoteRequest2.html
but it should be
_quoterequest2.html
Change the capitalisation and you should be sorted.
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2
kitesurfer3
25 May 2008, 9:12 pm
Thanks again David
I think I am way over my head; obviously I don’t grasp the concept. I look at the code in the page:
olympiawindows.com/fw5/quoterequest.html
and I don’t see the form code, it is not supposed to be there, is it?
In which case I haven’t got a clue how it works; when I “Submit”, the form ends up in the “FormMail” screen, the same problem as when FW5 scrambled my e-mail address.
I am going in circles.
Thanks for all the help anyways, I will have to learn Russian I guess, they are spamming my form like crazy. The interesting thing is I never-ever had spam in this form until FW5 scrambled my e-mail address (by defaulting to e-mail hiding) and I posted here for help, it must be a coincidence, I am sure.
DeltaDave
26 May 2008, 12:07 am
Kitesurfer said:
I don’t see the form code, it is not supposed to be there, is it?
No. All you will see is the reference to the page where the form actually is - in your case: _quoterequest2.html
Are you saying that you are using formmail to process your form? Formmail is known to be susceptible to abuse.
Why not try Tim Plumb’s excellent PHP Feedback Form action? It works fine with Email encoding: www.freewayactions.com/product.php?id=019
Just use the form that you have at: _quoterequest2.html
Remove the existing post action that directs to formmail and use the PHP FF action instead.
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2
waltd
26 May 2008, 2:30 am
I wouldn’t make that sweeping an assumption. It will help, and it certainly keeps some types of attacks completely out. For one thing, it makes the entire fact that there’s a form invisible to any client that doesn’t use JavaScript. But the serious operators in this space will simply hire a room full of indigent people somewhere to do their dirty work.
Walter
On May 25, 2008, at 2:08 PM, Todd wrote:
As it applies to spam bots and not an actual person doing evil things, this technique would negate the need for a captcha, wouldn’t it?
Freeway user since 1997
Todd
26 May 2008, 3:29 am
I realize that a person seeking out and manually attacking forms is another matter entirely, but your PHP example in particular seems very well suited to stopping automated (non-human) attempts and would seem (to me) to be at least as effective as a plain form using a captcha, only to stop bots, not people, that’s all.
Todd
On May 25, 2008, at 9:30 PM, Walter Lee Davis wrote:
I wouldn’t make that sweeping an assumption. It will help, and it certainly keeps some types of attacks completely out. For one thing, it makes the entire fact that there’s a form invisible to any client that doesn’t use JavaScript. But the serious operators in this space will simply hire a room full of indigent people somewhere to do their dirty work.
kitesurfer3
26 May 2008, 3:56 am
Thanks David,
I did apply the PHP Feedback Form action and deleted Recipient, Redirect, and Subject from the hidden fields and removed “/cgi/formmail” from Form and left the Method as “Post” (I also tried “Get”), but can’t get the form to work.
Called my provider and they said “Sendmail” is enabled and they use a Linux server (I read in another post about a problem with Windows servers and this action).
I am not sure what is wrong or what else I can try. I know the action is working I made the page “Privacy Policy” an error page, and that is what I get.
Sorry to be a pest, but I am so close, I think.
thanks again!
Why not try Tim Plumb’s excellent PHP Feedback Form action it works fine with Email encoding: www.freewayactions.com/product.php?id=019
Just use the form that you have at: _quoterequest2.html
Remove the existing post action that directs to formmail and use the PHP FF action instead.
DeltaDave
26 May 2008, 10:49 pm
Hi
With the PHP Feedback Form action you don’t put anything in Page>Form setup - it is all handled by the action interface.
If you name the email and name fields as just that then the resulting email will be populated with that information.
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2
Umberto
27 May 2008, 3:30 pm
Hi Walter, Joe Billings at support[at]softpress.com replied: “…This is a bug in the Italian localisation that I have now logged.…”. Thanks to all of you for helping.
Umberto
Todd
16 Jun 2008, 5:57 pm
This is in regards to validation. The form injection works as expected (handler: Tim’s Feedback Form action) but the fields are not being validated (using the validation action). Is this expected behavior given the injection method and the form processor?
Todd
waltd
18 Jun 2008, 10:04 pm
If the validation is done in JavaScript, then it will be lost when you cut the page down for injection. If it’s done in PHP, then you will have to make sure that the form submits to the handler correctly. When you chop things up in this manner, it’s not always clear what’s pointing where.
Walter
Freeway user since 1997
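Putting Walter’s two points together, here is an added example (not code from this thread, from Freeway or from Protaculous): one guard file, hypothetically named ajax_guard.php, that the cut-down form page loads as its very first line and whose server-side field check the handler can use in place of the JavaScript validation that is lost when the form page is cut down. It assumes the form page and handler are PHP; the function names are my own.

```php
<?php
// Added example for this thread, not code from the posts or from Freeway.
// Hypothetical file name: ajax_guard.php. The cut-down form page require()s
// it as the very first thing (Before HTML); the handler calls
// validateSubmission() because the JavaScript validation action is lost
// once the form page is cut down for injection.

// Walter's check: Prototype's Ajax.Updater sends X-Requested-With:
// XMLHttpRequest with its request for the fragment. The client supplies the
// header, so this hinders crawlers that skip JavaScript; it proves nothing.
function isAjax()
{
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strcasecmp($_SERVER['HTTP_X_REQUESTED_WITH'], 'XMLHttpRequest') === 0;
}

// For the form fragment page: anyone fetching it directly (a person who
// typed the URL, or a crawler) is sent to the container page. The exit is
// essential: header() alone does not stop the fragment from being output.
function requireAjaxOrRedirect($containerPage)
{
    if (!isAjax()) {
        header('Location: ' . $containerPage);
        exit;
    }
}

// For the handler: the injected form still submits with an ordinary POST
// (no X-Requested-With header unless Ajax submission is added later), so
// only the method and the fields are checked here. Returns a list of error
// messages; an empty array means the submission passed.
function validateSubmission(array $post, array $requiredFields)
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('HTTP/1.1 405 Method Not Allowed');
        exit;
    }
    $errors = array();
    foreach ($requiredFields as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])
            || trim($post[$field]) === '') {
            $errors[] = 'The field "' . $field . '" is required.';
        }
    }
    if (isset($post['email']) && is_string($post['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    }
    return $errors;
}
```

On the form page the first line is `require 'ajax_guard.php'; requireAjaxOrRedirect('yourContainerPage.html');`; in the handler, `$errors = validateSubmission($_POST, array('name', 'email'));` and the form is re-shown with the messages when `$errors` is not empty.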
Todd
18 Jun 2008, 10:53 pm
I’m using the validation action suite, so it’s JavaScript. So basically I’m out of luck with using the action to validate in this situation. The form handler/validation needs to be kept as simple as possible in order for the site owner to manage it (so PHP is out) while maintaining at least some degree of spam prevention, and I thought this would be a good route because it was free, which was the preferred option of the client.
Todd
On Jun 18, 2008, at 5:04 PM, waltd wrote:
If the validation is done in javascript, then it will be lost when you cut the page down for injection. If it’s done in php, then you will have to make sure that the form submits to the handler correctly. When you chop things up in this manner, it’s not always clear what’s pointing where.
DeltaDave
19 Jun 2008, 12:21 am
Would it be possible to add the JavaScript validation to the page that is injected with the form? Manually?
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2
waltd
21 Jun 2008, 10:33 pm
Try adding the validation to the form, publishing it, then using copy and paste (into the Page/Html Markup/before /head) to put it into the parent page.
Walter
Freeway user since 1997
DeltaDave
21 Jun 2008, 11:21 pm
Thanks Walter, I will try that.
David
Glasgow, Scotland
G5 PPC OSX.4.11 Freeway Pro 5.2