contact form security

Discussion in 'other software & services' started by Bethrezen, Sep 30, 2007.

Thread Status:
Not open for further replies.
  1. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    I decided to add a contact form to the site I've been building.

    Found Here Contact

    As you can see, I have the front end done; now I need the back end script that makes the whole thing work.

    Trouble is, my knowledge of PHP is limited. I only just started learning how to code PHP a few months ago, and therefore something of this nature is beyond my ability to create, so I was wondering if anyone knows of a good, secure pre-made contact form validator that will stop spammers from abusing the form to spam me or other people.

    It might also be a good idea to add some sort of captcha to the form as well, to help enhance security further.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    My brother uses something like this on his site (PHP contact, obfuscated JS). I'll ask him. Hang in there for a few hours / days.
    Mrk
     
  3. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    thanks much appreciated
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    Here you go, first part, obfuscated js:


    ---------


    first create an html file with this js code:

    // Writes the XOR-transformed string into the page; with key 5 this turns the link into its obfuscated form
    y = "<a href=mailto:example@email.com>example@email.com</a>";
    for (var i = 0; i < y.length; i++) {
        document.write(String.fromCharCode(5 ^ y.charCodeAt(i)));
    }

    This is to encrypt your email address. Of course, you should change "example@email.com" to the desired email.
    The key used here for encryption is 5. You can see it in the 5^y string above. You can change it to something else. After you open this html file with the above js you'll have the encrypted string displayed in the browser.


    Copy this string and replace 'y = "<a href=mailto:example@email.com>example@email.com</a>"' with 'y = "the encrypted string";'.

    In the above example the encrypted string was "9d%mw`c8hdliqj?cjjE|dcjj+fjh;cjjE|dcjj+fjh9*d;". So the code has to be modified to:

    // Same loop, now run against the obfuscated string: XOR with the same key 5 restores the original link
    y = "9d%mw`c8hdliqj?cjjE|dcjj+fjh;cjjE|dcjj+fjh9*d;";
    for (var i = 0; i < y.length; i++) {
        document.write(String.fromCharCode(5 ^ y.charCodeAt(i)));
    }


    ---------


    Hope this helps, I'll see regarding the php script soon too.

    Cheers,
    Mrk
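The XOR scheme above, as an added example in JavaScript (not Mrkvonic's or his brother's code): the same loop wrapped in one function that both obfuscates and restores the link, plus a brute-force routine that recovers the key from nothing but the page source, which is why the scheme only stops scrapers that neither run nor read the script. The link text and key 5 come from the post; the function names, and running this under Node instead of document.write, are assumptions of this example.

```javascript
// Added example (not from the original post): the XOR "encryption" from
// the reply above as reusable functions, plus the attack on it.

// XOR with a single key byte is its own inverse, so one function serves
// both directions.
function xorWithKey(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(key ^ text.charCodeAt(i));
  }
  return out;
}

const xorEncode = xorWithKey;
const xorDecode = xorWithKey;

// Try all 256 single-byte keys and return the first one whose output
// contains a mailto link. Anyone who can view the page source can do
// this, so the obfuscation only defeats scrapers that do not execute or
// analyse JavaScript.
function recoverKey(encoded) {
  for (let key = 0; key < 256; key++) {
    if (xorDecode(encoded, key).includes("mailto:")) {
      return key;
    }
  }
  return null;
}

// Once the key is known, pull the address out of the restored link.
function extractAddress(encoded, key) {
  const m = xorDecode(encoded, key).match(/mailto:([^>"']+)/);
  return m ? m[1] : null;
}

// Constructed sample matching the post: the example link with key 5.
const PLAIN_LINK = "<a href=mailto:example@email.com>example@email.com</a>";
const KEY = 5;
const ENCODED_LINK = xorEncode(PLAIN_LINK, KEY);

if (typeof require !== "undefined" && require.main === module) {
  console.log("encoded:", ENCODED_LINK);
  console.log("decoded:", xorDecode(ENCODED_LINK, KEY));
  const k = recoverKey(ENCODED_LINK);
  console.log("brute-forced key:", k, "address:", extractAddress(ENCODED_LINK, k));
}
```

Run with `node` to see the encoded string (it begins `9d%mw\`c8hdliqj?`, as in the post), the restored link, and the key found by brute force; the point of `recoverKey` is that the key is not a secret once the decoding loop ships to the browser.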
     
  5. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    thanks for your reply

    question: how does this work with the back end PHP form validator?

    I mean, obviously this encodes my email address so that even if a bad guy were able to download the back end PHP that powers the form, they still wouldn't be able to get my real email address, because all they would see is the encoded string, which is good.

    But there is a problem: the PHP form validator needs to be able to read the encoded address so that it can send me any correspondence.

    The problem is that if I include

    Code:
    y = "Encoded String";
    for (var i = 0; i < y.length; i++) {
        document.write(String.fromCharCode(5 ^ y.charCodeAt(i)));
    }
    to decode the encoded email address, this makes it super easy for anyone to decode the encoded string back to plain text and get my email, which entirely defeats the purpose of encoding my email in the first place.

    I mean, this Java obfuscation would probably be able to stop spam bots in their tracks, because all they see is the Java code, but this isn't going to stop a person. Hell, even I could bypass this in about 30 seconds if the above was included in the source of the form validator.

    So my question is: how do you create an encoded email address that can be read by the form validator but is impossible for a person to decode, so that should a bad guy manage to download the PHP back end for the contact form, it is all but impossible for them to get my email address?
     
    Last edited: Oct 4, 2007
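The back end validator asked for in the first post, and the question above about where the address lives, as an added example that is not code from this thread. It is written in JavaScript (plain functions, runnable under Node) rather than PHP so the checks can be read and ported either way. The recipient address is a server-side constant rather than anything embedded in the page or taken from the form, the `website` honeypot field, the length limits, the `RECIPIENT` value and the sample submissions are all assumptions of this example.

```javascript
// Added example (not from the original thread): server-side checks for a
// contact-form handler. The address to deliver to lives only on the
// server; the form never carries it, so there is nothing to decode.
const RECIPIENT = "owner@example.com"; // assumed, from server config

const MAX_LENGTHS = { name: 100, email: 254, subject: 200, message: 5000 };

// Any value that ends up in a mail header must not contain CR, LF or NUL:
// a line break lets the sender append "Bcc:" / "To:" lines and turn the
// form into a relay for spamming other people. Check the decoded POST
// value, so that percent-encoded %0A has already become a newline.
function hasHeaderInjection(value) {
  return /[\r\n\0]/.test(value);
}

// Deliberately strict: one local part, a dotted domain, no whitespace or
// angle brackets. Good enough for a reply address.
function isPlausibleEmail(value) {
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(value);
}

// `fields` is the decoded POST body. Returns { ok: true, mail } with the
// message to hand to the mailer, or { ok: false, errors }.
function validateContactForm(fields) {
  const errors = [];
  const f = {};
  for (const key of Object.keys(MAX_LENGTHS)) {
    const v = typeof fields[key] === "string" ? fields[key].trim() : "";
    if (v.length === 0) errors.push(`${key} is required`);
    if (v.length > MAX_LENGTHS[key]) errors.push(`${key} is too long`);
    f[key] = v;
  }
  // Assumed honeypot: a field hidden with CSS that humans leave empty.
  if (fields.website) errors.push("honeypot field was filled in");
  for (const key of ["name", "email", "subject"]) {
    if (hasHeaderInjection(f[key])) errors.push(`${key} contains a line break`);
  }
  if (f.email && !isPlausibleEmail(f.email)) errors.push("email is not a valid address");
  if (errors.length) return { ok: false, errors };

  // From: is our own address; the visitor's address goes in Reply-To only
  // after it has passed the checks above. The message body may contain
  // newlines, which is why it is not header-checked.
  return {
    ok: true,
    mail: {
      to: RECIPIENT,
      from: RECIPIENT,
      replyTo: f.email,
      subject: `[contact form] ${f.subject}`,
      body: `From: ${f.name} <${f.email}>\n\n${f.message}`,
    },
  };
}

// Constructed sample submissions.
const GOOD_POST = { name: "Alice", email: "alice@example.org", subject: "Hello", message: "Hi there", website: "" };
const EMAIL_INJECTION_POST = { name: "Bob", email: "bob@example.org\r\nBcc: victim1@example.net, victim2@example.net", subject: "x", message: "spam", website: "" };
const SUBJECT_INJECTION_POST = { name: "Bob", email: "bob@example.org", subject: "Hi\nTo: victim@example.net", message: "spam", website: "" };
const BOT_POST = { name: "Bot", email: "bot@example.org", subject: "Hi", message: "buy", website: "http://example.com" };

if (typeof require !== "undefined" && require.main === module) {
  for (const p of [GOOD_POST, EMAIL_INJECTION_POST, SUBJECT_INJECTION_POST, BOT_POST]) {
    console.log(JSON.stringify(validateContactForm(p)));
  }
}
```

The same three rules carry over to PHP's `mail()`: never put a raw form value into a header, keep the destination address in server-side code or config where the web server does not serve it as text, and reject rather than "clean" a submission that contains a line break in a header field.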
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    That's against bots, of course.
    No one will bother gathering emails by hand ...
    Mrk
     
  7. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi Mrkvonic

    you are probably right, but if someone is going to try and abuse one of these contact forms for bad purposes, it's usually a person doing it and not a bot

    what can I say, I like to try and cover all the bases just to be on the safe side. I may not be able to stop someone abusing the facility to spam me or other people, but it doesn't hurt to make it as hard as possible :)
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    You could significantly complicate the algorithm... something like entropy or whatever?
    Mrk
     
  9. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    I see. Well, that's not happening; I don't even know how to build a basic back end validator for a contact form, never mind anything more complex.

    maybe it's time I got an account on PHP Freaks
     