• I just started using Form Manager so I could be mistaken about this. Please don’t shoot me if I’m wrong. Thx.

    After hunting around in the code, best I can tell the validation for required is strictly client side. Correct?

    I have an install where reCAPTCHA is not an option. I was using Conditions as a CAPTCHA-lite of sorts. For example, don’t display a required field unless the correct value of X + Y = is entered. For example, don’t display the (required message) text box unless the addition is correct.

    However, spam bots are naturally bypassing the form and submitting directly. In short, my CAPTCHA-lite trick doesn’t always work. As a result I’m trying to add a server side hack (a check) to the plugin that won’t add submits unless the required fields are populated.

    This is what I have thus far:

    In db.php I added:

    function getItemRequiredStatus($formID, $uniqueName){
        // escape both values before splicing them into the query: $uniqueName can
        // come from request data, so a raw concatenation is a SQL injection hole
        $q = "SELECT * FROM `".$this->itemsTable."` WHERE `unique_name` = '".mysql_real_escape_string($uniqueName)."' AND `ID` = '".intval($formID)."'";
        $res = $this->query($q);
        if(mysql_num_rows($res) == 0) return '2';   // no such item: '2' means "unknown" to the caller
        $row = $this->unpackItem(mysql_fetch_assoc($res));
        mysql_free_result($res);
        return $row['required'];
    }

    In api.php below the Nonce check I added:

    //server side check to see if required fields have been populated
    //($fmdb is assumed to be the plugin's db object here; use whatever api.php has in scope)
    foreach($formInfo['items'] as $item){
        $required = $fmdb->getItemRequiredStatus($formInfo['ID'], $item['unique_name']);
        // required and missing or blank (whitespace only counts as blank) -> refuse the submission
        if ($required == '1' && (!isset($postData[$item['unique_name']]) || trim($postData[$item['unique_name']]) === '')) {
            return false;
        }
    }

    Does this make sense? Yes, I could install it. However, after crawling thru the beautiful but (for me) complex code of the plugin for the last couple hours I wanted to ask others for input before I start pulling my hair out trying to get this hack to work.

    And if I have it right, perhaps as a fail-safe this hack (or similar) could/should be added to a future release? I understand it’s somewhat of a unique situation but nonetheless, a little bit of air-tightness never hurt anybody, eh?

    Thanks

    https://www.ads-software.com/extend/plugins/wordpress-form-manager/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author hoffcamp

    (@hoffcamp)

    First, most of the plugin code is a terrible mess. Congratulations, in all seriousness, for figuring out as much as you did.

    You are mostly correct about the validation being client side. The reCAPTCHA though is server side. If it fails, no submission occurs. At least that’s how it’s supposed to work.

    If you are feeling brave you could take a look at ‘types.php’ and ‘types/base.php’, and create a new form type class. The ‘processPost’ method can return ‘false’ to indicate some kind of failure. This is how the reCAPTCHA and others prevent data submission from going forward.

    I’m not adding new features to 1.x anymore, since I started on 2.0. Server side validation is on the menu.

    Thread Starter ChiefAlchemist

    (@chiefalchemist)

    Thanks again.

    I wouldn’t say the code is a mess, per se. It’s just often difficult to jump in and figure out someone else’s code. I would say the minimal amount of comments is somewhat of a pain. That said, the plugin is fairly sophisticated so I compliment you on your work. I’m certainly not the dev you are, that’s for sure.

    Just to explain, this hack kinda grew out of the widget I whipped up. That made it easy to put a simple contact form in a sidebar. Unfortunately, the reCAPTCHA bit isn’t resizeable and therefore extended beyond the sidebar. And my client side CAPTCHA-lite trick with the Conditions doesn’t work if the spambot bypasses the client side form.

    btw, while I was researching this hack I came across a couple articles that you might want to consider as you pursue your v2.0.

    https://www.geekwisdom.com/dyn/antispam_hidden_form_field

    https://www.ardamis.com/2007/07/12/defeating-contact-form-spam/

    I think the easy (?) thing to do would be to have the Conditions be checked on both client side and server side. The UI is there. It’s really just a matter of applying the rules server side. Easier said than done, eh?

    Thanks again.

    If there’s not a 1.x update coming then I’m going to try the two hacks above. I’ll let you know how that goes.
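The required-field check discussed in this thread only rejects submissions whose required fields are blank; a bot that fills every field it finds sails through it. The hidden form field ("honeypot") idea the first link above refers to catches that case. The following is an added example written for this page, not code from the plugin or from the linked articles, and the minimum-fill-time check is my own addition on top of the honeypot. The field name fm_hp_website, the fm_served_at token name, the three second floor and the constant secret are all example choices; in a real plugin the secret would come from WordPress (wp_salt() for instance) and the markup would be emitted inside the plugin's own form template.

```php
<?php
// Added example (not plugin code): honeypot field plus a signed render-time
// token, so that a bot that fills every input, or posts within a second of
// fetching the form, is refused before the submission is stored.

// Markup for the trap field. It is hidden with CSS rather than type="hidden",
// because scrapers that fill every text input will fill this one, while a
// browser user never sees it. tabindex/autocomplete keep browsers off it too.
function fm_honeypot_markup($name = 'fm_hp_website') {
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-9999px;top:-9999px" aria-hidden="true">'
         . '<label for="' . $n . '">Leave this field blank</label>'
         . '<input type="text" id="' . $n . '" name="' . $n . '" value="" tabindex="-1" autocomplete="off">'
         . '</div>';
}

// Render-time token: the time the form was served, HMAC-signed so a bot
// cannot forge an older timestamp. $secret is assumed to be a server-side
// secret (a constant below only so the example runs stand-alone).
function fm_time_token($served_at, $secret) {
    return $served_at . ':' . hash_hmac('sha256', (string) $served_at, $secret);
}

// Returns true only if the honeypot is present and empty AND the form was
// served at least $min_seconds before $now (both compared server side).
function fm_spam_checks_passed(array $post, $secret, $now, $min_seconds = 3, $name = 'fm_hp_website') {
    // Honeypot must exist (proves the form was rendered) and be empty.
    if (!isset($post[$name]) || !is_string($post[$name]) || trim($post[$name]) !== '') {
        return false;
    }
    // Timing token must be present, well formed, correctly signed and old enough.
    if (!isset($post['fm_served_at']) || !is_string($post['fm_served_at'])
        || strpos($post['fm_served_at'], ':') === false) {
        return false;
    }
    list($served_at, $mac) = explode(':', $post['fm_served_at'], 2);
    if (!ctype_digit($served_at)) {
        return false;
    }
    $expected = hash_hmac('sha256', $served_at, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time compare (PHP 5.6+)
        return false;
    }
    return ($now - (int) $served_at) >= $min_seconds;
}

// Constructed demo input (not from the thread).
$secret = 'example-only-secret';
$served = 1700000000;

// A bot that posted straight to the handler and filled every field it saw:
$bot   = array('name' => 'x',   'fm_hp_website' => 'http://spam.example', 'fm_served_at' => fm_time_token($served, $secret));
// A human who took 20 seconds and never saw the trap field:
$human = array('name' => 'Ann', 'fm_hp_website' => '',                    'fm_served_at' => fm_time_token($served, $secret));
// A bot that fetched the form and replied within one second:
$fast  = array('name' => 'y',   'fm_hp_website' => '',                    'fm_served_at' => fm_time_token($served, $secret));

var_dump(fm_spam_checks_passed($bot, $secret, $served + 20));
var_dump(fm_spam_checks_passed($human, $secret, $served + 20));
var_dump(fm_spam_checks_passed($fast, $secret, $served + 1));
```

The honeypot and the token both have to come back for a submission to count, so a bot that posts directly without ever fetching the form fails closed rather than getting a free pass.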

    Thread Starter ChiefAlchemist

    (@chiefalchemist)

    Took me a bit to wrap my head around the various arrays but here’s what I think should do it. I listed some of the original code so it’s easy to see where the insert point is.

    In db.php ~ line 860:


    //add blanks for non-existent fields
    foreach($formInfo['items'] as $item){
        if(!isset($postData[$item['unique_name']]) && $item['db_type'] != "NONE")
            $postData[$item['unique_name']] = "";
    }

    $formInfo2 = $this->getForm($formID, 0);
    //server side check to see if required fields have been populated
    // loop through the submitted form data (the blanks added above guarantee
    // every stored field has a key here, even if the bot omitted it)
    foreach ( $postData as $k=>$v ) {
        // make sure we're only looking at form fields, not meta data added by the plugin
        if ( $k != 'user' && $k != 'user_ip' && $k != 'unique_id' && $k != 'timestamp' ) {
            // find the form field in the formInfo and see if the field is required and populated
            foreach( $formInfo2['items'] as $item ) {
                // if the key is the field then check the required value for this field
                if ( $k == $item['unique_name'] ) {
                    // treat whitespace-only as blank; don't use empty() here, since
                    // empty("0") is true and would reject a legitimate answer of 0
                    $blank = is_array($v) ? count($v) == 0 : trim((string) $v) === '';
                    // if required and blank then false out
                    if ( $item['required'] == 1 && $blank ) {
                        return 'spambot';
                    }
                }
            }
        }
    }


    In api.php ~ line 285:


    if ( $postData === 'spambot' )
        return false;

    if ( $postData === false )
        return false;

    Hopefully it’ll work as expected. Let me know if you see anything major I could have done better. Thx
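A stand-alone version of the server side required check from the posts above, written for this page rather than taken from the plugin. It follows the convention hoffcamp describes for processPost (return false to abort the submission), walks the form definition instead of the POST body so an omitted key is caught without the add-blanks step, and treats whitespace-only and "0" correctly (PHP's empty("0") is true, which is why empty() is the wrong test for a required field). Assumed: items carry the unique_name, required and db_type keys named in the thread, db_type "NONE" marks items that are never stored, and the fm_* function names and demo data are mine.

```php
<?php
// Added example (not plugin code): server side "required" validation.
// $items mirrors the plugin's $formInfo['items'] (keys as used in the thread);
// $postData is the submitted field array keyed by unique_name, which may also
// carry the plugin's meta keys (user, user_ip, unique_id, timestamp).

// True when a submitted value counts as "filled in".
function fm_value_is_filled($v) {
    if (is_array($v)) {                      // checkbox groups / multi-selects
        foreach ($v as $entry) {
            if (fm_value_is_filled($entry)) return true;
        }
        return false;
    }
    if ($v === null || $v === false) return false;
    return trim((string) $v) !== '';         // "0" is a real answer, "   " is not
}

// Returns the unique names of required fields that are missing or blank.
// Iterating the form definition means a bot that simply leaves a required key
// out of its POST cannot slip past the check, and meta keys never get looked at.
function fm_missing_required(array $items, array $postData) {
    $missing = array();
    foreach ($items as $item) {
        if (!isset($item['unique_name'])) continue;
        if (isset($item['db_type']) && $item['db_type'] === 'NONE') continue;  // not stored (e.g. separators)
        if (empty($item['required'])) continue;
        $name = $item['unique_name'];
        if (!array_key_exists($name, $postData) || !fm_value_is_filled($postData[$name])) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// processPost-style wrapper: false aborts the submission (the convention
// described in the thread); otherwise the data is returned unchanged.
function fm_process_post(array $items, array $postData) {
    $missing = fm_missing_required($items, $postData);
    if (count($missing) > 0) {
        error_log('form-manager: rejected submission, blank required fields: ' . implode(', ', $missing));
        return false;
    }
    return $postData;
}

// Constructed demo data (not from the thread).
$items = array(
    array('unique_name' => 'name',    'db_type' => 'TEXT', 'required' => 1),
    array('unique_name' => 'email',   'db_type' => 'TEXT', 'required' => 1),
    array('unique_name' => 'qty',     'db_type' => 'TEXT', 'required' => 1),
    array('unique_name' => 'sep1',    'db_type' => 'NONE', 'required' => 1),  // separator, never posted
    array('unique_name' => 'comment', 'db_type' => 'TEXT', 'required' => 0),
);
// A bot that posts only a comment, a whitespace name, and no email/qty at all:
$bot   = array('name' => '   ', 'comment' => 'buy now', 'user_ip' => '203.0.113.5');
// A human answering every required field, including qty = "0":
$human = array('name' => 'Ann', 'email' => 'ann@example.com', 'qty' => '0', 'comment' => '');

var_dump(fm_missing_required($items, $bot));
var_dump(fm_process_post($items, $bot) === false);
var_dump(fm_missing_required($items, $human));
```

Dropping this into the plugin would mean calling fm_process_post where the thread's hack returns 'spambot' and letting api.php treat the false return the way it already treats a failed reCAPTCHA.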

    Plugin Author hoffcamp

    (@hoffcamp)

    That looks like it would work. I would have just returned false rather than ‘spambot’, but that’s just the convention I was using.

  • The topic ‘[Plugin: WordPress Form Manager] Help with an additional spam prevention hack’ is closed to new replies.