Stopping Form Spam

[Clark]

Anyone have a handy ASP script that could be used to keep a FrontPage generated
form from being submitted by the spambots unless a particular field is filled
out with "mychosentext" ?

In looking over the form field validation options available in FP2000 , I dont
see one I could use without giving away "mychosentext" in the FP-generated code.

As for that, I'm not sure of the best approach here anyway, because I have a
form where spambots seem to just ignore required selections from a drop-down box
and still succeed in submitting the form.

Thanks

Clark

 

[Murray]

see one I could use without giving away "mychosentext" in the FP-generated

code.

This is not a problem - the bots don't read.... That's how I do my form
here -

http://www.great-web-sights.com/g_quote.asp (look all the way at the bottom
of the form)

 

[Clark]

Yah well that is exactly the kind of thing I had in mind. The thing is though my
form is FP-generated and I am using the form field properties / validation
selections to set the validations which gives me a limited set of web-bot
generated choices.

I dont see any choice of how to force someone to type in "friday" or any other
specific text using those bots. (I know when Tom sees me trying to work around
those miserable bots to do something simple he's going to get on my case again
about learning asp but hey life is too short and I'm retired)

Anyway, I do see a validation rule where I could require them to fill in a field
with a specific number of characters - - that might serve the purpose. The Bots
wont be able to read the instructions on how many characters to be use so it
would be a lucky bot that happened to get it right.

It could work ----

 

[Murray]

You'd have to do that one by hand, I fear....

 

[Andrew Murray]

The FP bot actually does have a validation to check that a field has been
field in with a pre-set string such as the word "Friday". (see that
procedure below).

However here is a simple Javascript that does the same thing - checks for
the "enter the day after Thursday" value;

The Javascript below & form work; note that this only checks for a value of
"Friday" with a capital 'F', not all variances like "FRIDAY" or "friday".

You'd need to modify it to include those variations, else the script
rejects the value entered as not valid.
else you can do (more or less) the same thing with the FP validation bot.

Note reference to "feedback" is the name of the form(if you have more than
one form on the page, you'd need to distiguish between them so the script
doesn't get confused if there's a field with the same name in two forms),
reference to "textbox" is the name of the input type field the script is
checking.

<script language="Javascript">
<!--
function ValidateForm(feedback) {
passcode = feedback.textbox.value;
if (passcode != "Friday")
alert ("\n You have not typed the correct answer")
return false;
}
else return true;
}
-->
</script>


<form name="feedback" onSubmit='ValidateForm(this)'; method="post"
action="/cgi-bin/mail.cgi">
What is the day after Thursday?
<input type="text" name="textbox" value="">
</form>


If you want you could put the script in an external js file and reference it
like <script language="javascript" src="validate.js'>
in the <head> of your code.

The code & form above work! My first Javascript written from scratch!


Otherwise, use the FP validation:

1. Go to the field validation for your form input type text-box
2. Check the "Data Length as "Required"
3. Put the Maximum Length of 7 chars.
4. Under "Data Value" check "Field must be" and choose "Equal to" and then
type in Friday in the "Value" box.

This is the code it produces:

<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" U-File="file:///F:/Documents and
Settings/Andrew Murray/My Documents/My
Webs/murraywebs/_private/form_results.csv" S-Format="TEXT/CSV"
S-Label-Fields="TRUE" -->
<p>
<!--webbot bot="Validation" B-Value-Required="TRUE" I-Minimum-Length="1"
I-Maximum-Length="7" S-Validation-Constraint="Equal to"
S-Validation-Value="friday" -->
<input type="text" name="T1" size="20" maxlength="7">
<input type="submit" value="Submit" name="B1">
<input type="reset" value="Reset" name="B2"></p>
</form>

 

[Ronx]

The easiest way to get round that scenario is to disable JavaScript in
the browser - this is why your required option box selections fail:
no JavaScript == no validation => submit any rubbish.

IMO, the only way to defeat spambots is Server Side validation, which
requires server side scripting.

 

[Clark]

Andrew, thanks for the comments. Regarding the FP bot I was aware of that
particular option, and was making the (maybe bad) assumtion that a BOT could
easily pick up the the Value = "friday" since it is present and visible in the
code.

That's why I was thinking maybe to require a specific length, but then not
specify the validation text, which would mean the spambot would have to
interpret the number of characters needed and then pick something -- not that it
couldnt, but that would be more of a chore for it -- it couldnt just pick off
the Value and get it right --

 

[Clark]

Which gets me back the the original question of an asp solution.

Since in my case, the form is writing to an Access database (whole thing set up
using the Wiz), seems like there could be a code snippet that causes failure to
write to the database unless a certain field contains a prescribed value.

 

[Murray]

Of course this is true. However, the bots that are filling out these forms
are not using a browser to do that, hence no disabled js....

The form is submitted as normal, I believe.

 

[Stefan B Rusynko]

If you have a form field named TestField that they must enter Testword into

<% If Request.Form("TestField") <> "Testword" Then response.redirect "sendtobadpage.asp %>

--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.frontpagemvps.com/FrontPageNewsGroups/tabid/53/Default.aspx
_____________________________________________


| Which gets me back the the original question of an asp solution.
|
| Since in my case, the form is writing to an Access database (whole thing set up
| using the Wiz), seems like there could be a code snippet that causes failure to
| write to the database unless a certain field contains a prescribed value.
|
| >IMO, the only way to defeat spambots is Server Side validation, which
| >requires server side scripting.
|

 

[Clark]

Exactly the kind of solution I was looking for!
Thank you Stefan

 

[Thomas A. Rowe]

Correct, not JavaScript...

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================