How do I block outbound form submitting - html

I have a profile edit page on my website with preset age and country lists so people can choose their age and country.
My problem is a guy made an HTML form that can submit a custom age and country. Does somebody know how to block form submitting from websites that are not on my domain?
I changed my form a few times, but he can find the input names just as simply as I changed them.

The only fail-safe way to prevent a submission of a form with undesirable values is to perform validation on the server side.

I think the referrer (Request.ServerVariables("HTTP_REFERER")) should tell you the page the request came from. As Oleg said, you should additionally validate the returned form data in any case.
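The server-side validation recommended in the answers above, sketched as an added example (not code from the original posts). The field names age and country, the sample country list and the age range are assumptions standing in for the site's preset lists.

```python
# Added example: allowlist validation of the profile form on the server.
# Field names, the country list and the age range are assumptions.
from urllib.parse import parse_qs

ALLOWED_COUNTRIES = {"DE", "FR", "US"}  # constructed sample of the preset list
ALLOWED_AGES = range(13, 100)           # assumed range of the preset age list


def validate_profile(body):
    """Return (clean, errors) for an application/x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    clean, errors = {}, {}

    # A hand-made form can repeat or omit a field; reject both cases
    # instead of silently picking one of the values.
    for name in ("age", "country"):
        if len(fields.get(name, [])) != 1:
            errors[name] = "missing or repeated"

    if "age" not in errors:
        raw = fields["age"][0]
        # Length and ASCII checks keep int() away from oversized or
        # non-ASCII digit strings before the membership test.
        if len(raw) <= 3 and raw.isascii() and raw.isdigit() \
                and int(raw) in ALLOWED_AGES:
            clean["age"] = int(raw)
        else:
            errors["age"] = "not in preset list"

    if "country" not in errors:
        raw = fields["country"][0]
        # Only values the server itself offered in the <select> are accepted.
        if raw in ALLOWED_COUNTRIES:
            clean["country"] = raw
        else:
            errors["country"] = "not in preset list"

    return clean, errors
```

Because the check runs against the server's own lists, it does not matter which page or tool produced the request, and renaming the inputs is unnecessary.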

Related

What does a form tag do behind the scene

If I want to send data back to the server from user input I know I need to use the form tag.
But why do I need the form tag, what does a form tag do behind the scenes?
I've only been in web development for less than a year, so please forgive me if my question is a beginner question.
Edit: I know a form is used to denote a part of the page that is interactive and data between the form tags will be sent back to the server.
So, is the tag, just a tag, is there another piece of technology that takes the data from the page and returns the data to the server?
Edit 2: From comments and more specific web searches, I found out that the form tag is just that. A tag. It defines something on a page and does not do anything. All is okay now.
The form tag validates and with html 5 it means it doesn't call the server immediately. It can do a quick check before it attempts to post. E.g. does the email box look like an email address.
The advantage of this is it reduces costs as you're not unnecessarily calling the server. When the form thinks it looks good it will send the info to the back end.
Get and post messages are sent either getting information (reading) or it might be posting (writing).
I think that's what you're after.

Web Link inserts value into Textarea

Much like the mailto: link you can add ?subject=
I wanted to be able to create a web link which would send you to a webpage that contained a form.
In that Form, I would like the value of the TextArea to contain information Inserted by the contents of the referring Weblink.
Example:
example.com/page-url?textarea=content
Is that possible? If so, can you tell me?
I pay in chocolates.
Thanks for your time and I look forward to any replies.
Plain HTML can't do this by itself. You'll need to use JavaScript or some kind of server-side processing to get the values from the submission.
Forms have two methods - POST, which submits through the headers, and GET, which submits through a querystring. With the querystring it's easier for users to mess with your data, so keep that in mind as you design this. (Not that it's impossible with POST, but it takes a little more work)
Since you're passing to a textarea, make sure you URLEncode your post or things like spaces will cause you a lot of headaches.
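An added example (not from the original posts) of the server-side route described above: the link is percent-encoded when it is built, and the value is HTML-escaped when it is written into the textarea, since anyone can edit the querystring. The base URL, the /submit action and the length cap are assumptions.

```python
# Added example: prefill a textarea from the querystring, encoding on
# both ends. Base URL, form action and MAX_PREFILL are assumptions.
import html
from urllib.parse import parse_qs, quote, urlsplit

MAX_PREFILL = 500  # assumed cap on how much text a link may prefill


def build_prefill_link(base, text):
    """Percent-encode the text so spaces, '&' and '#' survive the URL."""
    return f"{base}?textarea={quote(text, safe='')}"


def render_form(url):
    """Read the textarea parameter and emit the form with it escaped."""
    values = parse_qs(urlsplit(url).query).get("textarea", [""])
    text = values[0][:MAX_PREFILL]
    # html.escape turns <, >, & and quotes into entities, so a value that
    # contains markup is displayed as text instead of closing the textarea.
    return (
        '<form method="post" action="/submit">'
        f'<textarea name="textarea">{html.escape(text)}</textarea>'
        "</form>"
    )
```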

How to add a "subscribe to newsletter" checkbox to existing form?

I've got a basic contact form that asks for email address and a message, which is then emailed to me. I want to add a checkbox after the email input that gives the option to subscribe to a newsletter as well. I can do the form, I can do a newsletter sign up, I'm just not sure how to combine the two. Any ideas?
Edit: To clarify, I'm planning to use a basic html form. I was hoping there'd be some way to combine that with a mailchimp or phplist newsletter signup.
You need an onSubmit() action with a method - generally post, and you'll probably have to use PHP and link it to that page so it knows to go there to process the action =}
In that page is where the clever stuff will happen like subscribe the user.
(Connect to the DB, add the email address to said table/column etc...)
Unfortunately this is not something I can just give you a snippet to insert - it'll have to be completed your side.

Auto-populate form via URL, then submit?

I have working the auto population of this form: http://getpocket.com/save
I'm using it rather than the API so that it works when users are logged into Pocket on the same browser as my website.
However, it's not a good user experience to then have to click 'save', so how can I "automate" that?
I won't show my code, because it essentially is just to generate a link of the form:
http://getpocket.com/save/?title=thetitle&url=encodedurl
It populates the form fine, but how can I submit? I tried appending &save and &submit and then each of those =True, in vain. Is the issue that the save button doesn't have a name= field, which is what's used to hook into the title and URL fields?
EDIT: Just to be clear, I didn't have any malicious intentions, only to save articles to read later on click of a button.
If I find the time I'll have a look at the API.
Luckily this is impossible (on Pocket and most sites) due to cross-site request forgery protection to prevent exactly what you are trying to do.
A token is set in the form and together with session information for the user on pocket (or any other site that uses csrf token protection) it will need to form some sort of secret hash. When the 'save' form is submitted the combination of these strings will be checked and normally new strings will be set. Because there is (practically) no chance that you will be able to predict the token from the form itself and have no real way of manipulating the session hash, you are out of luck. And we are all very happy for that :).
Otherwise you could make links on other sites that would delete your whole database when you happen to click on them, etc.
In short: You can't.
On any form without csrf protection you'd have to target not the url of the page with the form, but the 'action' of the form. You can see this action by inspecting the form with your browser's DOM inspector. But, as I said, csrf protection will prevent this from working most of the time.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
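The token check described in the answer above, as an added example (not Pocket's code and not from the original posts). It uses one common construction, an HMAC over the session identifier and a random nonce; the names SERVER_KEY, csrf_token and handle_save are assumptions.

```python
# Added example: a CSRF token bound to the user's session with an HMAC.
# SERVER_KEY, the csrf_token field name and handle_save are assumptions.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # secret known only to the server


def _mac(session_id, nonce):
    msg = f"{nonce}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id):
    """Value for the hidden form field: random nonce plus its MAC."""
    nonce = secrets.token_hex(16)  # 32 hex characters, fresh per form
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id, token):
    """True only if the token was issued by this server for this session."""
    if not isinstance(token, str) or not token.isascii():
        return False
    if token.count(".") != 1:
        return False
    nonce, sent_mac = token.split(".")
    if len(nonce) != 32:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(_mac(session_id, nonce), sent_mac)


def handle_save(session_id, form):
    """Return an HTTP status for a submitted 'save' form (a dict of fields)."""
    if not verify_token(session_id, form.get("csrf_token", "")):
        return 403  # request did not originate from a form this site rendered
    return 200
```

A request built only from the title and url parameters carries no valid token for the victim's session, so handle_save answers 403 regardless of how the request was triggered.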

How should i get an email when i submit the request form / submit form through html

I am working on a submit form in my html page. When I click the submit button, I should get mail in my inbox.
So what are all the procedures I need to follow to get the output?
You need to use a server side language like PHP / ASP.NET etc. Then:
User submits form.
Retrieve the submitted information.
Send an email using the email functionality specific to the language you decide to use.
You haven't given much so this is only an outline of what you need to do to get going. You can use Google for the various areas you need to implement.
Instead of using any server, are there any plugins which can be useful to get my output? – Bharadwaj
I think this might do the job for you http://www.emailmeform.com/
I've never used it, but it looks like a website that hosts the form for you and emails you the results. You'd just put the form html on your page and let them do the rest.
Hope that helps.