
PHP & XHTML question

kade119 28 Dec, 2007
1.) Do I need to insert the post action file code, or is that not necessary?

2.) Where do the files go when using the upload action? How do I access them?

3.) I see validation is already integrated; is it good to have other PHP validation?
Max_admin 28 Dec, 2007
Hi Kade,

#1 - There is no need to do this unless you need to post to a page other than your website's ChronoForms page (for example, a payment gateway).

#2 - components/com_chronocontact/upload/

#3 - This is a good idea, but it will need some preparation in your code to get the user data written back; if you don't care about this issue then this is easy to achieve!

Cheers

Max

Post edited by: GreyHead, at: 2007/12/29 19:06
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
jvince 08 Jan, 2008
I am also in favour of server-side validation instead of using client-side JavaScript.

http://www.sitepoint.com/article/javascript-just-not-validation

Strictly speaking JavaScript validation isn't validation -- it's input assistance. Anyone can bypass JavaScript; it's an aid, not a gate.



And here is a good and brief description of the objectives when producing a form:

http://simonwillison.net/2003/Jun/17/theHolyGrail/

Let’s talk about form validation. Here’s what I would class as the ideal validation system for a form in a web application:

The form is displayed; you fill it in.
You submit the form to the server.
If you missed something out or provided invalid input, the form is redisplayed pre-filled with the valid data you already entered.
The redisplayed form tells you what you got wrong. It also flags the fields that were incorrect.
Loop until you fill the form in correctly.



Now all I need to do is to find out how ChronoEngine can help us to achieve all the above.🙂

Hopefully, I'll find all the answers within the following:
http://www.chronoengine.com/component/option,com_fireboard/Itemid,37/func,view/id,2691/catid,5/
http://www.chronoengine.com/component/option,com_easyfaq/task,cat/catid,17/Itemid,38/

Best wishes,

- Vince
GreyHead 08 Jan, 2008
Hi Vince,

The validation that is built into ChronoForms is client-side JavaScript input assistance as you describe here, and that is what most people want.

ChronoForms will support server-side validation, but you have to provide the code to do the validation. Probably the best place to enter it is in the 'OnSubmit before email' box - at that point the submitted data is available to you in the $_POST[] array.

You can process it in whatever way you like and, if there is an error, redisplay the form using showform() - the validation code syntax will show you how to do this. To redisplay the data you need to preset the values in your form to be taken from $_POST[].

Hope this helps.

Bob
jvince 08 Jan, 2008
Thanks Bob.
In the meantime, I wanted to add some PHP to protect my form from hackers, but I am getting the following error:

Fatal error: Call to undefined function: logbadrequest() in /htdocs/domainname/components/com_chronocontact/chronocontact.php(390) : eval()'d code on line 29

Here is the code I inserted into the 'OnSubmit before email' box:

http://www.alt-php-faq.org/local/115/
<?php
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT'])){
   die("Forbidden - You are not authorized to view this page");
}

// Make sure the form was indeed POST'ed:
//  (requires your html form to use: method="post")
//  Note: the comparison must be on the right of the operator;
//  "!$_SERVER[...] == 'POST'" would negate the string first and never match.
if($_SERVER['REQUEST_METHOD'] != "POST"){
   die("Forbidden - You are not authorized to view this page");
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = array("domain.com", "domain2.com", "domain3.com");

// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));

// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray['host'], "www.");

// Make sure the form was posted from an approved host name
// (strip a leading "www." before comparing against $authHosts).
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){
   logBadRequest();
   header("HTTP/1.0 403 Forbidden");
   exit;
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                    "MIME-Version:",
                    "Content-Transfer-Encoding:",
                    "bcc:",
                    "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
   foreach($badStrings as $v2){
       if(strpos($v, $v2) !== false){
           logBadRequest();
           header("HTTP/1.0 403 Forbidden");
           exit;
       }
   }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);
?>
Any ideas?

Many thanks,

- Vince

Post edited by: GreyHead, at: 2008/01/08 15:40
GreyHead 08 Jan, 2008
Hi Vince,

You seem to have taken this code from somewhere like this but it's incomplete. The code calls the function logBadRequest() three times but it isn't defined. That's why it's failing.

I believe that some of these checks are made for you by Joomla so this code is probably unnecessary unless you are experiencing particular spam problems.

If there is a problem then I'd suggest that you install sh404SEF which has extensive security configuration.

Bob

Post edited by: GreyHead, at: 2008/01/08 16:00
jvince 08 Jan, 2008
Indeed, got the actual code from here:
http://www.alt-php-faq.org/local/115/
Corrected version here in case anyone is interested:
http://www.alt-php-faq.org/local/115/

Back to my attempts to use PHP for validation, here is a simpler task I want to achieve.
Our forms have a 'comments' field, and on our current static site we needed to protect from spammers adding a ton of Website links in there (p0rn or Vi4gra related).

The following is the code that eventually stopped them:

<?php
// Reject a comment containing an http:// link
// (eregi is a case-insensitive POSIX regex match)
if (eregi('http://*.', $comments))
die ("Sorry, no links allowed");

// Reject a comment containing a www. address
if (eregi('www*.', $comments))
die ("Sorry, no links allowed");
?>

How do we translate this code to work within a ChronoForm?

best wishes,

- Vince
GreyHead 08 Jan, 2008
Hi Vince,

I ran down a version of the missing function:
function logBadRequest() {
   // Alert the site admin of a suspected spam bot, giving its IP address
   @mail($admin, "Spammer Bot Attempt", $_SERVER['REMOTE_ADDR'], "From: Alert <alert@$domain>\r\n");
}
You'd need to ensure that the variables $admin, $domain, etc. are defined or replaced with their Joomla equivalents.

The eregi codes can be put into the 'OnSubmit before email' box; I think that either die or continue will work OK there, but you may need to experiment. Or, given that it's probably a spammer, you might just redirect to the 404 page.

Bob

PS Searching on Google it seems like most versions of that script fail because of the missing function😉

Post edited by: GreyHead, at: 2008/01/08 16:45
jvince 10 Jan, 2008
Hi Bob,
I've tried the eregi codes in the 'OnSubmit before email' box, but nothing happens - users are still able to include URLs in our 'Comments' field.

I was going to use the included JavaScript validation for this field - allow only alphanumeric - but no good, as this function currently also blocks any spaces.😟

Any other suggestions welcome.
Thanks,

- Vince
GreyHead 10 Jan, 2008
Hi Vince,

What did you actually put in the 'OnSubmit before' box? Did you replace '$comments' with the $_POST['fieldname'] equivalent?

Bob
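Putting Bob's point about $_POST['fieldname'] together with Vince's link check and the header-injection test from the earlier script, here is an added example (not ChronoForms' own code) of server-side validation for the 'OnSubmit before email' box. It assumes PHP 7 or later and fields named 'name' and 'comments', and it uses preg_match in place of the eregi calls, which later PHP versions removed.

```php
<?php
// Added example, not ChronoForms' own code: server-side checks for the
// 'OnSubmit before email' box, combining the thread's eregi link test and
// its header-injection test, written against $_POST by field name.
// Assumed field names: 'name' (copied into a mail header) and 'comments'.

// Returns field => error message; an empty array means the submission
// passed and may go on to the email step.
function validate_chronoform_post(array $post, string $method): array
{
    $errors = [];
    // A form submission arrives by POST; anything else is not one.
    if ($method !== 'POST') {
        return ['_request' => 'Forbidden: form must be submitted with POST'];
    }
    // Required field; whitespace-only input counts as missing.
    if (trim($post['name'] ?? '') === '') {
        $errors['name'] = 'Please enter your name';
    }
    // Link check: preg_match stands in for eregi, which PHP 7 removed.
    // Matches http://, https:// or a bare www. anywhere, case-insensitive.
    if (preg_match('~(https?://|\bwww\.)~i', $post['comments'] ?? '')) {
        $errors['comments'] = 'Sorry, no links allowed';
    }
    // Header injection: a value copied into a mail header must not contain
    // line breaks, or extra headers (bcc: etc.) can be appended through it.
    if (preg_match('/[\r\n]/', $post['name'] ?? '')) {
        $errors['name'] = 'Line breaks are not allowed here';
    }
    // The header-name test from the earlier script, applied to every field.
    $badStrings = ['content-type:', 'mime-version:', 'content-transfer-encoding:', 'bcc:', 'cc:'];
    foreach ($post as $field => $value) {
        foreach ($badStrings as $bad) {
            if (is_string($value) && stripos($value, $bad) !== false) {
                $errors[$field] = 'Invalid content in field';
            }
        }
    }
    return $errors;
}

// Constructed sample submissions; run this file from the command line.
$spam  = ['name' => "Bob\r\ncc: other@example.test", 'comments' => 'Visit WWW.example.test now'];
$clean = ['name' => 'Vince', 'comments' => 'Nice site, thanks.'];
print_r(validate_chronoform_post($spam, 'POST'));
print_r(validate_chronoform_post($clean, 'POST'));
```

In the ChronoForms box you would call it with $_POST and $_SERVER['REQUEST_METHOD'] and, if the returned array is not empty, redisplay the form as Bob describes, presetting each field's value from $_POST so the visitor does not retype the valid entries.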