Here's what you need to do
How to use WebForm Defender:
| Example 1 "Pre-Validation" | Example 2 "Post-Validation" |
A typical "contact us" form might look like this:
But... How can that be abused? Doesn't it take a person to click on it?
Unfortunately (in this case), no. A person does not actually have to bring a real mouse to the submit button and physically click it. Software can "simulate" a mouse click, very easily. There are good reasons for allowing this capability, but it also opens a door for the less scrupulous among us.
As most folks who run websites know, this sort of form begs for abuse. You will receive emails that are not what you had in mind. Offers for better mortgages and improvements to your love life. Not what the typical webmaster has time to shuffle through while looking for the legitimate emails from the visitors to his site. Sometimes you may end up with 20 spam emails for every legitimate one. Sometimes far worse. Once the "bots" become aware of an unprotected email form, it is open to any and all attackers. (Yes, hackers sell lists to each other.)
So how can you prevent that? Lets look at the form again, with WebForm Defender added to it.
If software can click the submit button, can't it fill in the security phrase, too?
This is precisely what CAPTCHA is all about. Finding a method to separate the human from the bot. At this time sofware has a difficult time understanding images like that. So, yes, attacking malware can fill in the text box, but it has to first "read" the image to do so correctly, and that's more than a little tough for malware to do.
What were the actual changes to the form?
If the "code" for the first form looks like this (simplified):
<form method="post" action="send_email.php" id="TheForm">
<div style="text-align:center;font-size:large;color:blue">Send Us A Message!</div><br/>
<table>
<div style="text-align:center"><input type="submit" value="Send" id="submit1" /></div>
</form>
<table>
<tr><td>Your Name:</td><td><input type="text" /></td></tr>
<tr><td>Your email:</td><td><input type="text" /></td></tr>
<tr><td style="vertical-align:top">Your Message:</td><td><textarea ></textarea></td></tr>
</table><tr><td>Your email:</td><td><input type="text" /></td></tr>
<tr><td style="vertical-align:top">Your Message:</td><td><textarea ></textarea></td></tr>
<div style="text-align:center"><input type="submit" value="Send" id="submit1" /></div>
Then the second form would look like this (changes highlighted):
<?php require_once('webdefender.ini.php'); // include as very first line of the page ?>
...
<form method="post" action="send_email.php" id="TheForm" onsubmit="return wdefValidateSubmit()">
...
<form method="post" action="send_email.php" id="TheForm" onsubmit="return wdefValidateSubmit()">
<div style="text-align:center;font-size:large;color:blue">Send Us A Message!</div><br/>
<table>
<?php InsertDefenderForm(); ?>
<div style="text-align:center"><input type="submit" value="Send" id="submit1" /></div>
</form>
<table>
<tr><td>Your Name:</td><td><input type="text" /></td></tr>
<tr><td>Your email:</td><td><input type="text" /></td></tr>
<tr><td style="vertical-align:top">Your Message:</td><td><textarea ></textarea></td></tr>
</table><tr><td>Your email:</td><td><input type="text" /></td></tr>
<tr><td style="vertical-align:top">Your Message:</td><td><textarea ></textarea></td></tr>
<?php InsertDefenderForm(); ?>
<div style="text-align:center"><input type="submit" value="Send" id="submit1" /></div>
At it's simplest, that is it. WebForm Defender is now going to make it tougher for spam and other abusive attacks to get
through on this "contact us" form. There are other ways that WebForm Defender can be setup, more "sophisticated" ways or
ways that might be more secure (opinions vary -- that's why we've included them as options).
The above example uses what we call Pre-Validation of the CAPTCHA challenge. That is, the CAPTCHA is confirmed before the form is allowed to submit. We also support Post-Validation, where the challenge would be confirmed after the form has been submitted. In this second case, you have the option how a "failure" is handled: return directly to the submission form, or present a "your security phrase did not match" page with a "try again" link on it first, or (in the Pro Version) your own handling, whatever that might be.
Post-Validation would be typical for how most folks setup their web forms: where the submit button links to another web page whose purpose it is to process the data just entered. WebForm Defender is comfortable either way. The only difference really is that you have to modify two web pages instead of just one. Post-Validation does give you more options, though.
With Post-Validation, WebForm Defender Pro Version (available soon) will also allow you to lock-out the visitor after a set number of failures, for a specified amount of time: 10 minutes to forever... (locking some one out forever is NOT recommended, however - an hour or a day would be more typical).
The above example uses what we call Pre-Validation of the CAPTCHA challenge. That is, the CAPTCHA is confirmed before the form is allowed to submit. We also support Post-Validation, where the challenge would be confirmed after the form has been submitted. In this second case, you have the option how a "failure" is handled: return directly to the submission form, or present a "your security phrase did not match" page with a "try again" link on it first, or (in the Pro Version) your own handling, whatever that might be.
Post-Validation would be typical for how most folks setup their web forms: where the submit button links to another web page whose purpose it is to process the data just entered. WebForm Defender is comfortable either way. The only difference really is that you have to modify two web pages instead of just one. Post-Validation does give you more options, though.
With Post-Validation, WebForm Defender Pro Version (available soon) will also allow you to lock-out the visitor after a set number of failures, for a specified amount of time: 10 minutes to forever... (locking some one out forever is NOT recommended, however - an hour or a day would be more typical).
| Example 1 | Example 2 |
