Monday, 1 December 2014

Weird characters from contact page [closed]



We've just recreated a contact form on an HTML webpage. We've implemented Google reCaptcha to prevent bots and spammers from abusing the form.


We've received some feedback from our client, saying they receive a lot of mails with the following content:



Language: French
Name: cmRDCjlVlGjMOQxWcAB
Street + nr: nXlomEXzzHz
Town: EDMkWfRUIFD
Tel: UaRrOnVFboDiWeBIAI
Message: HghmAy fsyobphashrh,
[url=http://ift.tt/1xX8PO2],
[link=http://ift.tt/1xX8Otq],
http://ift.tt/1rnZSGa


We've also had instances where nothing was entered, except for the language (which is a static feature, depending on what page they fill in the form). This is weird, as at least 2 input fields have the required attribute.


My questions:



  1. Can they work around reCaptcha (possibly with some sort of injection)?

  2. Same as above, but for 'required' attribute in HTML?


Edit


I'll try to explain in more detail. The CAPTCHA system is the only check for form input. As you can see in the example above, it's a simple contact form. When pressing submit, I'm first validating some fields that are tagged required (Name and email) + validate the format of the email address. After that, the CAPTCHA input is validated. When that input is approved, it forwards from my contact.html file to thankyou.php. On that file, it strips the content from the controls and emails that to the mail address set in a variable on that page. That user then sees a message thanking them.


Our problem is weird input (see example) or sometimes no input (which would be impossible because of the required tags on some fields).


What I'm asking is if there's anyone who sees a flaw in the design, recognizes this problem and can suggest steps to take to prevent the behavior described above.
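
In the flow described in the edit, the required-field and CAPTCHA checks run in contact.html before the forward to thankyou.php, so they are not enforced for any request that reaches thankyou.php without passing through that page. As an added example (not the poster's code), one way to repeat both checks server-side at the top of thankyou.php; the field names `name` and `email`, the reCAPTCHA v2 token field `g-recaptcha-response` and the secret placeholder are assumptions.

```php
<?php
// Added example: server-side checks for the top of thankyou.php.
// Field names, the v2 token field and the secret are assumptions/placeholders.
const RECAPTCHA_SECRET = 'REPLACE_WITH_SECRET_KEY';

// Re-check the "required" fields; the HTML attribute only binds browsers.
function validate_fields(array $post): array
{
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    $errors = [];
    if ($get('name') === '') {
        $errors[] = 'name is required';
    }
    if (filter_var($get('email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is missing or malformed';
    }
    return $errors;
}

// Ask Google whether the token is genuine; any failure counts as "no".
function verify_captcha(string $token, string $remoteIp): bool
{
    if ($token === '') {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => RECAPTCHA_SECRET,
                                       'response' => $token, 'remoteip' => $remoteIp]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $json = $body === false ? null : json_decode($body, true);
    return is_array($json) && ($json['success'] ?? false) === true;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: an empty submission and a well-formed one.
    var_dump(validate_fields([]));
    var_dump(validate_fields(['name' => 'Test', 'email' => 'test@example.com']));
} else {
    $token = is_string($_POST['g-recaptcha-response'] ?? null) ? $_POST['g-recaptcha-response'] : '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || validate_fields($_POST)
        || !verify_captcha($token, $_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(400);
        exit('Submission rejected.');
    }
    // Only past this point: build and send the email.
}
```

Fetching the verification URL with `file_get_contents` needs `allow_url_fopen` and the openssl extension enabled; cURL works equally well.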




