Beautiful Gabe and works perfectly!!

(just edit your "change this" "into this" bit with the last bit of form submit html..it's a bit out of synch

Great job!!

i have been thinking about this and i realise how possibly useless it is.

since the url to the cgi-bin is still in the form.

can anyone elaborate on how this can be modified?

i need someone to hack into the perl, the requirement of a form element known as 'uword'.

this means that it woll only go if the browser loaded the captcha element using javascript.

this is secure.

someone hack the perl? i really have very little perl skillz.

also, this is the chap that wrote it originally: http://www.archreality.com/

only a few modifications to the original archive were required to make it work with actinic. those are in the zip on the Interact server.

clever feller.

fair point, I'd be interested to know how many people browse with javascript disabled though.

Still, it's a quick and simple mod for the majority, IYSWIM

It's only on a test (well, WIP) site for me so doesn't matter about the limitations for now.

Gabe your a star

You know i have been battling this, unfortunately php sendmail is not on my server so i cant use one of the options i had, i managed to get it to work ok on another site hosted elsewhere but you solutions is simpler

no end to your talents

Thanks
D

Without tweaking the Perl (which would need redone every time Actinic updates turned up).
Replace with
and within the JavaScript function jcap() add (maybe after the CAPTCHA has done its stuff) i.e. just before the return true; What we've done is used a corrupted URL for the submit action and it only gets repaired if the CAPTCH runs OK.

Gabe

Ermm problem, i tested it without a code and it still sent the email ? test area http://rawair.co.uk/cgi-bin/mf900002.pl?ACTION=SHOWFORM

D

pmsl
he's right, you know

Darren,

We'll need a non-cgi URL to follow. Yours won't work if we start from the Forum.

hmmm..it's not working for me anyway! even from the test site which is

http :// rawair.co.uk/acatalog/ test/ acatalog/

Hmmm - that will be the test site indexed then

oops...ok..I'll edit if you do

Hmmm ok all

not sure it does this, sometimes it shows ok sometimes not?

the contact us page can be found using the contactus link at the top of the page,
as for index i do have the test area listed in my robots file, mind i know that not all spiders follow these rules, but google never index's the test area so thats one thing, thanks though malc

D

the problem here isnt actually with any form of turing test type image.

what it actually needs is a unique token, passed into the perl, that can only be gleaned from using the web form sucessfully.

attacks from spammers happen when they scan your form for fields, then use those fields to post to your cgi-bin.

there are a number of secure solutions, and usually, they need to be employed together.

1- captcha. This one is required only to show that the form was submitted by a human. it does NOT mean that someone diddnt hijack the cgi-url directly, and bypass the form. Thats what norms hack does. and a clever one it is, especially the javascript addon.

2- unique token. In php applications, you'd set a session, as the from loads. a unique one, for the user. Then when the data is passed to the mailer script, the presence of a session is checked. If its not there, that means that they diddnt use the form. no game. This javascript example doesnt do that, but again, a perl hack would fix that.

3- modulating obfuscation. Making your form inputs different every time they are loaded is a sure fire way to ensure that you cannot pass values that diddnt some from a form. use javascript on the form side and your server language on the send side. I use the users ip address, and the date, in a nice string, with an md5 string at the end, representing the forms real name. complex but effective.

Really, your only goal is to ensure that the user used the form.

perhaps block all external uses of the cgi-bin with htaccess too?