Getting through captcha

Post Reply

Page 12 >

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
freakyfred Members Profile Find Members Posts Groupie Joined: 29 March 2007 Location: United Kingdom Status: Offline Points: 171	Post Options Post Reply Quote freakyfred Report Post Thanks(0) Quote Reply Topic: Getting through captcha Posted: 11 October 2009 at 6:48pm
	Edited by freakyfred - 04 December 2009 at 2:27pm

freakyfred Members Profile Find Members Posts Groupie Joined: 29 March 2007 Location: United Kingdom Status: Offline Points: 171	Post Options Post Reply Quote freakyfred Report Post Thanks(0) Quote Reply Posted: 11 October 2009 at 6:55pm
	I'm using this line fo code elseIf Request("CAPTCHA_Postback") AND blnCAPTCHAcodeCorrect = False Then response.write("The Captcha code is incorrect") elseif execute email code here surely the it should trip on that before it reaches the emailing bit?

123Simples Members Profile Find Members Posts Senior Member Joined: 08 July 2007 Location: United Kingdom Status: Offline Points: 1192	Post Options Post Reply Quote 123Simples Report Post Thanks(0) Quote Reply Posted: 11 October 2009 at 7:01pm
	I'm not sure freakyfred but I know Scotty32 and Bruce will have a better answer, but I'm guessing it should say: If Request("CAPTCHA_Postback") AND blnCAPTCHAcodeCorrect = False Then response.write("The Captcha code is incorrect") else execute email code here end if
	Visit 123 Simples Web Design

123Simples Members Profile Find Members Posts Senior Member Joined: 08 July 2007 Location: United Kingdom Status: Offline Points: 1192	Post Options Post Reply Quote 123Simples Report Post Thanks(0) Quote Reply Posted: 11 October 2009 at 7:02pm
	Also, try using Javascript on your form to help cut down on automated submissions
	Visit 123 Simples Web Design

freakyfred Members Profile Find Members Posts Groupie Joined: 29 March 2007 Location: United Kingdom Status: Offline Points: 171	Post Options Post Reply Quote freakyfred Report Post Thanks(0) Quote Reply Posted: 11 October 2009 at 8:01pm
	Edited by freakyfred - 04 December 2009 at 2:27pm

WebWiz-Bruce Members Profile Find Members Posts Admin Group Web Wiz Developer Joined: 03 September 2001 Location: Bournemouth Status: Offline Points: 9844	Post Options Post Reply Quote WebWiz-Bruce Report Post Thanks(0) Quote Reply Posted: 12 October 2009 at 11:10am
	Are you using CDOSYS to send the email? If so you need to parse the data submitted. For example you can include 100's of email address separated by a semicolon in the subject line CSDOSYS will send the email to each of these email addresses. You can prevent this by parsing the data submitted for the subject line shortening the length to say 100 characters and removing any semicolons (;) Using JavaScript to validate the form, or using the size of a textbox will not work as these are both client side and can easily be changed by turning off javascript in the browser and using a browser plugin to modify the form input fields.
	Web Wiz Forums Hosting ASP.NET Web Hosting

freakyfred Members Profile Find Members Posts Groupie Joined: 29 March 2007 Location: United Kingdom Status: Offline Points: 171	Post Options Post Reply Quote freakyfred Report Post Thanks(0) Quote Reply Posted: 12 October 2009 at 11:33am
	Edited by freakyfred - 04 December 2009 at 2:27pm

WebWiz-Bruce Members Profile Find Members Posts Admin Group Web Wiz Developer Joined: 03 September 2001 Location: Bournemouth Status: Offline Points: 9844	Post Options Post Reply Quote WebWiz-Bruce Report Post Thanks(0) Quote Reply Posted: 12 October 2009 at 12:23pm
	Unless you have modified the CAPTCHA code they would only be able to submit the once before having to generate a new CAPTCHA code and entering it to be able to submit again. It could well be that they are only submitting once to send the email 100's of times. I can see from your code that you are not parsing the user input and only using Request to get the data. This is very dangerous as the data can be submitted using either GET or POST, also you are not parsing it to remove any malicious code. The person submitting the malicious code could easily send a request to the server that contained 100's of email address. Most mail servers, if they receive a list of email addresses separated by a semicolon will send that email to ALL those email addresses in the list. You should rewrite your code to only allow submissions using POST from a form. You should then also parse the data to remove any malicious code such as semicolons from the email_to field and also any tags < and > from all the fields submitted. This is the very lease you should do to remove any malicious code as there are lots of different hacking techniques to get mail servers to relay on 1000's of emails just from a single form submission. Edited by WebWiz-Bruce - 12 October 2009 at 12:27pm
	Web Wiz Forums Hosting ASP.NET Web Hosting

Post Reply	Page 12 >

Forum Jump

Forum Permissions View Drop Down

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum