"Injecting" forms with Ajax

There was a recent discussion on the main list about securing forms
from bots. One of the tricks used on the FreewayTalk site is to inject
the forms into the page using Ajax. Since a lot of bots go looking for
registration forms using basic Web crawler technology, and those bots
don’t usually evaluate JavaScript, this provides a neat barrier to
automated entry. It’s pretty simple to do in a basic way, and if you
want to also use the technique to have forms that submit without a
page refresh, that can be added later.

Install the Protaculous Action, if you haven’t already. <http://freewaypro.com/actions/downloads/>

Make a form, and an associated handler for it. This form can be made
in Freeway, but you will need to “cut down” the resulting page using
the PHP Make Insert Page Action or similar, because you want to end up
with just the form itself, with no HTML HEAD BODY tag sandwich around
it. You will be inserting this form into another page in your site
using JavaScript. Be sure that your form submits either directly to
its handler, or to the page you will be inserting the form into –
don’t have it submit to itself.

Now, on the page where you want the form to appear, draw a simple HTML
box where the form should go. Set the name of this box to something
memorable, like formGoesHere.

Apply the Protaculous Action to the page, and then click on the top
Function Body button and enter the following (adjusted for YOUR naming):

new Ajax.Updater('formGoesHere',
	'yourFormPage.html',
	{'method':'get'}
);

Now preview the page in a browser. If all goes well, you should see
your form appear within the page as if it was part of it all along.

A crawler will never see this code, and your users will never know the
difference, unless they have disabled JavaScript.

Walter


dynamo mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi Walter

I gave this a go and had success but not until I included the (temp) styles that I had used on the form page in the injected page. Probably worth noting that if you styled the form using permanent styles this wouldn’t be an issue.

Another question: What is to stop the bots from finding the stripped down form page on the server and using that?

David



What’s stopping them is this:

function isAjax() {
return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && 
	($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}

Put that at the top of your form page, inside a php block, and then use this bit to call it:

if(!isAjax()) header('Location: theContainerPage.html');

Since that’s all in PHP, not JavaScript, they will never see it and have to deduce what sort of hoop they need to jump through. It won’t stop a truly dedicated hacker, but it will keep most out.

Walter



Hi Walter,
I followed your instructions, but when I click on the Function Body button this alert appears:
“Could not complete your request because memoria insufficiente [insufficient memory] (-108:379:2328)”.

I work with an Intel iMac with 3 GB RAM and Mac OS X 10.5.2.

What’s wrong?

Thanks in advance

Umberto



I forgot: I am using FWPro 5.1.1

Umberto



That’s a first for me. Contact support [at] softpress.com. I am sure they will also want a copy of the file in question.

I have never once in my 11 years of using Freeway seen an out of memory error.

Walter



Many thanks Walter,

I just contacted support[at]softpress.com and am waiting for their response.

Umberto



I am a newbie trying to hide my form, I understand all except:

you will need to “cut down” the resulting page using
the PHP Make Insert Page Action or similar

What action is this? Or how to do this?

Any help really appreciated.



The PHP Make Insert Page Action can be found here:

http://softpress.com/kb/article.php?id=352

Applied to the form page you created it strips out the html headers etc so that when that page (the form page) is included by the Ajax injection you do not have a doubling up of the html headers in the resultant page.

David



Thanks David,

I am running into a problem now.
If I look at my site in browser preview it works OK, but when uploaded it comes up as “Not Found” in Safari and Firefox.

See: http://olympiawindows.com/fw5/quoterequest.html

Any ideas?

Thanks in advance
FW5Pro 5.1.1



The original js example works fine for me but has anyone been able to get this PHP version to work?

Todd

On May 22, 2008, at 8:25 PM, waltd wrote:

What’s stopping them is this:

function isAjax() {
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}

Put that at the top of your form page, inside a php block, and then use this bit to call it:

if(!isAjax()) header('Location: theContainerPage.html');

Since that’s all in PHP, not JavaScript, they will never see it and have to deduce what sort of hoop they need to jump through. It won’t stop a truly dedicated hacker, but it will keep most out.

Just make sure everything is inside a PHP code block, and is the VERY FIRST THING in the code. So that means that you must put it in the Before HTML part of the Page HTML Markup dialog.

<?php
function isAjax(){
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}
if(!isAjax()) {
    header('Location: yourContainerPage.html');
    exit;
}
?>

That construction is working for me here, in multiple sites.

Walter


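An added example, not code from the thread, from Freeway or from the Protaculous Action, that models the whole technique from the two posts above in plain JavaScript (Node) so it can be checked offline: the cut-down fragment page, Walter’s isAjax() gate, and the Ajax caller. The fragment path, the container page name and the form markup are assumptions, and the HTTP round trip is modelled as function calls rather than real requests. Prototype, which Protaculous wraps, sends X-Requested-With: XMLHttpRequest on every Ajax request it makes; that header is the only thing the PHP gate looks at, so the example also shows the caveat Walter gives: any client that sends that header gets the fragment, whether or not it is the page. The path check reproduces the case-sensitive file name problem that comes up later in the thread.

```javascript
// Added example (not code from the thread or from Freeway/Protaculous).
// Models both halves of the technique: the page injects a cut-down form
// fragment over Ajax, and the fragment page only answers XHR callers.
// FRAGMENT_PATH, CONTAINER_PAGE and the form markup are assumptions.

const FRAGMENT_PATH = '/_quoterequest2.html'; // hypothetical cut-down form page
const CONTAINER_PAGE = '/quoterequest.html';  // hypothetical page that injects it

// Constructed fragment: what the form page looks like after the
// "PHP Make Insert Page" step, i.e. no <html>/<head>/<body> wrapper.
const FORM_FRAGMENT = [
  '<form method="post" action="handler.php">',
  '  <input type="email" name="email">',
  '  <button type="submit">Send</button>',
  '</form>',
].join('\n');

// Server side: the same test as Walter's isAjax() in PHP. `headers` is a
// plain object keyed by lower-cased header name, as Node's http module
// exposes request headers.
function isAjax(headers) {
  return (headers['x-requested-with'] || '') === 'XMLHttpRequest';
}

// Equivalent of the header('Location: ...'); exit; block: a request for a
// wrongly-cased path is a 404 (the server's file system is case-sensitive),
// non-XHR callers get a redirect and never see the form markup, and XHR
// callers get the fragment.
function serveFragment(path, headers) {
  if (path !== FRAGMENT_PATH) {
    return { status: 404, headers: {}, body: '' };
  }
  if (!isAjax(headers)) {
    return { status: 302, headers: { location: CONTAINER_PAGE }, body: '' };
  }
  return { status: 200, headers: { 'content-type': 'text/html' }, body: FORM_FRAGMENT };
}

// Client side. Prototype's Ajax.Updater adds X-Requested-With: XMLHttpRequest
// to every request it makes, which is why the PHP gate lets the page through.
// With a bare XMLHttpRequest or fetch() you must add the header yourself.
function ajaxRequestHeaders() {
  return { 'x-requested-with': 'XMLHttpRequest' };
}

// What Ajax.Updater does with a successful response: replace the contents of
// the container element. `container` is any object with an innerHTML
// property (in a browser, document.getElementById('formGoesHere')).
function injectForm(container, response) {
  if (response.status !== 200) return false;
  container.innerHTML = response.body;
  return true;
}

// Three callers hitting the same fragment URL.
function demo() {
  const page = { innerHTML: '' };
  const results = {};

  // 1. The container page, via Ajax: header present, fragment injected.
  results.xhr = serveFragment(FRAGMENT_PATH, ajaxRequestHeaders());
  results.injected = injectForm(page, results.xhr);
  results.pageHasForm = page.innerHTML.includes('<form');

  // 2. A basic crawler that found the fragment URL: no header, redirected.
  results.crawler = serveFragment(FRAGMENT_PATH, { 'user-agent': 'ExampleBot/1.0' });

  // 3. The caveat from the thread: a bot that has read the page's JavaScript
  //    just sends the header itself and is indistinguishable from the page.
  results.spoofed = serveFragment(FRAGMENT_PATH, {
    'user-agent': 'curl/8.0',
    ...ajaxRequestHeaders(),
  });

  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and compare the three results: the header check keeps out clients that never evaluate JavaScript, which is exactly what the thread claims for it, and nothing more. Whatever the form handler does with a submission (the recipient address, the redirect target, the body) still has to be validated on the server, because the spoofed caller reaches it just as easily as the page does.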

I had the IF statement inside the first set of curly brackets. It
works now.

As it applies to spam bots and not an actual person doing evil
things, this technique would negate the need for a captcha, wouldn’t it?

Thanks,

Todd

On May 25, 2008, at 12:48 PM, waltd wrote:

Just make sure everything is inside a PHP code block, and is the
VERY FIRST THING in the code. So that means that you must put it in
the Before HTML part of the Page HTML Markup dialog.

<?php
function isAjax(){
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}
if(!isAjax()) {
    header('Location: yourContainerPage.html');
    exit;
}
?>

That construction is working for me here, in multiple sites.



Hi Kitesurfer

In the ajax injection you have the form page reference as _QuoteRequest2.html

but it should be

_quoterequest2.html

Change the capitalisation and you should be sorted.

David



Thanks again David

I think I am way over my head; obviously I don’t grasp the concept. I look at the code in the page:

olympiawindows.com/fw5/quoterequest.html

and I don’t see the form code, it is not supposed to be there, is it?

In which case I haven’t got a clue how it works: when I “Submit”, the form ends up on the “FormMail” screen, the same problem as when FW5 scrambled my e-mail address.

I am going in circles.

Thanks for all the help anyways, I will have to learn Russian I guess, they are spamming my form like crazy. The interesting thing is I never-ever had spam in this form until FW5 scrambled my e-mail address (by defaulting to e-mail hiding) and I posted here for help, it must be a coincidence, I am sure.



Kitesurfer said:

I don’t see the form code, it is not supposed to be there, is it?

No. All you will see is the reference to the page where the form actually is - in your case: _quoterequest2.html

Are you saying that you are using formmail to process your form? Formmail is known to be susceptible to abuse.

Why not try Tim Plumb’s excellent PHP Feedback Form action it works fine with Email encoding: http://www.freewayactions.com/product.php?id=019

Just use the form that you have at: _quoterequest2.html

Remove the existing post action that directs to formmail and use the PHP FF action instead.

David



I wouldn’t make that sweeping an assumption. It will help, and it
certainly keeps some types of attacks completely out. For one thing,
it makes the entire fact that there’s a form invisible to any client
that doesn’t use JavaScript. But the serious operators in this space
will simply hire a room full of indigent people somewhere to do their
dirty work.

Walter

On May 25, 2008, at 2:08 PM, Todd wrote:

As it applies to spam bots and not an actual person doing evil
things, this technique would negate the need for a captcha,
wouldn’t it?



I realize that a person seeking out and manually attacking forms is another matter entirely, but your PHP example in particular seems very well suited to stopping automated (non-human) attempts, and would seem (to me) to be at least as effective as a plain form using a captcha, only to stop bots, not people, that’s all.

Todd

On May 25, 2008, at 9:30 PM, Walter Lee Davis wrote:

I wouldn’t make that sweeping an assumption. It will help, and it
certainly keeps some types of attacks completely out. For one thing,
it makes the entire fact that there’s a form invisible to any client
that doesn’t use JavaScript. But the serious operators in this space
will simply hire a room full of indigent people somewhere to do their
dirty work.

Thanks David,

I did apply PHP Feedback Form action and deleted Recipient, Redirect, and Subject from the hidden fields and removed “/cgi/formmail” from Form and left the Method as “Post” (I also tried “Get”) but can’t get the form to work.

Called my provider and they said “Sendmail” is enabled and they use a Linux server (I read in another post about a problem with Windows servers and this action).

I am not sure what is wrong or what else I can try.
I know the action is working I made the page “Privacy Policy” an error page, and that is what I get.

Sorry to be a pest, but I am so close, I think.

thanks again!

Why not try Tim Plumb’s excellent PHP Feedback Form action it works fine with Email encoding: http://www.freewayactions.com/product.php?id=019

Just use the form that you have at: _quoterequest2.html

Remove the existing post action that directs to formmail and use the PHP FF action instead.



Hi

With the PHP Feedback Form action you don’t put anything in Page>Form setup - it is all handled by the action interface.

If you name the email and name fields as just that then the resulting email will be populated with that information.

David

