#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    1
    Rep Power
    0

    hidden form action


    Is there a way with ASP or Java to hide the form action part of a form? I have someone that has found the location of a script by looking at the source of one of my forms. They run some type of script that trys to post bogus info from 6:00 in the morning till 12:00 in the afternoon. Although it gets denied due to wrong input by the user, it sends administrative emails that are annoying (hundreds). If the user only saw the client side (below), they could not do it. Is there a way?

    Bayman

    Example:

    <form action="" method=post>
    7 Digit Pager Number<br>
    <input type=hidden name=USER value="">

    <input type=text size=9 maxlength=7 name=SUBJECT value="">

    <input type=hidden size=25 maxlength=15 name=FRM value="">


    <p>
    Message<br>
    <input type=text size=50 maxlength=80 name=MSG value="">


    <p>
    <input type=submit value="Send Page!">
    </form>
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2001
    Location
    NJ
    Posts
    428
    Rep Power
    17
    there is no way to do that client side. why don't you record the Ip address of the guy doing this to you, then you can just weed out and requests he tries to send. If you have access to IIS, i would just restrict his ip from the site.
  4. #3
  5. No Profile Picture
    Overly white
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Location
    Fresno, CA
    Posts
    83
    Rep Power
    12
    Maybe do something to the effect of after 3 bogus attempts ignore the IP. After an IP is blocked you should write all attempts from that IP to input bogus values along with a time and date stamp. You could then report them to there ISP.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2003
    Posts
    138
    Rep Power
    12
    If the action points to an asp page you can check the Request.ServerVariables("HTTP_REFERER") and only process form data that has come from you script.

    here is a function that test if the form was posted from the script with the same name. eg. the form is in test.asp and the action is test.asp

    Code:
    ' Test if the previous page and the current page are the same,
    ' ignoring the query string
    ' @return True if the last page is the same as the current, False otherwise
    Function wasSelf()
      Dim url
      Dim referer
      Dim ext
      Dim length
      length = 3
    
      Dim fsobj
      Set fsobj = Server.CreateObject("Scripting.FileSystemObject")
    
      ext = fsobj.GetExtensionName(Request.ServerVariables("HTTP_REFERER"))
      If Not IsNull(InStr(ext,"?")) Then
        If InStr(ext,"?") < 3 Then
          length = InStr(ext,"?")
        End If
      End If
      If length > 0 Then
        ext = Left(ext, length)
      End If
    
      url = "http://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("URL")
      referer = fsobj.GetParentFolderName(Request.ServerVariables("HTTP_REFERER")) & "/" & fsobj.GetBaseName(Request.ServerVariables("HTTP_REFERER")) & "." & ext
    
    
      If LCase(url) = LCase(referer) Then
        wasSelf = True
      Else
        ' this handles default.asp when a directory name is given without any filename
        If Lcase(fsobj.getFilename(url)) = "default.asp" AND ((fsobj.GetParentFolderName(url) & ".") = referer) Then
          wasSelf = True
        Else
          wasSelf = False
        End If
    
      End If
    
    'response.write url & "<br>"
    'response.write referer & "<br>"
    'response.write wasSelf & "<br>"
    
      set fsobj = Nothing
    End Function
    --

    ngibsonau

IMN logo majestic logo threadwatch logo seochat tools logo