Textpattern CMS support forum
#253 2006-02-11 11:49:56
Re: Plug-in: zem_contact_reborn
Ha haa. That’s much better thank you. :)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#254 2006-02-11 11:55:41
- neptho
- Member
- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 48
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> Ha haa. That’s much better thank you. :)
Grrrr… markup with no ability to disable it makes neptho angry!!
#255 2006-02-11 13:33:50
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: Plug-in: zem_contact_reborn
Thank you all, neptho, tranquillo and Stuart, for all your efforts to get this right. I just don’t understand half of what is said, so can someone tell me in plain English what I should do? Should I take Stuart’s latest update, should I take neptho’s code, should I remove all contact forms from my sites or should I just shut up and sit and wait ;)
#256 2006-02-11 16:28:19
- neptho
- Member
- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 48
Re: Plug-in: zem_contact_reborn
> doggiez wrote:
> Thank you all, neptho, tranquillo and Stuart, for all your efforts to get this right. I just don’t understand half of what is said, so can someone tell me in plain English what I should do? Should I take Stuart’s latest update, should I take neptho’s code, should I remove all contact forms from my sites or should I just shut up and sit and wait ;)
It’s really up to you, to be honest. My code is just a basic rewrite of Stuart’s which implements the same exact thing, but cleans up a few things. Basically, “It works here, but if it doesn’t work for you, let me know what you’re doing, and what it does.”
There may be an even simpler way around the whole thing in the end, but I want to ensure that variables are not poisoned at all. One of the simplest is using a cookie, rather than a POST, which is set on your computer, and tested before mail is ever sent. If it is NOT found, you have the option of either returning an error, or silently ignoring it. Passing a simple string in the browser which matches the string locally is somewhat easy if you directly invoke the contact.
Now, to make the contact set a cookie that can be REVERSED or matched via two keys, or even just an internal hash which is unique to every site – this would stop the spamming dead in its tracks – however, we need to make sure that the system itself is secured once more.
Simpler reply: Try it. If it breaks, you get to keep BOTH pieces!
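The cookie-plus-matching-string idea neptho sketches above, as an added example that is not code from the thread or from zem_contact_reborn (the plugin itself is PHP; Python is used here only to show the technique). It assumes a hypothetical per-site secret stored in the site configuration and a one-hour validity window; both names are this example's, not the plugin's. When the form is rendered, the site issues a token keyed to its own secret, sets it as a cookie and embeds the same value in a hidden field. A submission is only allowed to reach the mailer if both halves are present, identical, carry a valid HMAC under the site secret, and are not expired, so a bot that POSTs straight to the handler without first loading the form has nothing valid to present.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Assumed, hypothetical per-site secret. In a real deployment this is generated
# once at install time, kept in the site's configuration and never rendered
# into the page; it is what makes the token "unique to every site".
SITE_SECRET = b"per-site-secret-generated-at-install"
TOKEN_TTL = 3600  # seconds a rendered form remains submittable (assumed)


def _sign(nonce: str, issued: int) -> str:
    """HMAC-SHA256 over the nonce and issue time, keyed with the site secret."""
    msg = f"{nonce}:{issued}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(now: Optional[int] = None) -> Dict[str, str]:
    """Called when the contact form is rendered.

    Returns the value for the Set-Cookie header and for the hidden form
    field; the two are the same string, so the handler can require that
    they match ("matched via two keys").
    """
    issued = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex()
    token = f"{nonce}:{issued}:{_sign(nonce, issued)}"
    return {"cookie": token, "field": token}


def check_submission(cookie: Optional[str], field: Optional[str],
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Called before any mail is sent. Returns (allowed, reason).

    The caller decides whether a False result becomes an error page or is
    silently ignored, as neptho describes.
    """
    now = int(time.time()) if now is None else now
    if not cookie or not field:
        return False, "token missing"
    # Constant-time comparison; encode first because compare_digest on str
    # rejects non-ASCII input, which an attacker controls here.
    if not hmac.compare_digest(cookie.encode(), field.encode()):
        return False, "cookie and form field disagree"
    parts = field.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return False, "malformed token"
    nonce, issued_s, sig = parts
    issued = int(issued_s)
    if not hmac.compare_digest(sig.encode(), _sign(nonce, issued).encode()):
        return False, "bad signature"
    # Reject tokens that are too old, or dated in the future (clock games).
    if now - issued > TOKEN_TTL or issued > now + 60:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    t = issue_token()
    print(check_submission(t["cookie"], t["field"]))      # genuine form load
    print(check_submission(None, t["field"]))             # direct POST, no cookie
    print(check_submission(t["cookie"], t["field"] + "x"))  # tampered field
```

The signature, not the cookie's mere presence, is what carries the weight: a spammer can set any cookie they like on their own client, but cannot produce one that verifies under a secret they do not have. Rotating the secret invalidates every outstanding form at once, which is the intended trade-off.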
#257 2006-02-11 17:27:11
- -P-
- Member
- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
Another thing regarding security. Sorry if it is a stupid question but I just learned this week to be a bit afraid of form mail functions.
Is there any chance of increasing security risks if having two separate forms on a site? Of course it doubles the number of forms that someone can use maliciously for spamming, but is there a possibility of unknowingly making some additional query conflicts, or whatever they are called?
The situation could be that I have on one section the “default” contact form with fields name, email and message.
Then on the other section of the site I call the zem_contact_reborn form a second time, but this time it is used to order a T-shirt. That form has fields name, email, phone, a dropdown list with a selection of colour of the shirt and checkboxes regarding the preferred size (small, medium, large) of the T-shirt.
Any risks with it? Not to mention the ugly T-shirt. :D
> thebombsite wrote:
> I’ve just finished a redesign for FreshlyPressed with a complex contact form. Have a look.
I just started building a quite complex contact form too, with several dropdown fields and checkboxes. A few things/suggestions/ideas came to my mind. And don’t get me wrong, I totally love contact_reborn as it is and I am happy with it. And I know you have more important stuff to take care of with security etc.
But here we go anyway. Everything below is, in a way, a “could it be possible / is it a good idea” question.
- Ability to save data. So when there’s a form with several required fields and some that are not required. Required fields are of course marked as such, but we’re only human. So you hit the submit button, you get an error ’cause you forgot to fill in all the required fields. That is very OK. But it loses (at least I think) also all the checkbox data etc. you submitted. So could these values be somehow remembered so that the user doesn’t have to fill in all the data again?
- Preview of the data before sending it. Could also make spam bots life more difficult? And would be nice feature for all of us who make lots of typos.
- Ability to “style” the output in the actual email received. Meaning that output could contain “not visible areas” for example ones that you marked with legend.
Contact details
Name: P
Email: me@somesite.com
Food you like us to feed you
Soup: Yes
Pasta: Yes
Meat: No
Carrots: No
and more perfect would be if the ones that are not selected (Marked “no”), would not show at all. So the email just would contain fields that were selected and “lose” all the data that is not needed. With company sites for example I guess the services that client wants to have more info are data needed and the rest is trivial.
Last edited by -P- (2006-02-11 17:33:35)
#258 2006-02-11 19:54:23
Re: Plug-in: zem_contact_reborn
Yes, as neptho suggests, there is no harm in testing both, as neptho’s code above will load as a separate plug-in.
@-P- Thanks for the suggestions. I definitely like the “preview” idea. We shall no doubt visit these soon but we are just concentrating on the security side at this point. Shouldn’t be long though. :)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#259 2006-02-12 20:32:08
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: Plug-in: zem_contact_reborn
If I use neptho’s plugin code, I get "to" address is missing. (It is not.)
#260 2006-02-13 03:31:47
- Champak
- Member
- Registered: 2006-01-31
- Posts: 56
Re: Plug-in: zem_contact_reborn
Here is an idea I’ve put to work with aspects of my site for protection. Why don’t you format the plugin to disable certain keypresses. Ex. the “@” and the “.”. Have those keys inputted by buttons, and a script to detect that it is ONLY inputted from the button.
THEN
Have captcha back that up. If you really want to be paranoid, have the captcha inputted by buttons as well…but I think that would be overkill and annoying to people.
#261 2006-02-13 05:26:52
- neptho
- Member
- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 48
Re: Plug-in: zem_contact_reborn
> doggiez wrote:
> If I use neptho’s plugin code, I get "to" address is missing. (It is not.)
Yeah. Just noticed that I base64 encoded the more paranoid version. Really, the problem is that there are no ‘set’ variables, so zem_contact tries to take anything passed to it as a variable=what setting. I fixed this one instance, but if you make custom forms, my patches just won’t work – because they take out the core of this basic ‘open and insecure’ design.
At this point, I’m giving up on fixing zem. Stuart, if you have questions, feel free to let me know. I’ll try to answer – I just don’t have the time or patience.
#262 2006-02-13 21:13:37
Re: Plug-in: zem_contact_reborn
Are the spam problems a result of adding the ‘send article’ functionality?
‘Send article’ gives a user or bot the ability to send mail to anyone, where with the normal contact form only mail gets sent to whoever is set in the ‘to’ attribute.
If this is so, would it be possible to pull this functionality out into a separate plugin? Maybe using the new API.
Refresh Dallas and other Refreshing Cities.
#263 2006-02-13 21:49:12
- alannie
- Member
- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
I am also wondering if the spam problems could be prevented by providing an option to build contact forms that output variables to only the body of the email, and not to the header? Right now, zem_contact_reborn doesn’t allow me to specify that the “From” address be a static address and not the sender’s email address (a header variable that could be exploited). Yes, there’s a “from” attribute, but it still inserts the sender’s email address into the “Reply-To” field, thus easily allowing injection of exploitative code into the header.
cgiemail has similar vulnerabilities, and this tactic of not putting ANY variables in the header is recommended for cgiemail users. Could this work for zem_contact_reborn too?
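The three concerns raised in the last few posts, a request-supplied ‘to’ address (#262), sender data copied into the From/Reply-To headers (#263), and a handler that accepts whatever field names it is given (#261), as one added example. This is not code from the thread or from zem_contact_reborn (which is PHP); Python is used to show the pattern. The recipient, static sender and per-form field allowlist are hypothetical configuration values invented for the example, and the two submissions are constructed test inputs. `build_vulnerable` keeps the unsafe behaviour the posts describe so the injection is visible; `build_hardened` is alannie’s suggestion applied: nothing from the request reaches a header except a strictly validated sender address in Reply-To, everything else goes to the body, and unknown fields are refused.

```python
import re
from email.message import EmailMessage
from typing import Dict

# Constructed sample submissions (not taken from the thread).
HONEST = {"name": "P", "email": "me@somesite.com", "message": "Hello there"}
# The attacker's "email" value ends the address and continues with a new
# header line; in the vulnerable builder this becomes a real Bcc header.
INJECTED = {
    "name": "x",
    "email": "me@somesite.com\r\nBcc: a@spam.example, b@spam.example",
    "message": "buy now",
}

# Assumed site configuration (hypothetical names, not the plugin's).
SITE_TO = "owner@example.org"      # fixed recipient, never read from the request
SITE_FROM = "forms@example.org"    # static sender, as alannie asks for
ALLOWED_FIELDS = ("name", "email", "message")  # the fields this form defines

# Deliberately strict: one address, no whitespace, no control characters.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def build_vulnerable(post: Dict[str, str]) -> str:
    """The design the thread is worried about. Kept unsafe on purpose.

    The sender's address is interpolated straight into header lines, and
    'to' can be overridden by the request ("send mail to anyone").
    """
    to = post.get("to", SITE_TO)
    headers = (
        f"To: {to}\r\n"
        f"From: {post['email']}\r\n"
        f"Reply-To: {post['email']}\r\n"
        f"Subject: Contact form\r\n"
    )
    return headers + "\r\n" + post["message"]


def header_block(raw: str) -> str:
    """Return only the header part of a raw message built above."""
    return raw.split("\r\n\r\n", 1)[0]


def build_hardened(post: Dict[str, str]) -> EmailMessage:
    """Static From and To; sender address only in Reply-To after validation;
    all submitted fields confined to the body; unknown fields rejected."""
    unknown = set(post) - set(ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    addr = post.get("email", "")
    if "\r" in addr or "\n" in addr or not ADDR_RE.match(addr):
        raise ValueError("invalid sender address")
    msg = EmailMessage()
    msg["To"] = SITE_TO
    msg["From"] = SITE_FROM
    msg["Reply-To"] = addr
    msg["Subject"] = "Contact form"
    # Body only: a newline inside 'name' or 'message' cannot become a header.
    msg.set_content("\n".join(f"{k}: {post[k]}" for k in ALLOWED_FIELDS if k in post))
    return msg


if __name__ == "__main__":
    print(header_block(build_vulnerable(INJECTED)))   # shows the smuggled Bcc
    print(build_hardened(HONEST))                      # clean message
    try:
        build_hardened(INJECTED)
    except ValueError as e:
        print("rejected:", e)
```

Two points worth noting. Validation alone is not what protects the hardened version; it is that the only user-derived header value is a single, tightly checked address, so even a regex slip cannot smuggle a second line. And refusing unknown field names is what answers -P-'s question about several differently shaped forms: each form declares its own allowlist, and a request aimed at the T-shirt form cannot push ‘to’ or any other unexpected name into the mailer.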
#264 2006-02-13 22:54:13
- roelof
- Member
- Registered: 2005-03-27
- Posts: 647
Re: Plug-in: zem_contact_reborn
hello,
Maybe a stupid question, but I use this plugin for my site and now I want to use CSS with this plugin.
What classes and so on can I use in my CSS file?
Roelof