RE: Form submission error
Thanks Ray,

I got it working now! It's in the neo_runtime.xml file. Appreciate the help as always :)

Matt

ColdFusion will block a form post with too many form fields. In CF10, you can go into the Admin and tweak the # (default is 100), in CF9 I believe it is some XML file. Will try to grab that doc for you.

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355645
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Fwd: Form submission error
Thanks Craig,

That's exactly what it was.

http://helpx.adobe.com/coldfusion/release-note/coldfusion-9-0-update-2.html

I'm trying to fix a page that was working at one time and now I'm getting some odd behavior.

The form is pretty large and has well over 100 fields. When I submit the form I get a 500 error in IE.

In Firefox, the form posts to a blank page and Firebug throws this error in the console:

The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.

I have this just after the tag on the page that the form is on:

The form fields are all unique and dynamically created in this manner:

Fieldname1_2_2013
Fieldname1_3_2013
Fieldname1_4_2013
Fieldname1_5_2013

Fieldname2_1_2013
Fieldname2_2_2013
Fieldname2_3_2013
Fieldname2_4_2013
Fieldname2_5_2013

Etc.

When I strip down the form to only allow around 30 fields, it passes the data fine. I even managed to find the point at which it fails and it appears to be some sort of size issue. However, I checked the cfadmin to make sure the Max size of post data was jacked up, but that doesn't seem to be the issue either.

Any ideas?

Matt

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355644
Re: Form submission error
ColdFusion will block a form post with too many form fields. In CF10, you can go into the Admin and tweak the # (default is 100), in CF9 I believe it is some XML file. Will try to grab that doc for you.

On Thu, May 2, 2013 at 12:57 PM, Matthew S Blatchley wrote:

> I'm trying to fix a page that was working at one time and now I'm getting some odd behavior.
>
> The form is pretty large and has well over 100 fields. When I submit the form I get a 500 error in IE.
>
> In Firefox, the form posts to a blank page and Firebug throws this error in the console:
>
> The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.
>
> I have this just after the tag on the page that the form is on:
>
> The form fields are all unique and dynamically created in this manner:
>
> Fieldname1_2_2013
> Fieldname1_3_2013
> Fieldname1_4_2013
> Fieldname1_5_2013
>
> Fieldname2_1_2013
> Fieldname2_2_2013
> Fieldname2_3_2013
> Fieldname2_4_2013
> Fieldname2_5_2013
>
> Etc.
>
> When I strip down the form to only allow around 30 fields, it passes the data fine. I even managed to find the point at which it fails and it appears to be some sort of size issue. However, I checked the cfadmin to make sure the Max size of post data was jacked up, but that doesn't seem to be the issue either.
>
> Any ideas?
>
> Matt

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355643
Re: Form submission error
Boom: http://stackoverflow.com/questions/15182567/coldfusion-9-html-form-500-internal-server-error

On Thu, May 2, 2013 at 1:19 PM, Raymond Camden wrote:

> ColdFusion will block a form post with too many form fields. In CF10, you can go into the Admin and tweak the # (default is 100), in CF9 I believe it is some XML file. Will try to grab that doc for you.
>
> On Thu, May 2, 2013 at 12:57 PM, Matthew S Blatchley wrote:
>
>> I'm trying to fix a page that was working at one time and now I'm getting some odd behavior.
>>
>> The form is pretty large and has well over 100 fields. When I submit the form I get a 500 error in IE.
>>
>> In Firefox, the form posts to a blank page and Firebug throws this error in the console:
>>
>> The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.
>>
>> I have this just after the tag on the page that the form is on:
>>
>> The form fields are all unique and dynamically created in this manner:
>>
>> Fieldname1_2_2013
>> Fieldname1_3_2013
>> Fieldname1_4_2013
>> Fieldname1_5_2013
>>
>> Fieldname2_1_2013
>> Fieldname2_2_2013
>> Fieldname2_3_2013
>> Fieldname2_4_2013
>> Fieldname2_5_2013
>>
>> Etc.
>>
>> When I strip down the form to only allow around 30 fields, it passes the data fine. I even managed to find the point at which it fails and it appears to be some sort of size issue. However, I checked the cfadmin to make sure the Max size of post data was jacked up, but that doesn't seem to be the issue either.
>>
>> Any ideas?
>>
>> Matt

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355642
Form submission error
I'm trying to fix a page that was working at one time and now I'm getting some odd behavior.

The form is pretty large and has well over 100 fields. When I submit the form I get a 500 error in IE.

In Firefox, the form posts to a blank page and Firebug throws this error in the console:

The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.

I have this just after the tag on the page that the form is on:

The form fields are all unique and dynamically created in this manner:

Fieldname1_2_2013
Fieldname1_3_2013
Fieldname1_4_2013
Fieldname1_5_2013

Fieldname2_1_2013
Fieldname2_2_2013
Fieldname2_3_2013
Fieldname2_4_2013
Fieldname2_5_2013

Etc.

When I strip down the form to only allow around 30 fields, it passes the data fine. I even managed to find the point at which it fails and it appears to be some sort of size issue. However, I checked the cfadmin to make sure the Max size of post data was jacked up, but that doesn't seem to be the issue either.

Any ideas?

Matt

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355641
Re: problem with ajax on cflayout form submission
We would need to see the code of the cfm in tab2, and its form's processor script, to help you out here.

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://cutterscrossing.com

Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

"The best way to predict the future is to help create it"

On 9/6/2012 6:29 AM, alex poyaoan wrote:

> Yes steve sorry my question here is on the cflayoutarea2 tab 2 is a form that submits on an action page after it executes it goes back to the calling form from the tab but doesn't show the updated form.. just blank even if I use the javascript below after the action query
>
> ColdFusion.Layout.hideTab('tabtest', 'tab2');
> ColdFusion.Layout.showTab('tabtest', 'tab2');
> ColdFusion.Layout.selectTab('tabtest', 'tab2');
>
>> Alex,
>>
>> Did you intend to include more here? Not seeing a question
>>
>> First peek, there's no closing cflayout tag, your 3rd tab should use the 'source' attribute, like your others, for consistency, and it appears that your code formatting is way off. Something like:
>>
>> source="tab1.cfm">
>> source="personshowTab2.cfm">
>> source="personshowTab3.cfm">
>>
>> Steve 'Cutter' Blades
>> Adobe Community Professional
>> Adobe Certified Expert
>> Advanced Macromedia ColdFusion MX 7 Developer
>>
>> http://cutterscrossing.com
>>
>> Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
>> https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
>>
>> "The best way to predict the future is to help create it"
>>
>> On 9/6/2012 6:01 AM, alex poyaoan wrote:
>>> Hi everybody have this
>>>
>>> source="personshowTab2.cfm">
>>>
>>> template="personshowTab3.cfm">

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352430
Re: problem with ajax on cflayout form submission
Yes steve sorry my question here is on the cflayoutarea2 tab 2 is a form that submits on an action page after it executes it goes back to the calling form from the tab but doesn't show the updated form.. just blank even if I use the javascript below after the action query

ColdFusion.Layout.hideTab('tabtest', 'tab2');
ColdFusion.Layout.showTab('tabtest', 'tab2');
ColdFusion.Layout.selectTab('tabtest', 'tab2');

> Alex,
>
> Did you intend to include more here? Not seeing a question
>
> First peek, there's no closing cflayout tag, your 3rd tab should use the 'source' attribute, like your others, for consistency, and it appears that your code formatting is way off. Something like:
>
> source="tab1.cfm">
> source="personshowTab2.cfm">
> source="personshowTab3.cfm">
>
> Steve 'Cutter' Blades
> Adobe Community Professional
> Adobe Certified Expert
> Advanced Macromedia ColdFusion MX 7 Developer
>
> http://cutterscrossing.com
>
> Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
> https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
>
> "The best way to predict the future is to help create it"
>
> On 9/6/2012 6:01 AM, alex poyaoan wrote:
> > Hi everybody have this
> >
> > source="personshowTab2.cfm">
> >
> > template="personshowTab3.cfm">

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352429
Re: problem with ajax on cflayout form submission
Alex,

Did you intend to include more here? Not seeing a question

First peek, there's no closing cflayout tag, your 3rd tab should use the 'source' attribute, like your others, for consistency, and it appears that your code formatting is way off. Something like:

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://cutterscrossing.com

Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

"The best way to predict the future is to help create it"

On 9/6/2012 6:01 AM, alex poyaoan wrote:

> Hi everybody have this
>
> template="personshowTab3.cfm">

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352428
problem with ajax on cflayout form submission
Hi everybody have this

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352427
Re: verify form submission
Yes; http://cfformprotect.riaforge.org/ comes to mind.

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2009/3/18 Dave Watts:

>> If putting a CAPTCHA on the page is enough of a deterrent that a would-be attacker goes away, then it's served its purpose.
>
> But there are easier, more accessible and equally effective ways to do the same thing.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320618
Re: verify form submission
> CAPTCHA is virtually never the right solution.

I wish I could favorite this to infinity.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320617
Re: verify form submission
> If putting a CAPTCHA on the page is enough of a deterrent that a would-be attacker goes away, then it's served its purpose.

But there are easier, more accessible and equally effective ways to do the same thing.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320616
Re: verify form submission
A nonce is designed exactly for the case of validating a form-to-action process: that's the whole point. Using CAPTCHA for that works, because CAPTCHA is a form of nonce that requires the user to "promote" the nonce into a state that can be passed to the action. But the core functionality is still the nonce behaviour, not the CAPTCHA behaviour.

CAPTCHA is about validating that it's a human triggering the form-to-action process (as opposed to a machine), not that the action is preceded by a form. Both are valid, no question, but if you can avoid foisting extra effort onto the human in question, surely you agree that's a good thing?

cheers,
barneyb

On Tue, Mar 17, 2009 at 9:03 PM, Justin Scott wrote:

>> CAPTCHA is virtually never the right solution. If a simple CAPTCHA is sufficient to protect your form, you're not securing something immensely valuable in an attacker's eye.
>
> I'll respectfully disagree. You also made a great point for using it while trying to break it down. If putting a CAPTCHA on the page is enough of a deterrent that a would-be attacker goes away, then it's served its purpose. If you're concerned that a visitor might have trouble, you can always make its use dynamic. The page can assume that the visitor is legitimate, and if something "fishy" is happening from a given IP or session ID, the system can activate the CAPTCHA as a basic line of defense. It's certainly not the be-all end-all security measure, but it's enough for most situations as a first line of defense.
>
> But getting back to the original question, it's a good way to verify that the form post is coming from your original form page and not some saved version hosted somewhere else if that is your goal. Depending on the situation, it may be overkill, or it might be just right. There are many tools in our bag, and I wouldn't be so quick to dismiss CAPTCHA for certain situations if it fits the bill.
>
> --
> Justin Scott | GravityFree
> Member of the Technical Staff
>
> 1960 Stickney Point Road, Suite 210
> Sarasota | FL | 34231 | 800.207.4431
> 941.927.7674 x115 | f 941.923.5429
> www.GravityFree.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320614
RE: verify form submission
> CAPTCHA is virtually never the right solution. If a simple CAPTCHA is sufficient to protect your form, you're not securing something immensely valuable in an attacker's eye.

I'll respectfully disagree. You also made a great point for using it while trying to break it down. If putting a CAPTCHA on the page is enough of a deterrent that a would-be attacker goes away, then it's served its purpose. If you're concerned that a visitor might have trouble, you can always make its use dynamic. The page can assume that the visitor is legitimate, and if something "fishy" is happening from a given IP or session ID, the system can activate the CAPTCHA as a basic line of defense. It's certainly not the be-all end-all security measure, but it's enough for most situations as a first line of defense.

But getting back to the original question, it's a good way to verify that the form post is coming from your original form page and not some saved version hosted somewhere else if that is your goal. Depending on the situation, it may be overkill, or it might be just right. There are many tools in our bag, and I wouldn't be so quick to dismiss CAPTCHA for certain situations if it fits the bill.

--
Justin Scott | GravityFree
Member of the Technical Staff

1960 Stickney Point Road, Suite 210
Sarasota | FL | 34231 | 800.207.4431
941.927.7674 x115 | f 941.923.5429
www.GravityFree.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320613
Re: verify form submission
CAPTCHA is virtually never the right solution. If a simple CAPTCHA is sufficient to protect your form, you're not securing something immensely valuable in an attacker's eye. If simple CAPTCHA isn't sufficient, then complex CAPTCHA will be broken as well, because you've obviously got something valuable. As such, it's almost always drastic overkill or simply insufficient. Couple that with the annoyance it provides to legit users trying to use your form, and the reasonable use cases are pretty slim.

Much better to use a cookie-based nonce, perhaps some JavaScript obfuscation (if you are comfortable requiring JS), and if you're processing prose, something like Akismet. The nonce ensures people can't hit your action page directly, the JS obfuscation ensures that whoever is submitting the form has to load the form in a user agent with a JS interpreter, and Akismet does a fantastic job of filtering out spam while leaving the good stuff. If someone can beat those, they can beat CAPTCHA too, so you're still screwed, but you haven't pissed off your end users in the process.

However, based on the original question, a simple nonce (or perhaps with a half-JS "upgrade") will almost certainly suffice.

cheers,
barneyb

On Tue, Mar 17, 2009 at 8:31 PM, Justin Scott wrote:

>> How do I prevent someone from using their own form to submit to my action page and skipping my javascript function to make sure the data is well formatted?
>
> If you want to make sure the input is well formed, you'll need to do that on the server side. Do not rely on JavaScript code to do this for you.
>
> Having said that, if you need to protect the form itself there are a few ways to approach that. One of the best would be to use a captcha. Another would be to check the cgi.http_referer variable on submission (though this can be easily spoofed if the person is determined enough). Embedding a hidden value into the form will help ensure the post came from your generated form, though it won't stop someone from turning off JavaScript and submitting the form with whatever values they want, so again, verify the input on the processing side in addition to any client-side script you're using.
>
> --
> Justin Scott | GravityFree
> Member of the Technical Staff
>
> 1960 Stickney Point Road, Suite 210
> Sarasota | FL | 34231 | 800.207.4431
> 941.927.7674 x115 | f 941.923.5429
> www.GravityFree.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320612
RE: verify form submission
> How do I prevent someone from using their own form to submit to my action page and skipping my javascript function to make sure the data is well formatted?

If you want to make sure the input is well formed, you'll need to do that on the server side. Do not rely on JavaScript code to do this for you.

Having said that, if you need to protect the form itself there are a few ways to approach that. One of the best would be to use a captcha. Another would be to check the cgi.http_referer variable on submission (though this can be easily spoofed if the person is determined enough). Embedding a hidden value into the form will help ensure the post came from your generated form, though it won't stop someone from turning off JavaScript and submitting the form with whatever values they want, so again, verify the input on the processing side in addition to any client-side script you're using.

--
Justin Scott | GravityFree
Member of the Technical Staff

1960 Stickney Point Road, Suite 210
Sarasota | FL | 34231 | 800.207.4431
941.927.7674 x115 | f 941.923.5429
www.GravityFree.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320610
verify form submission
What is the best way to verify that data coming into an action page is from your form?

I have a form that uses javascript to make sure they filled out the form right. Email, user name, password etc.

How do I prevent someone from using their own form to submit to my action page and skipping my javascript function to make sure the data is well formatted?

I thought of using createUUID() setting it as a hidden form variable and session variable then checking to see if they match on the action page. Is this enough? Or are there better methods?

Thanks!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320607
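The createUUID() hidden-field-plus-session check asked about in this thread, made single-use as in the nonce suggested in the replies and paired with the server-side field checks the replies insist on, as an added example that is not code from any poster. The component name FormGuard, the hidden field name formToken, the form name signup and the three field names are assumptions, and session management is assumed to be enabled in Application.cfc.

```cfml
<!--- FormGuard.cfc: added example; component, function and field names are hypothetical.
      Assumes session management is enabled in Application.cfc. --->
<cfcomponent output="false">

    <!--- Called by the form page: store a fresh token in the session and
          return it for the hidden field. --->
    <cffunction name="issueToken" access="public" returntype="string" output="false">
        <cfargument name="formName" type="string" required="true">
        <cfset var token = createUUID()>
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset session["token_" & arguments.formName] = token>
        </cflock>
        <cfreturn token>
    </cffunction>

    <!--- Called by the action page: returns an array naming each failed check
          (an empty array means the post is accepted). --->
    <cffunction name="verifySubmission" access="public" returntype="array" output="false">
        <cfargument name="formName" type="string" required="true">
        <cfargument name="formScope" type="struct" required="true">
        <cfset var errors = arrayNew(1)>
        <cfset var tokenKey = "token_" & arguments.formName>
        <cfset var expected = "">
        <cfset var field = "">

        <!--- Read and delete under one lock so each token is accepted once;
              a replayed or directly posted request finds nothing to match. --->
        <cflock scope="session" type="exclusive" timeout="5">
            <cfif structKeyExists(session, tokenKey)>
                <cfset expected = session[tokenKey]>
                <cfset structDelete(session, tokenKey)>
            </cfif>
        </cflock>
        <cfif NOT len(expected)
              OR NOT structKeyExists(arguments.formScope, "formToken")
              OR compare(arguments.formScope.formToken, expected) NEQ 0>
            <cfset arrayAppend(errors, "token")>
        </cfif>

        <!--- The JavaScript checks may never have run, so repeat them here.
              A field missing from the post is a failure, not an exception. --->
        <cfloop list="email,username,password" index="field">
            <cfif NOT structKeyExists(arguments.formScope, field)
                  OR NOT len(trim(arguments.formScope[field]))>
                <cfset arrayAppend(errors, field)>
            <cfelseif field EQ "email"
                  AND NOT isValid("email", trim(arguments.formScope.email))>
                <cfset arrayAppend(errors, "email format")>
            </cfif>
        </cfloop>
        <cfreturn errors>
    </cffunction>
</cfcomponent>

<!--- form.cfm: the page that renders the form --->
<cfset guard = createObject("component", "FormGuard")>
<cfoutput>
<form action="action.cfm" method="post">
    <input type="hidden" name="formToken" value="#guard.issueToken('signup')#">
    <input type="text" name="email">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="Register">
</form>
</cfoutput>

<!--- action.cfm: reject the post before any processing happens --->
<cfset errors = createObject("component", "FormGuard").verifySubmission("signup", form)>
<cfif arrayLen(errors)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Rejected: #htmlEditFormat(arrayToList(errors))#</cfoutput>
    <cfabort>
</cfif>
<!--- Safe to process form.email, form.username and form.password from here. --->
```

The token only shows that the same session loaded the form page first, which is why the field checks run on every post regardless of the token result. On ColdFusion 10 and later the built-in CSRFGenerateToken() and CSRFVerifyToken() functions cover the token half.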
Re: spam form submission getting past server side validation
> I'll meet your captcha and raise you a CFFormProtect:
>
> http://cfformprotect.riaforge.org/

Yes, this is far better than using CAPTCHAs. It's accessible and usable, and will get you the same (or better) results.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317155
Re: spam form submission getting past server side validation
I'll meet your captcha and raise you a CFFormProtect:

http://cfformprotect.riaforge.org/

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2008/12/24 Robert Bailey:

> Use Captcha
>
> http://www.captcha.net/
>
> Thanks!
> Robert Bailey
> 210.748.2363

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317124
Re: spam form submission getting past server side validation
Use Captcha

http://www.captcha.net/

Thanks!
Robert Bailey
210.748.2363

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317119
Re: spam form submission getting past server side validation
It appears that the referrer value is populated:

HTTP_REFERER http://www.jury-duty.org/index.cfm/fuseaction/main.contact/index.cfm

Here's the user agent, anything look off?

HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; RRHSO_BLD1)

I had the form reload on error with values pre-populated. I think that's where my error was:

selected> selected>Email selected>Telephone

has been changed to:

selected> selected>Email selected>Telephone

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317118
Re: spam form submission getting past server side validation
Spam submission tools don't actually fill out your form, they just post values programmatically, imagine they are just doing a cfhttp post. This is why they often fail to include some values, they are just trying to get junk entered into your database and hopefully send someone an email with their crap content.

One of the most effective filters is checking the cgi.HTTP_REFERER, they often don't bother trying to fake this out. If the request doesn't come from your site, just trash it.

If you want to get more proactive, you can do things like, set a session var on the page with the form and then check for its existence when the form is submitted. Ideally, someone would have to have come to the site and viewed the form, which would have set the session var and then it should exist on the action page.

There are more obtrusive ways to go as well, captchas and answering simple math questions, but those tend to annoy your real users.

Try checking the cgi.HTTP_REFERER and the session trick, I'm sure you'll see at least a 95% reduction in spam traffic.

=]

--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317117
spam form submission getting past server side validation
I have a contact form on a site that is getting hit over and over with spam submissions. It is not going to the contact, as whatever is filling out the form is leaving out a required value. But my error trapping is sending me an email, and I'm getting sick of it. The spam submissions are coming from different IPs so I can't block based upon that.

I am checking to see if the form field is blank, but I am still getting the error email. I've got something wrong. Any help? It's a fusebox 3 app so I have pulled the code from a couple of files, but the flow should be correct.

The form field left unselected is "contactmeby". It is a select drop down, so I should still be getting an empty value, correct? I am getting an undefined error, I don't understand how this could be happening:

Expression Element CONTACTMEBY is undefined in ATTRIBUTES. [empty string] 0 [empty string] [empty string]

Here is the code that should be catching it:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317116
Re: Form submission issue
Thank you all. I managed to sort it out. I tried various methods to solve the problem, but the hidden field method worked out best for me.

Thanks

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311354
RE: Form submission issue
And to run a train on them all... just check cgi.request_method to see if it is "POST"

..:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

-Original Message-
From: Dominic Watson [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2008 4:14 AM
To: CF-Talk
Subject: Re: Form submission issue

And to double-piggy-back on Charlie and James, you can also check form.fieldnames which only exists after a form is submitted. I prefer the hidden field approach but all those methods are good ;)

Dominic

2008/8/18 Charlie Griefer <[EMAIL PROTECTED]>:
> to piggyback on what James said, you could just use structIsEmpty(form)
>
> the form scope/struct exists on all pages. it's just empty if the page has received no post data.
>
> On Mon, Aug 18, 2008 at 12:45 AM, James Holmes <[EMAIL PROTECTED]> wrote:
>
>> No, in IE6 the submit button is not part of the form submission if the enter key is used.
>>
>> I'd use a hidden field and check for that instead of the submit button.
>>
>> On Mon, Aug 18, 2008 at 3:12 PM, Andrew Scott <[EMAIL PROTECTED]> wrote:
>> > Are you using the onsubmit in the form tag?
>> >
>> > Maybe some more code with no sensitive data or code, might help some more.
>> >
>> > By default enter/return is acceptable under IE...
>> >
>> > -Original Message-
>> > From: Karan Joshi [mailto:[EMAIL PROTECTED]
>> > Sent: Monday, 18 August 2008 4:49 PM
>> > To: CF-Talk
>> > Subject: Form submission issue
>> >
>> > Hi
>> >
>> > I want to submit a form in IE6 using the Enter key.
>> > value="Search">
>> >
>> > I am using to StructKeyExists tag to check if the form has been submitted
>> >
>> > It works fine with Firefox but doesn't work in IE.
>> > If I look at the FORM struct in Firefox then the submitSearchGeneral key has the value "Search" but in IE the value is null.
>> >
>> > Any suggestions as to how I can make the Enter key pass the value in IE?
>>
>> --
>> mxAjax / CFAjax docs and other useful articles:
>> http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311231
Re: Form submission issue
> Hi
>
> I want to submit a form in IE6 using the Enter key.
> value="Search">

I ran into this issue myself. IE6 - jeez, thanks Microshaft! Bobby H. taught me yet another way to check for form submissions.

process the form

Guess it's six to one, a half dozen to the other in comparison to the other solutions posted.

Will

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311171
Re: Form submission issue
You can try this on your cfinput...confirmed working on IE7...

onKeyDown="if(Key.isDown(Key.ENTER)) {submitForm()}">

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311167
Re: Form submission issue
And to double-piggy-back on Charlie and James, you can also check form.fieldnames which only exists after a form is submitted. I prefer the hidden field approach but all those methods are good ;)

Dominic

2008/8/18 Charlie Griefer <[EMAIL PROTECTED]>:
> to piggyback on what James said, you could just use structIsEmpty(form)
>
> the form scope/struct exists on all pages. it's just empty if the page has received no post data.
>
> On Mon, Aug 18, 2008 at 12:45 AM, James Holmes <[EMAIL PROTECTED]> wrote:
>
>> No, in IE6 the submit button is not part of the form submission if the enter key is used.
>>
>> I'd use a hidden field and check for that instead of the submit button.
>>
>> On Mon, Aug 18, 2008 at 3:12 PM, Andrew Scott <[EMAIL PROTECTED]> wrote:
>> > Are you using the onsubmit in the form tag?
>> >
>> > Maybe some more code with no sensitive data or code, might help some more.
>> >
>> > By default enter/return is acceptable under IE...
>> >
>> > -Original Message-
>> > From: Karan Joshi [mailto:[EMAIL PROTECTED]
>> > Sent: Monday, 18 August 2008 4:49 PM
>> > To: CF-Talk
>> > Subject: Form submission issue
>> >
>> > Hi
>> >
>> > I want to submit a form in IE6 using the Enter key.
>> > value="Search">
>> >
>> > I am using to StructKeyExists tag to check if the form has been submitted
>> >
>> > It works fine with Firefox but doesn't work in IE.
>> > If I look at the FORM struct in Firefox then the submitSearchGeneral key has the value "Search" but in IE the value is null.
>> >
>> > Any suggestions as to how I can make the Enter key pass the value in IE?
>>
>> --
>> mxAjax / CFAjax docs and other useful articles:
>> http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311165
Re: Form submission issue
to piggyback on what James said, you could just use

the form scope/struct exists on all pages. it's just empty if the page has received no post data.

On Mon, Aug 18, 2008 at 12:45 AM, James Holmes <[EMAIL PROTECTED]> wrote:
> No, in IE6 the submit button is not part of the form submission if the enter key is used.
>
> I'd use a hidden field and check for that instead of the submit button.
>
> On Mon, Aug 18, 2008 at 3:12 PM, Andrew Scott <[EMAIL PROTECTED]> wrote:
> > Are you using the onsubmit in the form tag?
> >
> > Maybe some more code with no sensitive data or code, might help some more.
> >
> > By default enter/return is acceptable under IE...
> >
> > -Original Message-
> > From: Karan Joshi [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 18 August 2008 4:49 PM
> > To: CF-Talk
> > Subject: Form submission issue
> >
> > Hi
> >
> > I want to submit a form in IE6 using the Enter key.
> > value="Search">
> >
> > I am using to StructKeyExists tag to check if the form has been submitted
> >
> > It works fine with Firefox but doesn't work in IE.
> > If I look at the FORM struct in Firefox then the submitSearchGeneral key has the value "Search" but in IE the value is null.
> >
> > Any suggestions as to how I can make the Enter key pass the value in IE?
>
> --
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311164
Re: Form submission issue
No, in IE6 the submit button is not part of the form submission if the enter key is used.

I'd use a hidden field and check for that instead of the submit button.

On Mon, Aug 18, 2008 at 3:12 PM, Andrew Scott <[EMAIL PROTECTED]> wrote:
> Are you using the onsubmit in the form tag?
>
> Maybe some more code with no sensitive data or code, might help some more.
>
> By default enter/return is acceptable under IE...
>
> -Original Message-
> From: Karan Joshi [mailto:[EMAIL PROTECTED]
> Sent: Monday, 18 August 2008 4:49 PM
> To: CF-Talk
> Subject: Form submission issue
>
> Hi
>
> I want to submit a form in IE6 using the Enter key.
> value="Search">
>
> I am using to StructKeyExists tag to check if the form has been submitted
>
> It works fine with Firefox but doesn't work in IE.
> If I look at the FORM struct in Firefox then the submitSearchGeneral key has the value "Search" but in IE the value is null.
>
> Any suggestions as to how I can make the Enter key pass the value in IE?

--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311163
RE: Form submission issue
Are you using the onsubmit in the form tag?

Maybe some more code with no sensitive data or code, might help some more.

By default enter/return is acceptable under IE...

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

-Original Message-
From: Karan Joshi [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 August 2008 4:49 PM
To: CF-Talk
Subject: Form submission issue

Hi

I want to submit a form in IE6 using the Enter key.

I am using to StructKeyExists tag to check if the form has been submitted

It works fine with Firefox but doesn't work in IE. If I look at the FORM struct in Firefox then the submitSearchGeneral key has the value "Search" but in IE the value is null.

Any suggestions as to how I can make the Enter key pass the value in IE?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311162
Form submission issue
Hi

I want to submit a form in IE6 using the Enter key.

I am using to StructKeyExists tag to check if the form has been submitted

It works fine with Firefox but doesn't work in IE. If I look at the FORM struct in Firefox then the submitSearchGeneral key has the value "Search" but in IE the value is null.

Any suggestions as to how I can make the Enter key pass the value in IE?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311160
Triggering a form submission on an AutoSuggest field
I have a form with a field where the user specifies the name of a student. I've specified autosuggest on that box. I would like the form to auto-submit after the user specifies the name. Is there any way to do this?

If this were a normal non-autosuggest field, I'd have no problem adding an onChange event. But it does not seem to work with autosuggest.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305325
Re: cfajaxproxy form submission
Or do this:

~Todd

On Nov 8, 2007 8:32 PM, Todd <[EMAIL PROTECTED]> wrote:
>
> Nick,
>
> It does work, but you have to change your to type="submit"> or at least put a submit() function on the button. If the form isn't submitting, there's a reason why and that's cause you're not triggering it.
>
> ~Todd
>
> On Nov 8, 2007 1:34 PM, Nick Cernis <[EMAIL PROTECTED]> wrote:
>
> > >Add method="post" and use onsubmit="return false;"? Is there a reason why
> > >there's no method?
> >
> > Thanks for the reply and for your thoughts, Todd. Specifying method="post" wouldn't make much difference, I'm afraid - using "return false;" in the submit handler means the form never gets the chance to submit, be it by post or get. This is the desired effect, but makes for a somewhat unfriendly form - users /have/ to submit it by pressing the button and can't just hit enter.
> >
> > I have found a workaround, though - by checking for the enter key on each keypress in the input box, I can call the original echoWord() method if the enter key is pressed, like this:
> >
> > function checkEnter(event){
> >     if (event.keyCode == 13) {
> >         echoWord();
> >     }
> > }
> >
> > It's not ideal, and there's probably a better way - if anyone can suggest a more fool-proof method of using cfajaxproxy with forms your thoughts will be warmly welcomed!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293003
Re: cfajaxproxy form submission
Nick,

It does work, but you have to change your to or at least put a submit() function on the button. If the form isn't submitting, there's a reason why and that's cause you're not triggering it.

~Todd

On Nov 8, 2007 1:34 PM, Nick Cernis <[EMAIL PROTECTED]> wrote:
> >Add method="post" and use onsubmit="return false;"? Is there a reason why
> >there's no method?
>
> Thanks for the reply and for your thoughts, Todd. Specifying method="post" wouldn't make much difference, I'm afraid - using "return false;" in the submit handler means the form never gets the chance to submit, be it by post or get. This is the desired effect, but makes for a somewhat unfriendly form - users /have/ to submit it by pressing the button and can't just hit enter.
>
> I have found a workaround, though - by checking for the enter key on each keypress in the input box, I can call the original echoWord() method if the enter key is pressed, like this:
>
> function checkEnter(event){
>     if (event.keyCode == 13) {
>         echoWord();
>     }
> }
>
> It's not ideal, and there's probably a better way - if anyone can suggest a more fool-proof method of using cfajaxproxy with forms your thoughts will be warmly welcomed!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293001
Re: cfajaxproxy form submission
>Add method="post" and use onsubmit="return false;"? Is there a reason why
>there's no method?

Thanks for the reply and for your thoughts, Todd. Specifying method="post" wouldn't make much difference, I'm afraid - using "return false;" in the submit handler means the form never gets the chance to submit, be it by post or get. This is the desired effect, but makes for a somewhat unfriendly form - users /have/ to submit it by pressing the button and can't just hit enter.

I have found a workaround, though - by checking for the enter key on each keypress in the input box, I can call the original echoWord() method if the enter key is pressed, like this:

function checkEnter(event){
    if (event.keyCode == 13) {
        echoWord();
    }
}

It's not ideal, and there's probably a better way - if anyone can suggest a more fool-proof method of using cfajaxproxy with forms your thoughts will be warmly welcomed!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:292966
Re: cfajaxproxy form submission
Add method="post" and use onsubmit="return false;"? Is there a reason why there's no method?

On Nov 8, 2007 11:15 AM, Nick Cernis <[EMAIL PROTECTED]> wrote:
> What's the best way to handle forms that are submitted via cfajaxproxy using the return key?
>
> For example, the following form is correctly submitted asynchronously when the Submit button is pressed, but incorrectly submitted via a GET request if the user just hits the return key after filling in the input box:
>
> I know I could just add onsubmit="return false;" to the form tag, but wondered if there was a more user-friendly approach.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:292956
cfajaxproxy form submission
What's the best way to handle forms that are submitted via cfajaxproxy using the return key?

For example, the following form is correctly submitted asynchronously when the Submit button is pressed, but incorrectly submitted via a GET request if the user just hits the return key after filling in the input box:

I know I could just add onsubmit="return false;" to the form tag, but wondered if there was a more user-friendly approach.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:292951
Re: strange character entities in CF... on form submission...
Unicode!!! Make sure

a) your html header has utf-8 in it - the form may also need to be told a specific char set;
   - Dump the form contents on submission: are the chars there?
b) if inserting into a database, that the database is set up with Unicode, look at the SQL - is it inserting the chars?
c) check the output - is the DB outputting the chars?

T

On 10 Jul 2007, at 11:12, D F wrote:
> Anyone have any ideas... essentially we are getting ( just ahead of the pound character ) an A with a hat. Â ( capital a, circumflex accent,Â,Â) Any ideas how to prevent this one from happening?
>
> It seems to be doing this on form submissions.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283373
strange character entities in CF... on form submission...
Anyone have any ideas... essentially we are getting ( just ahead of the pound character ) an A with a hat. Â ( capital a, circumflex accent,Â,Â) Any ideas how to prevent this one from happening?

It seems to be doing this on form submissions.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283370
RE: Getting CFHTTP to REALLY act like a form submission
You don't need addtoken=yes if the client has cookies enabled. I mean you don't add cftoken and cfid to every link on your site, do you?

Russ

> -Original Message-
> From: Michael Traher [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 19, 2006 12:51 PM
> To: CF-Talk
> Subject: Re: Getting CFHTTP to REALLY act like a form submission
>
> A better approach to sharing lots of data between your two pages might be to use the session scope.
>
> You have to have session variables enabled in cfadmin and in your
>
> In the first page you can
>
> you need to set addtoken=yes to maintain the session (yes is the default)
>
> in the second page you can access session.dclist or maybe
>
> You may have to consider locking around session variable.
>
> If I'm telling you obvious stuff you already know then just ignore me! :-)
>
> On 1/19/06, Pete Ruckelshaus <[EMAIL PROTECTED]> wrote:

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230019
Re: Getting CFHTTP to REALLY act like a form submission
A better approach to sharing lots of data between your two pages might be to use the session scope.

You have to have session variables enabled in cfadmin and in your

In the first page you can

you need to set addtoken=yes to maintain the session (yes is the default)

in the second page you can access session.dclist or maybe

You may have to consider locking around session variable.

If I'm telling you obvious stuff you already know then just ignore me! :-)

On 1/19/06, Pete Ruckelshaus <[EMAIL PROTECTED]> wrote:

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230006
Re: Getting CFHTTP to REALLY act like a form submission
That's not how it works. If there's no LOCATION in the response header (which you can see if you dump the "cfhttp.responseHeader" structure on your page), then it's not going to redirect to anywhere.

Why can't you post the form data normally, or using javascript?

--Ferg

Pete Ruckelshaus wrote:
>I was using cflocation to redirect to another page to display a list of items. CFLOCATION works except when there are too many items in the #dclist# variable (this is a list of document ID's and is in a few cases very long). Here is how I was doing things, but it failed when the URL was too long:
>
>So, I figured I'd try CFHTTP to get it to act more or less like a form submission, which would allow me to skirt the URL length issue. Problem is, it doesn't redirect to /admin/datacards/ like it should. Is there something wrong with my code, or is my understanding of how CFHTTP works when using this method flawed?
>
>Thanks,
>
>Pete

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229977
Re: Getting CFHTTP to REALLY act like a form submission
On 1/19/06, Pete Ruckelshaus <[EMAIL PROTECTED]> wrote:
> I was using cflocation to redirect to another page to display a list of items. CFLOCATION works except when there are too many items in the #dclist# variable (this is a list of document ID's and is in a few cases very long). Here is how I was doing things, but it failed when the URL was too long:
>
> So, I figured I'd try CFHTTP to get it to act more or less like a form submission, which would allow me to skirt the URL length issue. Problem is, it doesn't redirect to /admin/datacards/ like it should. Is there something wrong with my code, or is my understanding of how CFHTTP works when using this method flawed?

The "url" attribute is the page that the cfhttp call is going to post to (effectively, the "action" attribute in a standard form tag), not the page to redirect to. If you want to redirect after processing the form submission, put a cflocation at the bottom of the action page. When you specify redirect="yes", cfhttp will "honor" the redirect at the bottom of the action page.

Regards,
Dave.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229975
RE: Getting CFHTTP to REALLY act like a form submission
A little flawed, using CFHTTP will make coldfusion server do a post, NOT the user's browser.

-Original Message-
From: Pete Ruckelshaus [mailto:[EMAIL PROTECTED]
Sent: 19 January 2006 15:42
To: CF-Talk
Subject: Getting CFHTTP to REALLY act like a form submission

I was using cflocation to redirect to another page to display a list of items. CFLOCATION works except when there are too many items in the #dclist# variable (this is a list of document ID's and is in a few cases very long). Here is how I was doing things, but it failed when the URL was too long:

So, I figured I'd try CFHTTP to get it to act more or less like a form submission, which would allow me to skirt the URL length issue. Problem is, it doesn't redirect to /admin/datacards/ like it should. Is there something wrong with my code, or is my understanding of how CFHTTP works when using this method flawed?

Thanks,

Pete

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229973
Getting CFHTTP to REALLY act like a form submission
I was using cflocation to redirect to another page to display a list of items. CFLOCATION works except when there are too many items in the #dclist# variable (this is a list of document ID's and is in a few cases very long). Here is how I was doing things, but it failed when the URL was too long:

So, I figured I'd try CFHTTP to get it to act more or less like a form submission, which would allow me to skirt the URL length issue. Problem is, it doesn't redirect to /admin/datacards/ like it should. Is there something wrong with my code, or is my understanding of how CFHTTP works when using this method flawed?

Thanks,

Pete

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229972
Re: OT: Prevent form submission if radio button and text field are not filled out
Writing ad hoc JavaScript code for form validation isn't a great idea in my opinion. You could investigate using a library like the ones below:

http://www.massimocorner.com/validator/
http://www.pengoworks.com/index.cfm?action=get:qforms

Massimo Foti
Tools for ColdFusion and Dreamweaver developers:
http://www.massimocorner.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225227
FW: OT: Prevent form submission if radio button and text field are not filled out
I never saw this come through so here it is again.

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-Original Message-
From: Bobby Hartsfield [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 6:31 PM
To: 'cf-talk@houseoffusion.com'
Subject: RE: OT: Prevent form submission if radio button and text field are not filled out

function testPayMethod() { f = document.payform; var radioCheck = false; var firstEl = 0; var lastEl = 3; for (i=firstEl;i's onsubmit this...

Onsubmit="return testPayMethod();"

The firstEl is the position of the first radio button and lastEl is the position of the last radio button. Should make it easier to move the radios around in the form or add more later.

This is probably gonna come through all garbled but I'll give it a shot. :/

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 5:22 PM
To: CF-Talk
Subject: RE: OT: Prevent form submission if radio button and text field are not filled out

Well, I'm not really sure what I'm saying. I just need for the form to submit if both of the criteria are met. If you select one of the bottom two, the full form works just fine.

-Original Message-
From: Kiley Simpson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 4:18 PM
To: CF-Talk
Subject: Re: OT: Prevent form submission if radio button and text field are not filled out

Are you saying you need a DHTML script to reactivate the submit button if the Troop T.E.N. value is not null and either Troop radio button is selected?

At 03:02 PM 11/22/2005, you wrote:
>Anyone have any ideas?
>
>I've cut out a portion of a form on which I'm working:
>http://www.andyandjaime.com/uploads/radiojs.html
>
>It's supposed to pop an alert box (and disable the form) when you click "check out" IF
>a) You've got either of the top two options (troop check or troop debit) selected
>AND
>b) The tax exempt number is not filled in
>
>This part works fine, but it's ALSO supposed to reactivate the form once you've filled both of those requirements and it's not doing that.
>
>Does anyone have any ideas as to what's wrong? I'm sure it's something simple, but I don't know what it might be.
>
>andy matthews
>web developer
>ICGLink, Inc.
>[EMAIL PROTECTED]
>615.370.1530 x737

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225123
RE: Prevent form submission if radio button and text field are not filled out
Dan...

I saw you speak at CF North in Toronto in 2001 (or was it 2002). That was my first XP with QForms and I was riveted. Thanks for the input and we'll see how that works.

-----Original Message-----
From: Dan G. Switzer, II [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 23, 2005 8:06 AM
To: CF-Talk
Subject: RE: Prevent form submission if radio button and text field are not filled out

Andy,

You can do this very easily in qForms using a dependency:

// this says if the "pay" field is equal to "personal_credit", then
// the "trooptaxnumber" field is required
objForm.trooptaxnumber.createDependencyTo("pay", "personal_credit");

You can see an example of this on this form:
http://www.pengoworks.com/qforms/docs/examples/advanced.htm

There's a lot of other code on the page, but the piece of code that actually ties the Favorite Sport "Other" option to requiring the text box is just this line:

objForm.FavSportOther.createDependencyTo("FavSport", "Other");

More on qForms can be found at:
http://www.pengoworks.com/qforms/

-Dan
RE: Prevent form submission if radio button and text field are not filled out
Andy,

You can do this very easily in qForms using a dependency:

// this says if the "pay" field is equal to "personal_credit", then
// the "trooptaxnumber" field is required
objForm.trooptaxnumber.createDependencyTo("pay", "personal_credit");

You can see an example of this on this form:
http://www.pengoworks.com/qforms/docs/examples/advanced.htm

There's a lot of other code on the page, but the piece of code that actually ties the Favorite Sport "Other" option to requiring the text box is just this line:

objForm.FavSportOther.createDependencyTo("FavSport", "Other");

More on qForms can be found at:
http://www.pengoworks.com/qforms/

-Dan

>-----Original Message-----
>From: Andy Matthews [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, November 22, 2005 5:02 PM
>To: CF-Talk
>Subject: OT: Prevent form submission if radio button and text field are not
>filled out
>
>Anyone have any ideas?
>
>I've cut out a portion of a form on which I'm working:
>http://www.andyandjaime.com/uploads/radiojs.html
>
>It's supposed to pop an alert box (and disable the form) when you click
>"check out" IF
>a) You've got either of the top two options (troop check or troop debit)
>selected
>AND
>b) The tax exempt number is not filled in
>
>This part works fine, but it's ALSO supposed to reactivate the form once
>you've filled both of those requirements and it's not doing that.
>
>Does anyone have any ideas as to what's wrong? I'm sure it's something
>simple, but I don't know what it might be.
>
>andy matthews
>web developer
>ICGLink, Inc.
>[EMAIL PROTECTED]
>615.370.1530 x737
RE: OT: Prevent form submission if radio button and text field are not filled out
function testPayMethod() {
f = document.payform;
var radioCheck = false;
var firstEl = 0;
var lastEl = 3;
for (i=firstEl;i's onsubmit this...

Onsubmit="return testPayMethod();"

The firstEl is the position of the first radio button and lastEl is the position of the last radio button. Should make it easier to move the radios around in the form or add more later.

This is probably gonna come through all garbled but I'll give it a shot. :/

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-----Original Message-----
From: Andy Matthews [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 5:22 PM
To: CF-Talk
Subject: RE: OT: Prevent form submission if radio button and text field are not filled out

Well, I'm not really sure what I'm saying. I just need for the form to submit if both of the criteria are met. If you select one of the bottom two, the full form works just fine.

-----Original Message-----
From: Kiley Simpson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 4:18 PM
To: CF-Talk
Subject: Re: OT: Prevent form submission if radio button and text field are not filled out

Are you saying you need a DHTML script to reactivate the submit button if the Troop T.E.N. value is not null and either Troop radio button is selected?

At 03:02 PM 11/22/2005, you wrote:
>Anyone have any ideas?
>
>I've cut out a portion of a form on which I'm working:
>http://www.andyandjaime.com/uploads/radiojs.html
>
>It's supposed to pop an alert box (and disable the form) when you click
>"check out" IF
>a) You've got either of the top two options (troop check or troop debit)
>selected
>AND
>b) The tax exempt number is not filled in
>
>This part works fine, but it's ALSO supposed to reactivate the form once
>you've filled both of those requirements and it's not doing that.
>
>Does anyone have any ideas as to what's wrong? I'm sure it's something
>simple, but I don't know what it might be.
>
>andy matthews
>web developer
>ICGLink, Inc.
>[EMAIL PROTECTED]
>615.370.1530 x737
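The check this thread is after (a payment radio must be selected, and the tax exempt number is required only for the troop options), written as an added example that is not the code posted above, most of which was lost in the archive. It assumes the radios sit at form.elements[firstEl..lastEl], that the first troopCount of them are the troop options, and that the text field is named trooptaxnumber; checkPayMethod and sampleForm are hypothetical names.

```javascript
// Added example, not the code posted in the thread.
// Assumptions: radios are form.elements[firstEl..lastEl], the first
// `troopCount` of them are the troop options, and the tax exempt number
// lives in a text field named trooptaxnumber.
function checkPayMethod(form, firstEl, lastEl, troopCount) {
  // Find which radio in the range is selected, if any.
  let selected = -1;
  for (let i = firstEl; i <= lastEl; i++) {
    if (form.elements[i].checked) {
      selected = i;
      break;
    }
  }
  if (selected === -1) {
    return { ok: false, reason: "Select a payment method." };
  }

  // The text field is only required for the troop options.
  const isTroopOption = selected - firstEl < troopCount;
  const taxNumber = String(form.trooptaxnumber.value || "").trim();
  if (isTroopOption && taxNumber === "") {
    return { ok: false, reason: "Troop payments need the tax exempt number." };
  }
  return { ok: true, reason: "" };
}

// Handler for <form name="payform" onsubmit="return testPayMethod();">.
// The form is never disabled: every submit attempt re-runs the check, so it
// goes through as soon as both requirements are met.
function testPayMethod() {
  const result = checkPayMethod(document.payform, 0, 3, 2);
  if (!result.ok) alert(result.reason);
  return result.ok;
}

// Constructed stand-in for document.payform so the check runs without a browser.
function sampleForm(selectedIndex, taxNumber) {
  const elements = [0, 1, 2, 3].map(function (i) {
    return { type: "radio", checked: i === selectedIndex };
  });
  return { elements: elements, trooptaxnumber: { value: taxNumber } };
}
```

The same rule has to be applied again on the action page, since the posted values can arrive without this script ever having run.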
RE: OT: Prevent form submission if radio button and text field are not filled out
Well, I'm not really sure what I'm saying. I just need for the form to submit if both of the criteria are met. If you select one of the bottom two, the full form works just fine.

-----Original Message-----
From: Kiley Simpson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 4:18 PM
To: CF-Talk
Subject: Re: OT: Prevent form submission if radio button and text field are not filled out

Are you saying you need a DHTML script to reactivate the submit button if the Troop T.E.N. value is not null and either Troop radio button is selected?

At 03:02 PM 11/22/2005, you wrote:
>Anyone have any ideas?
>
>I've cut out a portion of a form on which I'm working:
>http://www.andyandjaime.com/uploads/radiojs.html
>
>It's supposed to pop an alert box (and disable the form) when you click
>"check out" IF
>a) You've got either of the top two options (troop check or troop debit)
>selected
>AND
>b) The tax exempt number is not filled in
>
>This part works fine, but it's ALSO supposed to reactivate the form once
>you've filled both of those requirements and it's not doing that.
>
>Does anyone have any ideas as to what's wrong? I'm sure it's something
>simple, but I don't know what it might be.
>
>andy matthews
>web developer
>ICGLink, Inc.
>[EMAIL PROTECTED]
>615.370.1530 x737
Re: OT: Prevent form submission if radio button and text field are not filled out
Are you saying you need a DHTML script to reactivate the submit button if the Troop T.E.N. value is not null and either Troop radio button is selected?

At 03:02 PM 11/22/2005, you wrote:
>Anyone have any ideas?
>
>I've cut out a portion of a form on which I'm working:
>http://www.andyandjaime.com/uploads/radiojs.html
>
>It's supposed to pop an alert box (and disable the form) when you click
>"check out" IF
>a) You've got either of the top two options (troop check or troop debit)
>selected
>AND
>b) The tax exempt number is not filled in
>
>This part works fine, but it's ALSO supposed to reactivate the form once
>you've filled both of those requirements and it's not doing that.
>
>Does anyone have any ideas as to what's wrong? I'm sure it's something
>simple, but I don't know what it might be.
>
>andy matthews
>web developer
>ICGLink, Inc.
>[EMAIL PROTECTED]
>615.370.1530 x737
OT: Prevent form submission if radio button and text field are not filled out
Anyone have any ideas?

I've cut out a portion of a form on which I'm working:
http://www.andyandjaime.com/uploads/radiojs.html

It's supposed to pop an alert box (and disable the form) when you click "check out" IF
a) You've got either of the top two options (troop check or troop debit) selected
AND
b) The tax exempt number is not filled in

This part works fine, but it's ALSO supposed to reactivate the form once you've filled both of those requirements and it's not doing that.

Does anyone have any ideas as to what's wrong? I'm sure it's something simple, but I don't know what it might be.
RE: Form Submission
I've gotten these errors in the past and have not been able to determine the cause. The resolution I found was to check to see if the form structure existed on the page the form posted to and if not return them back to resubmit.

- There was an error processing the page. Please return to the previous page and resubmit the data.

From: Dorian Puerta [mailto:[EMAIL PROTECTED]
Sent: Tue 4/12/2005 10:32 AM
To: CF-Talk
Subject: Form Submission

Just wondering, I have been getting errors from time to time from information not being passed correctly during a regular form submission. Most of the time it's either no information is sent or part of the information is sent. It doesn't seem to be browser specific, I get the error in IE, FireFox, and Netscape. Is this a common error? Could it be related to Network issues? How does someone handle these situations especially if u do multiple form submissions (one after another)?

Here is an example of code that was sent which is basically just text input fields and below is the error message that was generated:
http://www.coldfugitive.com/paste/?post=1543

Note: This does not always happen with the same variable, sometimes it doesn't post any information.
Form Submission
Just wondering, I have been getting errors from time to time from information not being passed correctly during a regular form submission. Most of the time it's either no information is sent or part of the information is sent. It doesn't seem to be browser specific, I get the error in IE, FireFox, and Netscape. Is this a common error? Could it be related to Network issues? How does someone handle these situations especially if u do multiple form submissions (one after another)?

Here is an example of code that was sent which is basically just text input fields and below is the error message that was generated:
http://www.coldfugitive.com/paste/?post=1543

Note: This does not always happen with the same variable, sometimes it doesn't post any information.
RE: Troublesome or Dangerous Form Submission Characters for SQL
I would. Knock up a quick example

param myInput ""
form
input text myInput value="#FORM.myInput#"
submit
/form

Submit Hella"Cool and it should drop the Cool.

Try it with HTMLEditFormat() on as many browsers as you can and chances are it'll be consistent on all of them.

Ade

-----Original Message-----
From: Mike Chabot [mailto:[EMAIL PROTECTED]
Sent: 03 March 2005 20:10
To: CF-Talk
Subject: Re: Troublesome or Dangerous Form Submission Characters for SQL

Thanks for the tip about the double quotes. I am concerned that some people who enter & in the text field will see the five character HTML-safe equivalent when they go to edit the value because of the HtmlEditFormat function. IE 6 does not seem to have this problem. Are there any browsers that display the contents of the value attribute literally, instead of properly interpreting the HTML-safe code?

Similarly, when I submit a field whose value attribute equals an expanded HTML-safe code, CF receives the interpreted, single-character, value (actually %26 for & if you look at the headers). Are there any browsers that do not do this?

As a general rule, should I wrap HtmlEditFormat around all form field values. For example: .

Thank you,
Mike Chabot

On Thu, 3 Mar 2005 19:09:02 -, Adrian Lynch <[EMAIL PROTECTED]> wrote:
> Nothing if you're using queryparam/SPs, however on pulling the data back out
> double quotes may cause you trouble in text inputs (or single quotes if
> that's how you delimit your attributes in HTML).
>
> Use HTMLEditFormat() to solve the problem with double quotes.
> Ade
Re: Troublesome or Dangerous Form Submission Characters for SQL
Thanks for the tip about the double quotes. I am concerned that some people who enter & in the text field will see the five character HTML-safe equivalent when they go to edit the value because of the HtmlEditFormat function. IE 6 does not seem to have this problem. Are there any browsers that display the contents of the value attribute literally, instead of properly interpreting the HTML-safe code?

Similarly, when I submit a field whose value attribute equals an expanded HTML-safe code, CF receives the interpreted, single-character, value (actually %26 for & if you look at the headers). Are there any browsers that do not do this?

As a general rule, should I wrap HtmlEditFormat around all form field values. For example: .

Thank you,
Mike Chabot

On Thu, 3 Mar 2005 19:09:02 -, Adrian Lynch <[EMAIL PROTECTED]> wrote:
> Nothing if you're using queryparam/SPs, however on pulling the data back out
> double quotes may cause you trouble in text inputs (or single quotes if
> that's how you delimit your attributes in HTML).
>
> Use HTMLEditFormat() to solve the problem with double quotes.
> Ade
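The Hella"Cool experiment and the & round trip discussed in these two messages, as an added example that is not code from the thread. htmlEditFormatLike is a hypothetical stand-in that escapes the four characters & < > " the way HTMLEditFormat() does, and valueSeenByBrowser is a deliberately simplified model of how a browser reads a double-quoted value attribute (an assumption, not a real HTML parser).

```javascript
// Added example, not code from the thread.
// Hypothetical stand-in for HTMLEditFormat(): escapes & < > "
function htmlEditFormatLike(text) {
  return String(text)
    .replace(/&/g, "&amp;") // first, so the entities added below are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Server side: build the text input, with or without escaping the value.
function renderInput(name, value, escape) {
  const v = escape ? htmlEditFormatLike(value) : String(value);
  return '<input type="text" name="' + name + '" value="' + v + '">';
}

// Browser side, simplified: the attribute value ends at the first closing
// double quote, and character references inside it are decoded. The decoded
// text is both what the user sees in the field and what gets posted back.
function valueSeenByBrowser(html) {
  const m = / value="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&"); // last, so the text "&lt;" survives as typed
}

// Render a value and report the markup plus what the field would show.
function roundTrip(value, escape) {
  const html = renderInput("myInput", value, escape);
  return { html: html, shown: valueSeenByBrowser(html) };
}

// Constructed sample inputs taken from the discussion above.
const SAMPLES = ['Hella"Cool', "Tom & Jerry", "&amp;"];
const RESULTS = SAMPLES.map(function (s) {
  return { input: s, raw: roundTrip(s, false).shown, escaped: roundTrip(s, true).shown };
});
```

Without escaping, the user's own quote closes the attribute and the rest of the input is dropped; with escaping, every sample comes back exactly as typed, including a literal &amp; entered as text.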
RE: Troublesome or Dangerous Form Submission Characters for SQL
Nothing if you're using queryparam/SPs, however on pulling the data back out double quotes may cause you trouble in text inputs (or single quotes if that's how you delimit your attributes in HTML).

Use HTMLEditFormat() to solve the problem with double quotes.

Ade

-----Original Message-----
From: Mike Chabot [mailto:[EMAIL PROTECTED]
Sent: 03 March 2005 19:03
To: CF-Talk
Subject: Troublesome or Dangerous Form Submission Characters for SQL

Are there any characters that a user could enter into a textarea form field that I should strip out before inserting the value into an MS SQL Server varchar field? Could these characters cause problems? semi-colon,&,*,+,-,--,?,%,_.

To prevent SQL injection, I could strip out truncate, drop, insert, update, delete, and '--.' However, queryparam and the use of stored procedures should prevent SQL injection.

Thank you,
Mike Chabot
Troublesome or Dangerous Form Submission Characters for SQL
Are there any characters that a user could enter into a textarea form field that I should strip out before inserting the value into an MS SQL Server varchar field? Could these characters cause problems? semi-colon,&,*,+,-,--,?,%,_.

To prevent SQL injection, I could strip out truncate, drop, insert, update, delete, and '--.' However, queryparam and the use of stored procedures should prevent SQL injection.

Thank you,
Mike Chabot
Re: Repopulating radio button values after form submission
Would something like this work for you?

checked />

On Mon, 7 Feb 2005 13:39:32 -0500, Mark Leder <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> On an initial form display, I have a query looping through radio buttons to
> dynamically populate the radio names and values, works great. The query set
> returns the #moduleID#, which is numeric.
> When I submit the form, the same page is called again, and I have some
> server-side form validation run to check the fields. If a validation fails,
> I re-display the same form, with an error message, and repopulate the form
> fields, so the user doesn't have to type things in again, only make
> corrections and resubmit.
>
> Here's the problem, I can't figure out how to repopulate the radio buttons
> dynamically from the FORM values. In doing a form dump after the initial
> submit, I get the following:
>
> Module ID Value
> 1335
> 1413
> And so on. These are correct.
>
> The end result of this would be to insert rows into a db with each row
> containing a field for moduleID and another field for the value 0 thru 5.
>
> What's a good way of accomplishing this?
>
> #qCompanyAuthentication.moduleName# />
>FORM.moduleID EQ 5>checked />
>FORM.moduleID EQ 4>checked />
>FORM.moduleID EQ 3>checked />
>FORM.moduleID EQ 2>checked />
>FORM.moduleID EQ 1>checked />
>FORM.moduleID EQ 0>checked />
>
> Select Question">
>
>FORM.userInactive = "0";
>FORM.moduleID = "4";
>
> ==
>
> Thanks,
> Mark
Repopulating radio button values after form submission
Hi all,

On an initial form display, I have a query looping through radio buttons to dynamically populate the radio names and values, works great. The query set returns the #moduleID#, which is numeric.

When I submit the form, the same page is called again, and I have some server-side form validation run to check the fields. If a validation fails, I re-display the same form, with an error message, and repopulate the form fields, so the user doesn't have to type things in again, only make corrections and resubmit.

Here's the problem, I can't figure out how to repopulate the radio buttons dynamically from the FORM values. In doing a form dump after the initial submit, I get the following:

Module ID Value
1335
1413
And so on. These are correct.

The end result of this would be to insert rows into a db with each row containing a field for moduleID and another field for the value 0 thru 5.

What's a good way of accomplishing this?

#qCompanyAuthentication.moduleName#
checked />
checked />
checked />
checked />
checked />
checked />

Select Question">

FORM.userInactive = "0";
FORM.moduleID = "4";

==

Thanks,
Mark
Re: form submission
A checkbox will only be defined if checked on the form. Otherwise, it is not defined.

should do the trick.

Jerry

Jerry Johnson
Web Developer
Dolan Media Company

>>> [EMAIL PROTECTED] 12/10/04 01:45PM >>>
Hi. I have a checkbox on a form. The code on the action page should be executed only if the checkbox was selected on the form. What CFIF statement can i use on the action page to achieve this. Using does not work. Any suggestions please.
form submission
Hi. I have a checkbox on a form. The code on the action page should be executed only if the checkbox was selected on the form. What CFIF statement can i use on the action page to achieve this. Using does not work. Any suggestions please.
Re[2]: form submission
Hello Steve,

you can also just change the submit button to a regular button and have the onclick of the button submit your form.

Friday, March 19, 2004, 2:33:46 PM, you wrote:

SN> Try the code below. Although I think it only works in IE.
SN> Steve Nelson
SN>
SN> function testForEnter()
SN> {
SN>   if (event.keyCode == 13)
SN>   {
SN>     event.cancelBubble = true;
SN>     event.returnValue = false;
SN>   }
SN> }
SN>
SN> style="background-color:yellow">
SN> Form1: Does not stop form submission when user presses ENTER key.
SN>
SN> style="background-color:lightblue">
SN> Form2: Stops form submission when user presses ENTER key.
SN>
SN> -----Original Message-----
SN> From: Cutter (CF-Talk) [mailto:[EMAIL PROTECTED]
SN> Sent: Friday, March 19, 2004 2:02 PM
SN> To: CF-Talk
SN> Subject: SOT: form submission
SN>
SN> How does one keep a form from submitting when a user presses ENTER?
SN> (Only want them to submit from the button...)
SN>
SN> Cutter
RE: form submission
Try the code below. Although I think it only works in IE.

Steve Nelson

function testForEnter()
{
  // 13 is the key code for ENTER
  if (event.keyCode == 13)
  {
    // IE event model: stop the event from bubbling and cancel its default action
    event.cancelBubble = true;
    event.returnValue = false;
  }
}

style="background-color:yellow">
Form1: Does not stop form submission when user presses ENTER key.

style="background-color:lightblue">
Form2: Stops form submission when user presses ENTER key.

-----Original Message-----
From: Cutter (CF-Talk) [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 2:02 PM
To: CF-Talk
Subject: SOT: form submission

How does one keep a form from submitting when a user presses ENTER? (Only want them to submit from the button...)

Cutter
SOT: form submission
How does one keep a form from submitting when a user presses ENTER? (Only want them to submit from the button...)

Cutter
RE: CFMX Form Submission Hacking.
> perhaps you are right Dave. And Matt.
>
> I'm going to run over to the "Is Flash really that good"
> thread to tell them that using flash solves this issue.

No, unfortunately it doesn't. Flash content is just like any other client-side content in that respect. If you want to test this theory, just put up a Flash game on your site, have that game store high scores on your server, and see how quickly people put in impossible scores. For the life of me, I can't imagine why anyone would bother doing that - there's no logical incentive to do so - but it didn't take very long.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: CFMX Form Submission Hacking.
In addition, which I think is a reiteration from something said previously, store Ids and prices, but make sure you use the Ids and recalculate the totals during checkout based on the Ids, not the prices that have been being passed around and potentially altered.

----- Original Message -----
From: "Matt Robertson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 3:06 PM
Subject: RE: CFMX Form Submission Hacking.

> You're right. That will not protect you, but the problem isn't
> Michael's suggestion; it's your application design.
>
> Hidden form vars are just flat out a terrible place to put sensitive
> info; a gilded invitation that says 'steal from me' on it.
>
> Don't rely on form vars to transport any sort of sensitive info. In
> fact try not to rely on them for anything (That way when you have to use
> one you *know* you had to do it that way).
>
> Matt Robertson [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
>
> -----Original Message-----
> From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 11:47 AM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> Still not sure how what you're saying works. Let me give you a scenario.
>
> User clicks checkout on the e-commerce app. from his shopping cart.
> --> request gets sent to form page; session.notahacker = 1 <--
> The page comes up with a request for his CC info in a form.
> The same form has a hidden field with the total purchase amount ($35)
> User Clicks Save, to save the html page to his desktop.
> User Edits the HTML page to change the amount from $35 to $3
> User Opens the page in a browser from his local machine.
> User clicks submit from this page to my web server
> --> request gets sent to submit page; session.notahacker is still 1 <--
>
> What was solved?
> -Igor
>
> -----Original Message-----
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 1:38 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Form Page - set the session variable equal to 1
> Processing Page - check to see if the session variable equals 1, and if
> so, process the form.. THEN
> set the session variable to 0 and carry on. That should work for you.
>
> Mike
>
> ----- Original Message -----
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 2:24 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I'm not sure how that would work Mike... If I set the session variable,
> > and the user comes back (within the session timeout timeframe) wouldn't
> > the session variable persist? It's not like the session is tied to the
> > page itself.
> >
> > -Igor
> >
> > -----Original Message-----
> > From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 23, 2003 12:51 PM
> > To: CF-Talk
> > Subject: Re: CFMX Form Submission Hacking.
> >
> > Why not just set some kind of variable on the form page itself, such as
> > session.isOnMyServer
> > and then on the processing page, check for the existence of that
> > variable...
> >
> > Would that not work for you?
> >
> > Mike
> >
> > ----- Original Message -----
> > From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Monday, June 23, 2003 1:40 PM
> > Subject: RE: CFMX Form Submission Hacking.
> >
> > > I realize this... It will not completely prevent hacking...
> > > but I would like to make sure that if a person is on my form page, they
> > > are not able to save the page, edit some of the hidden form variables,
> > > and then submit the page to my server. I am aware that the referrer can
> > > be simulated, but that is a deeper degree of the issue I am trying to
> > > solve.
> > >
> > > -Igor
> > >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, June 23, 2003 11:41 AM
> > > To: CF-Talk
> > > Subject: RE: CFMX Form Submission Hacking.
> > >
> > > > Does anyone have a quick snippet of code that does a regex
> > > > match against the referrer to check if a form was submitted
> > > > from an internal page (with attention to ports if possible)
RE: CFMX Form Submission Hacking.
I agree with this. I run an artwork voting system on a very popular site and before I wasn't checking to see if the values of the votes (I would add up the scores and divide by the # of votes to get an average) were between 1-10 which was on the HTML form. Much to my surprise I found several scores at 1000 and several scores with values BELOW 1 trying to bring down competing pieces of art. Obviously someone had re-written the form and this is a site catering to 13-25 year olds. And there was no profit motivation either.

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 1:31 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

> It's secure enough to the point where only somebody who can
> rewrite the raw HTTP header to look like the one on my
> servers, is able to get a hack through. This is hard enough
> to do, and enough of a rare case, that if they did that, I'm
> sure the admins would eventually (if not immediately) notice
> the discrepancy (as it is calculated on the admin side), and
> void the transaction. I'm trying to avoid this happening on a
> large scale.

I think you're overestimating the difficulty of rewriting HTTP headers. I think you're also underestimating the population of computer criminals.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. http://www.cfhosting.com
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: CFMX Form Submission Hacking.
Perhaps you are right Dave. And Matt. I'm going to run over to the "Is Flash really that good" thread to tell them that using flash solves this issue.

-Igor

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 3:31 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

> It's secure enough to the point where only somebody who can
> rewrite the raw HTTP header to look like the one on my
> servers, is able to get a hack through. This is hard enough
> to do, and enough of a rare case, that if they did that, I'm
> sure the admins would eventually (if not immediately) notice
> the discrepancy (as it is calculated on the admin side), and
> void the transaction. I'm trying to avoid this happening on a
> large scale.

I think you're overestimating the difficulty of rewriting HTTP headers. I think you're also underestimating the population of computer criminals.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
> It's secure enough to the point where only somebody who can
> rewrite the raw HTTP header to look like the one on my
> servers, is able to get a hack through. This is hard enough
> to do, and enough of a rare case, that if they did that, I'm
> sure the admins would eventually (if not immediately) notice
> the discrepancy (as it is calculated on the admin side), and
> void the transaction. I'm trying to avoid this happening on a
> large scale.

I think you're overestimating the difficulty of rewriting HTTP headers. I think you're also underestimating the population of computer criminals.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
> > > I have opted to circumvent "unnecessary processing" by
> > > passing these elements through form fields, which improve my
> > > application design and performance. My only issue is making
> > > sure that the submission in authentic, which is not that hard
> > > to do, only I was hoping that someone here was clever enough
> > > to have done it before me.
> >
> > Why not stick the prices in the Session scope, then, if you
> > simply don't want them to change during their transaction?
>
> I don't use the session scope because it is a clustered
> application. I don't like overloading the client scope with
> unnecessary information either.

I guess we differ on our definition of unnecessary information. The fact remains that your application will be vulnerable to simple price-changing attacks, if you allow that data to be accepted as-is from the form. If that doesn't bother you, why not just look at CGI.HTTP_REFERER in your action page and be done with it?

As for making sure the submission is authentic, it's harder to do than you imply. HTTP is a pretty simple protocol, which isn't designed to manage state information. Using the telnet client on nearly any machine, one can send an HTTP request that is indistinguishable from what your browser sends. Using common, freely available tools, one can see what HTTP traffic looks like, in order to build the right request.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
> I don't like overloading the client scope with unnecessary
> information either.

Where security is concerned, this is not unnecessary.

It must seem like everybody is piling on criticism and not listening to what you're asking in the first place, but what you've chosen to do is almost worst-case from a security perspective, and it can't be fixed.

I know you've made decisions based on load etc., but you have to think this over again or you will be burned hard; sooner rather than later if this has such hi traffic that it needs clustering.

---
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---
RE: CFMX Form Submission Hacking.
It's secure enough to the point where only somebody who can rewrite the raw HTTP header to look like the one on my servers, is able to get a hack through. This is hard enough to do, and enough of a rare case, that if they did that, I'm sure the admins would eventually (if not immediately) notice the discrepancy (as it is calculated on the admin side), and void the transaction. I'm trying to avoid this happening on a large scale.

-Igor

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:52 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

I do what another poster mentioned: I pass nothing but the session ID and recalculate the cart based on the info in the db. I'm of course unfamiliar with the specifics of your app, but the only thing I think has been done before with regard to passing prices via form vars is hack them.

From an earlier post it sounds like you're reconciled to this info being only minimally secure, at best. I'm afraid thats about all you can expect with this approach. I'd still say there's *got* to be a better way to do this.

---
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---

-- Original Message --
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 23 Jun 2003 14:30:12 -0500

> Actually Matt, that is not a solution for this application in particular. If it were simple, where prices never changed, and other variables were constants, then that would be a good solution. Also, if there were not such an intensive overhead for re-calculating everything unnecessarily.
>
> The loophole in your suggestion is that the user is not getting an absolutely "accurate" cost for the items they are purchasing if a change of price occurs during their transaction. In effect, they could enter their CC info for an item that was $33 when they clicked it, but is now $35 after your admin realized the demand went up. In some ways I'm sure this is neither ethical or legal.
>
> A true solution would be to create an intermediate table that would save the purchase information between the time they agreed to buy, and the time the purchase went through.
>
> I have opted to circumvent "unnecessary processing" by passing these elements through form fields, which improve my application design and performance. My only issue is making sure that the submission in authentic, which is not that hard to do, only I was hoping that someone here was clever enough to have done it before me.
>
> Apparently not,
> Igor
>
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 2:06 PM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> You're right. That will not protect you, but the problem isn't
> Michael's suggestion; its your application design.
>
> Hidden form vars are just flat out a terrible place to put sensitive
> info; a gilded invitation that says 'steal from me' on it.
>
> Don't rely on form vars to transport any sort of sensitive info. In
> fact try not to rely on them for anything (That way when you have to use
> one you *know* you had to do it that way).
>
> Matt Robertson [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
>
> -----Original Message-----
> From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 11:47 AM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> Still not sure how what you're saying works. Let me give you a scenario.
>
> User clicks checkout on the e-commerce app. from his shopping cart.
> --> request gets sent to form page; session.notahacker = 1 <--
> The page comes up with a request for his CC info in a form.
> The same form has a hidden field with the total purchase amount ($35)
> User Clicks Save, to save the html page to his desktop.
> User Edits the HTML page to change the amount from $35 to $3
> User Opens the page in a browser from his local machine.
> User clicks submit from this page to my web server
> --> request gets sent to submit page; session.notahacker is still 1 <--
>
> What was solved?
> -Igor
>
> -----Original Message-----
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 1:38 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Form Page - set the session variable equal to 1
> Processing Page - check to see if th
RE: CFMX Form Submission Hacking.
I don't use the session scope because it is a clustered application. I don't like overloading the client scope with unnecessary information either.

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:47 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

> I have opted to circumvent "unnecessary processing" by
> passing these elements through form fields, which improve my
> application design and performance. My only issue is making
> sure that the submission in authentic, which is not that hard
> to do, only I was hoping that someone here was clever enough
> to have done it before me.

Why not stick the prices in the Session scope, then, if you simply don't want them to change during their transaction?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
> Couldn't you also put in some referrer security that looks
> for the server's IP or hostname so people can't post it
> from other sites/servers?

Your web server can't guarantee the reliability of that information - all it really knows is that it received a request from a specific IP address. Beyond that, it just takes for granted whatever the browser tells it. Or, more accurately, whatever's in the stream of text it received.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
I do what another poster mentioned: I pass nothing but the session ID and recalculate the cart based on the info in the db. I'm of course unfamiliar with the specifics of your app, but the only thing I think has been done before with regard to passing prices via form vars is hack them.

From an earlier post it sounds like you're reconciled to this info being only minimally secure, at best. I'm afraid that's about all you can expect with this approach. I'd still say there's *got* to be a better way to do this.

---
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---

-- Original Message --
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 23 Jun 2003 14:30:12 -0500

> Actually Matt, that is not a solution for this application in particular. If it were simple, where prices never changed, and other variables were constants, then that would be a good solution. Also, if there were not such an intensive overhead for re-calculating everything unnecessarily.
>
> The loophole in your suggestion is that the user is not getting an absolutely "accurate" cost for the items they are purchasing if a change of price occurs during their transaction. In effect, they could enter their CC info for an item that was $33 when they clicked it, but is now $35 after your admin realized the demand went up. In some ways I'm sure this is neither ethical or legal.
>
> A true solution would be to create an intermediate table that would save the purchase information between the time they agreed to buy, and the time the purchase went through.
>
> I have opted to circumvent "unnecessary processing" by passing these elements through form fields, which improve my application design and performance. My only issue is making sure that the submission in authentic, which is not that hard to do, only I was hoping that someone here was clever enough to have done it before me.
>
> Apparently not,
> Igor
>
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 2:06 PM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> You're right. That will not protect you, but the problem isn't
> Michael's suggestion; its your application design.
>
> Hidden form vars are just flat out a terrible place to put sensitive
> info; a gilded invitation that says 'steal from me' on it.
>
> Don't rely on form vars to transport any sort of sensitive info. In
> fact try not to rely on them for anything (That way when you have to use
> one you *know* you had to do it that way).
>
> Matt Robertson [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
>
> -----Original Message-----
> From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 11:47 AM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> Still not sure how what you're saying works. Let me give you a scenario.
>
> User clicks checkout on the e-commerce app. from his shopping cart.
> --> request gets sent to form page; session.notahacker = 1 <--
> The page comes up with a request for his CC info in a form.
> The same form has a hidden field with the total purchase amount ($35)
> User Clicks Save, to save the html page to his desktop.
> User Edits the HTML page to change the amount from $35 to $3
> User Opens the page in a browser from his local machine.
> User clicks submit from this page to my web server
> --> request gets sent to submit page; session.notahacker is still 1 <--
>
> What was solved?
> -Igor
>
> -----Original Message-----
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 1:38 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Form Page - set the session variable equal to 1
> Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
> set the session variable to 0 and carry on. That should work for you.
>
> Mike
>
> ----- Original Message -----
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 2:24 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable
RE: CFMX Form Submission Hacking.
Couldn't you also put in some referrer security that looks for the server's IP or hostname so people can't post it from other sites/servers? Personally I do the "recalculate" method... I'm willing to risk a change in price for the 2 minutes it takes someone to fill out a form.

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 12:47 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

> I have opted to circumvent "unnecessary processing" by
> passing these elements through form fields, which improve my
> application design and performance. My only issue is making
> sure that the submission in authentic, which is not that hard
> to do, only I was hoping that someone here was clever enough
> to have done it before me.

Why not stick the prices in the Session scope, then, if you simply don't want them to change during their transaction?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
> Still not sure how what you're saying works. Let me give you
> a scenario.
>
> User clicks checkout on the e-commerce app. from his shopping cart.
> --> request gets sent to form page; session.notahacker = 1 <--
> The page comes up with a request for his CC info in a form.
> The same form has a hidden field with the total purchase amount ($35)
> User Clicks Save, to save the html page to his desktop.
> User Edits the HTML page to change the amount from $35 to $3
> User Opens the page in a browser from his local machine.
> User clicks submit from this page to my web server
> --> request gets sent to submit page; session.notahacker is
> still 1 <--
>
> What was solved?

The user solved his need for cheaper stuff?

Please, please, for the love of ecommerce, don't pass the prices in your form. Or, rather, don't use those prices in your calculations. Use the prices in the database, or somewhere else, as long as they're server-side.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
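The advice above (charge server-side prices, never the form's), combined with the "intermediate table" idea raised elsewhere in the thread, sketched as an added example that is not code from any poster. It is written in Python rather than CFML so it runs stand-alone; the catalogue, the session dictionaries and every function name are constructed for illustration.

```python
"""Added illustration: freeze prices server-side at checkout; the form carries only a quote id."""
import secrets
from decimal import Decimal, InvalidOperation

# Constructed sample data: item id -> current price (stands in for the product table).
CATALOG = {"SKU-1": Decimal("20.00"), "SKU-2": Decimal("15.00")}
# Stands in for the "intermediate table": quote id -> owning session and frozen order lines.
QUOTES = {}


def create_quote(session, cart):
    """Called when the user clicks checkout: snapshot the prices they were shown.

    cart maps item id -> quantity. Returns the opaque id to place in the form.
    """
    lines = []
    for item_id, qty in cart.items():
        if item_id not in CATALOG:
            raise ValueError(f"unknown item {item_id!r}")
        if type(qty) is not int or qty < 1:
            raise ValueError(f"bad quantity for {item_id!r}")
        lines.append((item_id, qty, CATALOG[item_id]))
    quote_id = secrets.token_urlsafe(16)
    QUOTES[quote_id] = {"owner": session["id"], "lines": lines}
    return quote_id


def vulnerable_submit(session, form):
    """The design debated in the thread: a session flag plus a hidden 'total' field.

    The flag only shows that this session loaded the form page, so whatever
    amount arrives in the form is the amount that gets charged.
    """
    if session.get("notahacker") != 1:
        raise PermissionError("form page was not visited")
    session["notahacker"] = 0
    return Decimal(form["total"])


def hardened_submit(session, form):
    """Charge the frozen server-side total; never read a price from the form.

    Returns (amount_to_charge, mismatch). mismatch is True when the request
    also carried a 'total' that disagrees with the server's figure, which is
    worth logging as a tampering signal.
    """
    quote_id = form.get("quote_id", "")
    quote = QUOTES.get(quote_id)
    if quote is None or quote["owner"] != session["id"]:
        raise PermissionError("unknown, already used, or foreign quote")
    del QUOTES[quote_id]  # single use: a replayed submission finds nothing
    total = sum((price * qty for _, qty, price in quote["lines"]), Decimal("0"))
    return total, _disagrees(form.get("total"), total)


def _disagrees(claimed, total):
    """True if a client-supplied total is present and is not the server's total."""
    if claimed is None:
        return False
    try:
        return Decimal(claimed) != total
    except (InvalidOperation, TypeError, ValueError):
        return True  # unparseable input also counts as a mismatch


if __name__ == "__main__":
    session = {"id": "sess-A", "notahacker": 1}
    quote_id = create_quote(session, {"SKU-1": 1, "SKU-2": 1})  # $35, as in the thread
    CATALOG["SKU-1"] = Decimal("22.00")  # price changes while the form is open
    edited_form = {"quote_id": quote_id, "total": "3"}  # hidden field edited offline
    print("vulnerable charges:", vulnerable_submit(session, edited_form))
    print("hardened charges:  ", hardened_submit(session, edited_form))
```

Because the quote lives in shared storage keyed by an unguessable id, this works on a cluster without server-local session state, and the buyer is charged the price shown at checkout even if the catalogue changes afterwards.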
RE: CFMX Form Submission Hacking.
> In addition - can't you use some domain variables to check
> that the refererrer is coming from your domain online. If
> a user submits from his or her desktop it certainly won't
> match your domain. Or path info stuff... you know where
> your form is - you can verify the path maybe

That's what Mr. Ilyinsky wanted to do in the first place. However, again, any information like this is provided by the browser, and is subject to (pretty easy) tampering.

> OR actually - it just came to me.. Basically the concern is
> if a page was modified. You can use the HTTP_IF_MODIFIED_SINCE
> referer to see if it was modified after a certain date. Sure
> anytime you make a change to that form you have a slight
> window someone can sneak by and you have to modify that
> "check" date but it would prevent what you are referring to.

I'm pretty sure that the browser won't send this CGI variable to the server, in the event that you open an HTML page on your filesystem.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
> I have opted to circumvent "unnecessary processing" by
> passing these elements through form fields, which improve my
> application design and performance. My only issue is making
> sure that the submission in authentic, which is not that hard
> to do, only I was hoping that someone here was clever enough
> to have done it before me.

Why not stick the prices in the Session scope, then, if you simply don't want them to change during their transaction?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
Actually Matt, that is not a solution for this application in particular. If it were simple, where prices never changed, and other variables were constants, then that would be a good solution. Also, if there were not such an intensive overhead for re-calculating everything unnecessarily.

The loophole in your suggestion is that the user is not getting an absolutely "accurate" cost for the items they are purchasing if a change of price occurs during their transaction. In effect, they could enter their CC info for an item that was $33 when they clicked it, but is now $35 after your admin realized the demand went up. In some ways I'm sure this is neither ethical nor legal.

A true solution would be to create an intermediate table that would save the purchase information between the time they agreed to buy, and the time the purchase went through.

I have opted to circumvent "unnecessary processing" by passing these elements through form fields, which improve my application design and performance. My only issue is making sure that the submission is authentic, which is not that hard to do, only I was hoping that someone here was clever enough to have done it before me.

Apparently not,
Igor

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:06 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

You're right. That will not protect you, but the problem isn't Michael's suggestion; its your application design.

Hidden form vars are just flat out a terrible place to put sensitive info; a gilded invitation that says 'steal from me' on it.

Don't rely on form vars to transport any sort of sensitive info. In fact try not to rely on them for anything (That way when you have to use one you *know* you had to do it that way).

Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com

-----Original Message-----
From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 11:47 AM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

Still not sure how what you're saying works. Let me give you a scenario.

User clicks checkout on the e-commerce app. from his shopping cart.
--> request gets sent to form page; session.notahacker = 1 <--
The page comes up with a request for his CC info in a form.
The same form has a hidden field with the total purchase amount ($35)
User Clicks Save, to save the html page to his desktop.
User Edits the HTML page to change the amount from $35 to $3
User Opens the page in a browser from his local machine.
User clicks submit from this page to my web server
--> request gets sent to submit page; session.notahacker is still 1 <--

What was solved?
-Igor

-----Original Message-----
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 1:38 PM
To: CF-Talk
Subject: Re: CFMX Form Submission Hacking.

Form Page - set the session variable equal to 1
Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
set the session variable to 0 and carry on. That should work for you.

Mike

----- Original Message -----
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 2:24 PM
Subject: RE: CFMX Form Submission Hacking.

> I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.
>
> -Igor
>
> -----Original Message-----
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:51 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Why not just set some kind of variable on the form page itself, such as
> session.isOnMyServer
> and then on the processing page, check for the existence of that variable...
>
> Would that not work for you?
>
> Mike
>
> ----- Original Message -----
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 1:40 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I realize this... It will not completely prevent hacking...
> > but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
> >
> > -Igor
> >
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROT
RE: CFMX Form Submission Hacking.
You're right. That will not protect you, but the problem isn't Michael's suggestion; it's your application design.

Hidden form vars are just flat out a terrible place to put sensitive info; a gilded invitation that says 'steal from me' on it.

Don't rely on form vars to transport any sort of sensitive info. In fact try not to rely on them for anything (That way when you have to use one you *know* you had to do it that way).

Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com

-----Original Message-----
From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 11:47 AM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

Still not sure how what you're saying works. Let me give you a scenario.

User clicks checkout on the e-commerce app. from his shopping cart.
--> request gets sent to form page; session.notahacker = 1 <--
The page comes up with a request for his CC info in a form.
The same form has a hidden field with the total purchase amount ($35)
User Clicks Save, to save the html page to his desktop.
User Edits the HTML page to change the amount from $35 to $3
User Opens the page in a browser from his local machine.
User clicks submit from this page to my web server
--> request gets sent to submit page; session.notahacker is still 1 <--

What was solved?
-Igor

-----Original Message-----
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 1:38 PM
To: CF-Talk
Subject: Re: CFMX Form Submission Hacking.

Form Page - set the session variable equal to 1
Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
set the session variable to 0 and carry on. That should work for you.

Mike

----- Original Message -----
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 2:24 PM
Subject: RE: CFMX Form Submission Hacking.

> I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.
>
> -Igor
>
> -----Original Message-----
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:51 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Why not just set some kind of variable on the form page itself, such as
> session.isOnMyServer
> and then on the processing page, check for the existence of that variable...
>
> Would that not work for you?
>
> Mike
>
> ----- Original Message -----
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 1:40 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I realize this... It will not completely prevent hacking...
> > but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
> >
> > -Igor
> >
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 23, 2003 11:41 AM
> > To: CF-Talk
> > Subject: RE: CFMX Form Submission Hacking.
> >
> > > Does anyone have a quick snippet of code that does a regex
> > > match against the referrer to check if a form was submitted
> > > from an internal page (with attention to ports if possible).
> > > Too lazy to write it myself, so hoping someone does this to
> > > prevent hacking of form submissions.
> >
> > That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
Re: CFMX Form Submission Hacking.
Personally, I have queries set on my form processing page that simply calculate price from my Database and NOT from user's cart pricing. Only thing I personally pull from user's shopping cart / session is the item codes they are ordering. In this scenario they can set the price as many times as they want.. but when they check out I look at their items, re-grab the pricing and give them a final invoice. Perhaps that's more what you are after?

In addition - can't you use some domain variables to check that the referrer is coming from your domain online. If a user submits from his or her desktop it certainly won't match your domain. Or path info stuff... you know where your form is - you can verify the path maybe

OR actually - it just came to me.. Basically the concern is if a page was modified. You can use the HTTP_IF_MODIFIED_SINCE referer to see if it was modified after a certain date. Sure anytime you make a change to that form you have a slight window someone can sneak by and you have to modify that "check" date but it would prevent what you are referring to.

hth
jay miller

Igor Ilyinsky wrote:
> Still not sure how what you're saying works. Let me give you a scenario.
>
> User clicks checkout on the e-commerce app. from his shopping cart.
> --> request gets sent to form page; session.notahacker = 1 <--
> The page comes up with a request for his CC info in a form.
> The same form has a hidden field with the total purchase amount ($35)
> User Clicks Save, to save the html page to his desktop.
> User Edits the HTML page to change the amount from $35 to $3
> User Opens the page in a browser from his local machine.
> User clicks submit from this page to my web server
> --> request gets sent to submit page; session.notahacker is still 1 <--
>
> What was solved?
> -Igor
>
> -Original Message-
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 1:38 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Form Page - set the session variable equal to 1
> Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
> set the session variable to 0 and carry on. That should work for you.
>
> Mike
>
> - Original Message -
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 2:24 PM
> Subject: RE: CFMX Form Submission Hacking.
>
>>I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.
>>
>>-Igor
>>
>>-Original Message-
>>From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
>>Sent: Monday, June 23, 2003 12:51 PM
>>To: CF-Talk
>>Subject: Re: CFMX Form Submission Hacking.
>>
>>Why not just set some kind of variable on the form page itself, such as
>>session.isOnMyServer
>>and then on the processing page, check for the existence of that variable...
>>
>>Would that not work for you?
>>
>>Mike
>>
>>- Original Message -
>>From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
>>To: "CF-Talk" <[EMAIL PROTECTED]>
>>Sent: Monday, June 23, 2003 1:40 PM
>>Subject: RE: CFMX Form Submission Hacking.
>>
>>>I realize this... It will not completely prevent hacking...
>>>but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
>>>
>>>-Igor
>>>
>>>-Original Message-
>>>From: Dave Watts [mailto:[EMAIL PROTECTED]
>>>Sent: Monday, June 23, 2003 11:41 AM
>>>To: CF-Talk
>>>Subject: RE: CFMX Form Submission Hacking.
>>>
>>>>Does anyone have a quick snippet of code that does a regex
>>>>match against the referrer to check if a form was submitted
>>>>from an internal page (with attention to ports if possible).
>>>>Too lazy to write it myself, so hoping someone does this to
>>>>prevent hacking of form submissions.
>>>
>>>That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not s
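Igor's saved-and-edited-page scenario run against two processing pages, as an added example (not code posted by anyone in the thread): one checks the session flag and then trusts the hidden total, the other checks the same flag but prices the order from the item codes held server-side, as Jay describes. The `sess` struct standing in for the session scope, the item codes, the prices and all function names are constructed for illustration.

```cfml
<cfscript>
// Constructed price list standing in for the products table; amounts are in cents.
prices = { "SKU-A" = 2000, "SKU-B" = 1500 };

// Recompute the order total from item codes and quantities only.
function cartTotalCents(required struct cart, required struct prices) {
    var total = 0;
    var sku = "";
    var qty = 0;
    for (sku in arguments.cart) {
        if (!structKeyExists(arguments.prices, sku)) {
            throw(type="Checkout.UnknownItem", message="Unknown item code: #sku#");
        }
        qty = arguments.cart[sku];
        if (!isValid("integer", qty) || qty < 1 || qty > 99) {
            throw(type="Checkout.BadQuantity", message="Bad quantity for #sku#");
        }
        total += arguments.prices[sku] * qty;
    }
    return total;
}

// One-time flag from the thread: set to 1 by the form page, cleared on first use.
function consumeFormFlag(required struct sess) {
    if (!structKeyExists(arguments.sess, "notahacker") || arguments.sess.notahacker != 1) {
        return false;
    }
    arguments.sess.notahacker = 0;
    return true;
}

// Handler that checks the flag and then trusts the hidden "total" field.
function processTrusting(required struct sess, required struct posted) {
    if (!consumeFormFlag(arguments.sess)) {
        return { accepted = false, chargedCents = 0 };
    }
    return { accepted = true, chargedCents = arguments.posted.total };
}

// Handler that checks the same flag but prices the order on the server.
function processRecomputing(required struct sess, required struct posted, required struct prices) {
    var expected = 0;
    var mismatch = false;
    if (!consumeFormFlag(arguments.sess)) {
        return { accepted = false, chargedCents = 0, postedTotalMismatch = false };
    }
    expected = cartTotalCents(arguments.sess.cart, arguments.prices);
    // A posted total that disagrees is worth logging; it never sets the charge.
    mismatch = structKeyExists(arguments.posted, "total") && arguments.posted.total != expected;
    return { accepted = true, chargedCents = expected, postedTotalMismatch = mismatch };
}

// Scenario from the thread with constructed values: a $35 cart, hidden total edited to $3.
sessA = { cart = { "SKU-A" = 1, "SKU-B" = 1 }, notahacker = 1 };
sessB = duplicate(sessA);
editedPost = { total = 300 };

trusting = processTrusting(sessA, editedPost);
recomputed = processRecomputing(sessB, editedPost, prices);
replay = processRecomputing(sessB, editedPost, prices); // flag already consumed

writeOutput("Trusting handler charged (cents): " & trusting.chargedCents & "<br>");
writeOutput("Recomputing handler charged (cents): " & recomputed.chargedCents & "<br>");
writeOutput("Posted total mismatch flagged: " & recomputed.postedTotalMismatch & "<br>");
writeOutput("Second submit accepted: " & replay.accepted & "<br>");
</cfscript>
```

The session flag only limits how often the form can be posted; the charge is correct only in the handler that never reads the amount from the request.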
RE: CFMX Form Submission Hacking.
Wouldn't this be a good place to use request scope variables instead of session? Just asking, never done anything like this before.

Steve

-Original Message-
From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:47 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

Still not sure how what you're saying works. Let me give you a scenario.

User clicks checkout on the e-commerce app. from his shopping cart.
--> request gets sent to form page; session.notahacker = 1 <--
The page comes up with a request for his CC info in a form.
The same form has a hidden field with the total purchase amount ($35)
User Clicks Save, to save the html page to his desktop.
User Edits the HTML page to change the amount from $35 to $3
User Opens the page in a browser from his local machine.
User clicks submit from this page to my web server
--> request gets sent to submit page; session.notahacker is still 1 <--

What was solved?
-Igor

-Original Message-
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 1:38 PM
To: CF-Talk
Subject: Re: CFMX Form Submission Hacking.

Form Page - set the session variable equal to 1
Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
set the session variable to 0 and carry on. That should work for you.

Mike

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 2:24 PM
Subject: RE: CFMX Form Submission Hacking.

> I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.
>
> -Igor
>
> -Original Message-
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:51 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Why not just set some kind of variable on the form page itself, such as
> session.isOnMyServer
> and then on the processing page, check for the existence of that variable...
>
> Would that not work for you?
>
> Mike
>
> - Original Message -
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 1:40 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I realize this... It will not completely prevent hacking...
> > but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
> >
> > -Igor
> >
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 23, 2003 11:41 AM
> > To: CF-Talk
> > Subject: RE: CFMX Form Submission Hacking.
> >
> > > Does anyone have a quick snippet of code that does a regex
> > > match against the referrer to check if a form was submitted
> > > from an internal page (with attention to ports if possible).
> > > Too lazy to write it myself, so hoping someone does this to
> > > prevent hacking of form submissions.
> >
> > That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
Still not sure how what you're saying works. Let me give you a scenario.

User clicks checkout on the e-commerce app. from his shopping cart.
--> request gets sent to form page; session.notahacker = 1 <--
The page comes up with a request for his CC info in a form.
The same form has a hidden field with the total purchase amount ($35)
User Clicks Save, to save the html page to his desktop.
User Edits the HTML page to change the amount from $35 to $3
User Opens the page in a browser from his local machine.
User clicks submit from this page to my web server
--> request gets sent to submit page; session.notahacker is still 1 <--

What was solved?
-Igor

-Original Message-
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 1:38 PM
To: CF-Talk
Subject: Re: CFMX Form Submission Hacking.

Form Page - set the session variable equal to 1
Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
set the session variable to 0 and carry on. That should work for you.

Mike

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 2:24 PM
Subject: RE: CFMX Form Submission Hacking.

> I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.
>
> -Igor
>
> -Original Message-
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:51 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Why not just set some kind of variable on the form page itself, such as
> session.isOnMyServer
> and then on the processing page, check for the existence of that variable...
>
> Would that not work for you?
>
> Mike
>
> - Original Message -
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 1:40 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I realize this... It will not completely prevent hacking...
> > but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
> >
> > -Igor
> >
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 23, 2003 11:41 AM
> > To: CF-Talk
> > Subject: RE: CFMX Form Submission Hacking.
> >
> > > Does anyone have a quick snippet of code that does a regex
> > > match against the referrer to check if a form was submitted
> > > from an internal page (with attention to ports if possible).
> > > Too lazy to write it myself, so hoping someone does this to
> > > prevent hacking of form submissions.
> >
> > That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
Re: CFMX Form Submission Hacking.
Form Page - set the session variable equal to 1
Processing Page - check to see if the session variable equals 1, and if so, process the form.. THEN
set the session variable to 0 and carry on. That should work for you.

Mike

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 2:24 PM
Subject: RE: CFMX Form Submission Hacking.

> I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.
>
> -Igor
>
> -Original Message-
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:51 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
> Why not just set some kind of variable on the form page itself, such as
> session.isOnMyServer
> and then on the processing page, check for the existence of that variable...
>
> Would that not work for you?
>
> Mike
>
> - Original Message -
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 1:40 PM
> Subject: RE: CFMX Form Submission Hacking.
>
> > I realize this... It will not completely prevent hacking...
> > but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
> >
> > -Igor
> >
> > -Original Message-
> > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 23, 2003 11:41 AM
> > To: CF-Talk
> > Subject: RE: CFMX Form Submission Hacking.
> >
> > > Does anyone have a quick snippet of code that does a regex
> > > match against the referrer to check if a form was submitted
> > > from an internal page (with attention to ports if possible).
> > > Too lazy to write it myself, so hoping someone does this to
> > > prevent hacking of form submissions.
> >
> > That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
I'm not sure how that would work Mike... If I set the session variable, and the user comes back (within the session timeout timeframe) wouldn't the session variable persist? It's not like the session is tied to the page itself.

-Igor

-Original Message-
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 12:51 PM
To: CF-Talk
Subject: Re: CFMX Form Submission Hacking.

Why not just set some kind of variable on the form page itself, such as
session.isOnMyServer
and then on the processing page, check for the existence of that variable...

Would that not work for you?

Mike

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 1:40 PM
Subject: RE: CFMX Form Submission Hacking.

> I realize this... It will not completely prevent hacking...
> but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
>
> -Igor
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 11:41 AM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> > Does anyone have a quick snippet of code that does a regex
> > match against the referrer to check if a form was submitted
> > from an internal page (with attention to ports if possible).
> > Too lazy to write it myself, so hoping someone does this to
> > prevent hacking of form submissions.
>
> That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
Re: CFMX Form Submission Hacking.
Why not just set some kind of variable on the form page itself, such as
session.isOnMyServer
and then on the processing page, check for the existence of that variable...

Would that not work for you?

Mike

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 1:40 PM
Subject: RE: CFMX Form Submission Hacking.

> I realize this... It will not completely prevent hacking...
> but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.
>
> -Igor
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 11:41 AM
> To: CF-Talk
> Subject: RE: CFMX Form Submission Hacking.
>
> > Does anyone have a quick snippet of code that does a regex
> > match against the referrer to check if a form was submitted
> > from an internal page (with attention to ports if possible).
> > Too lazy to write it myself, so hoping someone does this to
> > prevent hacking of form submissions.
>
> That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
RE: CFMX Form Submission Hacking.
I realize this... It will not completely prevent hacking...
but I would like to make sure that if a person is on my form page, they are not able to save the page, edit some of the hidden form variables, and then submit the page to my server. I am aware that the referrer can be simulated, but that is a deeper degree of the issue I am trying to solve.

-Igor

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 11:41 AM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.

> Does anyone have a quick snippet of code that does a regex
> match against the referrer to check if a form was submitted
> from an internal page (with attention to ports if possible).
> Too lazy to write it myself, so hoping someone does this to
> prevent hacking of form submissions.

That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: CFMX Form Submission Hacking.
I have had many problems with cgi referrer however.. depending on antivirus and firewalls - that is not a dependable variable to use. But you can probably take that same thought and embed or hide some variables on your forms and check for those. Depends on how secure you need it - and if it's stopping spiders and bots or humans.

hth
jay miller

Michael T. Tangorre wrote:
> I would check the cgi.http_referer variable
>
> For instance, form is on page http://somesite.com/myform.cfm
>
> On the form processing page, say something like:
>
> if cgi.http_referer EQ "http://somesite.com/myform.cfm";
> process
> else
> die
>
> hth,
>
> Mike
>
> - Original Message -
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 12:24 PM
> Subject: CFMX Form Submission Hacking.
>
>>Does anyone have a quick snippet of code that does a regex match against the referrer to check if a form was submitted from an internal page (with attention to ports if possible). Too lazy to write it myself, so hoping someone does this to prevent hacking of form submissions.
>>
>>TIA
>>-Igor
RE: CFMX Form Submission Hacking.
>I would check the cgi.http_referer variable
>For instance, form is on page http://somesite.com/myform.cfm
>On the form processing page, say something like:
>if cgi.http_referer EQ "http://somesite.com/myform.cfm";
>process
>else
>die

Be careful when dealing with cgi.http_referer; some firewall products will change how the name/value pairs appear.

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:24 PM
Subject: CFMX Form Submission Hacking.

> Does anyone have a quick snippet of code that does a regex match against the referrer to check if a form was submitted from an internal page (with attention to ports if possible). Too lazy to write it myself, so hoping someone does this to prevent hacking of form submissions.
>
> TIA
> -Igor
Re: CFMX Form Submission Hacking.
I would check the cgi.http_referer variable

For instance, form is on page http://somesite.com/myform.cfm

On the form processing page, say something like:

if cgi.http_referer EQ "http://somesite.com/myform.cfm";
process
else
die

hth,

Mike

- Original Message -
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:24 PM
Subject: CFMX Form Submission Hacking.

> Does anyone have a quick snippet of code that does a regex match against the referrer to check if a form was submitted from an internal page (with attention to ports if possible). Too lazy to write it myself, so hoping someone does this to prevent hacking of form submissions.
>
> TIA
> -Igor
RE: CFMX Form Submission Hacking.
> Does anyone have a quick snippet of code that does a regex
> match against the referrer to check if a form was submitted
> from an internal page (with attention to ports if possible).
> Too lazy to write it myself, so hoping someone does this to
> prevent hacking of form submissions.

That wouldn't prevent "hacking of form submissions", as the referer is provided by the browser, not the server. Also, I'm not sure what you mean by "attention to ports".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
CFMX Form Submission Hacking.
Does anyone have a quick snippet of code that does a regex match against the referrer to check if a form was submitted from an internal page (with attention to ports if possible). Too lazy to write it myself, so hoping someone does this to prevent hacking of form submissions.

TIA
-Igor
RE: Auto form submission
You can use an inline JavaScript to submit the form.

document.formName.submit()

This should fire after all the form variables if you want to auto submit.

Joe
Certified Advanced ColdFusion Developer
[EMAIL PROTECTED]

-Original Message-
From: Candace Cottrell [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 11:18 PM
To: CF-Talk
Subject: Auto form submission

Is there a way a form can be submitted without the user having to click a submit button? (automatically)

Here's the scenario: I have a multi-part form that uses the Forta tag cf_embedfields. On the first page of the form, the user selects an image type. This can be a linked image, an uploaded image or no image. This and other form data is posted to the next page.

On page 2, if the user selected an upload, I have them upload an image and click a "Next" button. If they selected a link, they paste a link into a textbox and click the "Next" button.

However, my problem is if they selected "None", I don't want them to have to go through this process of clicking the button. I want the form to auto-submit a hidden field with the value "none" and continue the form filling process.

I've thought of cflocation and cfheader, but these won't submit the form to an action page and, therefore, embed the field on pages 1 and 2.

Does this make any sense and can it be done?

Thanks in advance :)

Candace K. Cottrell, Web Developer
The Children's Medical Center
One Children's Plaza
Dayton, OH 45404
937-641-4293
http://www.childrensdayton.org
[EMAIL PROTECTED]

__
Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Auto form submission
- Original Message -
From: "Candace Cottrell" <[EMAIL PROTECTED]>

> Is there a way a form can be submitted without the user having to click a
> submit button? (automatically)

I think you need to look in JavaScript:

form.submit();

HTH,

- Gyrus
[EMAIL PROTECTED]
work: http://www.tengai.co.uk
play: http://www.norlonto.net
PGP key available
Auto form submission
Is there a way a form can be submitted without the user having to click a submit button? (automatically)

Here's the scenario: I have a multi-part form that uses the Forta tag cf_embedfields. On the first page of the form, the user selects an image type. This can be a linked image, an uploaded image or no image. This and other form data is posted to the next page.

On page 2, if the user selected an upload, I have them upload an image and click a "Next" button. If they selected a link, they paste a link into a textbox and click the "Next" button.

However, my problem is if they selected "None", I don't want them to have to go through this process of clicking the button. I want the form to auto-submit a hidden field with the value "none" and continue the form filling process.

I've thought of cflocation and cfheader, but these won't submit the form to an action page and, therefore, embed the field on pages 1 and 2.

Does this make any sense and can it be done?

Thanks in advance :)

Candace K. Cottrell, Web Developer
The Children's Medical Center
One Children's Plaza
Dayton, OH 45404
937-641-4293
http://www.childrensdayton.org
[EMAIL PROTECTED]
Re: SSL on form submission
Just create the table in Access and then use CF to read the file contents and insert the data into the table. If it is a single column, is the first row a column name and the rest the data for that column?

Douglas Brown
Email: [EMAIL PROTECTED]

- Original Message -
From: "Kola Oyedeji" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Saturday, August 03, 2002 11:13 AM
Subject: RE: SSL on form submission

> Hi
>
> Here is my problem: I have a text file with a single column which I would like to get into an Access database (I know, I know). Now I know I can use DTS to import the data into SQL Server, but from there can I import the data/table into Access?
>
> Thanks
>
> Kola