I have a form which is producing a lot of spam. I have made all inputs required and have attached a captcha. This has not had any affect.
I assume the bots are using form.submit() as for some reason this bypasses all my required fields AND also bypasses my onsubmit="check(e)"
I cannot seem to grab this event .submit() by any means. Does anyone know how to catch this event and make sure it is cancelled. I want the only way to submit the form is through clicking the submit button.
$("#myForm").submit(function(event) {
console.log("Handler for .submit() called.");
if (CaptchaInput.value == "") {
event.preventDefault();
}
});
My code that was supposed to catch a .submit() call and prevent the form submission. This function is never triggered.
<form target="hidden_iframe"
onsubmit="if (CaptchaInput.value == '') { why += '- Please Enter CAPTCHA Code.\n'; alert(why); return false; };return checkform(this)" id="myForm">
I have a form which is producing a lot of spam. I have made all inputs required and have attached a captcha. This has not had any affect.
I assume the bots are using form.submit() as for some reason this bypasses all my required fields AND also bypasses my onsubmit="check(e)"
I cannot seem to grab this event .submit() by any means. Does anyone know how to catch this event and make sure it is cancelled. I want the only way to submit the form is through clicking the submit button.
$("#myForm").submit(function(event) {
console.log("Handler for .submit() called.");
if (CaptchaInput.value == "") {
event.preventDefault();
}
});
My code that was supposed to catch a .submit() call and prevent the form submission. This function is never triggered.
<form target="hidden_iframe"
onsubmit="if (CaptchaInput.value == '') { why += '- Please Enter CAPTCHA Code.\n'; alert(why); return false; };return checkform(this)" id="myForm">
- 7 Verify the submission on the server, not the client, you can never trust anything done on the client – CertainPerformance Commented Sep 5, 2019 at 8:07
3 Answers
Reset to default 7You cannot. I can submit your form without a browser, or with JavaScript disabled. Anyone can just send an HTTP POST request to your server, without going through any client-side process you may introduce.
The solution to your problem is to also verify on the server, and don't rely on the client side validation to have pleted successfully (or indeed, even to have been run at all).
Treat client-side validation as a convenience to your users, they see the error immediately without having to retype and resubmit the entire form.
Madras ghot is a good answer,
you can add ReCAPTCHA frotend and backend setup honey pots and do all sorts of things to deter bots,
but ultimately it es down to the piece of backend code that handles the form which anyone can extract from looking at the network traffic.
Implementing a RefreshToken on every request is a good option but even then it's possible to figure out just by again looking at network traffic.
So really it's a game on cat and mouse and you're never done, aftter implementing every trick there is, you'll still have to maintain a blacklist of keywords/email addresses/ip ranges etc and review it everytime new spam starts leaking through.
You should skip the whole submit button and use javascript to get the value of your input fields. As to my knowledge, bots are not smart enough to click on spans. This is what I use and I don't have any problem with bot submissions.
<div id='contactUs'>
<p><span id='user_message' class='btngover' onclick='go();'>Send</span></p>
<p>
<input id='email' placeholder='Contact email...' autofocus>
<textarea id='subject' placeholder='Message content...'></textarea>
</p>
</div>
function go() {
const email = $('#email').val();
const subject = $('#subject').val();
if (email.trim() === '' || subject.trim() === '') {
alert('All fields are required.');
return;
}
console.log(email + ' ' + subject);
}
You can substitute the 'console.log', and just send it off to your PHP via Jquery AJAX POST.