表单正在提交空数据

问题描述 投票:0回答:2

我们有一个站点,有很多不同的表单提交相同的数据格式。 (之前的开发人员这样做了,为什么我永远不会知道)我的问题是,我能找出哪个页面提交了这个表单数据吗?所以我可以进入该文件并解决问题?另外,我知道他们的代码很多,(HTML 4)我只是试图解决问题所以我可以回去更新它(HTML 5)。一旦它被修复。

我有两个假设,为什么数据可以提交空白结果:

  1. 没有客户端或服务器端验证。
  2. 垃圾邮件机器人可能绕过验证并仅向电子邮件提交空白数据。

我去了一个我认为是该问题的问题之一的文件,并修改了以下代码以尝试阻止空白表单提交结果的发生。这仍然容易受到空白提交结果的影响吗?

形成:

<cfparam name="form.firstName"  default="">
<cfparam name="form.lastName"   default="">
<cfparam name="form.email"      default="">
<cfparam name="form.subject"    default="">
<cfparam name="form.comments"   default="">

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title>Example form problem</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>

<meta name="viewport" content="initial-scale=1">

    <link type="text/css" rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" />
    <link rel="shortcut icon" property="icon" href="favicon.ico" />
    <link rel="stylesheet" type="text/css" href="//cloud.typography.com/7136474/785948/css/fonts.css" />

    <link rel="stylesheet" href="css/style.css" TYPE="text/css">
    <link rel="stylesheet" href="css/online-reservations.css" TYPE="text/css"> 

    <link href="css/flexnav.css" media="screen, projection" rel="stylesheet" type="text/css">   

    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>

    <script src="js/jquery.flexnav.js" type="text/javascript"></script>
    <script type="text/javascript">     

        jQuery(document).ready(function($) {
            // initialize FlexNav
            $(".flexnav").flexNav();
        });

    </script>

</head>

<body id="contact">

<div id="pageHeader">
<ul>  
    <li class="right">        
            <br/>
            <div class="login" style="margin-top:11px;"><span><a href="../account.cfm" title="Register or login to your account">LOGIN</a></span></div>      
    </li>
</ul>
</div><!-- END pageHeader-->


<!-- Nav -->
<div class="nav-wrapper">
<cfinclude template="includes/mobile-menu.cfm" >
</div>
<!-- /Nav -->

<br/><br/>
<br/><br/>    
<br/><br/>

<div class="full-width-light-bg blue little">
<div class="page-width light-bg">
<h1 class="skinny">Contact Us</h1>
<br/> 

<form name="ContactForm" action="_email_results.cfm" method="POST">

<div id="frmReservation">

<div class="input-wrapper">
<span>First Name</span>
<input name="FirstName" 
                message="Please enter your first name" 
                type="Text" 
                maxlength="50"
                id="firstName"
                required
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>Last Name</span>
<input  name="LastName" 
                message="Please enter your last name" 
                type="Text" 
                maxlength="50"
                id="lastName"
                required
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>E-mail Address</span>
  <input    name="email" 
                message="Please enter a valid email address" 
                type="email" 
                maxlength="50"
                id="email"
                validate="Email"
                required
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>Subject</span>
<input
    name="Subject"
    id="subject"
    type="Text"
    required >
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>Comment</span>
    <textarea name="Comments" wrap="hard"></textarea>
</div><!--/input-wrapper-->


<center><br/>
<input
    class="redButton"
    id="submitButton"
    Type=submit
    Value="Send"
    title="Submit Contact Us Form">
</center>
    <cfinclude template="../../cfformprotect/cffp.cfm">

</div><!--/#frmReservation-->
</form>   

<br class="clear" /><br/>

</div><!--END page-width light-bg-->
</div><!--END full-width-light-bg little-->


<script type="text/javascript" src="js/toggle-menu.js"></script>
    <script type="text/javascript">
        var firstName = document.getElementById('firstName');
        var lastName = document.getElementById('lastName');
        var email = document.getElementById('email');
        var subject = document.getElementById('subject');
        var submitButton = document.getElementById('submitButton');

        submitButton.addEventListener('click', function(e){
            //console.log('test');
            if(firstName.value == '' || lastName.value == '' || email.value == '' || subject.value == ''){
                alert('Please fill out all fields.');
                // Prevent form submission
                e.preventDefault();
            }
        });

    </script>
</body>
</html>

表格数据:

<cfparam name="form.firstName"  default="">
<cfparam name="form.lastName"   default="">
<cfparam name="form.email"      default="">
<cfparam name="form.subject"    default="">
<cfparam name="form.comments"   default="">

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="3; url=index.cfm">
<title>Thank you for submitting your notes</title>
<link rel="stylesheet" type="text/css" href="//cloud.typography.com/7136474/785948/css/fonts.css" />
<link rel="stylesheet" href="css/style.css" TYPE="text/css">
</head>

<body id="contact">
<br/><br/>
<h1 align="center" class="color-white">Thank You For Contacting Us!</h1>
<div align="center" class="color-white">You will be re-directed</div>
<CFOUTPUT>
<CFSAVECONTENT variable="EmailContent">
<font Face="arial,helvetica" size="1">
<table bgcolor="white" width="600" style="font-family:'Arial',Helvetica;font-size:11px;">
<tr bgcolor="BAD8EA">
    <td colspan=3>Center Reservation</td>
</tr>
<tr>
    <td width="150">Date: #DateFormat(NOW())# at #Timeformat(NOW())#</td>
    <td>&nbsp;</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>First Name:</td>
    <td>#form.firstName#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Last Name:</td>
    <td>#form.lastName#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Email Address</td>
    <td>#form.email#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Subject:</td>
    <td>#form.subject#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Comments:</td>
    <td>#form.comments#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>

</table>
</font>
</CFSAVECONTENT>
</CFOUTPUT>

<cfif form.firstName EQ '' || form.lastName EQ '' || form.email EQ '' || form.subject EQ ''>
    <!--- Do nothing do not email the results --->
    <cfelse>
        <!--- Submit the form --->
        <cfmail to      ="[email protected]"
                cc      ="[email protected]"
                bcc     =""
                from    ="#AppVars.mailfrom#"
                server  ="#AppVars.mailserver#"
                type    ="html"
                subject ="Form issue">
            #EmailContent#  
        </cfmail>
</cfif>

</body>
</html>
coldfusion html-form cfml
2个回答
2
投票

这是一个长期评论而不是答案,但是这里有。考虑使用CSRF令牌。

有表单的页面应该有

<input name="token" value="#csrfToken#" type="hidden" />

响应页面应该有

<cfif !CSRFverifyToken(form.token)>
   <p>I am going going to run this page</p>
   <cfexit>
</cfif>

这可能有助于处理一些攻击

跨站请求伪造也称为一键式攻击或会话骑行,缩写为CSRF(有时发音为sea-surf)或XSRF,是利用网站对用户浏览器的信任的恶意攻击。攻击者试图让用户自己的Web浏览器(或Web应用程序)执行不需要的命令。

有关CSRF的更多信息:https://stackoverflow.com/tags/csrf/info

0
投票

直接答案:找出你需要存储cgi.http_referrer以及表单的数据提交的页面。

我也建议上面的CSRF回答,但你的问题是如何找出提交的表格,而不是如果它。

我还会在您的网络服务器上设置内容安全策略标头,以限制信息来源。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.