Menu
Community /Pin to ProfileBookmark
This should fix the blank issues
if (($first eq "") || ($surname eq "") || ($em eq "") || ($loc eq "") || ($comments eq ""))
{
if ($first eq "")
{ &dienice("You did not enter your first name"); }
if ($surname eq "")
{ &dienice("You did not enter your last name"); }
if ($em eq "")
{ &dienice("You did not enter your e-mail address"); }
if ($loc eq "")
{ &dienice("You did not enter your location"); }
if ($comments eq "")
{ &dienice("You did not enter a comment"); }
}
And put that block after the fullname declaration.Thanks for that. I'll incorporate your suggestion.
However I can't replicate the phenomenom from the client side as the e-mail check prevents anything being sent anyway, I suspect your extra code just does the same blocking. My real question is how is something gettting through even when the e-mail check should stop it?
Yes, that code will block the form from going through unless there's data in every field.
Can you please post either the form or a link to it? I did not see the e-mail validation piece in there.
One other thought - and I've seen this myself at times from forms I've created - is that someone's submitting blank forms with a fake e-mail that meets the format reqs to see if they can fish out the recipient address and spam it.
The website is at
www.jpag.org
and the cgi functions are through buttons WEBMASTER, HON SECRETARY and GUESTBOOK.
I haven't added your additional blocking scripts, pending any further light you can throw. You may be right about phishing.Ah!
This may be the answer:
The e-mail check is in the form script.
Is it possible for someone to remove the script and send blank messages?
I presume your suggested script goes into the cgi (which I posted initially)?
As far as the JavaScript, that's just checking for a format of[email protected] . So, I could enter [email protected] as my e-mail and send blank messages. However, since the sending is done through the CGI, there's no way for them to see where it's going to.
Yes, those fixes go into the CGI script. I have an idea for a much more streamlined approach to the entire guestbook. If you can wait until about 11/25, I should be able to send it over (as I have several other priorities this weekend and early next week). If not, I would suggest adding what I posted earlier and also this as a check at the open GBTRIAL point:
if ((length($comments) < 5) || ((length($comments) >= 5) && ($comments =~ /^ /)))
{ &dienice("You did not enter a comment"); }
else
{ [start of block with open GBTRIAL to above sub dienice] }
That code above should trap anyone who's trying to send blank messages and force them back to the guestbook entry screen.
Hope this helps,
YES!
EVERYTHING, cookies, hidden-field data, checkbox data, etc that is sent to the server from a website should be validated.
It is really easy to create a form on my desktop and point it to your server. I can now send anything I want straight from my desktop to your server.Windycitycoder
Thanks for your help so far. However I am having problems with the code you sent. It returns an internal server error.
I only use cgi rather tentatively and may be misreading your script. I changed ne to != and eq to == Is that right?
Nedals
Do you mean that every field should be filled in? Sometimes I don't mind if a field is left blank. Or does validation have a more subtle meaning in this context? As windycitycoder points out the javascript for the form is to check the form rather than a security block. Is what you call validation with reference to the cgi?
Fields can be blank, but if they are filled in, [b]in your .cgi script[/b] check that the content is what you expect. A user can easily skip all javascript checks.Thanks to you both for helping to clarify the concepts in my mind.
If I can recap:
1Javascript is ok for checking fields are appropriately filled in before the form is submitted, but do not constitute a security device. Sorry! Pressed the wrong button
Thanks to you both for helping to clarify the concepts in my mind.
If I can recap:
1 Javascript is ok for checking fields are appropriately filled in before the form is submitted, but do not constitute a security device.
2 I was being lazy copying windycitycoder's code without trying to understand it. I presume some of the code is the check and goes in the first part, but the message to be returned to the submitter goes elsewhere.
I'll work on it and try and solve it before windycitycoder rejoins us after the 25th.
When you say 'It returns an internal server error.', does it tell you what the error is or just something like '500: internal server error'
You wisely included 'use CGI::Carp qw(warningsToBrowser fatalsToBrowser);'.
That should have return a description of the error. If it did not, you may have a problem with your method of upload.
if ($first eq "") { &dienice("You did not enter your first name"); }
You do not need to compare a string to 'null' (""). In perl a null or 0 is false. This might be better written...
dienice("You did not enter your first name") unless ($first);
You also do not need the leading '&' in current versions of Perl.
The error message I get when I include windycitycoder's code (or your shortend version) is
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator,[email][email protected][/email] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
So it would appear to be trapping an error but not responding to the specific error of missing fields.
Searching the forum for similar problems I've discovered the code was originaly given to me by windycitycoder in September last year so I guess I haven't progressed much.
The problem seems to lie in the definition of the dienice function.
Does the [b]exact[/b] code you originally posted (first post) work as expected but allows blank messages?
Just noticed. Rewrite this line as shown here
use CGI::Carp(qw/warningsToBrowser fatalsToBrowser/);
The dienice() sub looks fine and should not be causing a problemYes the Code works as expected receiving genuine emails but without any validation will let any blank mesage through.
I have corrected the line you mention with no apparent effect on anything.
If I include the line
dienice("You did not enter your first name") unless ($first);
in the cgi and try to send a blank message, then I get the general error message I posted before, but I don't see the text in the dienice argument.
Spires, here's the updated guestbook script. I just tested it and everything works perfectly.
Added features (server side)
- Forces user to enter a valid first name, last name, e-mail address (not just[email protected] ), location and actual comment.
Hope this helps!Progress of sorts!
Using windycitycoder's latest cgi script, the general error message is returned if I leave out a field (so presumably blanks cannot be sent) but the submitter is not told what is happening. If all fields are filled in the message is delivered as planned.
So why is the dienice function not working as it should?
Incidentally I gave the new script a new name (Webmaster.cgi) and had the usual hiccup before I remembered to change permissions!
Which version of the dienice function are you using - the original one or the one that was in what I posted earlier today? If it's the original one, please try the one I posted. While working with the script, I noticed that I'd get internal errors (traced back to malformed headers at <h2>Error</h2>) unless I had the start_html and headers() in the function as well.
If you're using the new version, can you see the actual error logs (typically /var/logs/httpd/error_log)? If so, please post the line(s) from the log that occur when you see the error.
To windycitycoder: yes I used your latest code in its entirity, including the new dienice function.
The situation now is that without the extra code messages, including blank fields, get through. With the code and leaving fields blank throws up the general error; filling in all fields lets the message through. I can achieve what I want by having Javascript check for completeness then late the cgi check for security. So genuine customers wouldn't be thwarted and and anyone else would be blocked without explanation.
However, I'm sure you will both agree that that is not entirely satisfactory.
I should mention perhaps that the trials I am doing are with the webmaster form and the webmaster cgi.
The current versions of each are shown below:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<script type="text/javascript">
function validate_email(field,alerttxt)
{
with (field)
{
apos=value.indexOf("@")
dotpos=value.lastIndexOf(".")
if (apos<1||dotpos-apos<2)
{alert(alerttxt);return false}
else {return true}
}
}function validate_form(thisform)
{
with (thisform)
{
if (validate_title(title,"Please enter a valid title")==false)
{email.focus();return false}
if (validate_firstname(firstname,"Please enter a valid firstname")==false)
{email.focus();return false}
if (validate_surname(surname,"Please enter a valid surname")==false)
{email.focus();return false}
if (validate_email(email,"Please enter a valid e-mail address")==false)
{email.focus();return false}
if (validate_loc(loc,"Please enter a valid location")==false)
{email.focus();return false}
if (validate_comments(comments,"Please enter some comments")==false)
{email.focus();return false}
}
}
</script>
<meta name="generator" content=
"HTML Tidy for Windows (vers 1st March 2005), see www.w3.org">
<title>Guestbook</title>
</head>
<body>
<form action="Webmaster.cgi" onsubmit="return validate_form(this);" method="post">
<table summary="message for webmaster">
<tr>
<td>Title</td>
<td><input name="title" type="text" value=""></td>
</tr>
<tr>
<td>First Name</td>
<td><input name="firstname" type="text" value=""></td>
</tr>
<tr>
<td>Surname</td>
<td><input name="surname" type="text" value=""></td>
</tr>
<tr>
<td>E-Mail</td>
<td><input name="email" type="text" value=""></td>
</tr>
<tr>
<td>Location</td>
<td><input name="loc" type="text" value=""></td>
</tr>
<tr>
<td>Comments</td>
<td>
<textarea name="comments" rows="15" cols="32">
</textarea></td>
</tr>
</table>
<br>
<br>
<input type="submit" value="SEND"></form>
</body>
</html>
and
#!/usr/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;
my $title = param('title');
my $first = param('firstname');
my $surname = param('surname');
my $em = param('email');
my $loc = param('loc');
my $comments = param('comments');
my $fullname = "";
if ($title ne "")
{ $fullname .= $title;}
$fullname .= " ";
$fullname .= $first;
$fullname .= " ";
$fullname .= $surname;
print header;
print start_html("Results");
$ENV{PATH} = "/usr/sbin";
open (MAIL, "|/usr/sbin/sendmail -oi -t") or
&dienice("Can't fork for sendmail: $!n");
my $recipient = '[email protected] ';
print MAIL "To: $recipientn";
print MAIL "From: JPAGgn";
print MAIL "Subject: JPAG Message for Hon Secnn";
print MAIL "From: $fullname( " . $em . " ) " . "n";
print MAIL "Location: $locnn";
print MAIL "n";
print MAIL "This message is via the JPAG website.n";
print MAIL "Do not use the reply facility for your reply but click on the e-mail address supplied.nn";
print MAIL "$commentsn";
close(MAIL);
print <<EndHTML;
<h2>Thank You</h2>
<p>Thank you for writing!</p>
<p>Use Back Button to return to previous pages.</p>
<p>Your message was as follows</p>
<p>$comments</p>
<p>From: $fullname $loc $em</p>
EndHTML
print end_html;
sub dienice {
my($errmsg) =@_ ;
print "<h2>Error</h2>n";
print "<p>$errmsg</p>n";
print end_html;
exit;
}And I should have added that I have yet to see the text of the arguments in the dienice function fed back as an error. Update
I don't know what I did but I tried retyping some of the code and it now works!
Except:
It only gives a message for the first omission. Should it give a multiple message for each
field missing, rather than have the user repeatedly be sent back to the form?
That is interesting. I do not see anything wrong with the code. Maybe someon submits these blamk forms form a fake e-mail. Have you checked it? The spammers can do it, check out thisStackoverflow thread or you can ask here as well.
CGI Blank messages being received from the web page.
I have a website with the facility to send e-mails to the webmaster and the Hon Sec using CGI. There is a low level checking procedure which checks for a valid e-mail address by format
The system seems to work fine in that messages do get sent to both webmaster and secretary but messages won’t be sent unless the sender supplies an email of the correct form (even though it is a made-up one).
However recently we have both received completely blank messages. Can anyone explain to me what is happening?
This is the CGI code:
#!/usr/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;
my $title = param(‘title’);
my $first = param(‘firstname’);
my $surname = param(‘surname’);
my $em = param(’email’);
my $loc = param(‘loc’);
my $comments = param(‘comments’);
my $fullname = “”;
if ($title ne “”)
{ $fullname .= $title;}
$fullname .= ” “;
$fullname .= $first;
$fullname .= ” “;
$fullname .= $surname;
print header;
print start_html(“Results”);
# Set the PATH environment variable to the same path
# where sendmail is located:
$ENV{PATH} = “/usr/sbin”;
# open the pipe to sendmail
open (MAIL, “|/usr/sbin/sendmail -oi -t”) or
&dienice(“Can’t fork for sendmail: $!n”);
# change this to your own e-mail address
my $recipient = ‘
# Start printing the mail headers
# You must specify who it’s to, or it won’t be delivered:
print MAIL “To: $recipientn”;
# From should probably be the webserver.
print MAIL “From: JPAGgn”;
# print a subject line so you know it’s from your form cgi.
print MAIL “Subject: JPAG Guestbook messagenn”;
# Now print the body of your mail message.
print MAIL “From: $fullname ()
print MAIL “Location: $locn”;
print MAIL “Comments: $commentsn”;
# Be sure to close the MAIL input stream so that the
# message actually gets mailed.
close(MAIL);
open GBTRIAL, “>>GBFile.txt”;
print GBTRIAL $fullname;
print GBTRIAL “, “;
print GBTRIAL $loc;
print GBTRIAL “n”;
print GBTRIAL $comments;
print GBTRIAL “n”;
print GBTRIAL “n”;
close GBTRIAL;
# Now print a thank-you page
print <<EndHTML;
<h2>Thank You</h2>
<p>Thank you for writing!</p>
<p>Use Back Button to return to previous pages.</p>
<p>Your message was as follows</p>
<p>$comments</p>
<p>From: $fullname $loc $em</p>
EndHTML
print end_html;
# The dienice subroutine handles errors.
sub dienice {
my($errmsg) =
print “<h2>Error</h2>n”;
print “<p>$errmsg</p>n”;
print end_html;
exit;
}
Sign in
to post a comment23 Comments(s) ↴
0
@windycitycoderNov 13.2008 — #I have a website with the facility to send e-mails to the webmaster and the Hon Sec using CGI. There is a low level checking procedure which checks for a valid e-mail address by format[email protected]
The system seems to work fine in that messages do get sent to both webmaster and secretary but messages won't be sent unless the sender supplies an email of the correct form (even though it is a made-up one).
However recently we have both received completely blank messages. Can anyone explain to me what is happening?
[/quote]
This should fix the blank issues
if (($first eq "") || ($surname eq "") || ($em eq "") || ($loc eq "") || ($comments eq ""))
{
if ($first eq "")
{ &dienice("You did not enter your first name"); }
if ($surname eq "")
{ &dienice("You did not enter your last name"); }
if ($em eq "")
{ &dienice("You did not enter your e-mail address"); }
if ($loc eq "")
{ &dienice("You did not enter your location"); }
if ($comments eq "")
{ &dienice("You did not enter a comment"); }
}
And put that block after the fullname declaration.
reply?
0
@spiresgateauthorNov 13.2008 — #However I can't replicate the phenomenom from the client side as the e-mail check prevents anything being sent anyway, I suspect your extra code just does the same blocking. My real question is how is something gettting through even when the e-mail check should stop it?
reply?
0
@windycitycoderNov 13.2008 — #Thanks for that. I'll incorporate your suggestion.
However I can't replicate the phenomenom from the client side as the e-mail check prevents anything being sent anyway, I suspect your extra code just does the same blocking. My real question is how is something gettting through even when the e-mail check should stop it?[/QUOTE]
Yes, that code will block the form from going through unless there's data in every field.
Can you please post either the form or a link to it? I did not see the e-mail validation piece in there.
One other thought - and I've seen this myself at times from forms I've created - is that someone's submitting blank forms with a fake e-mail that meets the format reqs to see if they can fish out the recipient address and spam it.
reply?
0
@spiresgateauthorNov 14.2008 — #Thanks again.The website is at
and the cgi functions are through buttons WEBMASTER, HON SECRETARY and GUESTBOOK.
I haven't added your additional blocking scripts, pending any further light you can throw. You may be right about phishing.
reply?
0
@spiresgateauthorNov 14.2008 — #This may be the answer:
The e-mail check is in the form script.
Is it possible for someone to remove the script and send blank messages?
I presume your suggested script goes into the cgi (which I posted initially)?
reply?
0
@windycitycoderNov 14.2008 — #Ah!
This may be the answer:
The e-mail check is in the form script.
Is it possible for someone to remove the script and send blank messages?
I presume your suggested script goes into the cgi (which I posted initially)?[/QUOTE]
As far as the JavaScript, that's just checking for a format of
Yes, those fixes go into the CGI script. I have an idea for a much more streamlined approach to the entire guestbook. If you can wait until about 11/25, I should be able to send it over (as I have several other priorities this weekend and early next week). If not, I would suggest adding what I posted earlier and also this as a check at the open GBTRIAL point:
if ((length($comments) < 5) || ((length($comments) >= 5) && ($comments =~ /^ /)))
{ &dienice("You did not enter a comment"); }
else
{ [start of block with open GBTRIAL to above sub dienice] }
That code above should trap anyone who's trying to send blank messages and force them back to the guestbook entry screen.
Hope this helps,
reply?
0
@NedalsNov 15.2008 — #Is it possible for someone to remove the script and send blank messages?[/QUOTE]
YES!
EVERYTHING, cookies, hidden-field data, checkbox data, etc that is sent to the server from a website should be validated.
It is really easy to create a form on my desktop and point it to your server. I can now send anything I want straight from my desktop to your server.
reply?
0
@spiresgateauthorNov 15.2008 — #Thanks for your help so far. However I am having problems with the code you sent. It returns an internal server error.
I only use cgi rather tentatively and may be misreading your script. I changed ne to != and eq to == Is that right?
Nedals
Do you mean that every field should be filled in? Sometimes I don't mind if a field is left blank. Or does validation have a more subtle meaning in this context? As windycitycoder points out the javascript for the form is to check the form rather than a security block. Is what you call validation with reference to the cgi?
reply?
0
@NedalsNov 15.2008 — #Do you mean that every field should be filled in? Sometimes I don't mind if a field is left blank. Or does validation have a more subtle meaning in this context? As windycitycoder points out the javascript for the form is to check the form rather than a security block. Is what you call validation with reference to the cgi?[/QUOTE]
Fields can be blank, but if they are filled in, [b]in your .cgi script[/b] check that the content is what you expect. A user can easily skip all javascript checks.
reply?
0
@spiresgateauthorNov 16.2008 — #If I can recap:
1Javascript is ok for checking fields are appropriately filled in before the form is submitted, but do not constitute a security device.
reply?
0
@spiresgateauthorNov 16.2008 — #Thanks to you both for helping to clarify the concepts in my mind.
If I can recap:
1 Javascript is ok for checking fields are appropriately filled in before the form is submitted, but do not constitute a security device.
2 I was being lazy copying windycitycoder's code without trying to understand it. I presume some of the code is the check and goes in the first part, but the message to be returned to the submitter goes elsewhere.
I'll work on it and try and solve it before windycitycoder rejoins us after the 25th.
reply?
0
@NedalsNov 16.2008 — #A few notes to keep you going. ?Windycitycoder
Thanks for your help so far. However I am having problems with the code you sent. It returns an internal server error.
I only use cgi rather tentatively and may be misreading your script. I changed ne to != and eq to == Is that right?[/QUOTE]
When you say 'It returns an internal server error.', does it tell you what the error is or just something like '500: internal server error'
You wisely included 'use CGI::Carp qw(warningsToBrowser fatalsToBrowser);'.
That should have return a description of the error. If it did not, you may have a problem with your method of upload.
>>> I changed ne to != and eq to == Is that right?
In your case, no
eq, ne, lt, gt are used when comparing strings
==, !=, <, > are used when comparing numbers.
if ($first eq "") { &dienice("You did not enter your first name"); }
You do not need to compare a string to 'null' (""). In perl a null or 0 is false. This might be better written...
dienice("You did not enter your first name") unless ($first);
You also do not need the leading '&' in current versions of Perl.
reply?
0
@spiresgateauthorNov 17.2008 — #Thanks NedalsThe error message I get when I include windycitycoder's code (or your shortend version) is
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator,
More information about this error may be available in the server error log.
So it would appear to be trapping an error but not responding to the specific error of missing fields.
Searching the forum for similar problems I've discovered the code was originaly given to me by windycitycoder in September last year so I guess I haven't progressed much.
The problem seems to lie in the definition of the dienice function.
reply?
0
@NedalsNov 17.2008 — #Just to clarify...Does the [b]exact[/b] code you originally posted (first post) work as expected but allows blank messages?
Just noticed. Rewrite this line as shown here
use CGI::Carp(qw/warningsToBrowser fatalsToBrowser/);
The dienice() sub looks fine and should not be causing a problem
reply?
0
@spiresgateauthorNov 18.2008 — #I have corrected the line you mention with no apparent effect on anything.
If I include the line
dienice("You did not enter your first name") unless ($first);
in the cgi and try to send a blank message, then I get the general error message I posted before, but I don't see the text in the dienice argument.
reply?
0
@windycitycoderNov 18.2008 — #Yes the Code works as expected receiving genuine emails but without any validation will let any blank mesage through.
I have corrected the line you mention with no apparent effect on anything.
If I include the line
dienice("You did not enter your first name") unless ($first);
in the cgi and try to send a blank message, then I get the general error message I posted before, but I don't see the text in the dienice argument.[/QUOTE]
Spires, here's the updated guestbook script. I just tested it and everything works perfectly.
Added features (server side)
- Forces user to enter a valid first name, last name, e-mail address (not just
<i>
</i>#!/usr/bin/perl -wT
use CGI qw(:standard escape);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;
## Variables ##
my $mailprog = '/usr/sbin/sendmail';
my $gbf = 'GBFile.txt';
my $title = param('title');
my $first = param('firstname');
my $surname = param('surname');
my $em = param('email');
my $loc = param('loc');
my $comments = param('comments');
my $fullname = "";
my $recipient = '[email protected]';
my $whofrom = '[email protected]';
## Variables ##
## Functions - Main Follows ##
sub dienice
{
my($errmsg) = @_;
print header;
print start_html("Error");
print "<h2>Error</h2>n";
print "<p>$errmsg</p>n";
print end_html;
exit;
}
## Functions - Main Follows ##
## Check to see that all required values are there
if (($first eq "") || ($surname eq "") || (length($em) < 7) ||
($loc eq "") || ($comments eq "") || ((length($comments) < 5) ||
((length($comments) >= 5) && ($comments =~ /^ /))))
{
if ($first eq "")
{ &dienice("You did not enter your first name!"); }
elsif ($surname eq "")
{ &dienice("You did not enter your last name!"); }
elsif (length($em) < 7)
{ &dienice("You did not enter a valid e-mail address!"); }
elsif ($loc eq "")
{ &dienice("You did not enter your location!"); }
else
{ &dienice("You did not enter any comments!"); }
}
## If the above if is false, then it's a valid submission, so start working with it.
## Build full name
if ($title ne "")
{ $fullname = $title; $fullname .= " "; }
$fullname .= $first;
$fullname .= " ";
$fullname .= $surname;
print header;
print start_html("Results");
$ENV{PATH} = "/usr/sbin";
open(MAIL, "|$mailprog -oi -t") or &dienice("Can't fork for sendmail: $!n");
print MAIL "To: $recipientn";
print MAIL "From: JPAGg <$whofrom>n";
print MAIL "From: $fullname ( " . $em . " )" . "nn";
print MAIL "Location: $locn";
print MAIL "Comments: $commentsn";
close(MAIL);
open(GBTRIAL, ">>$gbf");
print GBTRIAL $fullname . ", " . $loc . "n" . $comments . "nn";
close(GBTRIAL);
# Now print a thank-you page
print "<h2>Thank You</h2><p>Thank you for writing!</p><p>Use Back Button to return to previous pages.</p>";
print "<p>Your message was as follows</p><p>$comments</p><p>From: $fullname $loc $em</p>";
print end_html;
Hope this helps!
reply?
0
@spiresgateauthorNov 18.2008 — #Using windycitycoder's latest cgi script, the general error message is returned if I leave out a field (so presumably blanks cannot be sent) but the submitter is not told what is happening. If all fields are filled in the message is delivered as planned.
So why is the dienice function not working as it should?
Incidentally I gave the new script a new name (Webmaster.cgi) and had the usual hiccup before I remembered to change permissions!
reply?
0
@windycitycoderNov 18.2008 — #Progress of sorts!
Using windycitycoder's latest cgi script, the general error message is returned if I leave out a field (so presumably blanks cannot be sent) but the submitter is not told what is happening. If all fields are filled in the message is delivered as planned.
So why is the dienice function not working as it should?
Incidentally I gave the new script a new name (Webmaster.cgi) and had the usual hiccup before I remembered to change permissions![/QUOTE]
Which version of the dienice function are you using - the original one or the one that was in what I posted earlier today? If it's the original one, please try the one I posted. While working with the script, I noticed that I'd get internal errors (traced back to malformed headers at <h2>Error</h2>) unless I had the start_html and headers() in the function as well.
If you're using the new version, can you see the actual error logs (typically /var/logs/httpd/error_log)? If so, please post the line(s) from the log that occur when you see the error.
reply?
0
@spiresgateauthorNov 19.2008 — #I can see this is going to turn out to be due to a silly mistake somewhere, so I do apologise to you both for using you as proofreaders. I appreciate your help anyway.To windycitycoder: yes I used your latest code in its entirity, including the new dienice function.
The situation now is that without the extra code messages, including blank fields, get through. With the code and leaving fields blank throws up the general error; filling in all fields lets the message through. I can achieve what I want by having Javascript check for completeness then late the cgi check for security. So genuine customers wouldn't be thwarted and and anyone else would be blocked without explanation.
However, I'm sure you will both agree that that is not entirely satisfactory.
I should mention perhaps that the trials I am doing are with the webmaster form and the webmaster cgi.
The current versions of each are shown below:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<script type="text/javascript">
function validate_email(field,alerttxt)
{
with (field)
{
apos=value.indexOf("@")
dotpos=value.lastIndexOf(".")
if (apos<1||dotpos-apos<2)
{alert(alerttxt);return false}
else {return true}
}
}function validate_form(thisform)
{
with (thisform)
{
if (validate_title(title,"Please enter a valid title")==false)
{email.focus();return false}
if (validate_firstname(firstname,"Please enter a valid firstname")==false)
{email.focus();return false}
if (validate_surname(surname,"Please enter a valid surname")==false)
{email.focus();return false}
if (validate_email(email,"Please enter a valid e-mail address")==false)
{email.focus();return false}
if (validate_loc(loc,"Please enter a valid location")==false)
{email.focus();return false}
if (validate_comments(comments,"Please enter some comments")==false)
{email.focus();return false}
}
}
</script>
<meta name="generator" content=
"HTML Tidy for Windows (vers 1st March 2005), see www.w3.org">
<title>Guestbook</title>
</head>
<body>
<form action="Webmaster.cgi" onsubmit="return validate_form(this);" method="post">
<table summary="message for webmaster">
<tr>
<td>Title</td>
<td><input name="title" type="text" value=""></td>
</tr>
<tr>
<td>First Name</td>
<td><input name="firstname" type="text" value=""></td>
</tr>
<tr>
<td>Surname</td>
<td><input name="surname" type="text" value=""></td>
</tr>
<tr>
<td>E-Mail</td>
<td><input name="email" type="text" value=""></td>
</tr>
<tr>
<td>Location</td>
<td><input name="loc" type="text" value=""></td>
</tr>
<tr>
<td>Comments</td>
<td>
<textarea name="comments" rows="15" cols="32">
</textarea></td>
</tr>
</table>
<br>
<br>
<input type="submit" value="SEND"></form>
</body>
</html>
and
#!/usr/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;
my $title = param('title');
my $first = param('firstname');
my $surname = param('surname');
my $em = param('email');
my $loc = param('loc');
my $comments = param('comments');
my $fullname = "";
if ($title ne "")
{ $fullname .= $title;}
$fullname .= " ";
$fullname .= $first;
$fullname .= " ";
$fullname .= $surname;
print header;
print start_html("Results");
# Set the PATH environment variable to the same path
# where sendmail is located:
$ENV{PATH} = "/usr/sbin";
# open the pipe to sendmail
open (MAIL, "|/usr/sbin/sendmail -oi -t") or
&dienice("Can't fork for sendmail: $!n");
# change this to your own e-mail address
my $recipient = '
# Start printing the mail headers
# You must specify who it's to, or it won't be delivered:
print MAIL "To: $recipientn";
# From should probably be the webserver.
print MAIL "From: JPAGgn";
# print a subject line so you know it's from your form cgi.
print MAIL "Subject: JPAG Message for Hon Secnn";
# Now print the body of your mail message.
print MAIL "From: $fullname
print MAIL "Location: $locnn";
print MAIL "n";
print MAIL "This message is via the JPAG website.n";
print MAIL "Do not use the reply facility for your reply but click on the e-mail address supplied.nn";
print MAIL "$commentsn";
# Be sure to close the MAIL input stream so that the
# message actually gets mailed.
close(MAIL);
# Now print a thank-you page
print <<EndHTML;
<h2>Thank You</h2>
<p>Thank you for writing!</p>
<p>Use Back Button to return to previous pages.</p>
<p>Your message was as follows</p>
<p>$comments</p>
<p>From: $fullname $loc $em</p>
EndHTML
print end_html;
# The dienice subroutine handles errors.
sub dienice {
my($errmsg) =
print "<h2>Error</h2>n";
print "<p>$errmsg</p>n";
print end_html;
exit;
}
reply?
0
@spiresgateauthorNov 19.2008 — #reply?
0
@spiresgateauthorNov 21.2008 — #I don't know what I did but I tried retyping some of the code and it now works!
Except:
It only gives a message for the first omission. Should it give a multiple message for each
field missing, rather than have the user repeatedly be sent back to the form?
reply?
0
@Leo_WalkerAug 01.2016 — #I have a website with the facility to send e-mails to the webmaster and the Hon Sec using CGI. There is a low level checking procedure which checks for a valid e-mail address by format[email protected]
The system seems to work fine in that messages do get sent to both webmaster and secretary but messages won't be sent unless the sender supplies an email of the correct form (even though it is a made-up one).
However recently we have both received completely blank messages. Can anyone explain to me what is happening?
This is the CGI code:
#!/usr/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;
my $title = param('title');
my $first = param('firstname');
my $surname = param('surname');
my $em = param('email');
my $loc = param('loc');
my $comments = param('comments');
my $fullname = "";
if ($title ne "")
{ $fullname .= $title;}
$fullname .= " ";
$fullname .= $first;
$fullname .= " ";
$fullname .= $surname;
print header;
print start_html("Results");
# Set the PATH environment variable to the same path
# where sendmail is located:
$ENV{PATH} = "/usr/sbin";
# open the pipe to sendmail
open (MAIL, "|/usr/sbin/sendmail -oi -t") or
&dienice("Can't fork for sendmail: $!n");
# change this to your own e-mail address
my $recipient = '[email protected] ';
# Start printing the mail headers
# You must specify who it's to, or it won't be delivered:
print MAIL "To: $recipientn";
# From should probably be the webserver.
print MAIL "From: JPAGgn";
# print a subject line so you know it's from your form cgi.
print MAIL "Subject: JPAG Guestbook messagenn";
# Now print the body of your mail message.
print MAIL "From: $fullname( " . $em . ") " . "nn";
print MAIL "Location: $locn";
print MAIL "Comments: $commentsn";
# Be sure to close the MAIL input stream so that the
# message actually gets mailed.
close(MAIL);
open GBTRIAL, ">>GBFile.txt";
print GBTRIAL $fullname;
print GBTRIAL ", ";
print GBTRIAL $loc;
print GBTRIAL "n";
print GBTRIAL $comments;
print GBTRIAL "n";
print GBTRIAL "n";
close GBTRIAL;
# Now print a thank-you page
print <<EndHTML;
<h2>Thank You</h2>
<p>Thank you for writing!</p>
<p>Use Back Button to return to previous pages.</p>
<p>Your message was as follows</p>
<p>$comments</p>
<p>From: $fullname $loc $em</p>
EndHTML
print end_html;
# The dienice subroutine handles errors.
sub dienice {
my($errmsg) =@_ ;
print "<h2>Error</h2>n";
print "<p>$errmsg</p>n";
print end_html;
exit;
}[/QUOTE]
That is interesting. I do not see anything wrong with the code. Maybe someon submits these blamk forms form a fake e-mail. Have you checked it? The spammers can do it, check out this
reply?
