View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

Secure Use With Universal Email

Thread began 10/07/2009 6:17 pm by Cologne | Last modified 10/09/2009 10:26 am by Cologne | 3583 views | 3 replies

Ray BorduinWebAssist

It depends on how you define missuse...

Basic email injection should not work no matter what when using Universal Email... however there are many more ways you can missuse a form... for instance, simply trying to use a form with a bot testing if it has any vulrnerabilities could be considered misuse in itself.

For the most complete security you can do things like:
1) Use the trigger "current page submit" in universal email. It will do referrer checking to make sure the page is submitted to itself and nobody is posting from their own form.
2) Add email address validation on the email field and don't use that as the to field or mentioned anywhere except the email body.
3) Add alphanumeric validation to the Name field so that no code can be entered, even though it is unlikely the code would work, it prevents them from even trying.
4) Add entry length validation to the Message field. I don't think you expect a large volume of data to be typed into that field, but a hacker would likely have quite a bit if they were trying to use email injeciton techniques.
5) Honeypot validation will often prevent bots... this is just a matter of placing a few blank hidden fields and text fields with style="display:none" and style="visibility:hidden" on the page and verifying they are still blank after the page is submitted. Bots often can't resist filling out all fields in a form and no human could possibly enter a value, so you can catch bots this way.
6) CAPTCHA is a good option, since most bots cannot read them, and would also prevent a submission from a remote domain, the only limitation is that blind people could not fill out your form without help.
7) Obvious question is a great preventor of bots, since it pretty much ensures only a human can fill out and submit the form. It also can be read by screen readers for the blind, and prevents any submission from a remote server.
8) Be sure to use Server Validation where I mention validation, since client validation is really only good for aesthetics and not real security since javascript can always be disabled on the client.

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...