
Technical Support Forums


Issue with mischief-maker

Thread began 1/14/2011 7:34 am by dcb286193 | Last modified 2/05/2011 12:02 pm by Jason Byrnes | 3362 views | 16 replies |

dcb286193

I set up a registration form using form builder with validation, security and email. I have tested it and everything works correctly, although I received a bogus registration this morning. It looks as if they bypassed the form and went straight to the email and filled in their own info and sent it. Is there a way to prevent this from happening? Like putting a validation on the wave_ part so that unless the information is posted from a specific form it generates an error? I have attached a screenshot of the email.


Jason Byrnes (WebAssist)

Set the trigger for the Server Validation behavior to use any form post.

But set the trigger for any other behaviors, like Universal Email or insert record, to use Current Page Submit.


dcb286193

You are correct, I used "any post" on Universal Email. I have changed it as you suggested. Though, I would like to know what the difference would be if I used the trigger for the submit button of the specific form compared to Current Page Submit, as I have the insert record trigger set up for the specific form button pressed.


Jason Byrnes (WebAssist)

The current page submit trigger looks at the $_SERVER['HTTP_REFERER'] variable and the $_SERVER['SERVER_NAME'] variable to make sure that they match.

The $_SERVER['SERVER_NAME'] is set by the server to the server's domain. The $_SERVER['HTTP_REFERER'] is set to the domain of the page that the post came from.

Current page submit also looks at the page name of the referer, and makes sure they match.

A common tactic that a hacker will use is to visit your form page, and view source in the browser, then copy the source code.

He will then create a new page with your source code, set the action of the form to post to the form on your domain, upload it to his server to try and hack your form.

In this case, the Button submit trigger will still work, because he is just copying your form, element for element.

If you use the Current page submit trigger it won't work though, since the HTTP_REFERER will not match the SERVER_NAME.

Setting the Server Validation behavior to use the Any form submit trigger will run the validation any time a post is made to the page. You want the validation to occur no matter what.

You only want the Insert or Email to send if the form that is being posted is on your server.

Sign in to reply to this post
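
The check described in the reply above, written out as an added example; it is not part of the original thread and not WebAssist's generated code. The function name, the use of SCRIPT_NAME for the current page name, and the sample requests are assumptions made for illustration.

```php
<?php
// Hypothetical helper: true only when a POST appears to come from this
// same page on this same server, as the "Current Page Submit" trigger is
// described in the thread.
function is_current_page_submit(array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return false; // header absent: nothing shows the post came from this page
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    // Host of the referring page must equal the server's own name.
    if (strcasecmp($parts['host'], $server['SERVER_NAME'] ?? '') !== 0) {
        return false;
    }
    // Page name of the referer must equal the page handling the post.
    $refPage  = basename($parts['path'] ?? '');
    $thisPage = basename($server['SCRIPT_NAME'] ?? '');
    return $refPage !== '' && $refPage === $thisPage;
}

// Constructed sample requests (not taken from the thread).
$base = ['REQUEST_METHOD' => 'POST', 'SERVER_NAME' => 'www.example.com',
         'SCRIPT_NAME' => '/register.php'];
$samples = [
    'form on this page'      => $base + ['HTTP_REFERER' => 'http://www.example.com/register.php'],
    'form copied elsewhere'  => $base + ['HTTP_REFERER' => 'http://other.example.net/register.php'],
    'other page, same host'  => $base + ['HTTP_REFERER' => 'http://www.example.com/contact.php'],
    'no referer sent'        => $base,
];

foreach ($samples as $label => $server) {
    // Server validation runs on every post; only the insert/email is gated.
    // HTTP_REFERER is supplied by the client, so the gate complements the
    // validation and does not replace it.
    $action = is_current_page_submit($server) ? 'send email / insert' : 'skip email / insert';
    printf("%-24s %s\n", $label, $action);
}
```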

dcb286193

Thank you Jason, a very good explanation that I think many others will like, as I did. As always you and the rest of the staff do a great job. Thanks for the help


Jason Byrnes (WebAssist)

You're welcome.


dcb286193

I am having another issue with the lost password page. I have attached a screenshot. I have the validation set up to validate the email address on the form, and the total rows must be one. It is set up to validate from the submit button of the form. Should this be validating on page submit instead, or how should I go about handling this issue?


Jason Byrnes (WebAssist)

Please send a copy of your page and the webassist/email folder so I can examine the code.


dcb286193

I have attached the files.


Jason Byrnes (WebAssist)

Try changing the validation trigger to use the email address form element instead of the button press.

Change:
if (isset($_POST["form_submit_x"])) {

To:
if (isset($_POST["emailAddress"])) {
