We have an inquiry form where users are required with JS to at least enter their name, location, contact information, comment/question, etc. We've been getting A LOT of completely blank and semi-blank forms. We know that if the user has JS disabled, they can click the submit button with nothing filled in. I've looked into the possibility of disabling the submit button unless JS is enabled, but I've read that a lot of people think this is a bad idea. Suggestions? Thank you!
12
-
3Don't create a submit button but submit with a Javascript function.Goikiu– Goikiu2014-01-10 16:18:44 +00:00Commented Jan 10, 2014 at 16:18
-
4also do your validation server side, and reject any submission that don't have the required info.Brian Glaz– Brian Glaz2014-01-10 16:19:19 +00:00Commented Jan 10, 2014 at 16:19
-
1This is why you should always validate on the server. Never trust user input. Have your PHP validate it, and if it's bad, then throw away the data. Why should I be forced to have JS enabled? Also, what if I decide to send you fake data from cURL or something and not a web browser?gen_Eric– gen_Eric2014-01-10 16:19:45 +00:00Commented Jan 10, 2014 at 16:19
-
1@daveL: I know people who use NoScript. They'll only enable JS for a site if they need to.gen_Eric– gen_Eric2014-01-10 16:21:46 +00:00Commented Jan 10, 2014 at 16:21
-
1@daveL We are pretty sure it's people trying to hack. Most of the semi-blank forms have random letters for the name (i.e. "ibkdfwjle") and "Google" for the company. I'm pretty positive no one named ibkdfwjli from Google is trying to ask a legitimate question! ;)HHartman– HHartman2014-01-10 16:33:27 +00:00Commented Jan 10, 2014 at 16:33
|
Show 7 more comments
3 Answers
You can't prevent a blank form from being submitted by various techniques. Your server should be validating the form and rejecting submissions that are not proper. This is a core fundamental of any server that accepts data from any outside source. It must do its own data validation before accepting the data.
It is possible to make a form such that the browser can't submit it to your site via a plain browser without javascript being enabled. For example, if there's no default action for the form in the HTML and the submit action is only implemented in javascript, then the form wouldn't submit if javascript was disabled. There would still be other ways to submit the data without client-side verification which is why server-side validation is always required, but this might stop some user mistakes before they get to your server.
You can also use the <noscript> tag to advise the user that javascript is required.
You can identify many form submissions from robots server-side immediately by just including a form in your field that is populated with a known value via javascript. If, when the form is received on your server, that known value is not present in the form, then the form is likely submitted by something other than a browser with javascript enabled.
You can prevent automatic robot submissions by just not using a regular form action in your HTML. If the submission URL is only in your javascript and the submissions is only done via javascript, then most robots will never see it and never even know to try (because they don't run javascript).
FYI, neither of these last two techniques will prevent hackers from submitting rogue forms/data since they may analyze things enough to understand what is missing, but they can help identify automated attempts at submissions.
Comments
On your server side, thais php trim the data before putting in database or any other operation. Trim removes the empty spaces away.. Also check for sql injections
Comments
First, use the noscript tag to tell users they need javascript when they load the form.
Second, since form submission can't always completely prevented have the HTML form submit to a page which does not process the submission but instead tells them they must have javascript. To handle correct submissions on your form page use javascript to change the form submit action to the correct submit page.
