Form is submitting empty data
We have a site with many different forms that all submit the same data format. (The previous developer did it this way; why, I will never know.) My question is: can I find out which page submitted this form data, so I can go into that file and fix the problem? Also, I know there is a lot of old (HTML 4) code in there; I just want to fix the problem so I can come back and update it to HTML 5 once it is fixed.
I have 2 hypotheses for why the data is being submitted with blank results:
- No client-side or server-side validation is taking place.
- Spam bots may be bypassing the validation and simply submitting blank data to the email.
I found a file that I believe is one of the culprits and modified the code below to try to stop blank form submissions from happening. Is this still vulnerable to blank submission results?
Form:
<cfparam name="form.firstName" default="">
<cfparam name="form.lastName" default="">
<cfparam name="form.email" default="">
<cfparam name="form.subject" default="">
<cfparam name="form.comments" default="">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Example form problem</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta name="viewport" content="initial-scale=1">
<link type="text/css" rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" />
<link rel="shortcut icon" property="icon" href="favicon.ico" />
<link rel="stylesheet" type="text/css" href="//cloud.typography.com/7136474/785948/css/fonts.css" />
<link rel="stylesheet" href="css/style.css" TYPE="text/css">
<link rel="stylesheet" href="css/online-reservations.css" TYPE="text/css">
<link href="css/flexnav.css" media="screen, projection" rel="stylesheet" type="text/css">
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>
<script src="js/jquery.flexnav.js" type="text/javascript"></script>
<script type="text/javascript">
jQuery(document).ready(function($) {
// initialize FlexNav
$(".flexnav").flexNav();
});
</script>
</head>
<body id="contact">
<div id="pageHeader">
<ul>
<li class="right">
<br/>
<div class="login" style="margin-top:11px;"><span><a href="../account.cfm" title="Register or login to your account">LOGIN</a></span></div>
</li>
</ul>
</div><!-- END pageHeader-->
<!-- Nav -->
<div class="nav-wrapper">
<cfinclude template="includes/mobile-menu.cfm" >
</div>
<!-- /Nav -->
<br/><br/>
<br/><br/>
<br/><br/>
<div class="full-width-light-bg blue little">
<div class="page-width light-bg">
<h1 class="skinny">Contact Us</h1>
<br/>
<form name="ContactForm" action="_email_results.cfm" method="POST">
<div id="frmReservation">
<div class="input-wrapper">
<span>First Name</span>
<!-- message= and validate= are <cfinput> attributes; on a plain <input> inside a plain <form> they are ignored, so required/email checks must also happen server-side -->
<input name="FirstName"
message="Please enter your first name"
type="Text"
maxlength="50"
id="firstName"
required>
</div><!--/input-wrapper-->
<div class="input-wrapper">
<span>Last Name</span>
<input name="LastName"
message="Please enter your last name"
type="Text"
maxlength="50"
id="lastName"
required>
</div><!--/input-wrapper-->
<div class="input-wrapper">
<span>E-mail Address</span>
<input name="email"
message="Please enter a valid email address"
type="email"
maxlength="50"
id="email"
validate="Email"
required>
</div><!--/input-wrapper-->
<div class="input-wrapper">
<span>Subject</span>
<input
name="Subject"
id="subject"
type="Text"
required >
</div><!--/input-wrapper-->
<div class="input-wrapper">
<span>Comment</span>
<textarea name="Comments" wrap="hard"></textarea>
</div><!--/input-wrapper-->
<center><br/>
<input
class="redButton"
id="submitButton"
Type=submit
Value="Send"
title="Submit Contact Us Form">
</center>
<cfinclude template="../../cfformprotect/cffp.cfm">
</div><!--/#frmReservation-->
</form>
<br class="clear" /><br/>
</div><!--END page-width light-bg-->
</div><!--END full-width-light-bg little-->
<script type="text/javascript" src="js/toggle-menu.js"></script>
<script type="text/javascript">
var firstName = document.getElementById('firstName');
var lastName = document.getElementById('lastName');
var email = document.getElementById('email');
var subject = document.getElementById('subject');
var submitButton = document.getElementById('submitButton');
submitButton.addEventListener('click', function(e){
//console.log('test');
if(firstName.value == '' || lastName.value == '' || email.value == '' || subject.value == ''){
alert('Please fill out all fields.');
// Prevent form submission
e.preventDefault();
}
});
</script>
</body>
</html>
Form data (the results page):
<cfparam name="form.firstName" default="">
<cfparam name="form.lastName" default="">
<cfparam name="form.email" default="">
<cfparam name="form.subject" default="">
<cfparam name="form.comments" default="">
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="3; url=index.cfm">
<title>Thank you for submitting your notes</title>
<link rel="stylesheet" type="text/css" href="//cloud.typography.com/7136474/785948/css/fonts.css" />
<link rel="stylesheet" href="css/style.css" TYPE="text/css">
</head>
<body id="contact">
<br/><br/>
<h1 align="center" class="color-white">Thank You For Contacting Us!</h1>
<div align="center" class="color-white">You will be re-directed</div>
<CFOUTPUT>
<CFSAVECONTENT variable="EmailContent">
<font Face="arial,helvetica" size="1">
<table bgcolor="white" width="600" style="font-family:'Arial',Helvetica;font-size:11px;">
<tr bgcolor="BAD8EA">
<td colspan=3>Center Reservation</td>
</tr>
<tr>
<td width="150">Date: #DateFormat(NOW())# at #Timeformat(NOW())#</td>
<td> </td>
</tr>
<tr bgcolor="e43226">
<td colspan=3></td>
</tr>
<tr>
<td>First Name:</td>
<td>#form.firstName#</td>
</tr>
<tr bgcolor="e43226">
<td colspan=3></td>
</tr>
<tr>
<td>Last Name:</td>
<td>#form.lastName#</td>
</tr>
<tr bgcolor="e43226">
<td colspan=3></td>
</tr>
<tr>
<td>Email Address</td>
<td>#form.email#</td>
</tr>
<tr bgcolor="e43226">
<td colspan=3></td>
</tr>
<tr>
<td>Subject:</td>
<td>#form.subject#</td>
</tr>
<tr bgcolor="e43226">
<td colspan=3></td>
</tr>
<tr>
<td>Comments:</td>
<td>#form.comments#</td>
</tr>
<tr bgcolor="e43226">
<td colspan=3></td>
</tr>
</table>
</font>
</CFSAVECONTENT>
</CFOUTPUT>
<cfif form.firstName EQ '' || form.lastName EQ '' || form.email EQ '' || form.subject EQ ''>
<!--- Do nothing do not email the results --->
<cfelse>
<!--- Submit the form --->
<cfmail to ="test@test.com"
cc ="test@test.com"
bcc =""
from ="#AppVars.mailfrom#"
server ="#AppVars.mailserver#"
type ="html"
subject ="Form issue">
#EmailContent#
</cfmail>
</cfif>
</body>
</html>
This is more of a long comment than an answer, but here goes. Consider using CSRF tokens.
The page with the form should have
<input name="token" value="#csrfToken#" type="hidden" />
The response page should have
<cfif !CSRFverifyToken(form.token)>
<p>I am not going to run this page</p>
<cfexit>
</cfif>
This may help address some attacks:
Cross Site Request Forgery also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a malicious attack to exploit a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.
More on CSRF: https://whosebug.com/tags/csrf/info
Direct answer: to work out which page submitted the data, you need to store cgi.http_referrer along with the form.
I would also suggest the CSRF answer above, but your question asks how to find out which form submitted, not whether it was submitted.
I would also set your content-security-policy headers on your web server to restrict where information can come from.
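One way to combine the three points raised on this page in the results template: a trimmed server-side required-field check (the page's own `EQ ''` test passes a field that contains only spaces, and `validate="Email"` on a plain `<input>` is never enforced), the CSRF token check, and recording the referring page so the offending form can be located. This is an added example, not the asker's or either answerer's code; the hidden field name `token`, the log file name and the use of `CSRFGenerateToken()` on the form page are assumptions.

```cfml
<!--- Added example for _email_results.cfm (not the original page's code).
      Run this before CFSAVECONTENT/cfmail; only a clean post reaches the cfmail. --->
<cfscript>
// Returns an array of problems; an empty array means the submission is acceptable.
function validateContactForm(required struct f) {
    var errors = [];
    var mustFill = ["firstName", "lastName", "email", "subject"];
    for (var name in mustFill) {
        // trim() turns a whitespace-only field back into "", which len() then rejects;
        // the page's own check (form.firstName EQ '') lets "   " through.
        if (!structKeyExists(f, name) || !len(trim(f[name]))) {
            arrayAppend(errors, "#name# is empty");
        }
    }
    // validate="Email" on a plain <input> does nothing, so check the format here.
    if (!arrayFindNoCase(errors, "email is empty") && !isValid("email", trim(f.email))) {
        arrayAppend(errors, "email is not a valid address");
    }
    return errors;
}

// Record where the post came from so the form page that sends blanks can be found.
// cgi.http_referer (one r) is the variable ColdFusion exposes; it is supplied by the
// client, so use it as a debugging hint, not as an authorisation decision.
function logRejectedPost(required array errors) {
    var referer = len(cgi.http_referer) ? cgi.http_referer : "(no referer header)";
    writeLog(file = "contact_form_rejects", type = "warning",
             text = "Rejected post from #referer# (#cgi.remote_addr#): #arrayToList(errors, '; ')#");
}
</cfscript>

<!--- Assumption: the form page rendered
      <input type="hidden" name="token" value="#CSRFGenerateToken()#">
      so the session-bound token can be verified here. --->
<cfparam name="form.token" default="">
<cfif not CSRFVerifyToken(form.token)>
    <cfset logRejectedPost(["CSRF token missing or invalid"])>
    <cfabort>
</cfif>

<cfset problems = validateContactForm(form)>
<cfif arrayLen(problems)>
    <cfset logRejectedPost(problems)>
<cfelse>
    <!--- only now build EmailContent and send the cfmail shown in the question --->
</cfif>
```

The log lines name the referring page and client address for each rejected post, which answers the "which page submitted this" question without emailing anything.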