Block or limit visitor's(just viewing a website, no user registration) multiple form submission in Laravel by getting client IP and saving it in database then use it to detect spamming visitors. is that possible?
I wouldn't recommend using a visitors IP to prevent future requests to your site via forms. IP's are very rarely static for the average user. If the user knows what they're doing, they'd just have to restart their internet connection and their ISP would give them a different IP address. Additionally, they could just proxy their requests utilising IP rotation to bypass your "security".
If you're trying to prevent bots from submitting forms. A good method is to implement a hidden input field with no value. If the form is submitted and the input field has been populated then you know it's a bot. It's not the most reliable method as the bot has to be a dumb bot.
The only truly "reliable" method I can think of is Client-Side > Server-Side validation such as Google ReCaptcha.
Ofcourse the alternate method is just accept that your form will get spammed and find a way to handle the spam after it's been submitted.
Related
Hi I have a pardot form handler set up on a website for a client and it is receiving a lot of spam submissions. We set up a honeypot and recaptcha and while they are working, they not seem to be effective in stopping the spam.
We now think the spam submissions are coming from outside our site. I set up a field on our site that sends the url of the page to Pardot when the form is submitted. The ones we sent from our site have the correct url, while the spam submissions don't have the field filled out at all.
Has anyone come across something like this and how did you stop the spam?
I just stumbled across this question now so you may have already got a solution.
If not...
There are bots out there that will be looking for forms that post to Pardot and spamming them. The bot will hit the Form Handler URL directly (e.g go.pardot.com/l/2232) - it will not actually fill in the form on your site.
It seems like you may have already tried to use the Pardot honeypot technique:
https://help.salesforce.com/articleView?id=pardot_forms_add_honeypot.htm&type=0
Alas, this won't really work as the bots aren't filling in those fields.
Some possible solutions:
Use a Pardot Form, instead of a Pardot From Handler, if you can. These forms have additional spam protection.
Instead of your form posting directly to Pardot, send the information to another service first and try to detect spam there. For example, we use Wordpress forms and we clean out spammy enquiries within the Wordpress code before sending it on to Pardot (using CURL). You'll need your web developer to help with this though.
Lastly, use unique "External Field Names", combined with the Honeypot technique listed above. So instead of fields names such as "firstName", "phone" etc, use "web_first_name", "web_phone".
I have come across the same issue - Bots attack Pardot Form Handlers and their URLs.
A bot is scraping our website, looking for the form URL. The later they target precisely this URL separately and that's why captcha or honey pot or anything done on the actual website is not helping!
How did I solved this?
Instead of the form posting to the Pardot Form Handler URL, I changed so that the form is posting to our own server side. Then from our server side we're posting to the Pardot Form Handler URL, but only if the visitor is not a bot.
I've removed the url from the form action and set it dynamically once the submit button is being clicked. That moment, I am combining the url in several steps, e.g.
let actionURL = "https://":
actionURL += "go.company.com";
actionURL += "/1234445457/deeger";
actionURL += "/sdfsddffffd";
$('#subscribeForm').attr('action', actionURL);
$("#subscribeForm").submit();
This prevents the bot from scanning the url on the form in plain text.
If the endpoint url is already compromised, you have to create a new form handler first.
Need help in implementing email based approval system. Ex: Manager gets an auto triggered mail for his/her approval with a approval link in email body, when the manager clicks on the the link, it should validate the manager and then approve it. I tried searching on the internet but didn't find relevant resource.
Request you to Please help me with your ideas, suggestions or how I should proceed, or any plugin or jar is available??? It would be very helpful to me... Thanking you...
EDIT: Thanking you for replying. We have a java web app build using spring framework (MVC) where in employees can apply leaves which has to be approved by his/her manager. If an employee applies leave then a mail is triggered for approval to his/her manager with the leave details. After looking the mail, the manager logs-in to the application to approve or reject the leaves. So request you to Please help me in how to give a direct link in the mail to approve or reject the leaves.
For one of our applications we had the same requirements - employees can submit vacation requests and supervisors will be notified via mail. We have written an article about the exact way we did it - available here.
So in a nutshell, we are using Spring Integration and GMail. Each new vacation request yields an email send to all supervisors. Supervisors can reply with either approve or reject. We only accept email addresses from our domain, but since these can be faked we introduced a shared secret - a UUID added to the mail's subject which then relates to the id of the vacation request.
Once an email comes in we run the business logic to figure out whether a request shall be approved or rejected.
As I stated in my comment, I used Velocity to template my email message. You don't have to use it, but it made my job easier. You should be able to read up on it.
Java itself has the ability to send emails in it's Java EE framework using JavaMail, or you can use Spring's wrappers. You will need access to a mail server of some sorts, and would highly recommend that you setup an email box specifically for this process. I actually used my gmail account during testing, but I wouldn't recommend that for a long-term solution. I assume your company would have an email server setup somewhere you can use.
The process flow would be:
Employee fills out request
System generates an email to employee's manager(s) with a link to approve
Manager clicks on link, taken to approval page
Manager approves/denies request
The next question is how to build the URL. I would suggest using something like a UUID or something like that, or the request ID if that makes it easier. You can generate a UUID from any seed String or set of bytes. I like UUID because it obviscates the data being sent.
Anyway, the URL will basically point to a Spring form that will allow the user to approve that request. So, thinking about what you would need, I would expect some DB record that relates the information in the incoming request to the time off request that was filled out. Read in the record, load the page and display it. Simple enough.
The next issue is locking it down so only the authorized people can approve. Again, making a huge assumption here, but I am guessing you are using Spring Security? If you are, you should be able to add a condition to the Controller's handler for this approval form that requires the user to be authenticated (read here) and add a java.security.Principal to the handler methods arguments (read 15.3.2.3 here for what you can pass into a Controller's handler). With the Principal object in-hand, you should be able to compare that to a list of approvers associated with the request record in the DB. I would then have the system generate approval/denial emails that code to all concerned parties.
Let me reiterate that this is NOT the only solution, only one possible solution. This is why I feel this is not a good question for StackOverflow, as it asks a very broad question that doesn't really have a single right answer.
I'm doing some updates for an intranet i created few years ago using ASP Classic. What i've been ask to do is to ALERT all users when news on intranet is added. Basically i need to check on database when news is added and than trigger an action to all intranet users saying you have New Message
I'have done a lot of research on this and i could't really find a good example for it.
Your help will be much appreciated.
Cheers
Vullnet
Basically to need to poll the server using AJAX and check for new messages.
I suppose you have a messages table with and ID that counts up. You need to track each user's last message pointer, and send this as part of your AJAX request ad a parameter. If the server's ID is higher thsn the user's then they have a new message.
Based on the AJAX response you then alert the user.
You need to make an ASP that responds to your AJAX call, Pass it a number and it responds with "OK" (not new) or "NEW".
IT works the same way, regardless of the server-side language. Use jQuery to perform your AJAX calls.
I'm setting up a website that uses paypal to process payments.
The easiest way to implement the checkout form would be to create an HTML form that submits directly to paypal, sending the order details and redirecting the user to paypal in order to finalize the transaction.
However, there is a security vulnerability with this process. The client could edit the information submitted to paypal, such as changing the price of the checkout to $0.00.
What is an accepted way to handle this type of situation? Is it to submit the form back to my server, then do some processing in PHP, then submit verified data to paypal and redirect the user to paypal? Is this possible?
Thanks!
There are two main ways to handle this issue.
The first is somewhat like what you outline: You send the filled in form to PayPal, and provide a callback-url. When PayPal has processed the payment, they will call your provided url, and you can check whether or not the information given in that call is the same as what you provided. For this to work, you need to store the information in the meantime, like in a database. You will then only give access to the product after the validation has happened.
You can also encrypt the information you send to PayPal, making it practically impossible to alter information in your form.
See https://www.x.com/developers/paypal for details.
I am building an MVC application (using the Zend Framework).
When users first register, the applicaiton sends them an email. My question is, where should I trigger this email from? The model or the controller? My thoughts are as follows:
In some ways, the model makes sense, since sending a registration email is part of my business logic. Users must click the link in the mail to validate their email address.
But by putting it in the model, I am 'encumbering' the model. The model's registerUser action is then only useful within the context of an application that needs emails sent for every registration.
Instead, by triggering the email from within the controller, my controller would be a litter 'fatter', but my model a little more 'fine grained'.
I have written an email service which actually configures and sends the email, and I think this is a good design decision. I am really just asking where I should be calling this service from.
Your thoughts are most appreciated!
According to Zend Framework's definition of MVC, you should put send the email from the controller:
Controllers...decide which view to display based on the user's request.
Models, on the other hand, contain:
...basic functionality behind a set of abstractions.
An email may be considered a "view" in that it displays information to the user. It is the controller's job to activate this "view."
In my opinion, I would want this in the model, as I would consider this an assumed process of the create user method, rather than any specific interaction with the user making the request.
In other words, since I would always want this email sent, regardless of the source of the request, I would identify this as a natural byproduct of the create user action, similar to a record being saved in a database.
You might want to look into using something like NServiceBus to queue messages to be sent to your Email Service.
This way you can have NServiceBus subscribe to an event that occurs and omit any manual firing of the email service etc.
Ultimately you want a failsafe way of ensuring your messages get to the intended people. This kind of framework will greatly help you ensure that this happens.
Alternatively you could store the emails to be sent inside your database and have your email service check the database queue every x minutes for new emails to send and omit the need for triggering the email sending.
Again, doing it this way will ensure at the least that the emails get sent. Should the network go down or some other disruption occur during the sending of each email you can simply leave them in the queue until the network comes back up.