Some Things Master Form V4 Can Do That V3 Can Not
Form Hijacking Attempt Notifications
When Master Form V4 detects an attempt to hijack its forms
by using the sophisticated "inserting header line breaks"
exploit, you'll be notified and the compromised email
will not be sent anywhere else.
("Web Page Form Anti-Hijacking Considerations" linked from
/boncgi is a good article if you're
curious how this type of form hijacking works.)
Use the new control panel to specify the email address
to which these and other administrative notices are sent.
It is automatic protection.
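A sketch of the kind of check described above, as an added example (not Master Form V4's own code): header-bound form fields are scanned for line breaks, and a flagged submission goes to the administrator only. The field names, function names and sample submissions are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Form fields copied into email header lines (field names are assumptions).
HEADER_FIELDS = ("name", "email", "subject")

# A raw CR or LF is what ends one header line and starts another.
LINE_BREAK = re.compile(r"[\r\n]")


def injected_fields(form):
    """Return the header-bound fields whose value contains a line break."""
    hits = []
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        # Check the value as received and once more percent-decoded, so a
        # double-encoded %0A / %0D does not slip past the check.
        if LINE_BREAK.search(value) or LINE_BREAK.search(unquote(value)):
            hits.append(field)
    return hits


def route_submission(form, recipient, admin):
    """Pick the single destination for a submission.

    Clean submissions go to the form's normal recipient. A submission with
    line breaks in a header field goes to the administrator only, with the
    offending values shown via repr() in the body so they stay inert.
    """
    hits = injected_fields(form)
    if not hits:
        return {"to": recipient, "subject": form.get("subject", ""),
                "body": form.get("message", "")}
    report = "\n".join(f"{f}: {form[f]!r}" for f in hits)
    return {"to": admin, "subject": "Form hijacking attempt blocked",
            "body": "Line breaks found in header fields:\n" + report}


# Constructed sample submissions.
CLEAN = {"name": "Ann", "email": "ann@example.com",
         "subject": "Hello", "message": "Line one\nline two"}
TAMPERED = {"name": "Ann", "subject": "Hello", "message": "hi",
            "email": "ann@example.com\r\nBcc: list@example.net"}
```

Line breaks in the message body are left alone; only values that end up in header lines are checked.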
JavaScript Output for Content Syndication
The feature causes Master Form V4 to convert the content of
form fields you specify into JavaScript code when they're
written to a file. This allows others (or yourself) to
import the contents of the file into their (or your) web
pages with just a JavaScript tag, like:
<script
src="http://example.com/file.js"
type="text/javascript"
language="JavaScript">
</script>
This is an excellent way to post site news, specials, daily
thoughts, and other things to be updated without the hassle
of modifying the page itself.
The JavaScript method can also be used in conjunction with
a comment form to allow web site visitors to publish their
own thoughts. The latest comment can be posted below the
previous comments, or each new comment can replace all
others before it.
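One way such a conversion can be done so that visitor-submitted comments are displayed as text rather than interpreted as markup or script, as an added example (not Master Form V4's own code). The use of `document.write`, the function names and the file handling are assumptions.

```python
import html
import json


def to_javascript(text):
    """Convert one form field's text into a line of JavaScript that writes
    it into the importing page as plain text."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # HTML-escape first: markup typed by a visitor is displayed, not rendered.
    markup = html.escape(text, quote=True).replace("\n", "<br>")
    # json.dumps yields a valid JavaScript string literal; its default
    # ensure_ascii=True also escapes U+2028/U+2029 and all non-ASCII text,
    # so the output file is pure ASCII.
    return "document.write(" + json.dumps(markup) + ");\n"


def publish(path, text, replace_previous=False):
    """Append the entry below earlier ones, or replace everything before it."""
    mode = "w" if replace_previous else "a"
    with open(path, mode, encoding="ascii") as fh:
        fh.write(to_javascript(text))
```

Because every `<` in the field is escaped before it reaches the string literal, a submitted `</script>` cannot close the importing page's script tag.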
Global Maximum Form Data Size
This is a security feature to limit how much information can
be sent to your server with any one form submission. Specify
the limit in the control panel.
While individual upload file sizes can also be limited, the
CGI program needs to process the information to determine
the size of the individual files.
A cracker could overload the server's processing capacity
by uploading huge files, even through forms the cracker
creates for the purpose.
The number provided in the control panel as the upload data
size limit is designed to prevent server overload using the
file upload exploit. Master Form V4 does this by checking
the total submitted data size *before* it processes any
of the submitted data.
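The size-before-processing check in a CGI setting, as an added example (not Master Form V4's own code): the declared `CONTENT_LENGTH` is compared with the limit before any of the POST body is read. The limit value and all names are assumptions.

```python
import re

# Assumed value; in Master Form V4 the limit is set in the control panel.
MAX_FORM_BYTES = 2 * 1024 * 1024


class FormTooLarge(Exception):
    """Raised when a submission is refused without being processed."""


def read_form_body(environ, stdin, limit=MAX_FORM_BYTES):
    """Return the POST body only if its declared size is within the limit.

    environ is the CGI environment (os.environ in a real script) and
    stdin is the binary stream carrying the request body.
    """
    declared = environ.get("CONTENT_LENGTH", "")
    # Accept plain ASCII digits only; a missing or odd value is refused.
    if not re.fullmatch(r"[0-9]{1,12}", declared):
        raise FormTooLarge("missing or malformed CONTENT_LENGTH")
    size = int(declared)
    if size > limit:
        # Refused here, before a single byte of the body is read or parsed.
        raise FormTooLarge(f"{size} bytes declared, limit is {limit}")
    # Read exactly the declared amount, never "until end of input".
    return stdin.read(size)
```

Per-file upload limits can only be applied after this point, once the body has been read and split into its parts.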
Emailing To A List Of Addresses
This is a powerful feature. One little placeholder in the
Bcc line of the email template can cause the email to be
sent to every address contained within a file.
The file can be any plain text file on the server.
It might be a file exported from Excel or other desktop
computer software, a file Master Form V4 itself builds from
form submissions, or even files of complete emails that
Thunderbird, Eudora, and other email programs maintain as
their email folders.
Do you see possibilities?
Some uses I had in mind when I developed the feature are:
- Devise a double opt-in subscription system.
  (Example set of files soon to come.)
- Maintain a list of folks who want to be notified
  when a certain web page changes, or a price changes,
  or software is updated (hint to self).
- Send an email to all addresses in the "Friends and
  Family" folder of your email program.
- Send a periodical email, like an ezine or product
  updates, to a small list. (Lists larger than
  400-1000, depending on your server's speed and
  resources, may time out the browser/server
  connection.)
- Send an email when your blog is updated to those
  who asked to be notified.
The email address importing placeholder doesn't have to
be in the Bcc line of the email template. It can also be
in the email body. Thus, it can be used to extract email
addresses from files and email them to you. The addresses
arrive all on one line, comma-separated.
Received Line Pointing To Form User's IP Address
The "Received:" lines in email headers are a track record
of which servers received the email when the email was
en route to its destination. While the domain names and
some other information can be spoofed, the IP address of
the sending server, under usual circumstances, can not be
spoofed.
This allows spam to be traced to the ISP it was sent from.
Some spammers insert extraneous received lines to obfuscate
the real ones and to confuse automated tracers. Few can
hide from manual tracing by experts.
Some webmasters like to send an acknowledgement email to
those who use their forms. That's okay. Master Form V4
makes it easy to do that.
But when the email sent to the form user quotes part of the
contents of the form, it becomes a spammer magnet.
In those situations, where an email is sent to an address
provided on the form and contains other content provided on
the same form, it may be prudent to include a received
header line pointing to the IP address of the user.
The Master Form V4 Manual at /mfv4
contains an example of how to do that.
Read More
Those are five Master Form V4 features that V3 doesn't have.
/mfv4 has links to purchase, to upgrade,
and to download. It also has links to demonstrations and to
complete downloadable example file sets.
Additional demonstrations and example file sets will be
added intermittently.
Will Bontrager
©2005 Bontrager Connection, LLC