[houcfug] Re: HTML puzzle

[Angeli Wahlstedt]

Hey, Seth –

 

Well, what do you know – I did some experimenting using Google Toolbar’s 
Autofill, and your guess was spot-on! I was able to duplicate the exact error 
that the user had. You definitely win a cigar here. J

 

I guess the moral of this story is: don’t rely on the MAXLENGTH attribute to 
restrict the lengths of your data anymore. Using drop-down lists would help in 
some cases but not all. Sigh!

 

n  Angeli

 

From: houcfug@googlegroups.com [mailto:houc...@googlegroups.com] On Behalf Of 
Seth Bienek
Sent: Tuesday, April 14, 2009 7:10 PM
To: houcfug@googlegroups.com
Cc: <houcfug@googlegroups.com>
Subject: [houcfug] Re: HTML puzzle

 

Just had a thought: if a person were using a browser plugin that remembers 
their info and plugs it into forms for them (google toolbar does this for 
example), that app would likely use the DOM to set the value of the form field, 
which might side-step the browser's function of limiting input based on key 
strokes..?

 

Just a theory, but I'll bet if you contact the user they would tell you they 
use a form helper.  :)

 

Take Care,

 

Seth 

On Apr 14, 2009, at 6:34 PM, "Angeli Wahlstedt" <ang...@ideasculpt.com> wrote:

Sure, here it is (the code trimmed for brevity)…as you can see, it’s pretty 
barebones. No Javascript except for the GrayItOut () which just grays out the 
submit button – validation is done server-side.

 

Angeli

 

 

<form action="index.cfm" method="post" name="myForm" onSubmit="return GrayItOut 
(myForm);">

               <tr>

                              <td align="right">State:*</td>

                              <td align="left">

                                             <input type="text" name="state" 
value="" size="2" maxlength="2">

                              </td>

               </tr>

               <tr>

                              <td colspan="2" align="center">

                                             <input type="submit" name="Submit" 
value="Bid On Me!">

                              </td>

               </tr>

</form>

 

 

From: houcfug@googlegroups.com [mailto:houc...@googlegroups.com] On Behalf Of 
Manish Gupta
Sent: Tuesday, April 14, 2009 6:25 PM
To: houcfug@googlegroups.com
Subject: [houcfug] Re: HTML puzzle

 

just curious - can you paste your HTML input tag here.....

 

On Tue, Apr 14, 2009 at 5:21 PM, Angeli Wahlstedt <ang...@ideasculpt.com> wrote:

Actually, the email showed all the scopes, including FORM. The original page 
was a data entry screen for a private auction, and it takes in your name, 
address, contact info and things like that, and the form data that showed up in 
the email looks completely legitimate – a residential address of some guy in 
Colorado. No obvious made-up data that I can see. If it’s a spam-bot or the 
like, someone is certainly going to a lot of trouble to make it look 
legitimate. J

 

That data entry screen hadn’t been changed for several years, so it rules out 
the cached page theory. Maybe some weird browser bug, who knows? Anyway, I’ll 
just chalk it up as a fluke and not worry about it unless it comes up again. 
The action page already has CFQUERYPARAM’s and other safety guards in place,  
anyway.

 

n  Angeli

 

From: houcfug@googlegroups.com [mailto:houc...@googlegroups.com] On Behalf Of 
Seth Bienek
Sent: Tuesday, April 14, 2009 4:58 PM
To: houcfug@googlegroups.com
Cc: houcfug@googlegroups.com


Subject: [houcfug] Re: HTML puzzle

 

Smells like a spam bot to me.  They forge user agent strings, and will guess at 
field values to get their form submitted.  

 

If you don't include the form scope in your error emails, you should consider 
doing so, as it will give you more insight, no matter what the issue turns out 
to be.

 

Take Care,

 

Seth



On Apr 14, 2009, at 4:43 PM, "Ecung II,Ramon J" <rjec...@mdanderson.org> wrote:

Whoops I read that too fast and thought you were using CFINPUT. Sorry. 

 

Yeah you’re right that looks like IE7 on Vista unless it’s a forged user-agent. 
 

 

I would say the user either had a cached version of the page that didn’t have 
the size/maxlength attributes or a bug in the browser or something else off the 
wall. It could be a hack attempt, but there’s more interesting things to try 
than “Colorado”.

 

 

Ramon Ecung, BS, ACHDS, MCP

713-794-4273 | rjec...@mdanderson.org | Unit 421

 

From: houcfug@googlegroups.com [mailto:houc...@googlegroups.com] On Behalf Of 
Angeli Wahlstedt
Sent: Tuesday, April 14, 2009 4:38 PM
To: houcfug@googlegroups.com
Subject: [houcfug] Re: HTML puzzle

 

Actually, there’s no Javascript tied to that INPUT tag…besides, isn’t the 
SIZE/MAXLENGTH restriction handled by the browser itself, no matter if 
Javascript is turned on or off?

 

Angeli

 

From: houcfug@googlegroups.com [mailto:houc...@googlegroups.com] On Behalf Of 
Ecung II,Ramon J
Sent: Tuesday, April 14, 2009 4:34 PM
To: houcfug@googlegroups.com
Subject: [houcfug] Re: HTML puzzle

 

Maybe a user has their javascript turned off? Or they’re running through some 
sort of proxy like privoxy that changes the html/javascript code to block ads 
and such?

 

Ramon Ecung, BS, ACHDS, MCP

713-794-4273 | rjec...@mdanderson.org | Unit 421

 

From: houcfug@googlegroups.com [mailto:houc...@googlegroups.com] On Behalf Of 
Angeli Wahlstedt
Sent: Tuesday, April 14, 2009 4:32 PM
To: houcfug@googlegroups.com
Subject: [houcfug] HTML puzzle

 

Okay, this is more of a HTML issue than a Cold Fusion issue (though it’s being 
generated by a Cold Fusion page) but I got a head-scratcher I’d like to run by 
you folks.

 

I just got an automatically generated email from one of the sites I work on, 
containing a Cold Fusion error. The error was caused by a CFQUERYPARAM tag 
trying to save a too-long string to a database. I went to the original page, 
thinking that an INPUT tag is missing a MAXLENGTH attribute somewhere. But it 
turns out that the INPUT tag indeed has its both SIZE and MAXLENGTH in place. 
It works as it should when I tested it in IE 7.0 and Foxfire. 

 

So, the question is, how did this too-long string (which was the value 
“Colorado”) get past a 2-character text box? One possibility would be a 
custom-written form outside the web server, but the HTTP_REFERRER  variable 
pointed at the original page on the web server.  If it helps anything, the user 
agent was “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1;.NET 
CLR 2.0.50727; .NET CLR 3.0.04506; MS-RTC LM 8” which looks like IE 7.0, if I’m 
reading it correctly.

 

 

Puzzledly yours,

Angeli Wahlstedt, IdeaSculpt LLC

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 




br> 
br> 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Houston ColdFusion 
Users' Group" discussion list. 
To unsubscribe, send email to houcfug-unsubscr...@googlegroups.com 
For more options, visit http://groups.google.com/group/houcfug?hl=en
-~----------~----~----~----~------~----~------~--~---

 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Houston ColdFusion 
Users' Group" discussion list.
To unsubscribe, send email to houcfug-unsubscr...@googlegroups.com
For more options, visit http://groups.google.com/group/houcfug?hl=en
-~----------~----~----~----~------~----~------~--~---