.asp honeypot for contact form - asp-classic

I'm caught in a hard place where I am being forced to use ASP classic on some web forms. I don't want to get spammed, but I am unaware of how to create a honeypot with .asp classic.
Is this possible or will I have to use a captcha field?
Or is there a better way to prevent spam with asp classic?
Form Fields:
<div class="row">
<div class="col-md-offset-1 col-md-10">
<form class="form-horizontal" role="form" method="post" action="submit.asp">
<div class="form-group">
<div class="col-md-offset-2 col-md-8">
<input type="text" class="form-control" name="Name" placeholder="Name" required/>
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-8">
<input type="email" class="form-control" name="Email" placeholder="Email" required/>
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-8">
<input type="tel" class="form-control" name="Phone" placeholder="Phone Number">
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-8">
<input type="text" class="form-control" name="Subject" placeholder="Subject">
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-8">
<textarea name="Info" class="form-control" rows="3" placeholder="Message"></textarea>
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-8">
<button class="btn btn-theme btn-lg btn-block"type="submit" value="Send">Send message</button>
</div>
</div>
</form>
<%
Dim EmailFrom
Dim EmailTo
Dim Subject
Dim Name
Dim Phone
Dim Email
Dim Questions
EmailFrom = "name#company.com"
EmailTo = "chad.bridges#company.com"
Subject = Trim(Request.Form("Subject"))
Name = Trim(Request.Form("Name"))
Phone = Trim(Request.Form("Phone"))
Email = Trim(Request.Form("Email"))
Questions = Trim(Request.Form("Info"))
Dim Body
Body = Body & "Name: " & VbCrLf
Body = Body & Name & VbCrLf
Body = Body & "Subject: " & VbCrLf
Body = Body & Subject & VbCrLf
Body = Body & "Phone: " & VbCrLf
Body = Body & Phone & VbCrLf
Body = Body & "Email: " & VbCrLf
Body = Body & Email & VbCrLf
Body = Body & "Questions: " & VbCrLf
Body = Body & Questions & VbCrLf
Dim ObjSendMail
Set ObjSendMail = CreateObject("CDO.Message")
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") ="10.000.00.000"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 00
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
ObjSendMail.Configuration.Fields.Update
ObjSendMail.To = "chad.bridges#company.com"
ObjSendMail.Subject = "Website Request"
ObjSendMail.From = EMailFrom
ObjSendMail.TextBody = Body
ObjSendMail.Send
Set ObjSendMail = Nothing
Response.Redirect("Index.html#contact")
%>

I have had good luck with using 3 types of spam prevention on every submit page even sign in and sign up pages. Because ASP is kind of old you might want to keep it simple and only use numeric values as checks with one hidden spam bot field.
Keep the human approach.
Note: Code is just pieces of my active site, take the ideas and be creative for your site.
Email Forms: hidden field, math question and captcha.
Registration page: math question and captcha.
Login (sign in): math question.
1. Hidden field
<input type="hidden" name="email" value="" />
Maybe your code looks like this:
Response.Write("<input type=""hidden"" name=""email"" value="""" />" & vbCrLf)
2. Numeric question:
This requires a simple function and it does a very good job. We want to randomize numbers 1 to 9 so no answer is ever higher than 18 and never 0.
str1R = RandomNumber(1,9)
str2R = RandomNumber(1,9)
Session("str3") = (str1 + str2)
Function RandomNumber(LowNumber, HighNumber)
RANDOMIZE
RandomNumber = Round((HighNumber - LowNumber + 1) * Rnd + LowNumber)
End Function
HTML might look like:
<label>Question: What is <%=str1R%> + <%=str2R%> ?</label>
<div>
<div>
<input type="number" name="question" id="question" required />
<input type="hidden" name="a" id="a" value="1" />
</div>
</div>
strA = Request.Form("a")
strQuestion = Left(Request.Form("question"),2)
If IsNumeric(strQuestion) Then
'do notta
Else
strQuestion = -1
End If
If IsNumeric(Session("str3R")) Then
Session("str3R") = Trim(Session("str3R"))
Else
Session("str3R") = 0
End If
strMath = ((Session("str3R") - strQuestion) = 0) 'Now we have True or False
If (strMath = True) Then 'Do your ASP Classic Stuff.
Select Case strA
Case 1
'Sends Email
Case 2
'Submits Registration
End Select
End If
3. CAPTCHA I mean the CheckCAPTCHA() function not those "I can't ever seem to read" I've used numeric values for Captcha for 16 years and only had 2 complaints, when I tried the more complex versions so many couldn't see the letters and numbers very clearly. (ASP = OLD + Members)
Google:
Dim newBitmap(21,87) Dim vDistort(8)
In the number one slot of your google results should be the full ASP Classic Numeric Captcha code. It's old, It's Numbers, It works.
I don't think modern BOTS even detect this old bitstream. (humor)
If you need working examples just ask, takes a bit to setup a test page but if you're new to forms and need spam prevention it's best to learn more than one method.
At any "False" point of all form submissions you should know if it's Human or BOT.
I often stop code on BOT traffic with Response.End
With Humans I response with instructions and what might have gone wrong "The math question, you missed it by x much"
The Math Question can be replaced with an image "What is in this picture?" using a dog,apple, cat, something with limited possible responses.

I recommend going with the general best practices for preventing form spam. This is typically done on the client side (honeypots, captchas, etc.) so using Classic ASP (a server side technology) doesn't matter. Also, there's nothing special about Classic ASP that will help or hinder your attempts to block spam.
With that said, you'll find some good ideas in the answers to this question:
How to prevent robots from automatically filling up a
form?

Related

Replicating remote site "attack" by force sending specific form data to a page

I have this simple form:
<form method="post" id="theForm" action="user-password.asp">
<input type="hidden" name="what" value="process" />
<fieldset>
<div>
<label for="email">Username or Email</label>
<input type="text" class="form-control" id="email" name="email" placeholder="Username or Email" />
</div>
<div>
<button type="submit" class="btn btn-success top10">Submit</button>
</div>
</fieldset>
</form>
I have a script which emails me when my Classic ASP pages error - I use this to get all of the form contents:
For ix = 1 to Request.Form.Count
fieldName = Request.Form.Key(ix)
fieldValue = Request.Form.Item(ix)
bb = bb & fieldName & ": " & fieldValue & vbcrlf
Next
bb = newstr(bb)
For the above page, the page errored with:
A trappable error (C0000005) occurred in an external object. The script cannot continue running.
The form contents were like this:
form: email[$acunetix]: 1
what: process
In order to improve the error handling on the page, I'd like to be able to replicate loading the form with whatever it was that was used to generate the form input which made the page error - in the above example the form field name is not email but is email[$acunetix], which seems to have broken the page when it tries to process the form.
However, I don't know what was done to do that. The same IP address spent about 40 minutes forcing all kinds of stuff onto my pages which eventually crashed my site requiring a server reboot.
I realise that is down to me not writing robust enough code - but - I wondered how I can replicate sending the form data shown above to the page, as I'm stuck trying to work out how to do that.

Classic ASP - submitting unknown number and name of fields?

I have a large recordset being displayed to a user. Each record has an edit button which allows users to edit various data in the record. Certain records have more fields than others so the edit form has various different names and number of fields.
For example one record would produce the following if the edit button is clicked:
<form id="frm1" name="frm1" method="post" action="changeJob.asp?jobNo=1101&jQueryID=1" target="_blank">
<input type='text' name='Qty13' value='8' size="3" maxlength="3"/>
<input type="submit" name="btnFrm1" id="button" value="Submit" />
</form>
However another record would generate this:
<form id="frm2" name="frm2" method="post" action="changeJob.asp?jobNo=1102&jQueryID=2" target="_blank">
<input type='text' name='Qty15' value='8' size="3" maxlength="3"/>
<input type='text' name='Qty16' value='8' size="3" maxlength="3"/>
<input type='text' name='Qty17' value='8' size="3" maxlength="3"/>
<input type='text' name='Qty18' value='8' size="3" maxlength="3"/>
<input type="submit" name="btnFrm2" id="button" value="Submit" />
</form>
As above, each of the input fields is assigned its unique name eg "Qty14" and its form has its own name eg "frm2". These need to be unique because I have some jQuery plus and minus buttons which allow users to increment the quantities.
In changeJob.asp how can I determine which fields are being submitted where they have unique names and number? I can get the form name using a hidden field easily enough.
I am trying to achieve something like:
For Each field in frm1
** Do SQL Update ** Next
Any guidance would be most appreciated :)
Just iterate all the form collection and look for keys starting with the desired name:
Dim strSQL, curValue, blnFirst
blnFirst = True
strSQL = "Update MyTable Set "
For Each key In Request.Form
If Left(key, 3)="Qty" Then
'prevent nasty hacking
If IsNumeric(Replace(key, "Qty", "")) Then
curValue = Request.Form(key)
If IsNumeric(curValue) Then
If Not(blnFirst) Then
strSQL = strSQL & ", "
End If
strSQL = strSQL & key & "=" & curValue
blnFirst = False
End If
End If
End If
Next
If blnFirst Then
'no values, show alert of some sort...
Else
strSQL = strSQL & " Where [filter here]"
'...
End If
This will build dynamic query based on the submitted values.
If each value need separate update the code becomes more simple, hope you can change it yourself. :)
I would love to help. Needing just a bit more info because I don't want to tell you stuff you already know. Can you tell me if you have code already to fill the form... as in... is this form for editing new and/or old data or only new records?
Also, have you thought of having one form but then have your server-side code (ASP) generate input boxes dynamically? This is my recommendation because having more than one form in this case (unless I'm missing something) is ... inelegant.
You can download this zip file which has two asp pages in it that demonstrate a more dynamic approach: http://www.oceanmedia.net/files/hk_config.zip

Checkbox boolean value Classic ASP

I have a checkbox
<input type="checkbox" name="chkNGI" id="prod_ngi_sn" value="1">
When it is checked I pass the value 1, but when it is not checked any value is passed.
I have to pass the value 0.
I've tried
<input type="checkbox" name="chkNGI" id="prod_ngi_sn" <%if prod_ngi_sn.checked then value="1" else value="0" end if%>>
But didn't work.
tks
Checkboxes only pass values when ticked. You need logic on the server side to accommodate that.
Dim chkNGI
chkNGI = Request("chkNGI") & ""
If chkNGI = "" Then
chkNGI = "0"
End If
<script>
function calcParam() {
var checked = document.getElementById("prod_ngi_sn").checked;
if (checked)
document.getElementById("hiddenNGI").value = "1";
else
document.getElementById("hiddenNGI").value = "0"; }
</script>
<input type="hidden" name="chkNGI" id="hiddenNGI">
<input type="checkbox" name="checkNGI" id="prod_ngi_sn" onClick="calcParam()">
You can try this single line solution
Information: RS=Recordset Object
<input type="checkbox" <%If RS("ColumnName")=True Then Response.Write(" checked='checked' ")%> name="tableColumn" value="1" >
I know this question is old, but I recently had to refactor some legacy code for a company in Classic ASP, and ran into this problem. The existing code used a hidden form field with the same name as the checkbox and looked for either "false" or "false, true" in the results. It felt kludgy, but the code also performed actions based on dynamically named checkbox fields with prefixes, so inferring "false" from a missing field would introduce different complications.
If you want a checkbox to return either "0" or "1", this technique should do the trick. It uses an unnamed checkbox to manipulate a named hidden field.
<html>
<body>
<% If isempty(Request("example")) Then %>
<form>
<input type="hidden" name="example" value="0">
<input type="checkbox" onclick="example.value=example.value=='1'?'0':'1'">
<input type="submit" value="Go">
</form>
<% Else %>
<p>example=<%=Request("example")%></p>
<% End If %>
</body>
</html>
Create a hidden input with the name "chkNGI".
Rename your current checkbox to something different.
Add handled for onClick on the checkbox and using a small javascript function, depending on the state of the checkbox, write 0 or 1 in the hidden input.
As an example,
<script>
function calcParam() {
var checked = document.getElementById("prod_ngi_sn").checked;
if (checked)
document.getElementById("hiddenNGI").value = "1";
else
document.getElementById("hiddenNGI").value = "0";
}
</script>
<input type="hidden" name="chkNGI" id="hiddenNGI">
<input type="checkbox" name="checkNGI" id="prod_ngi_sn" onClick="calcParam()">
Your solution in post to saving page;
save.asp
<%
' connection string bla bla
' RS = Recordset Object
If Request.Form("tableColumn")=1 Then
RS("ColumnName") = 1
Else
RS("ColumnName") = 0
End If
' other columns saving process bla bla bla
%>

Passing a parameter from Radio Button & Check Box, to an email, using an HTML page

I have a form that is HTML, it involves a few string questions, a radio button, and a check box question. After the form is filled out, the info is then passed to an aspx page which sends out an email with the info. I am able to pass the string questions to the email, but am having trouble passing the radio button answer and the check box answers to the aspx and to then to the email. I have the code for the HTML set, I need help with the code for the ASPX page.(it is VB) Here is the code I have so far.
HTML
<form id="form" method="post" action="SendEmail.aspx" enctype="multipart/form-data" name="questions">
<div class="Qblock">Name: <input type="text" class="input" value="" name="contact_name" /></div>
<div class="Qblock">Phone #: <input type="text" class="input" value="" name="contact_phone" /></div>
<div class="Qblock">E-Mail: <input type="text" class="input" value="" name="contact_email" /></div>
<div class="Qblock">How many years have you been in this industry?<input type="text" class="input" value="" name="contact_long" /></div>
<div class="Qblock">What is your specialty?<input type="text" class="input" value="" name="contact_special" /></div>
<div class="Qblock">Do you have a cell phone?
<input type="radio" name="P1" value="Yes" /> Yes <input type="radio" name="p1" value="No" /> No <br /></div>
<div class="Qblock">Can you do any of the following? (check all that apply)<br />
<input type="checkbox" name="ckBox" value="CustSer" /> Handle Customer Service<br />
<input type="checkbox" name="ckBox" value="ReadForm" /> Read Expense Reports<br />
<input type="checkbox" name="ckBox" value="NewCust" /> Sign Up New Customers<br /></div>
ASPX
Protected Sub RetrieveValues()
Dim sTemp As String = String.Empty
sFromName = "asMark#gmail.com"
sToName = "asMarkContent#gmail.com"
sSubject = "Web - Contact Us Inquiry"
sTemp = String.Format("{0}{1}{2}", "<<< Marketing Opportunities >>>", vbCrLf, vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "Name: ", Request.Params("contact_name"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "Phone: ", Request.Params("contact_phone"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "Email: ", Request.Params("contact_email"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "How many years have you been in this industry? ", Request.Params("contact_long"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "What is your specialty? ", Request.Params("contact_special"), vbCrLf)
End Sub
First, let me introduce you to the StringBuilder which makes code a little easier to read.
Second, radio buttons will come over as a normal name/value pair just like regular text fields so you can process them the same way. Whatever you put in the value on the HTML side will be what's submitted and what you have is good. I would recommend that you make sure the name values both use the same case, however. On the ASPX side you should be fine but its a good practice to assume some things might be case-sensitive. (You have P1 and p1 right now.) You might also want to default one of the radio button to checked, probably the no one. If you don't and someone fills out the form without checking either the email will be empty for that field.
Checkboxes will come over as a comma-separated list so if someone checks all three options you'll get the string CustSer, ReadForm, NewCust. You might want to give the values something a little more descriptive but that's up to you. But you can treat the checkbox the same way as any other form field and just use it by name.
Protected Sub RetrieveValues()
Dim sTemp As New System.Text.StringBuilder()
sTemp.AppendFormat("{0}{1}{1}", "<<< Marketing Opportunities >>>", vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Name: ", Request.Params("contact_name"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Phone: ", Request.Params("contact_phone"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Email: ", Request.Params("contact_email"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "How many years have you been in this industry? ", Request.Params("contact_long"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "What is your specialty? ", Request.Params("contact_special"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Do you have a cell phone? ", Request.Params("P1"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Can you do any of the following? ", Request.Params("ckBox"), vbCrLf)
End Sub
Lastly, I would recommend using Request.Form over Request.Params. If someone went to your page and manually added any of the form fields to the query string the form field itself would get ignored. For instance, if they navigated to Form.aspx?contact_name=Bob Dole and filled out Bob Smith in the name field you would see Bob Dole on the server side. This is because the query string is searched for before the form fields. In this case it doesn't really matter that much but in future forms some malicious website could link to your website and pass weird values to the form. I'd recommend just always using Request.Form and Request.QueryString.
Okay, the last paragraph was "lastly" so I guess this is "one more thing". The method you are using is only half of the way to ASP.Net. What you have is more of the conversion from ASP classic/PHP to .Net. It's not wrong at all but you are missing the full power of ASP.Net web controls. There's way more than I can write but to give you an idea you would replace:
<input type="text" class="input" value="" name="contact_special" />
With:
<asp:Textbox runat="server" id="contact_special" />
This would allow you to use a RequiredFieldValidator which would use both javascript and server-side code to make sure that the field was filled out:
<asp:RequiredFieldValidator runat="server" ControlToValidate="contact_special" ErrorMessage="Required" />
Don't make this change for this form probably but going forward I would encourage you to investigate the web controls.

ASP (VBscript) radio buttons not returning value

I have 2 very simple pages, an HTML page and a classic ASP page .. the html page has a form which calls (and sends) the data to the ASP form (which then prints out the data)
The problem is I'm not getting the value of the radio button, I'm simply just getting "on".
Here is the html:
<form action="form.asp" method="post">
<strong>Gender:</strong>
<input type="radio" value"male" name="gender">Man
<input type="radio" value"female" name="gender">Woman<p></p>
<strong>Size:</strong>
<input type="text" width="20" name="size" size="4"><p></p>
<strong>Color:</strong>
<select size="1" name="color">
<option>blue</option>
<option>green</option>
<option>black</option>
</select><p></p>
<input type="submit" value="Send Order">
</form>
and here is the ASP
<%
Dim strgen, strsize, strcol
strgen = Request.form("gender")
intsize = Request.form("size")
strcol = Request.form("color")
Response.write "Your gender: " & strgen & "<br />"
Response.write "Your size: " & intsize & "<br />"
Response.write "The color you ordered: " & strcol & "<br />"
%>
Like I said, all I'm getting for "strgen" is "on" ...
There's typos in your code, missing equals sign.
value"male"
should be
value="male"
Because the value was ignored it was returning the default value of "on"
Try using an html validator as www.htmlvalidator.com. This site offers a free one which is good (I'm using the professional version myself).
This will find such types immediatly (and will save you countless hours of searching).

Resources