Would it be difficult to split the add resource form into 2 or three pages? Similar to Yahoo where you fill in a couple of fields and the press the NEXT button to continue, etc.

I'm thinking about spammers and people who may target my add.cgi script.

Maybe its been done already, but I couldn't find any relevant threads?


All the best
Shaun

No, just pass the variables back to the add.cgi and send them back out.

Use a proceedure such as "do=page2", "do=page3"...., "do=review" to tell the script what to do next.

Unfortunately, this will not solve your problem, since you can pass all the variables to the add.cgi at once at any time.

You'd have to do something like check referrers, to make sure you are getting the pages from your own site, or not pass the variables back to each form, but store them in a "session" on the server.

This still won't solve the problem completely, since a robot could submit the forms in 3 pages, just as easily as in one.

The only way to make it really annoying for a robot developer would be to have 3 or 4 pages, that asked for information in random fashion, and used variable tags. For instance, create a session for that user, and generate random fields for each of the expected tags.

Name => esksure,
URL => sarenve,

Then, in the form,

Name: <input name="esksure" value="" size="40">
URL: <input name="sarenve" value="" size="40">


And, you need to randomize what tags appear on what form as well.

It's much harder for a robot to pick out the text tag "Name:" and hit the right input box, than it is to find a tag with the name="value" in it. You are not giving it anything to latch on to. For a search engine like "yahoo" it would pay to develop complex support, but for most other sites, it's too complicated, and the benefits are too small.

Are you following?? <G>

Of course, this depends on how badly you don't want automatic submissions to your site, but I do plan to implement something like this on a couple of sites where the topics are sort of "prime" for spam.




http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Ahh so it can be done

I'm not sure I want to go to the levels you mentioned, but I would like to use a multi-page submission form just to keep the spammers at bay a little bit.

Could you give me some pointers on how I'd go about setting this up?


All the best
Shaun

Sure,

Go look for a program "Hamcards" at either cgi-resources.com or through the hamnetcenter.com (hamweather.com) site.

They have a very good mechanism for passing parameters, and it's very close to the Links style... they use %%tag%% so that it can be put in the URL line, where links uses <%tag%> so it has to be passed as a value.

I based the program I'm using at postcards.com on that program, and he's the one who set me onto links as a site development tool. You can still see references to "hamcards" on my site, but the program I'm using bears little resemblance code-wise to the original any more (I've changed most of the tags to Links tags, changed the parser to the links parser, etc).



http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

OK, so I can put the visitors data into <%tags%> and use them on pages 2, 3, etc. - simple enough.

How would I get the add.cgi to actually display page 2 when someone presses the 'Next' button for example? Would I add ?something to the end to let it know?

All the best
Shaun

For each page, you pass back as a "hidden" tag in the "do" parameter, what page you are on.

Or, the way Hamcards did it, was to pass the next template to the program in the "next" variable (as a hidden tag).

When the script got a submission, it checked the "passvar" parameter for the name of the next page, and looked for a template name "filename.html" or for "preview" or "submit".

On the last template page, the "passvar" tag was set to "preview", and when the program saw it, it output the "preview" page, with the option to proceed, or go back and make changes.

If you proceeded, the 'passvar' tag was set to 'submit' and the script took that as indication everything was ok, and went on to _finally_ process the input.

This doesn't allieviate the error checking! All it does is tell the program that you are at the end of the templates, or have special templates. You still need to make sure the values are what you expect, and all values are provided.

But, what you do is set up a variable that tells the script what to do with the input -- either pass it on to the next template (named in one of the passed variables) or to process the input in some way.

Your TEMPLATES pass the name of the next template back to the script. so the script doesn't care if you have 1 template, or 100 templates, it only cares what the "passvar" parameter tells it to do with the passed data -- pass it on, or process it.




http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

BTW... it's up to you to make sure that all input is passed back to the template as "hidden" (or editable) form values!

If you _know_ what tags (input) each form should have, you can hard-code it so that the form is processed and the tags replaced, and any extra information passed in the form is ignored (hacked input).

This is not as _cool_ as it sounds, since if you just use the 'passvar' idea, and turn all the passed input into form tags, then neither the program, nor the templates, care what "extra" tags are passed along so you can make changes, or add fields easily.

The down side is you need to check your input more carefully than if you are only using x-number of tags, and specifically hard-code them in the templates and check for them in the script.

Sorry if this is a bit confusing, but that's why I pointed you to that program -- it shows off the logic very, very well.

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/