Developer forum

DM Forms sql injection check. How to exclude a field.

Remi Muller

DW version 8.3.1.1

I have a form where I want to allow HTML to be posted on one field. If I try this I get a 404 error. I am almost sure this is the DW SQL injection check.

When I disable the SQL injection check in Management Center, I still get the 404 on the form post.

I also tried excluding the field name in MC by adding it to "Ignore the following fields", without success.

Is there a way I can allow HTML to be posted on a DM Form field, and how can I do this?

Replies

Nicolai Høeg Pedersen

If you disable it totally or put the field name in the exception list, it should work.

Be aware of casing and make sure it is a POST. Make sure the form is generated by the forms module; if you hard-code the hidden fields named FormCH1_f, FormCH1_s, FormCH1_i, it will also fail.

Also in Management Center you can add an email address to send a report to if something gets caught. Try that and see if you get an email. It could also be something else catching the form.

If you trace the post with Fiddler or similar, you can see in the response headers where the 404 comes from. It will say something like "DW inj.check"; if not, the 404 is from somewhere else.

BR Nicolai

Remi Muller

I was a bit confused. When I disable the "Spam check", the form submits.

I do not want to do this in production of course.

On the previous DW version I did not have this spam check being triggered.

A spam email is indeed sent. Subject = "... Bad form (((\%3C)|<|\[)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>|\])) Bad form (EMAIL ADDED) "

The spam check "Bad form (EMAIL ADDED)" is new, I guess?

"Ignore the following fields" is not meant for bypassing the spam check?

It would be nice if we could exclude fields from being spam checked as well.

Remi Muller

There is a new field "_sys_to_email" on the form with value "bot@dynamicweb.com".

What is this for?

Remi Muller

Can someone explain the extended spam checking and this new sys email field? Thanks.

Nicolai Høeg Pedersen

Hi Remi

There are 2 levels of form checks.

First one is the SQL injection check. It checks for a range of illegal operations in POSTs and a different set in GETs. More is allowed on POSTs than on GETs, i.e. HTML.

The second level is form antispam, which has a number of checks. It only runs on forms from the 2 forms modules. It has these checks:

  • These will always be run, even if antispam is disabled
    • It has to be a POST
    • The client needs a User-Agent
    • It needs to have a Referer header from the same site
    • The post needs to have a session already (a page must have been shown before the actual post)
  • These will be run if antispam is enabled; if any 2 or more fail, the request will be ended.
    • It does not allow markup and [url]
    • It will not allow the same email address 3 times in the same post
    • FormCH1_f: checksum to make sure it is the right form being posted
    • FormCH1_s: checksum to see that the session that created the form is also the one posting it
    • FormCH1_h: new one, JavaScript-based session checksum
    • FormCH1_i: checksum to see that the IP that created the form is also the one posting it
    • _sys_to_email is a new field; it contains bot@dynamicweb.com. It has to be empty when posted. That is handled by a script in the frontend coming out of the forms module.

Hope this clarifies.

Nicolai
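
The two-level check Nicolai lays out above, together with the markup regex quoted in the spam-report subject earlier in the thread, as an added Python model that is not Dynamicweb's code. It shows why a single field containing HTML passes on its own (one soft failure) while the same post from a replayed session or with the honeypot filled is rejected (two failures), and why turning antispam off lets everything through. Assumptions not on the page: the FormCH1_f/_s/_i values are modelled as HMACs over the form id, session id and client IP with a server secret (the thread does not say how they are computed, and FormCH1_h is left out), the site host and sample requests are constructed, and `ignore_fields` is the hypothetical per-field exclusion Remi asks for, which the thread says does not exist yet.

```python
import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Regex quoted in the spam-report subject earlier in the thread. It matches a tag-like
# opening such as "<b>", "%3Cb%3E" or "[url]" in raw or URL-encoded form.
MARKUP_RE = re.compile(r"(((\%3C)|<|\[)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>|\]))", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

HONEYPOT_FIELD = "_sys_to_email"            # field named in the thread; must arrive empty
SYSTEM_FIELDS = {HONEYPOT_FIELD, "FormCH1_f", "FormCH1_s", "FormCH1_i", "FormCH1_h"}
SERVER_SECRET = b"constructed-demo-secret"  # assumption: per-installation secret for checksums


def checksum(*parts: str) -> str:
    """Assumed construction of the FormCH1_* values: an HMAC over what the thread says they bind."""
    return hmac.new(SERVER_SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(form_id: str, session_id: str, client_ip: str) -> Dict[str, str]:
    """Hidden fields the forms module would emit for a form shown to a visitor (assumed shape).
    The honeypot is returned already emptied, i.e. after the frontend script has run."""
    return {
        "FormCH1_f": checksum("form", form_id),
        "FormCH1_s": checksum("session", form_id, session_id),
        "FormCH1_i": checksum("ip", form_id, client_ip),
        HONEYPOT_FIELD: "",
    }


@dataclass
class FormRequest:
    method: str
    headers: Dict[str, str]
    fields: Dict[str, str]
    session_id: Optional[str]   # None = no session existed before this post
    client_ip: str
    site_host: str = "www.example.com"  # constructed


def hard_failures(req: FormRequest) -> List[str]:
    """Checks the thread says always run, even with antispam disabled."""
    fails = []
    if req.method.upper() != "POST":
        fails.append("not a POST")
    if not req.headers.get("User-Agent"):
        fails.append("no User-Agent")
    if urlparse(req.headers.get("Referer", "")).hostname != req.site_host:
        fails.append("Referer not from this site")
    if req.session_id is None:
        fails.append("no session before the post")
    return fails


def soft_failures(req: FormRequest, form_id: str, ignore_fields=()) -> List[str]:
    """Checks run when antispam is enabled. ignore_fields is hypothetical: the per-field
    exclusion Remi asks for, which the thread says does not exist yet."""
    fails = []
    user_fields = {k: v for k, v in req.fields.items() if k not in SYSTEM_FIELDS}
    if any(MARKUP_RE.search(v) for k, v in user_fields.items() if k not in ignore_fields):
        fails.append("markup or [url] in a checked field")
    emails = Counter(e.lower() for v in user_fields.values() for e in EMAIL_RE.findall(v))
    if emails and max(emails.values()) >= 3:
        fails.append("same email address 3 times in one post")
    expected = render_hidden_fields(form_id, req.session_id or "", req.client_ip)
    for name, reason in (("FormCH1_f", "wrong form"), ("FormCH1_s", "different session"),
                         ("FormCH1_i", "different IP")):
        if not hmac.compare_digest(req.fields.get(name, ""), expected[name]):
            fails.append(f"{name}: {reason}")
    if req.fields.get(HONEYPOT_FIELD, "") != "":
        fails.append("honeypot field was not emptied (no browser script ran)")
    return fails


def evaluate(req: FormRequest, form_id: str, antispam_enabled=True, ignore_fields=()) -> Tuple[bool, List[str]]:
    """Hard failures always reject; soft failures reject only when 2 or more accumulate."""
    hard = hard_failures(req)
    if hard:
        return False, hard
    soft = soft_failures(req, form_id, ignore_fields) if antispam_enabled else []
    return len(soft) < 2, soft


def sample_requests() -> Dict[str, FormRequest]:
    """Constructed requests against a form rendered for session sess-1 from 203.0.113.7."""
    headers = {"User-Agent": "Mozilla/5.0 (demo)", "Referer": "https://www.example.com/contact"}
    hidden = render_hidden_fields("contact", "sess-1", "203.0.113.7")
    return {
        # Remi's case: a human who typed a bit of HTML into one field
        "human_with_html": FormRequest("POST", headers,
            {**hidden, "name": "Remi", "message": "Hello <b>there</b>"}, "sess-1", "203.0.113.7"),
        # a bot that filled every field, including the honeypot, and pasted [url] markup
        "bot": FormRequest("POST", headers,
            {**hidden, HONEYPOT_FIELD: "bot@dynamicweb.com",
             "message": "Visit [url]http://spam.example[/url]"}, "sess-1", "203.0.113.7"),
        # the same HTML post replayed from another session: FormCH1_s no longer matches
        "replay": FormRequest("POST", headers, {**hidden, "message": "Hello <b>there</b>"},
                              "sess-2", "203.0.113.7"),
        "get": FormRequest("GET", headers, {**hidden}, "sess-1", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req, "contact"))
```

Running it prints one line per constructed request: the human post with HTML is accepted with a single markup finding, the bot and the replay are rejected with two findings each, and the GET fails the hard checks. The design point is the "2 or more" threshold: one field of legitimate HTML is tolerated, so the 404 Remi saw only appears once a second check also trips (or when the honeypot was never emptied because the form was hand-coded rather than generated by the module).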

 
Nuno Aguiar

Hi Nicolai,

This is great to know, but can you tell me what JS file and/or how the script that handles the email is rendered?

I cannot see it, with or without the "Disable DWScript.js on layouts" checkbox enabled. Using version 8.3.0.7.

Best Regards,

Nuno

Nicolai Høeg Pedersen

The JS comes inline with the validation scripts in the forms module, and only in 8.3.1+.

Nuno Aguiar

Thanks Nicolai. I was under the impression it was for 8.3.

Remi Muller

Thanks for the explanation!

It is currently not possible to exclude fields from spam checking.

Bypassing fields only works if you do not want an SQL injection check. Right?

Is it possible that DW adds functionality to bypass fields from spam checking?

Nicolai Høeg Pedersen

Hi Remi

Yes, it is only possible to bypass the SQL injection check.

Will add the option to do it for spam checking as well, hopefully for 8.4.

BR Nicolai