
Captcha And Form Security


Sitellite 4.2.12 introduced the Security widget to the MailForm API. This widget makes it easy to add a CAPTCHA field to your forms. The same release also added several other form enhancements that make Sitellite's form security considerably stronger. The steps Sitellite now takes to ensure your forms cannot be abused are:

  • The form's recipient email address is not exposed in the page, so address-harvesting "bots" cannot scrape it.
  • Required fields and field length limits help prevent empty or meaningless submissions by abusive human users.
  • Email fields are validated for correct syntax. A well-formed but non-existent address still passes, since checking deliverability would slow submissions down.
  • Input data used in mail headers is sanitized to prevent email header injection, such as adding blind carbon copy (Bcc) recipients.
  • Referrer checking is enabled to help reduce submissions from spoofed copies of the form.
  • All markup and code is stripped from all input data automatically when the MailForm clean_input parameter is set to true, or clean_input = yes is set in a form's settings.php file.
  • Blacklist support at the database level, built into all default forms. Add an abuser's IP address to the sitellite_form_blacklist table and all messages from that address will be blocked. Enabled by default; disabled by setting blacklist = no in a form's settings.php file.
  • Form input on the built-in forms is optionally logged to the Form Submissions table, including the submitter's IP address, date/time, etc.
  • The submitter's browser is checked for cookie support, which may help to prevent abuse by less sophisticated spambots.
  • CAPTCHA ("please enter the text you see") as an optional feature.

This tutorial will show you how to control these features in your own forms.

Required Fields and Field Lengths

To make a field required, simply add a validation rule to it. To ensure it has a maximum length, set the length property for the field. For example:

[first_name]

type = text
alt = First Name
length = 20
rule 1 = not empty, Please enter your first name to continue.

Validation is performed on the server. The length limit is also emitted as the maxlength attribute on the form element so that browsers stop the user typing past it, but that is a convenience only: a client can submit any value it likes, so the server-side check is the one that counts.

Validating Email Fields

To validate an email value for correct syntax, use the "email" rule:

rule 1 = email, Your email address appears to be invalid.

Sanitizing Header Fields

To sanitize fields whose values end up in mail headers (i.e. the From or CC headers), use the "header" rule:

rule 1 = header, Your name appears to be invalid.
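The two rules above exist because any field value that is copied into a mail header can carry a line break followed by an extra header of the attacker's choosing, which turns a contact form into a relay. The following is an added example and not Sitellite's code: it shows the vulnerable pattern next to the checks the "email" and "header" rules correspond to. The function names and the sample input are assumptions made for the example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not Sitellite's code: a stand-alone illustration of what
// MailForm's "email" and "header" rules guard against. Function names
// and the sample input are my own. Requires PHP 7.1+ (nullable returns).

// Syntax-only check, like the "email" rule: a well-formed address at a
// domain that does not exist still passes, since deliverability is not
// tested.
function is_valid_email_syntax(string $addr): bool
{
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// A value that ends up in a mail header must not contain a line break
// (or a NUL, which some mailers treat as end-of-string). Rejecting the
// submission is preferable to silently stripping the characters: the
// sender learns the input was bad, and nothing surprising is forwarded.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// Vulnerable shape: user input pasted straight into the extra-headers
// argument of mail(). A name containing "\r\nBcc: ..." adds recipients.
function build_from_header_unsafe(string $name, string $from): string
{
    return "From: $name <$from>\r\n";
}

// Hardened shape: validate first, then build the header only from values
// that passed. The display name is quoted and stripped of the two
// characters that could close the quoted string early.
function build_from_header_safe(string $name, string $from): ?string
{
    if (!is_safe_header_value($name) || !is_safe_header_value($from)
        || !is_valid_email_syntax($from)) {
        return null;
    }
    $name = str_replace(['"', '\\'], '', $name);
    return sprintf("From: \"%s\" <%s>\r\n", $name, $from);
}

// Constructed input: a "name" field that smuggles a Bcc header. The
// trailing "X-Pad:" absorbs the rest of the line the caller appends.
$attack = "Alice\r\nBcc: victim@example.org\r\nX-Pad:";
$legit  = 'Alice Example';
$sender = 'alice@example.com';

echo build_from_header_unsafe($attack, $sender);    // the Bcc: line goes out with the mail
var_dump(build_from_header_safe($attack, $sender)); // NULL: submission rejected
echo build_from_header_safe($legit, $sender);       // From: "Alice Example" <alice@example.com>
```

The unsafe builder hands mail() a From header, a Bcc header and a harmless X-Pad header, and the mailer delivers a copy to the smuggled recipient. The safe builder refuses the same input outright, which is the behaviour you get from MailForm by attaching the "header" rule to every field that feeds a header.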

Referrer and Request Method Checking

To verify the referrer and the request method, add the verify_sender = yes option to your [Form] header block. If you don't specify a request method, MailForm defaults to POST. Bear in mind that the Referer header is sent by the client and can be forged by any script, so this check turns away careless spambots and copies of your form hosted on other sites, but it is not a substitute for the other checks described here.

[Form]

verify_sender = yes

Strip Markup and Code

To strip any markup (i.e. HTML, JavaScript) or code (i.e. PHP) from your input data automatically, add the clean_input setting to the [Form] header block:

[Form]

verify_sender = yes
clean_input = yes

Blacklists

Blacklists are enabled by default. To disable them for a form, add blacklist = no to the form header block.

To add an IP address to your blacklist, go to Control Panel > Tools > DB Manager and select the sitellite_form_blacklist table. Add a new entry to that table with the IP address to block and your blacklist has been updated.

Checking for Cookies

By default, MailForm also checks that the submitter's browser supports cookies by setting a temporary cookie when the form is rendered and checking for it in the browser's cookies when the form is submitted.

This can be disabled by setting verify_session = no in the form's header block.
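The referrer, request method, blacklist and cookie checks above all run before any field is looked at, and they share a property: each one is cheap and each one is easy for a determined sender to satisfy. The following added example, which is not Sitellite's code, gathers the four checks into one gate so their limits are visible side by side. The constant names, the cookie name, the form_gate function and the in-memory blacklist (standing in for the sitellite_form_blacklist table) are assumptions made for the example; it needs PHP 7.3 or later.

```php
<?php
// Added example, not Sitellite's code: a stand-alone version of the checks
// MailForm performs when verify_sender, verify_session and blacklist are
// on. SITE_HOST, SESSION_CK, form_gate and the $blacklist array are my
// own names; the blacklist stands in for the sitellite_form_blacklist
// table. Requires PHP 7.3+ (setcookie options array).

const SITE_HOST  = 'www.example.com';   // assumption: host the form is served from
const SESSION_CK = 'mf_session_probe';  // assumption: cookie planted at render time

// Stand-in for the sitellite_form_blacklist table (constructed data).
$blacklist = ['203.0.113.7', '198.51.100.23'];

// Called when the form is rendered: plant a cookie so the submission can
// show the client at least keeps cookies. Simple spambots fetch and POST
// without a cookie jar; anything built on a real HTTP library passes, so
// this is a nuisance filter, not authentication.
function plant_session_probe(): void
{
    setcookie(SESSION_CK, bin2hex(random_bytes(8)), [
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns null when the submission may proceed, or a short reason when
// it must be dropped. $server, $cookie and $blacklist are parameters
// rather than globals so the gate can be exercised with constructed data.
function form_gate(array $server, array $cookie, array $blacklist): ?string
{
    // 1. Request method: GET submissions (links, prefetchers, crawlers)
    //    are refused; MailForm defaults to POST when none is configured.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';
    }

    // 2. Referer: the host must be our own. The header is written by the
    //    client, so forging it is trivial; this stops stray copies of the
    //    form hosted elsewhere, nothing more. A missing Referer is refused
    //    too, which also turns away privacy tools that strip it.
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, SITE_HOST) !== 0) {
        return 'referer';
    }

    // 3. Cookie probe planted at render time must come back.
    if (!isset($cookie[SESSION_CK])
        || !preg_match('/^[0-9a-f]{16}$/', $cookie[SESSION_CK])) {
        return 'session';
    }

    // 4. IP blacklist. REMOTE_ADDR is the peer the server actually saw,
    //    not a client-supplied header such as X-Forwarded-For.
    if (in_array($server['REMOTE_ADDR'] ?? '', $blacklist, true)) {
        return 'blacklist';
    }

    return null;
}

// Constructed requests.
$good = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_REFERER'   => 'https://www.example.com/contact',
    'REMOTE_ADDR'    => '192.0.2.10',
];
$copy = $good;
$copy['HTTP_REFERER'] = 'http://spam.example.net/forms/contact-copy.html';
$probe = [SESSION_CK => str_repeat('ab', 8)];

var_dump(form_gate($good, $probe, $blacklist));                          // NULL: accepted
var_dump(form_gate($copy, $probe, $blacklist));                          // "referer"
var_dump(form_gate($good, [], $blacklist));                              // "session"
var_dump(form_gate(['REQUEST_METHOD' => 'GET'] + $good, $probe, $blacklist)); // "method"
var_dump(form_gate(['REMOTE_ADDR' => '203.0.113.7'] + $good, $probe, $blacklist)); // "blacklist"
```

The ordering mirrors the cost of each check: the method and Referer are read from the request line and headers, the cookie from the request, and only the blacklist needs a lookup. None of the four distinguishes a human from a script that was written with your form in mind, which is why the CAPTCHA in the next section exists.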

CAPTCHA Usage

The new Security widget makes it easy to add CAPTCHAs to your forms. Simply add a Security widget to your form settings and you're all set.

[security_test]

type = security
alt = "Man or machine: the ultimate test"

This generates a CAPTCHA made from ASCII-art renderings of the letters and numbers (using a neat tool called Figlet). It works, but it is the weaker option: each glyph is a fixed, font-determined pattern of characters, so a bot that knows the Figlet font can match them straight from the page source. The benefit is that it works on all sites, regardless of your PHP setup, whereas Sitellite's image-based CAPTCHA requires a working PHP GD extension.

If you do have the GD extension installed, Sitellite can use it instead and make the CAPTCHA considerably harder to read mechanically by adding one line to the form settings:

[security_test]

type = security
alt = "Man or machine: the ultimate test"
verify_method = turing

If your server doesn't support GD, the page will not fall back silently: it dies with an error as soon as the widget is rendered, so you find out right away whether you have to stick with Figlet or can use the Turing image generator for your CAPTCHAs.
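Whichever renderer draws the challenge, the widget is only as good as the server-side handling of the answer. The following added example, not Sitellite's code, shows that half: the answer is kept only on the server (here as a hash in $_SESSION), compared in constant time, and consumed on the first attempt so that neither a wrong guess nor a correct one can be reused against the same image. The function names, the character set and the rendering stub are assumptions made for the example; it needs PHP 7.0 or later.

```php
<?php
// Added example, not Sitellite's code: the server side of a CAPTCHA,
// which is the same whether the challenge is drawn with Figlet or GD.
// captcha_issue, captcha_verify, captcha_render_stub and the constants
// are my own names; $_SESSION is the server-side store. Requires PHP 7.0+.

session_start();

const CAPTCHA_LEN   = 6;
const CAPTCHA_CHARS = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O/1/I lookalikes

// Issue a fresh challenge. Only a hash of the answer is stored, so a
// leaked session store does not hand out answers; the returned text is
// what the widget would turn into Figlet art or a GD image.
function captcha_issue(): string
{
    $chars = CAPTCHA_CHARS;
    $code  = '';
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $code .= $chars[random_int(0, strlen($chars) - 1)];
    }
    $_SESSION['captcha_hash']   = hash('sha256', $code);
    $_SESSION['captcha_issued'] = time();
    return $code;
}

// Verify a submitted answer. Every path clears the stored challenge, so a
// wrong guess cannot be retried against the same image and a correct
// answer cannot be replayed for a second submission. Expired challenges
// fail closed.
function captcha_verify(string $answer, int $max_age = 600): bool
{
    $hash   = $_SESSION['captcha_hash']   ?? null;
    $issued = $_SESSION['captcha_issued'] ?? 0;
    unset($_SESSION['captcha_hash'], $_SESSION['captcha_issued']);

    if ($hash === null || time() - $issued > $max_age) {
        return false;
    }
    $normalised = strtoupper(trim($answer));
    // hash_equals: constant-time comparison, no early exit on first mismatch.
    return hash_equals($hash, hash('sha256', $normalised));
}

// Stand-in for the widget's rendering step. With Figlet the characters
// become fixed ASCII patterns a bot can match from the page source; with
// GD they become pixels, which is what verify_method = turing buys you.
function captcha_render_stub(string $code): string
{
    return "[captcha image for: $code]";
}

$code = captcha_issue();
echo captcha_render_stub($code), "\n";
var_dump(captcha_verify(strtolower($code))); // true: case-insensitive match
var_dump(captcha_verify($code));             // false: challenge already consumed
```

The one-attempt rule is the detail most often missed: if the stored challenge survives a failed check, a script can fetch the image once and try guesses until it hits, which for a six-character code from a 32-character alphabet is slow but not impossible. Clearing the challenge on every verification forces a new image, and therefore a new solve, for each try.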

As you can see, Sitellite goes the extra mile to ensure your forms aren't being abused by spammers or attackers, and makes it easy on you to carry this level of safety and protection into your custom applications.

Revised on February 12, 2007 4:31 PM by anonymous
