I have a simple CakePHP form WITH validation that submits to a database. It doesn't require a logged-in user.

Now, using the form normally via a browser and not filling in all required fields causes validation errors and the form is not submitted.

However, I seem to be getting spammed by someone/something. They are filling in the generic named fields (name, email, message etc.) but not the obscure ones, and these records are going into the database, so they're obviously bypassing the validation!

My question is HOW??? (and how can I stop them?)

I have the feeling I'm missing an obvious loophole or something...

This is my add method:

    function add() {
        $this->pageTitle = 'Projects - Submit Project';
        // $this->data holds whatever was POSTed, whether or not it came from the rendered form
        if (!empty($this->data)) {
            $this->Project->create();
            // save() runs the model's $validate rules before inserting the record
            if ($this->Project->save($this->data)) {
                $this->Session->setFlash(__('The Project has been saved', true));
                $this->_sendStaffMail($this->Project->id);
                $this->_sendClientMail($this->Project->id);
                $this->redirect(array('controller' => 'pages', 'action' => 'thanks'));
            } else {
                $this->Session->setFlash(__('The Project could not be saved. Please, try again.', true));
            }
        }
    }

And validation from Model:

    var $validate = array(
        'name' => array('notempty'),
        'department' => array('notempty'),
        'client' => array('notempty'),
        'contact_name' => array('notempty'),
        'email' => array('email'),
        'phone' => array('notempty'),
        'title' => array('notempty'),
        'background' => array('notempty'),
        'objectives' => array('notempty'),
        'target_audience' => array('notempty'),
        'message' => array('notempty'),
        'logos' => array('notempty'),
        'images' => array('notempty'),
        'print_info' => array('notempty')
    );

I should also mention I have tried playing with the Security component, but it seems overkill when my project has tons of forms throughout it (although they're behind Auth login).

A: 

I'm talking really generally here (i.e. not CakePHP specific), but would a captcha field be worthwhile considering?

Also, what about the Mollom anti-spam service? This is free to many website operators except for those that have a lot of traffic. It works with any CMS.

Rob
Captcha was my first thought, but I'd really like to know how they're managing it, then I will go about preventing it.
unidev
A: 

Is your CakePHP accepting security or proof-that-the-user-is-human questions as optional argument parameters? Have a look at what CakePHP does (i.e. where the execution flows to, what PHP code is run) with the HTTP form POST CGI parameter data passed to your server from your client-side form.

Are your database login/passwords secure enough?

Rob
+3  A: 

I'm guessing the post data the spammer is passing doesn't contain fields like target_audience, and Cake isn't validating it for that reason when the model is saved.

What you want to do is add the 'required' validation rule.

The 'empty' rules only check, if the value is passed in the data array, that it isn't whitespace; 'required' assures that the field actually exists before the model is saved.

Equistatic
+2  A: 

You need to expand your validation array to include a few more options than the simple syntax allows for.

    <?php
    public $validate = array(
        'name' => array(
            'nameNotEmpty' => array(
                'required'   => true,  // make sure the $data[ 'Model' ][ 'name' ] key exists
                'allowEmpty' => false, // make sure the $data[ 'Model' ][ 'name' ] value exists
                'rule'       => array( 'notEmpty' ), // make sure the value isn't empty.
                'message'    => 'Name is required.',
            ),
        ),
    );
    ?>

The comments on the rule should explain why each key is in there. The notEmpty rule and the allowEmpty => false are redundant, but I wanted a rule in the declaration so that you would see the key in there and remember to replace it with an appropriate validation rule (isUnique, minLength etc.).

Edited: more info

Basically what is happening is somebody is posting a request directly to the form action that includes a post array with the obvious keys. As your validation rules stand, if the keys for some of the more specific info are omitted, there is no validation check for those fields. To make Cake validate not only the data for the keys but also the existence of the key itself, use the required => true flag. If the key must also not contain just whitespace or an empty value (required => true simply makes sure the field was included in the form), use allowEmpty => false.

Abba Bryant
Absolutely perfect answer, thank you! I am happy to find out something new and also the reason for the problems. As I mentioned earlier I have used Cake for a while, but always assumed the basic rules were sufficient; now I know different! Many thanks!
unidev
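To see why the rules in the question let a direct POST through, here is an added PHP script (not CakePHP code, and not from any of the answers above) that mimics the rule semantics the accepted answer describes: a field's rule only runs when its key is in the data array unless 'required' => true is set, and 'allowEmpty' => false rejects whitespace-only values. The field subset, the two sample submissions and the simplified rule handling are assumptions constructed for the illustration.

```php
<?php
// Added stand-in for how CakePHP 1.x applies $validate to posted data (this is
// not CakePHP's Validation class): a field's rule only runs when its key is
// present in the data array, unless the rule sets 'required' => true.
function validateData(array $validate, array $data) {
    $errors = array();
    foreach ($validate as $field => $ruleSet) {
        if (isset($ruleSet[0])) {            // simple syntax: array('notempty')
            $ruleSet = array(array('rule' => $ruleSet[0]));
        }                                    // otherwise: named rules, as in the answer
        foreach ($ruleSet as $rule) {
            if (!array_key_exists($field, $data)) {
                if (!empty($rule['required'])) {
                    $errors[$field] = 'missing from submitted data';
                }
                continue; // key absent and not required: nothing is checked
            }
            $value = trim((string)$data[$field]);
            if ($value === '') {
                if (empty($rule['allowEmpty'])) {
                    $errors[$field] = 'must not be empty';
                }
                continue;
            }
            $name = is_array($rule['rule']) ? $rule['rule'][0] : $rule['rule'];
            if (strtolower($name) === 'email' && !filter_var($value, FILTER_VALIDATE_EMAIL)) {
                $errors[$field] = 'invalid email address'; // notEmpty is already covered above
            }
        }
    }
    return $errors;
}
// The simple rules from the question, and the same fields with required/allowEmpty added.
$loose = array('name' => array('notempty'), 'email' => array('email'),
               'message' => array('notempty'), 'target_audience' => array('notempty'));
$strict = array();
foreach ($loose as $field => $rule) {
    $strict[$field] = array('present' => array('rule' => $rule, 'required' => true, 'allowEmpty' => false));
}
// Constructed submissions: a normal browser POST, and a direct POST that omits the obscure field.
$browserPost = array('name' => 'Alice', 'email' => 'alice@example.com',
                     'message' => 'Hello', 'target_audience' => 'Staff');
$directPost  = array('name' => 'spam', 'email' => 'spam@example.com', 'message' => 'buy now');
$cases = array('loose rules, browser post' => validateData($loose, $browserPost),
               'loose rules, direct post'  => validateData($loose, $directPost),
               'strict rules, direct post' => validateData($strict, $directPost));
foreach ($cases as $label => $errors) {
    echo $label, ' => ', ($errors ? json_encode($errors) : 'no errors, record would be saved'), "\n";
}
```

Run with `php` from the command line: the loose rules report no errors for the direct post, because target_audience is never looked at, while the strict rules report it as missing.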