## Deliverables
We need a "contact us" web page/form created and linked to a Windows server running Active Perl. The "Contact us" form must contain the following fields:

- Subject:
- Your name:
- Your email address:
- Message:

...along with a Submit button. All of this sounds fairly simple; however, there are some features we want built into the Perl handler that make this form special. Here are the items we want added, features that should help reduce the number of SPAM messages and bots:

1) Every field needs to be verified using server-side code. Email addresses entered need to be checked using a good regular expression. All fields should be scanned for HTML tags, SQL injection and excessive length (buffer overflow). Each field should have a maximum length value that cannot be exceeded. A JavaScript client-side check should exist, as well as the server-side check.

2) An array of predefined words and phrases will be scanned against, and if any of them matches what is being submitted from the form, the contents of the form must not be submitted. The array of phrases/words could be like:

```
www.
http:/
viagra
porno
lottery
```

   This list should be in a separate ASCII file that can be easily edited using Notepad.

3) Check for rogue POST and GET values. If the form expects three POSTed fields, the existence of a fourth could indicate a hacking attempt. Check that no additional GET values have been passed.

4) Check the HTTP headers. If no user agent (HTTP_USER_AGENT) or referring page (HTTP_REFERER) is present, the form submission should be refused.

5) Add a user "time response." All users will take a little time to complete forms, whereas bots are almost instantaneous. The Active Perl solution should be something like the following:
   - The current server time is recorded when the form page is generated.
   - The time value is encoded into a string. The actual encoding algorithm is up to you, but it must be one that is not obvious and that allows decoding back to the original value. I would also recommend using unique user data, such as the IP address, as an encryption key.
   - The encoded time is put in a hidden form value.
   - When the form is posted back, the field is checked and decoded back to a time. This can then be compared with the current server time to ensure the response time falls within a specific window, e.g. between 15 seconds and 15 minutes.

6) The Perl code should have fields that define:
   - an email address to which the submitted form data is passed on
   - an optional "cc" address
   - values defining the mail server parameters (the server is running iMail server)

7) The form data should be inserted into an ASCII template file and then sent to the predefined email addresses. The template should look something like:

```
---- snip 8< ----
Subject: %Subject%
Date/time: %Date% %Time% (e.g., Tuesday, Oct. 3, 2009, 9:34 am)
Contact name: %YourName% <%emailAddress%>
Message:
%MessageBody%
IP: %IPAddress%
---- snip 8< ----
```

8) The email message should be sent to the mail server using the visitor's email address as the sender, so that when we receive the incoming message, all we have to do is hit REPLY and our response will be sent to the visitor. Yes, our email server allows local relaying.

9) Error messages should be displayed above each field in red to indicate which fields failed to be accepted according to the guidelines above.

10) A URL of the page to be displayed upon a successful submission needs to be included in the Perl code.

11) A list of valid referrers must be included in the code, and one of the values must match the incoming referer in order to be accepted as a valid submission. Example:

```
@referers = ( '[login to view URL]', '[login to view URL]', '[login to view URL]');
```

Again, the code must be in Active Perl and run on a Windows 2000 server. Source code must be liberally commented to our satisfaction.
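The server-side checks asked for in items 1 through 4 and 11, written up as an added example rather than code from this posting. It takes the posted fields as a hash reference so it runs without a web server; the field names, maximum lengths, referrer hosts, regular expressions and the sample requests are all constructed for the example, and the word list is written to a temporary file so that `load_blocklist` can be exercised offline.

```perl
#!/usr/bin/perl
# Added example (not the posting's code): server-side checks for items 1-4 and 11.
use strict;
use warnings;

# Expected POST fields and their maximum lengths (constructed limits).
my %MAX_LEN = (Subject => 100, YourName => 60, emailAddress => 120, MessageBody => 4000);

# Fields that end up in e-mail headers and must therefore stay on one line.
my %SINGLE_LINE = map { $_ => 1 } qw(Subject YourName emailAddress);

# Referrers allowed to post the form (placeholder hosts; the posting's real list is elided).
my @REFERERS = ('www.example.invalid', 'example.invalid');

# Conservative patterns for markup, SQL fragments and the shape of an e-mail address.
my $HTML_RE = qr{<\s*/?\s*[a-z][^>]*>}i;
my $SQL_RE  = qr/\b(?:union\s+select|select\s+.+\s+from|insert\s+into|drop\s+table|or\s+1\s*=\s*1)\b|'\s*(?:or|and)\s/i;
my $MAIL_RE = qr/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;

# Load the Notepad-editable word list: one entry per line, blanks and '#' comments ignored.
sub load_blocklist {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!";
    my @words;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;
        push @words, $line if length($line) && $line !~ /^#/;
    }
    close $fh;
    return \@words;
}

# Validate one submission. $params: hashref of POST fields; $env: hashref of CGI
# environment values; $query: raw QUERY_STRING. Returns a hashref of field => error
# (the key "_request" collects request-level problems); an empty hash means accept.
sub validate_submission {
    my ($params, $env, $query, $blocklist) = @_;
    my %err;

    # 3) rogue parameters: any POST field we did not ask for, or any GET data at all.
    for my $name (keys %$params) {
        $err{_request} = "unexpected field '$name'" unless exists $MAX_LEN{$name};
    }
    $err{_request} = 'unexpected query string' if defined $query && length($query);

    # 4) and 11) headers: User-Agent and Referer must exist, and the referer host must be listed.
    $err{_request} = 'missing User-Agent' unless $env->{HTTP_USER_AGENT};
    my ($host) = ($env->{HTTP_REFERER} || '') =~ m{^https?://([^/:]+)}i;
    $err{_request} = 'referer not allowed'
        unless defined $host && grep { lc($_) eq lc($host) } @REFERERS;

    # 1) and 2) per-field checks; the first failing rule is reported for each field.
    for my $name (sort keys %MAX_LEN) {
        my $v = $params->{$name};
        if (!defined $v || $v !~ /\S/)             { $err{$name} = 'required'; next; }
        if (length($v) > $MAX_LEN{$name})          { $err{$name} = "longer than $MAX_LEN{$name} characters"; next; }
        if ($SINGLE_LINE{$name} && $v =~ /[\r\n]/) { $err{$name} = 'line breaks are not allowed'; next; }
        if ($v =~ $HTML_RE)                        { $err{$name} = 'HTML is not allowed'; next; }
        if ($v =~ $SQL_RE)                         { $err{$name} = 'contains SQL-like text'; next; }
        if (my ($w) = grep { index(lc($v), lc($_)) >= 0 } @$blocklist) {
            $err{$name} = "contains blocked text '$w'"; next;
        }
        if ($name eq 'emailAddress' && $v !~ $MAIL_RE) { $err{$name} = 'not a valid e-mail address'; }
    }
    return \%err;
}

# Stand-alone demonstration with constructed requests and a temporary word list.
unless (caller) {
    my $list = 'blocklist-example.txt';
    open my $out, '>', $list or die "cannot write $list: $!";
    print $out "# one entry per line\nwww.\nhttp:/\nlottery\n";
    close $out;
    my $block = load_blocklist($list);
    unlink $list;

    my %env  = (HTTP_USER_AGENT => 'Mozilla/5.0', HTTP_REFERER => 'http://www.example.invalid/contact.html');
    my %good = (Subject => 'Shipping question', YourName => 'A. Visitor',
                emailAddress => 'visitor@example.invalid', MessageBody => 'Do you ship abroad?');
    my %spam = (%good, MessageBody => 'You won the lottery, see http://bad.invalid', extra => 'x');

    for my $case ([\%good, 'good'], [\%spam, 'spam']) {
        my $e = validate_submission($case->[0], \%env, '', $block);
        print "$case->[1]: ",
              (%$e ? join('; ', map { sprintf '%s: %s', $_, $e->{$_} } sort keys %$e) : 'accepted'), "\n";
    }
}
```

Two points worth keeping in mind when adapting this. The line-break check on the single-line fields is not in the posting but matters more than the SQL scan here: Subject, name and address go straight into e-mail headers, and a CR/LF inside them lets a sender add headers of their own. The SQL pattern is there only because the brief asks for it; since the data is e-mailed rather than stored, it will mostly reject ordinary English that happens to contain "select ... from", so keep it narrow or drop it if the handler never touches a database.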
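A worked example of the "time response" token from item 5, added here as an illustration and not taken from the posting. In place of the reversible encryption the brief suggests, it stores the issue time in clear alongside an HMAC (core modules `Digest::SHA` and `MIME::Base64`, Perl 5.10 or later assumed) computed over the time and the client IP with a server-side secret, which gives the same properties the brief wants: the value cannot be forged or re-used from another address, and it decodes straight back to the original time. The secret, the window and the addresses in the demonstration are constructed values.

```perl
#!/usr/bin/perl
# Added example (not the posting's code): issue and verify the hidden timing field.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);                 # core since Perl 5.10
use MIME::Base64 qw(encode_base64 decode_base64);     # core

# Server-side secret (constructed); in production read it from a file outside the web root.
my $SECRET      = 'change-me-to-a-long-random-string';
my $MIN_SECONDS = 15;          # faster than this is treated as a bot
my $MAX_SECONDS = 15 * 60;     # slower than this is treated as a stale or replayed form

# Build the hidden-field value when the form page is generated. The token carries the
# issue time plus an HMAC over (time, client IP), so it cannot be altered or moved to
# another address without the secret.
sub make_token {
    my ($ip, $now) = @_;
    $now = time() unless defined $now;
    my $mac = hmac_sha256_hex("$now|$ip", $SECRET);
    return encode_base64("$now|$mac", '');            # '' = no line breaks in the output
}

# Verify a posted token. Returns (1, elapsed_seconds) on success, or (0, reason) when
# the token is missing, malformed, forged, too fast or too old.
sub check_token {
    my ($tok, $ip, $now) = @_;
    $now = time() unless defined $now;
    return (0, 'missing')      unless defined $tok && length($tok);
    return (0, 'bad encoding') if $tok !~ m{^[A-Za-z0-9+/=]+$};
    my ($issued, $mac) = split /\|/, decode_base64($tok), 2;
    return (0, 'malformed')    unless defined $issued && $issued =~ /^\d+$/ && defined $mac;
    my $expect = hmac_sha256_hex("$issued|$ip", $SECRET);
    return (0, 'forged')       unless constant_eq($mac, $expect);
    my $elapsed = $now - $issued;
    return (0, 'too fast')     if $elapsed < $MIN_SECONDS;
    return (0, 'expired')      if $elapsed > $MAX_SECONDS;
    return (1, $elapsed);
}

# Compare two hex digests without leaking where they differ through timing.
sub constant_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Stand-alone demonstration with a constructed client address and fixed clock values.
unless (caller) {
    my $ip  = '203.0.113.7';
    my $t0  = 1_000_000;
    my $tok = make_token($ip, $t0);
    print "hidden field: $tok\n";
    for my $case ([$t0 + 2, 'bot-speed'], [$t0 + 60, 'human'], [$t0 + 3600, 'stale']) {
        my ($ok, $info) = check_token($tok, $ip, $case->[0]);
        printf "%-10s -> %s (%s)\n", $case->[1], $ok ? 'accept' : 'reject', $info;
    }
    my ($ok, $why) = check_token($tok, '198.51.100.9', $t0 + 60);
    print "other IP   -> ", ($ok ? 'accept' : "reject ($why)"), "\n";
}
```

In the CGI handler, `make_token($ENV{REMOTE_ADDR})` produces the hidden field when the page is rendered and `check_token($posted_value, $ENV{REMOTE_ADDR})` is run before the other field checks. Binding the IP into the MAC is the closest equivalent of the posting's "use the IP address as a key"; visitors behind a proxy pool whose address changes between page load and submit will be rejected, so the expiry window should stay generous rather than the IP check being dropped.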