submit button

Harvey Waxman wrote:

How can I disable a submit button for a form if JS is disabled. In other
words, JS must be enabled to submit the form.

The submit button isn't your problem, if it was, the solution would be
trival. Write the button using javascript, say document.write() it.

But some (most?) browsers can submit a form without a submit button.
Some solutions:

1. Create the entire form using javascript

2. Create the form in HTML with display: none and then
change that to display:'' using script, e.g.:

<form id="formA" style="display: none;" >
<input type="text" value="formA">
...
</form>
<script type="text/javascript">
document.forms['formA'].style.display = '';
</script>
Assuming appropriate feature detection etc.
--
Rob

Harvey Waxman wrote:

How can I disable a submit button for a form if JS is disabled. In other
words, JS must be enabled to submit the form.

<form ...>
....
<script type="text/javascript">
document.writeln('<input type="submit">');
</script>
<noscript>
<span style="color:red">Your message</span>
</noscript>
</form>

Harvey Waxman wrote:

How can I disable a submit button for a form if JS is disabled. In other
words, JS must be enabled to submit the form.

<form ...>
...
<script type="text/javascript">
document.writeln('<input type="submit">');
</script>
<noscript>
<span style="color:red">Your message</span>
</noscript>
</form>

Though I'm considering more user friendly to show some general
hard-to-miss warning atop of it:
<http://groups.google.com/group/comp.infosystems.www.authoring.stylesheets/msg/2f90dbab58ed02a7>

I hope you're not doing this as a security measure, since it will be
possible to submit the form no matter *how* the submit button is
customized.

In article <11*********************@16g2000cwy.googlegroups.c om>,
"Joseph Taylor" <Jo******@gmail.comwrote:

I hope you're not doing this as a security measure, since it will be
possible to submit the form no matter *how* the submit button is
customized.

Thanks

It's more of a nuisance measure. If the form and the asp are in subdirectories
and paths are relative to the document wouldn't that directory be unknown to
the spammer making it impossible to send from anyplace else?

--
Dr. Harvey Waxman

http://righttax.org/blog

I'll work with that and see. Thanks for the suggestion

In article <11**********************@79g2000cws.googlegroups. com>,
"RobG" <rg***@iinet.net.auwrote:

Harvey Waxman wrote:

How can I disable a submit button for a form if JS is disabled. In other
words, JS must be enabled to submit the form.

The submit button isn't your problem, if it was, the solution would be
trival. Write the button using javascript, say document.write() it.

But some (most?) browsers can submit a form without a submit button.
Some solutions:

1. Create the entire form using javascript

2. Create the form in HTML with display: none and then
change that to display:'' using script, e.g.:

<form id="formA" style="display: none;" >
<input type="text" value="formA">
...
</form>
<script type="text/javascript">
document.forms['formA'].style.display = '';
</script>
Assuming appropriate feature detection etc

--
Harvey Waxman DMD

(remove thefrown to email)
http://righttax/blog

In article <11*********************@16g2000cwy.googlegroups.c om>,
"Joseph Taylor" <Jo******@gmail.comwrote:

I hope you're not doing this as a security measure, since it will be
possible to submit the form no matter *how* the submit button is
customized.

I just realized that the full path is available in the address bar :-

--
Harvey Waxman DMD
73 Wright Lane
Wickford, RI 02852
(remove thefrown to email)
http://righttax/blog

Joseph Taylor wrote:

I hope you're not doing this as a security measure, since it will be
possible to submit the form no matter *how* the submit button is
customized.

Doing what? Please provide a minimum quote of what are you replying to.

In relevance to <noscriptblocks they do not prevent users from
reverse engineering the obtained page and say still submit the form;
all what <noscriptblock can do is to alert users that some important
functionality is missing (say data update over ajaxoids is not
possible) and that they should not use the page in the state it is
right now. Will user follow this warning or will she attempt to hack
your source is out of your control. This way an additional server-side
check is highly suggested is any case.

In article <11**********************@j72g2000cwa.googlegroups .com>,
"VK" <sc**********@yahoo.comwrote:

Joseph Taylor wrote:

I hope you're not doing this as a security measure, since it will be
possible to submit the form no matter *how* the submit button is
customized.

Doing what? Please provide a minimum quote of what are you replying to.

In relevance to <noscriptblocks they do not prevent users from
reverse engineering the obtained page and say still submit the form;
all what <noscriptblock can do is to alert users that some important
functionality is missing (say data update over ajaxoids is not
possible) and that they should not use the page in the state it is
right now. Will user follow this warning or will she attempt to hack
your source is out of your control. This way an additional server-side
check is highly suggested is any case.

Sorry, just tried to save some space.

I understand that this is a losing battle, that determined hackers can continue
to offer me tons of viagra etc.

Still, I'm trying to learn. What I'd like to do is to have an asp validation
for one field that will reject a submission but I haven't been able to get it
to work. The form never gets submitted so I obviously have copied or placed
the code incorrectly. Here is the asp code
<%
Validated_Form = true
IF st <"RI" THEN
Validated_Form = false
END IF

IF NOT Validated_Form THEN
%>
<HTML>
<BODY>
Error. Click back in your browser and activate Javascript.
</HTML>
</BODY>

<%
ELSE
Dim name,address,city,st,email,show,comments
name = Request.Form("name")
address = Request.Form("address")
city = Request.Form("city")
st = Request.Form("st")
email = Request.Form("email")
comments = Request.Form("comments")
show = Request.Form("show")
Dim ObjMail
Set ObjMail = Server.CreateObject("CDONTS.NewMail")
ObjMail.To = "xx***@xxx.xxx"
ObjMail.From = "xx***@xxx.xxx"
ObjMail.Subject = "Petition"
ObjMail.Body = "Name" & vbtab & name & vbcrlf&_
"Address" & vbtab & address & vbcrlf&_
"City" & vbtab & city & vbcrlf&_
"State" & vbtab & st & vbcrlf&_
"Email" & vbtab & email & vbcrlf&_
"Add Name?" & vbtab & show & vbcrlf&_
"Comments" & vbtab & comments
ObjMail.Send
Set ObjMail = Nothing
Response.Write"Thank You"
%>
<HTML>
<BODY>
<B>Thank you for filling out the form!</B>
<BR><BR>
</body></html>
<%
END IF
%>

Thanks

--
Harvey Waxman
remove spam to email
http://righttax.org/

Harvey Waxman wrote:

I understand that this is a losing battle, that determined hackers can continue
to offer me tons of viagra etc.

Still, I'm trying to learn. What I'd like to do is to have an asp validation
for one field that will reject a submission but I haven't been able to get it
to work.

If you want to complicate spammers life a little bit and if you are OK
with rendering your form useless without script support, then you could
obfuscate action attribute:

function setFormAction() {
document.forms['MyForm'].action = realURL;
}
window.onload = setFormAction;
....
<form name="MyForm" action="go_away_nasty_spammer">
....

But of course it's all baby toys :-) A real automated spam protection
can be made only server-side by generating sessionID, verification
number and obfuscated picture with verification number. Then you send
both picture and sessionID to client, on submit finding the relevant
verification number by sessionID and checking it agains the user input.

JavaScript is not of big help here.

Understood, thanks

In article <11*********************@j72g2000cwa.googlegroups. com>,
"VK" <sc**********@yahoo.comwrote:

Harvey Waxman wrote:

I understand that this is a losing battle, that determined hackers can
continue
to offer me tons of viagra etc.

Still, I'm trying to learn. What I'd like to do is to have an asp
validation
for one field that will reject a submission but I haven't been able to get
it
to work.

If you want to complicate spammers life a little bit and if you are OK
with rendering your form useless without script support, then you could
obfuscate action attribute:

function setFormAction() {
document.forms['MyForm'].action = realURL;
}
window.onload = setFormAction;
...
<form name="MyForm" action="go_away_nasty_spammer">
...

But of course it's all baby toys :-) A real automated spam protection
can be made only server-side by generating sessionID, verification
number and obfuscated picture with verification number. Then you send
both picture and sessionID to client, on submit finding the relevant
verification number by sessionID and checking it agains the user input.

JavaScript is not of big help here.

--
Harvey Waxman
remove spam to email
http://righttax.org/