Server side input validation
For some time now we had some simple email registration for the free trial of some of our software products. We are aware that some users do not like it, however, we are a small company and also need to think about some trial follow up reminder, questionnaire, etc.
Of course most annoying for us are invalid email addresses, causing bouncing error messages, blocking our email server, support accounts or a combination of those, … So after some week of too many delivery errors we ended up adding some basic input validation. However due to the complex nature of HTML, Javascript, and XML-RPC based AJAX or variants thereof we only, quickly did so in the JavaScript. Just some simply straight forward checking. You certainly get the idea. For normal customers that worked great.
Guess what happened next? Java spam bots eventually found the form and started feeding the usual v1a6ra, and other related medical, drug and other spam thru the form. Of course they where usually sending some random email address for their spam, resulting in the same, and in the end even higher amount of email delivery errors than we wanted to prevent initially.
After too long time the pain became too big. Yesterday we finally moved the input validation into our server backend as it should be. Never trust the client, always validate 100% on your final server side. Of course one shoudl do so from the beginning. Just that Web 2.0, with HTML, Javascript and all the surrounding “technologies” are such a complex, error prone, and not so easy to debug mess, that this is unfortunately a rather complex affair, …
Let’s see what annoying trickery comes next to that simple form, … ;-)