Looking for Validation – Again

The sales department started getting blank contact forms.  Truly a life-or-death dilemma: how do you set up a follow-up pipeline for a blank form?  Do you contact the nameless one via email or phone?  Or maybe by midnight seance, shrouded in red robes and chanting in Latin?

Seriously though, blank forms lead to spam forms, which lead to slammed inboxes.  It turned out the new, improved contact form had no server-side checks at all.  After launch we were fine for a while, until we realized this, along with the fact that the client-side validation relied entirely on the HTML5 ‘required’ attribute on input elements.  This is an awesome feature, but it simply has no effect in some older browsers (IE9 particularly).  Also, spam bots don’t care about your pretty client-side checks.  You can turn the field’s outline red and disable the submit button all day; they’ll just disable the JavaScript and send the invalid form right through.

So we needed to add server-side checks.  Easy enough usually, except for a complication in the submission process.  When the form is sent, some processing happens and 2 emails are sent.  This can take milliseconds, or it can take 2 seconds (or more).  In testing, that seemed too slow: even with a spinner/processing animation, it detracted from the user experience.

So we did a slight cheat.  We implemented a couple more client-side checks (to handle submissions from legacy browser versions that don’t support the ‘required’ attribute) and added some server-side checks.  But those server-side checks only run after we update the UI on the front end.  So, if a regular user submits the form, they get the nice flow: if something’s wrong with a field, an error message shows, they can’t submit, and they fix the problem.  When they do submit a valid form, the screen immediately shows the ‘thank you’ message.

But if some nefarious entity is trying to circumvent the form, the server-side checks come into play.  That entity gets no nice message asking them to fix the mistakes and try again; the submission silently fails.
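
The flow described above, as an added example that is not the code from the site in this post: the server validates every submission, answers valid and invalid ones identically, and defers the slow email step until after the reply.  The field names, length limits, and the `sendEmails`, `log` and `defer` parameters are assumptions made for illustration.

```javascript
// Added example. Field names and limits are assumed, not taken from the post.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const LIMITS = { name: 100, email: 254, message: 5000 };

// Returns the names of fields that fail validation (empty array = valid).
// Missing, non-string, whitespace-only and oversized values are all rejected,
// so a request that never ran the client-side checks is still caught here.
function validateContact(body) {
  const bad = [];
  for (const [field, max] of Object.entries(LIMITS)) {
    const raw = body && typeof body[field] === 'string' ? body[field] : '';
    const value = raw.trim();
    if (value.length === 0 || value.length > max) bad.push(field);
  }
  if (!bad.includes('email') && !EMAIL_RE.test(body.email.trim())) {
    bad.push('email');
  }
  return bad;
}

// Handles one submission and returns the HTTP response right away.
//   sendEmails: hypothetical callback doing the slow work (the two emails)
//   log:        array standing in for a server-side log
//   defer:      scheduler for the slow work; defaults to after the reply
function handleSubmission(body, sendEmails, log = [], defer = setImmediate) {
  const bad = validateContact(body);
  if (bad.length > 0) {
    // Silent drop: keep a server-side record, reveal nothing to the client.
    log.push({ dropped: true, fields: bad });
  } else {
    const clean = {
      name: body.name.trim(),
      email: body.email.trim(),
      message: body.message.trim(),
    };
    defer(() => sendEmails(clean));
  }
  // Same response either way, so a bot cannot tell which fields to adjust.
  return { status: 200, body: { ok: true } };
}
```

Logging the dropped submissions is what makes the silent failure safe to operate: a sudden rise in drops points to either a bot run or a client-side check that has drifted out of sync with the server.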

Are we being unfair to spammers or bots?  Maybe.  Will these checks fail against a more sophisticated spamming attack?  Certainly.  We didn’t implement a captcha-type validation system, but these checks will prevent some spamming, so it’s a good solution for now.

