We have a 'Bully Button' form on our website which basically allows a student to report that they are being bullied. This form then gets emailed directly to their Head of Year to be dealt with. We've been getting students abusing this form so we basically want to set up some validation to make sure the reports from the Bully Button are genuine and not a whole page of profanities!!
What I've decided to do is get the student who is reporting the bullying to enter his/her date of birth. This will then be checked against their name and if correct, the form will submit.
I'm not sure how to implement this. I've created an online SQL Database of the students' Names and Dates of Birth in our Hosting Control Panel and connected to it in Dreamweaver (CS6) but am not sure how to do the validation. I guess it's along the same principles as checking a password against a name?
Any help would be greatly appreciated.
Thanks in advance.
Part of using forms on your site is the potential for abuse. Bear in mind, the harder you make it for someone to use your form for legitimate purposes, the fewer legitimate submissions you'll receive.
This also probably wouldn't reduce the spam submissions by students playing with the system. I can still remember the birthdates of quite a few of my classmates and it's been almost 20 years since high school.
You would likely be better off just setting up an email rule to toss offensive language submissions into a junk folder (this can also be done with PHP before it reaches your email client; many form scripts have it built in but turned off by default). That way, the students using the system for its intended purpose would have one less step and those playing with the system would have no effect on your email.
Thanks for the reply! Unfortunately, PHP is not an option. After our meeting this morning, we decided that this will dramatically cut down the amount of illegitimate emails we receive.
Would anyone else be able to help us?
PHP (or another server scripting language) is 100% required if you want to access a database to verify usernames and passwords from a web page in this manner.
Sorry, I should have said in my first post, I currently use ASP/VBScript on the site. Our server is MS Server 2008 so does not allow the use of PHP.
Also, I'm not seeking to verify Usernames and Passwords - just a Date of Birth field.
Please don't take offense to this, but ASP is the "or another server scripting language" from my post above in your situation.
EDIT: You also would need to validate both the username and password (child's name and birthdate) together, since you wouldn't want it to work with a random name and birth date.
I'm not sure if you are understanding me! I realise that I need to use a server scripting language such as ASP and VBScript, which I currently am using on the site. What I need is a little help in putting this into practice please.
I know how to write the code required but am not sure where to implement it when the submit button is clicked. Would a stored procedure within the Database be the best option?
All you need to do is query the database for the information. There are a lot of variables in between which make it hard to just give you an answer. For instance, how is the date stored (timestamp vs number; are conversions needed)?
The thing to consider here first is privacy. If students are supposed to be doing this anonymously I would forgo any of this project because anyone can look up someone else's birthday on Facebook to act as someone else, which is not secure at all and leaves you open to all kinds of forgery issues.
Are you using a Windows Network throughout the school? If so, simply having a student logged into a computer would allow you to track a form submission by the Windows login identity. I would think this would meet security standards for a school since none of this information should be available to a forward-facing server and would need to be queried within a secure school network. However, if students can go onto a library computer and be able to use it without an individual login, then that would defeat this as well.
The students will not be filling this form anonymously - hence the need to check the name/date of birth entered against the ones in the database which, if correct, will allow the form to be submitted. They will also not be using the form in school - it's for use in the privacy of their homes.
The database is MSSQL and the date of birth column is char as it's the only way I could get the student data to import into the database. No conversions required. All I need to do is check the name and date of birth entered against those in the database.
>I know how to write the code required but am not sure
>where to implement it when the submit button is clicked
You don't need a stored procedure. You simply need to query the database in your ASP/VBScript by passing the Name and birthdate from the form to the script and use that in a SELECT statement WHERE clause. Do you understand how HTML forms work?
I have the code sort of working. It works if I enter a wrong name (i.e. it tells me that the name or date of birth is wrong) but it still goes on to the part where it emails the actual content of the form, whereas it should just go back a page and let them check and amend their entry. It's probably to do with the If Then Else statement but it's been a few years since I did any coding so it's a bit beyond me at the moment!!
Any ideas would be gratefully accepted!!
sName = Request.Form("Name")
DOB = Request.Form("DOB")

'define the connection string, specify database driver
ConnString="Provider=sqloledb;Data Source=db454203171.db.1and1.com;Initial Catalog=db454203171;User Id=dbo454203171;Password=********;"

'declare the SQL statement that will query the database
'(the form values are concatenated straight into the SQL text)
SQL = "SELECT DOB.* FROM DOB WHERE Name = '" & sName & "' AND DOB = '" & DOB & "'"

'create an instance of the ADO connection and recordset objects
Set Connection = Server.CreateObject("ADODB.Connection")
Set Recordset = Server.CreateObject("ADODB.Recordset")

'Open the connection to the database
Connection.Open ConnString

'Open the recordset object executing the SQL statement and return records
Recordset.Open SQL, Connection

'first of all determine whether there are any records
If Recordset.EOF Then
    Response.Write("You have entered an incorrect Name or Date of Birth - please check it and try again.")
    Response.Write(sName & ", " & DOB)
    ' Send the user back to amend their Name/DOB (client-side only; the server-side code below still runs)
    Response.Write("<script>history.back();</script>")
End If

'close the connection and recordset objects to free up resources
Recordset.Close
Set Recordset = Nothing
Connection.Close
Set Connection = Nothing
Then the code continues below here which emails the Form back to the relevant person in School.
First of all, I hope that those are not actual database connection details. You should never post real connection details online, especially for a database that contains personal information about children.
Next, your query is susceptible to SQL injection. You need to read about how to prevent them by validating all data passed in and/or using parameterized queries.
Once you've got that solved, you'll want to use a response redirect to send the users to either a failed page that shows the error, or a success page that processes the email. You can't output anything using response.write prior to a redirect.
That's the test database with sample data in it. It doesn't contain any real info and has since been deleted.
Thanks for the help - I'll attempt to sort out the validation. However, I'm still in the dark as to why my code still allows the form to be mailed.
The response.write was there just to make sure the database connection works.
>However, I'm still in the dark as to why
>my code still allows the form to be mailed.
Because you have nothing in your code to stop it. Your test for an empty recordset only sends the user back using client side code - but does not stop the server side code from executing. Perhaps you meant to use an 'else' rather than the 'End If' to conditionally process the email, but I would use a response.redirect instead as I already suggested.
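Putting the two suggestions together (parameterized query instead of string concatenation, and a redirect instead of relying on client-side code to stop the email), here is an added example of how the lookup could look in classic ASP/VBScript. It is not code from the thread; it assumes the same DOB table with Name and DOB char columns as the original post, placeholder connection details, and a bully_form.asp page to send failed submissions back to.

```vbscript
<%
Option Explicit
' Added example (not from the thread): name/DOB check with an ADODB.Command
' and bound parameters, redirecting on failure so the email code never runs
' for an unverified submission.
Dim sName, sDOB, connString, conn, cmd, rs, matched

sName = Trim(Request.Form("Name"))
sDOB  = Trim(Request.Form("DOB"))

' Basic input sanity check before touching the database: empty or oversized
' values can never match a row, so send the student straight back.
If Len(sName) = 0 Or Len(sName) > 100 Or Len(sDOB) = 0 Or Len(sDOB) > 10 Then
    Response.Redirect "bully_form.asp?err=missing"
End If

' Placeholders only - real connection details belong outside the page.
connString = "Provider=sqloledb;Data Source=PLACEHOLDER_SERVER;Initial Catalog=PLACEHOLDER_DB;User Id=PLACEHOLDER_USER;Password=PLACEHOLDER_PASSWORD;"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connString

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1          ' adCmdText
' The form values are bound as parameters rather than spliced into the SQL,
' so a quote or semicolon in the input is treated as data, not as SQL.
cmd.CommandText = "SELECT COUNT(*) FROM DOB WHERE Name = ? AND DOB = ?"
cmd.Parameters.Append cmd.CreateParameter("Name", 200, 1, 100, sName)  ' adVarChar, adParamInput
cmd.Parameters.Append cmd.CreateParameter("DOB", 200, 1, 10, sDOB)

Set rs = cmd.Execute
matched = (rs(0) > 0)
rs.Close
conn.Close
Set rs = Nothing: Set cmd = Nothing: Set conn = Nothing

If Not matched Then
    ' Nothing has been written to the response yet, so the redirect is valid.
    ' Response.Redirect ends processing of this page, so the email code below
    ' cannot run for a failed check.
    Response.Redirect "bully_form.asp?err=nomatch"
End If

' Only a verified Name/DOB pair reaches this point: email the report here.
%>
```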
Do you know what? I spent sooooo much time on this yesterday that I must have been blind to that error! I just took another look at it and it's obvious. I've made a few modifications, created a new test database and it works just fine.
Thanks for your help. Just the validation to do now.