SOLVED

Backend form validation

Go to solution
Anonymous
Not applicable

Backend form validation

Hi there,

I am building a landing page with a Marketo form on it to capture basic user data. In our own backend, we have a custom validation logic for email-addresses to filter out non-company emails and competitors. I am trying to use the Forms 2 API to do that for me, but I see no way to embed my own backend-call there, wait for it's result or then abort the submission. Setting the `Mkto.validateField`-function seems to have a similar issue, as it's a synchronous call and I can't wait for an asynchronous web request there. Any help would be appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Backend form validation

There are examples of this concept if you search the Community.

Use a boolean in a closure (outside form.validate() scope) to manage the overall valid/invalid state.

In form.validate(), set form.submittable(boolean_state).

In your callback function, on a positive result set boolean_state = true and call form.submit().

Not sure why you'd waste latency doing this on your back end, though. If it's just pattern matching, you can implement it in JS and increase responsiveness for the end user.

View solution in original post

7 REPLIES 7
SanfordWhiteman
Level 10 - Community Moderator

Re: Backend form validation

There are examples of this concept if you search the Community.

Use a boolean in a closure (outside form.validate() scope) to manage the overall valid/invalid state.

In form.validate(), set form.submittable(boolean_state).

In your callback function, on a positive result set boolean_state = true and call form.submit().

Not sure why you'd waste latency doing this on your back end, though. If it's just pattern matching, you can implement it in JS and increase responsiveness for the end user.

View solution in original post

Anonymous
Not applicable

Re: Backend form validation

Thank you, that did work. I do see how this is an overall ugly flow, but unfortunately I've got a business requirement to do the validation that way. It's more than just a pattern comparison, and we'd also not like to put a list of our "acknowledged" competitors into the public Javascript.

SanfordWhiteman
Level 10 - Community Moderator

Re: Backend form validation

and we'd also not like to put a list of our "acknowledged" competitors into the public Javascript.

Comparing hashes would take care of that.

Anonymous
Not applicable

Re: Backend form validation

Since the entire hashing-logic (including salt) and the hashes would be in the public JS, competitors could easily attack that list. There's not that incredibly many possible competitors that this would be infeasible.

SanfordWhiteman
Level 10 - Community Moderator

Re: Backend form validation

No more vulnerable than what you have now. Competitors can already hit your web service with plain text and see if they get a positive result. If the hashes were local, they'd hash known domains and compare to your list.

So unless you're doing some major tarpitting on your server to slow down queries, either way will quickly reveal what subset of an already small set of potential domains is on your blacklist.

SanfordWhiteman
Level 10 - Community Moderator

Re: Backend form validation

It's more than just a pattern comparison

By "more than a pattern comparison" do you mean you're also checking the source IP?

At any rate... such measures are ultimately frivolous, since they can all be gotten around by posting the form without going through the JS.  You might as well shadowban the people on the server side (like pass the info to a webhook and delete the leads if they don't pass inspection). This way, they don't immediately know you're banning them, and if/when they figure it out and submit from another location and/or domain, they would've done that anyway.

Anonymous
Not applicable

Re: Backend form validation

Yeah, I came across this post by some guy in the search of answers (not that I wasn't aware of that issue before though) I assure you I am not relying on JS to secure input into our backend (or Marketo for that matter).