7 Replies Latest reply on Aug 10, 2018 1:27 AM by Fabian Grewing

    Backend form validation

    Fabian Grewing

      Hi there,

      I am building a landing page with a Marketo form on it to capture basic user data. In our own backend, we have a custom validation logic for email-addresses to filter out non-company emails and competitors. I am trying to use the Forms 2 API to do that for me, but I see no way to embed my own backend-call there, wait for its result or then abort the submission. Setting the `Mkto.validateField`-function seems to have a similar issue, as it's a synchronous call and I can't wait for an asynchronous web request there. Any help would be appreciated.

        • Re: Backend form validation
          Sanford Whiteman

          There are examples of this concept if you search the Community.

           

          Use a boolean in a closure (outside form.validate() scope) to manage the overall valid/invalid state.

           

          In form.validate(), set form.submittable(boolean_state).

           

          In your callback function, on a positive result set boolean_state = true and call form.submit().

           

          Not sure why you'd waste latency doing this on your back end, though. If it's just pattern matching, you can implement it in JS and increase responsiveness for the end user.

          1 of 1 people found this helpful
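The flow described in the reply above, as an added example that is not part of the original thread. It registers the handler with `form.onValidate()` and goes one step beyond the boolean by remembering the last email the backend approved, so an edited address is checked again. `gateOnBackendCheck`, `checkEmail`, the `/validate-email` endpoint and the `#Email` selector are assumptions.

```javascript
// Added example: hold a Marketo form submit until an async backend check answers.
// `checkEmail(email, cb)` is a hypothetical function that calls cb(true|false).
// UX gate only: a direct POST skips this JS, so the backend must enforce it too.
function gateOnBackendCheck(form, checkEmail, onReject) {
  var approvedEmail = null; // closure state: last value the backend accepted
  var pendingEmail = null;  // value currently being checked, if any

  form.onValidate(function (nativeValid) {
    if (!nativeValid) return;             // let the form's own errors show first
    var email = String(form.vals().Email || "").trim().toLowerCase();
    if (email === approvedEmail) {        // already vetted: let this submit through
      form.submittable(true);
      return;
    }
    form.submittable(false);              // block until the backend answers
    if (email === pendingEmail) return;   // request for this value is in flight
    pendingEmail = email;
    checkEmail(email, function (ok) {
      if (pendingEmail !== email) return; // stale answer: the field changed
      pendingEmail = null;
      if (ok) {
        approvedEmail = email;
        form.submit();                    // re-runs validation, now submittable
      } else if (onReject) {
        onReject(email);
      }
    });
  });
}

// Wiring on the landing page (runs only where the Forms 2 library is loaded).
if (typeof MktoForms2 !== "undefined") {
  MktoForms2.whenReady(function (form) {
    gateOnBackendCheck(form, function (email, done) {
      // "/validate-email" is a placeholder endpoint; network errors fail closed.
      fetch("/validate-email", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ email: email })
      }).then(function (r) { return r.ok; })
        .then(done, function () { done(false); });
    }, function () {
      form.showErrorMessage("Please use a company email address.",
        form.getFormElem().find("#Email"));
    });
  });
}
```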
            • Re: Backend form validation
              Fabian Grewing

              Thank you, that did work. I do see how this is an overall ugly flow, but unfortunately I've got a business requirement to do the validation that way. It's more than just a pattern comparison, and we'd also not like to put a list of our "acknowledged" competitors into the public JavaScript.

                • Re: Backend form validation
                  Sanford Whiteman

                  and we'd also not like to put a list of our "acknowledged" competitors into the public JavaScript.

                  Comparing hashes would take care of that.

                    • Re: Backend form validation
                      Fabian Grewing

                      Since the entire hashing-logic (including salt) and the hashes would be in the public JS, competitors could easily attack that list. There aren't so incredibly many possible competitors that this would be infeasible.

                        • Re: Backend form validation
                          Sanford Whiteman

                          No more vulnerable than what you have now. Competitors can already hit your web service with plain text and see if they get a positive result. If the hashes were local, they'd hash known domains and compare to your list.

                           

                          So unless you're doing some major tarpitting on your server to slow down queries, either way will quickly reveal what subset of an already small set of potential domains is on your blacklist.

                      • Re: Backend form validation
                        Sanford Whiteman

                        It's more than just a pattern comparison

                        By "more than a pattern comparison" do you mean you're also checking the source IP?

                         

                        At any rate... such measures are ultimately frivolous, since they can all be gotten around by posting the form without going through the JS. You might as well shadowban the people on the server side (like pass the info to a webhook and delete the leads if they don't pass inspection). This way, they don't immediately know you're banning them, and if/when they figure it out and submit from another location and/or domain, they would've done that anyway.