Everything posted by simcoweb

  1. frost, thanks for the post. I'm slugging through this and keep hitting errors that I don't quite get. But first, on this part of your code: I'm using this: since the way I'm interpreting this is these jerkwads are using the comments box of the form to enter URLs and other spam words. By checking just this field I can determine if the form submission contains any of those key words. If so, then it would reject it immediately after 'Submit' and throw them to the reject.htm page. So, the $str should be checking against the $_POST['comments'] field. Do I have this right?
  2. Ok, I inserted these code ideas into my existing script but ran into errors, tweaked it a bit, ran into more errors, etc. Basically what I want it to do is to work as part of the 'validation' of the form results. So that's the way I approached it as part of the validation section. Here's the code:

     ```php
     <?php
     // ebook registration and database insertion
     include 'db_config.inc';

     if (isset($_POST['Submit'])) {
         // our attempt to stop spammers
         $wordfile = file_get_contents('words.txt');
         $notallowed = explode(",",$wordfile);
         $str = $_POST['comments'];
         foreach ($notallowed as $keyword) {
             $keyword = trim($keyword);
             if(preg_match('/'.$keyword.'/i',$str)) {
                 header("location: reject.htm");exit; //Or whatever the logout url is
             } else {
                 //Whatever you get the drift :-P
                 // post our variables from the registration form
                 $name = mysql_real_escape($_POST['name']);
                 $phone = mysql_real_escape($_POST['phone']);
                 $email = mysql_real_escape($_POST['email']);
                 $facing_foreclosure = $_POST['name'];
                 $referred_by = mysql_real_escape($_POST['referred_by']);
                 $comments = mysql_real_escape($_POST['comments']);
                 $today = date("F j, Y, g:i a");
                 // input error checking
                 if ($name=="") {
                     $err.= "Please enter your name.<br/>";
                 }
                 if (!$phone==""){
                     $err.= "Please enter your phone number.<br/>";
                 }
                 if (!$email) {
                     $err.= "Please provide your email address<br>";
                 }
                 if ($email) {
                     if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
                         $err.= $email. " is not a valid email address.<br/>";
                     }
                 }
                 if ($err=="") {
                     // make database connection
                     db_conn();
                     // mail the results to admin
                     send_ebook_mail();
                     // run the query
                     ebook_insert();
                 }
             }
         }
     }
     ?>
     ```

     This code is a bit modified from the first attempt where I did not have the 'if (isset($_POST['Submit'])){' part included.
     Without it it was throwing this error as soon as you arrive at the page: This is that section of the code:

     ```php
     // our attempt to stop spammers
     $wordfile = file_get_contents('words.txt');
     $notallowed = explode(",",$wordfile);
     $str = mysql_real_escape($_POST['comments']);
     foreach ($notallowed as $keyword) {
         $keyword = trim($keyword);
         if(preg_match('/'.$keyword.'/i',$str)) {
             header("location: reject.htm");exit; //Or whatever the logout url is
         } else {
     ```

     I don't understand why that's throwing that error. So, I added the 'if(isset)' line so the code wouldn't parse when arriving at it. Here's what I get at that point:

     Warning: Invalid argument supplied for foreach() in /home/content/C/o/r/website/html/ebook.php on line 123

     Which is a 'foreach' loop that displays the error messages from the validation. Not quite sure why this is happening. Once again, I'm trying to add further 'filtering' and validation to the form. The original form parsing script worked fine but these bozos want to keep submitting it with cialis and viagra ads in it which is what we're trying to stop. Ideas?
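
An added example, not code from any of the posts: one way to write the comment-field word check discussed in posts 2, 5, 6 and 9, in current PHP. It goes a little beyond the posts by accepting both word-list layouts and matching whole words only; the function names, word list and sample comments are constructed for illustration.

```php
<?php
// Added example (not the poster's code); all names and sample data are constructed.

// Accepts comma- and/or newline-separated lists, so either words.txt layout works.
function load_blocked_words(string $raw): array {
    $words = array_map('trim', preg_split('/[,\r\n]+/', $raw));
    // Drop blanks: an empty keyword builds the pattern '//i', which matches every input.
    return array_values(array_unique(array_filter($words, 'strlen')));
}

// Returns the blocked words present in $text, matched case-insensitively.
function find_blocked_words(string $text, array $blocked): array {
    $hits = [];
    foreach ($blocked as $word) {
        // Anchor on word boundaries only where the keyword itself starts/ends with a
        // word character, so "cialis" does not fire inside "specialist".
        $start = preg_match('/^\w/', $word) ? '\b' : '';
        $end   = preg_match('/\w$/', $word) ? '\b' : '';
        // preg_quote() keeps ".", "[", "/" etc. in the list from acting as regex syntax.
        if (preg_match('/' . $start . preg_quote($word, '/') . $end . '/i', $text) === 1) {
            $hits[] = $word;
        }
    }
    return $hits;
}

// Returns an array of error messages; empty means the comment passed the filter.
function check_comments(string $comments, array $blocked): array {
    $errors = [];   // always an array, so a later foreach over it never warns
    $hits = find_blocked_words($comments, $blocked);
    if ($hits) {    // decided once, after every keyword has been checked
        $errors[] = 'You have entered unauthorized words: ' . implode(', ', $hits);
    }
    return $errors;
}

// Constructed data standing in for words.txt and $_POST['comments'].
$blocked = load_blocked_words("Viagra, cialis,\nlevitra\n[url=,");
$samples = [
    'I am three months behind and need advice.',
    'generic CIALIS [url=http://spam.example/x] cheap [/url]',
    'A loan specialist referred me to you.',
];
foreach ($samples as $comments) {
    $errors = check_comments($comments, $blocked);
    echo ($errors ? 'REJECT (' . $errors[0] . ')' : 'ACCEPT') . ': ' . $comments . PHP_EOL;
}
```

When the message or the submitted comment is echoed back into an HTML page rather than a terminal, pass it through htmlspecialchars() first.
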
  3. I can't see where you've defined the value of $id. That's probably why it shows 0 each time.
  4. cooldude832, I was pondering that as well: exchanging the opening of the text file for a MySQL query. These are all great ideas and suggestions. Thanks to all!
  5. Ok, cool. Now, final question on the words. Does Cialis = cialis ? Should I add all variations to the list? Cialis cialis CIALIS for example? Or can we write it where case doesn't matter?
  6. Caeser, quick question. On the 'words.txt' file, I'm guessing the words should be entered one per line like so?

     word
     word
     word
     word

     or could they be like so:

     word, word, word, word

     using the comma separator. I'm also thinking of just using a database table for them. Later on that, though.
  7. NOW we're talkin! Kick 'em the hell outta there, baby. I'm CERTAIN that no innocents will be extricated from the site since the site is about foreclosure and the words Cialis, Viagra, erection, etc. etc. etc. would NOT be used in the content of a legitimate inquiry. Ok, let me tweak that a bit and I'll post back. Thanks!
  8. I'm already doing this:

     ```php
     // post our variables from the registration form
     $name = mysql_real_escape($_POST['name']);
     $phone = mysql_real_escape($_POST['phone']);
     $email = mysql_real_escape($_POST['email']);
     $facing_foreclosure = $_POST['name'];
     $referred_by = mysql_real_escape($_POST['referred_by']);
     $comments = mysql_real_escape($_POST['comments']);
     $today = date("F j, Y, g:i a");
     ```

     But need to know if perhaps there's a way to enhance that and also separately have some type of word filter working off a text list of taboo words.
  9. Thanks for that snippet, Caeser. I think what I'd like to do instead of replacing it is just block it. So, if they enter those words outlined in the filter array it would block the submission of the form completely citing 'you have entered unauthorized words: echo the words in question'. So, building off of your array for the unacceptable words, I'm assuming I'd have to do some sort of match of the input against the array then display the error message in the event there's one or more matches. Any ideas on how to code that?
  10. Ok, I have a contact form I created for a client where people register to download an Ebook. Problem is in the comments field these spam monkeys are putting in crap like this:

      ```
      generic viagra cialis levitra soma propecia [url=http://intra.som.umass.edu/mannino/_disc1/000017e4.htm ] generic viagra [/url] [url=http://intra.som.umass.edu/mannino/_disc1/000017e5.htm ] cialis [/url] [url=http://intra.som.umass.edu/mannino/_
      ```

      Where they're using typical bulletin board style coding for their html. So:

      1. is there a way to reject certain words from being used in the form fields?
      2. what syntax would I use to strip out this lame attempt of inserting links into the comments <textarea>?
      3. how can I send 40,000 volts through their mouse when they hit the submit button?

      Thanks!
  11. This part: for ($i = 0; $i < $result; $i++) { doesn't make any sense since it's checking if $i is < (less than) $results. The $results contains the data from your query, not an integer.
  12. You could use something like this:

      ```php
      // display results
      $totalColumns = 5;
      $i = 1;
      echo "<table border='0' cellpadding='2'>";
      while ($row = mysql_fetch_array($results)){
          if ($i == 1) echo "<tr>";
          echo "<td>";
          echo "place your database row calls in here";
          echo "</td>";
          if ($i == $totalColumns) {
              echo "</tr>";
              $i = 0;
          }
          $i++;
      }
      // close the last row if it was left partly filled
      if ($i != 1) echo "</tr>";
      echo "</table>";
      ```
  13. ```php
      <?php
      // select all from your database and display in a table
      // first you have to make sure you're connected to the database which can be done
      // using a separate file that has that info and include it like this
      include 'dbinfo.php';

      // now that you are connected you can query the database
      $sql = "SELECT * FROM tablenamegoeshere";
      // that * means to summon everything. Now we execute the query and put all the data into a variable $results
      $results = mysql_query($sql) or die(mysql_error());
      // the $results variable now contains all your field data which needs to be separated into the proper columns
      // now we are going to start our display of the data in a table and rows
      echo "<table width='100%' border='1'>";
      echo "<tr><th>Field One</th><th>Field Two</th><th>Field Three</th></tr>";
      // The <th> tag makes a name at the top of each column for the field
      // now we use a while loop to create as many table rows as needed and as many table cells <td> as needed
      while ($row = mysql_fetch_array($results)) {
          echo "<tr><td>".$row['fieldname1']."</td><td>".$row['fieldname2']."</td><td>".$row['fieldname3']."</td></tr>";
      }
      // now we close the table tag
      echo "</table>\n";
      // my example shows just 3 table fields. However, you can use as many as you need with the only problem being
      // how much space you have width wise. So, if you had 30 fields then obviously you can't have them go all
      // in one row. You may have to go vertical with those.
      // now all you need to do is close the script. This is a very simple and plain search and display. You can use
      // it as a guide on how to do it. If you need more specific data and not everything from the database then use
      // this method for the search
      $sql = "SELECT something, something2, something3, etc FROM nameoftable WHERE somefield='someinfo'";
      // that would narrow it down. You'd use the same display method if you wish.
      ?>
      ```
  14. Post your form code just to be sure.
  15. Heh, well, make sure that those $_POST['blah'] fields I used in the example match the names of your form fields. My sample was just that..a sample.
  16. Ok, let's walk through that a step at a time: get the user's ip address from the userdb where the 'id' is 'refer' then it will insert..blah blah Now, all you need is to make sure you pass the 'refer' through the URL so the $_GET snags it.
  17. You've got the right idea but just need to carry forward what happens if everything checks out. I doubt seriously if you want to exit the script if, indeed, the fields match properly. You might try it like this:

      ```php
      $errors = array();
      if (empty($_POST['oldpass']) || empty($_POST['newpass']) || empty($_POST['cnewpass'])) {
          $errors[] = "You did not complete all the password fields. Please try again.";
      } else {
          $newpass = $_POST['newpass'];
          $cnewpass = $_POST['cnewpass'];
          if ($newpass != $cnewpass) {
              $errors[] = "The new password and confirm password fields do not match. Please try again";
          } else {
              //execute all your good code here since it's passed all the tests
          }
      }
      ```

      For the errors, you want those to display somewhere in the page probably above the form. So, you'd insert this code in there:

      ```php
      <?php
      // Loop through all errors
      if(!empty($errors)) {
      ?>
      <ul>
      <?php foreach($errors as $message) { ?>
          <li id='errorMess'><?= @$message ?></li>
      <?php } ?>
      </ul>
      <?php } ?>
      ```

      You don't have to stretch it out quite like that but I was feeling lazy. This will loop through the $errors array and display the error messages. The basic principle of the if/else is IF this condition IS NOT met then DO THIS.
  18. Well, you're telling the query to select the one with the 'ipaddress' that matches $refip so $refip needs to already have a value set for it. Usually that is done by something like a: $refip = $_POST['refip']; from a form, for example. Or, possibly something passed in the url like this: $refip = $_GET['refip']; Now, in your query, it will match the value of that $refip with the value in the 'ipaddress' field.
  19. This segment: WHERE `ipaddress` = '$refip' Where/how is $refip set?
  20. In the first one:

      ```php
      if (($oldpass==NULL)||( $newpass==NULL)||( $cnewpass==NULL)) {
          echo "You have not entered all the fields";
      }else{
          exit();
      }
      ```

      you're telling it to check that those have been set or 'not empty' basically. But, IF they ARE set you're telling the script to 'exit'. In the 2nd one:

      ```php
      //
      if($newpass!=$cnewpass) {
          echo "Passwords do not match";
      } else {
      }
      ```

      you're saying that IF they DON'T match then echo the error but IF THEY DO MATCH you're telling it to do nothing. That 2nd curly bracket should be below all the code you want to execute IF they DO MATCH.
  21. This may not be the only error but you're missing a closing } here:

      ```php
      if (!($valid_user)) {
          session_unset(); // Unset session variables.
          session_destroy(); // End Session we created earlier.
          // escape from php mode.
      ?>
      ```
  22. These variables: $refer '$refip $ip $username have to have their values set somehow/somewhere. Show me how you set the values.
  23. ```php
      if (($oldpass==NULL)||( $newpass==NULL)||( $cnewpass==NULL)) {
          echo "You have not entered all the fields";
      }else{
          exit();
      }
      //
      if($newpass!=$cnewpass) {
          echo "Passwords do not match";
      } else {
      }
      ```

      In each of those if/else statements you don't set any rules for the 'else' part. What they are saying is IF these don't match echo the error but IF they do match then do...... ?
  24. Please show us where/how you have those variables defined.