nunu78

THANK YOU! That was very helpful. I used the preg_match to create similar function as the strip_tags is and so far testing has proved it works. YAY! ;D

the first two choices should be removed. The main idea is that spam messages would be removed. All legitimate (known) users know that html and links are forbidden and I am just looking for a way to automatically stop spam messages that include links of any kind.

[url=http://pomogli3.nm.ru/giorgio-gori-giornalista-morto.ht ml]giorgio gori giornalista morto[/url] this is one way of getting the link pass strip_tags. And the output that I want is for the script to recognise this as an link and stop it from going to the actual guestbook (opens up a spampage or gives the error 404 page). Is there something similar to strip_tags (and if tags are stripped, message is blocked) that would prevent the use of [ ] tags?

bump...

I'd like some help with this, as I am still new to php... What I want the code do is: 1) get rid of messages if they contain tags of any kind (thanks to genericnumber1 this works) 2) if the message did not contain tags, but masked URLS using [ ] and < find those (or the always present href, as I've tried myself) and get rid of the message if they do appear in the message All help is appreciated. $strippedInput = strip_tags($message); if($message != $strippedInput) { header('location:trap.php'); // something to redirect back, maybe with an error die(); } if (!preg_match("/href/i", $message)) { header('location:trap.php'); // something to redirect back, maybe with an error die(); } all the code here: <?php // You can customize the date and time format using PHP. As they are set now, // the date will appear in the form "Sunday, January 11, 2004" and the time in // the form "1:04 pm". Another common date format would be 01.11.04; to change // it to this, replace 'l, F j, Y' with 'm.d.y'. More info can be found at // http://us2.php.net/manual/en/function.date.php. $dateFormat = 'd.m.Y'; $timeFormat = 'H:i'; if (empty($_POST['message'])) { header('Location: '.$_POST['bookurl'].'?contents=blank'); } else { $entryFile = 'entries.txt'; $formatFile = 'format.php'; $message = stripslashes($_POST['message']); $allowedTags = '<a><em><strong><b><i><img>'; $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id'; function removeEvilTags($source) { global $allowedTags; $source = strip_tags($source, $allowedTags); return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source); } function removeEvilAttributes($tagSource) { global $stripAttrib; return stripslashes(preg_replace("/$stripAttrib/i", 'forbidden', $tagSource)); } function word_wrap($message) { $maxLength = 60; $cut = ' '; $result = ''; $wordlength = 0; $length = strlen($message); $tag = FALSE; for ($i = 0; $i < $length; $i++) { $char = substr($message, $i, 1); if ($char == '<') { $tag = TRUE; } elseif ($char == '>') { $tag = FALSE; } elseif (!$tag && $char == ' ') { $wordlength = 0; } elseif (!$tag) { $wordlength++; } if (!$tag && !($wordlength%$maxLength)) { $char .= $cut; } $result .= $char; } return $result; } $strippedInput = strip_tags($message); if($message != $strippedInput) { header('location:trap.php'); // something to redirect back, maybe with an error die(); } if (!preg_match("/href/i", $message)) { header('location:trap.php'); // something to redirect back, maybe with an error die(); } $message = word_wrap(removeEvilTags($message)); $message = str_replace(array('&', "\r\n\r\n"), array('&', '</p><p>'), $message); $message = str_replace(array('&gt;', '&lt;', "\r\n"), array('>', '<', '<br />'), $message); $signername = strip_tags(stripslashes($_POST['signername'])); $email = urlencode(strip_tags(stripslashes($_POST['email']))); $url = urlencode(strip_tags(stripslashes($_POST['url']))); $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url); $formatted = file_get_contents($formatFile); $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%'); $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat)); $formatted = str_replace($variables, $inputs, $formatted); $oldEntries = fopen($entryFile, 'r'); $content = fread($oldEntries, filesize($entryFile)); fclose($oldEntries); $newContent = $formatted."\n".$content; $allEntries = fopen($entryFile, 'w'); fwrite($allEntries, $newContent); fclose($allEntries); header('Location: '.$_POST['bookurl']); } ?>

Or would it just be easiest to look for specific words or phrases in the message and block it based on that? For example block all messages that has the "http://www" in it? *goes to try to find how to do that*

function cleanForMarkup($string, $doLineBreaks = true) { $string = trim($string); $string = htmlentities($string, ENT_QUOTES); if ($doLineBreaks) $string = nl2br($string); return $string; } Might this be useful for me?

Well, it's parts from here and there and so far my coding in php is so beginners level, that I can't do a thing about it. But if it keeps the spam away, I can always write a note next to the send button in the form, asking not to use line change/enter. I just want to keep the spam away!

nope, both solutions cause the message to disappear... and I have to keep those as people who post to my guestbook keep hitting enter when they have longer messages and want to start new paragraphs and separate different matters in the message...

I think it might be some kind of a bug... When I added the $source = htmlentities($source); part to the code (in the right place of course) it refused also messages where when testing I wrote test test using ENTER-key to change the line between words. And before adding that piece of code it worked just fine. And I am sure it's not the code that does that, but a bug. But is the bug somewhere in my files or is it somewhere on the server or where, that I don't know as of now. Thanks for helping with the spamfight though! Much appreciated!

I will try that one as well. Thank you! This at least keeps the spam away for a while, I hope. I am having issues with my textarea in the form, it refuses messages that have been paragarphed. I guess that's another topic if I can't do anything to it myself.

THANK you for answering... and another question right away: I assume that this decodes <br> and <p> as well. How would I go about if I would want to allow those two?

I seem to be the only one writing to this topic but anyway... I just found out why the strip_tags part is not working. The spammers are using < instead of < and the result is obvious. Any way to stop messages with < ?

Okay, since yesterday evening the blocking of html-code hasn't been working as well as it did for a month, there seems to be a way to bypass this strip_tag code... ANY help is appreciated!

Anyone?