Hello,
I thought I had the spammers shut out, but they're back and running right through my PHP like it wasn't there. I just don't know enough code to secure my forms, please help!
Here is an example of the JUNK getting through:
Here is what I'm using for testing field data
$errors = array();
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $form_input = $_POST;
} elseif ($_SERVER['REQUEST_METHOD'] == "GET") {
    $form_input = $_GET;
} else {
    exit;
}

// Remove leading whitespace from all values (recurses into nested arrays).
function recursive_array_check(&$element_value)
{
    if (!is_array($element_value)) {
        $element_value = ltrim($element_value);
    } else {
        foreach ($element_value as $key => $value) {
            $element_value[$key] = recursive_array_check($value);
        }
    }
    return $element_value;
}
recursive_array_check($form_input);

// Check referrer is from same site.
if (!(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))) {
    $errors[] = "You must enable referrer logging to use the form";
}

// Strip HTML tags from all fields (recurses into nested arrays).
function recursive_array_check2(&$element_value)
{
    if (!is_array($element_value)) {
        $element_value = strip_tags($element_value);
    } else {
        foreach ($element_value as $key => $value) {
            $element_value[$key] = recursive_array_check2($value);
        }
    }
    return $element_value;
}
recursive_array_check2($form_input);

// Validate FirstName field.
if (isset($form_input['FirstName']) && !empty($form_input['FirstName'])) {
    if (preg_match("`[\r\n]`", $form_input['FirstName'])) { $errors[] = "You have submitted an invalid new line character"; }
    if (preg_match("/[^a-z' -]/i", stripslashes($form_input['FirstName']))) { $errors[] = "You have submitted an invalid character in the first name field"; }
}

// Validate LastName field (checks LastName, not FirstName as the original copy-paste did).
if (isset($form_input['LastName']) && !empty($form_input['LastName'])) {
    if (preg_match("`[\r\n]`", $form_input['LastName'])) { $errors[] = "You have submitted an invalid new line character"; }
    if (preg_match("/[^a-z' -]/i", stripslashes($form_input['LastName']))) { $errors[] = "You have submitted an invalid character in the last name field"; }
}

// Validate Phone field.
if (isset($form_input['Phone']) && !empty($form_input['Phone'])) {
    if (preg_match("`[\r\n]`", $form_input['Phone'])) { $errors[] = "You have submitted an invalid new line character"; }
    // if (preg_match("/[^a-z' -]/i", stripslashes($form_input['Phone']))) { $errors[] = "You have submitted an invalid character in the phone field"; }
}

// Validate Street1 field.
if (isset($form_input['Street1']) && !empty($form_input['Street1'])) {
    if (preg_match("`[\r\n]`", $form_input['Street1'])) { $errors[] = "You have submitted an invalid new line character"; }
}

// Validate Street2 field.
if (isset($form_input['Street2']) && !empty($form_input['Street2'])) {
    if (preg_match("`[\r\n]`", $form_input['Street2'])) { $errors[] = "You have submitted an invalid new line character"; }
}

// Validate City field.
if (isset($form_input['City']) && !empty($form_input['City'])) {
    if (preg_match("`[\r\n]`", $form_input['City'])) { $errors[] = "You have submitted an invalid new line character"; }
}

// Validate email field.
if (isset($form_input['Email']) && !empty($form_input['Email'])) {
    if (preg_match("`[\r\n]`", $form_input['Email'])) { $errors[] = "You have submitted an invalid new line character"; }
    if (!preg_match('/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]{2,4}$/i', $form_input['Email'])) { $errors[] = "Email address is invalid"; }
}

// Display any errors and exit if errors exist.
if (count($errors)) {
    foreach ($errors as $value) {
        print "$value<br>";
    }
    exit;
}
As far as I can tell they are not adding new recipients or blind copying, but I could be very wrong - I hope not. So that means they are just spamming us, which is still no good.
Why isn't this PHP stripping those <>?/|{[ HTML tags?
And how can I be sure they are not using our forms to send out their spam to others?
And why is safe guarding form-data so hard and confusing? Doing a search only brings up conflicting information and websites of discussions where no one agrees and no solutions are given.
Oy! I need straight, simple answers - can anyone help me?
Thanks
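As an added example, not the poster's code, here is the same set of fields checked with a per-field whitelist instead of strip_tags(), plus a CR/LF check on every value that could end up in a mail header, which is the check that stops a form from being turned into a relay for other recipients. The function name, the patterns, the length caps and the sample submission are assumptions of mine.

```php
<?php
// Added example (not the poster's code): whitelist validation for the same
// form fields, plus a demonstration of what strip_tags() does and does not do.
// One whitelist pattern per field; the name pattern is the poster's own class
// with a length cap added. Field names follow the poster's form.
$rules = [
    'FirstName' => "/^[a-z' -]{1,64}$/i",
    'LastName'  => "/^[a-z' -]{1,64}$/i",
    'Phone'     => '/^[0-9 ()+.-]{6,20}$/',
    'Street1'   => "/^[a-z0-9' .,#-]{1,100}$/i",
    'Street2'   => "/^[a-z0-9' .,#-]{1,100}$/i",
    'City'      => "/^[a-z' .-]{1,64}$/i",
];

function validate_contact_form(array $input, array $rules)
{
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if ($value === '') {
            continue; // optional field left blank
        }
        // A CR or LF inside a value that is later placed in a mail header lets the
        // sender append headers of their own (extra recipients), so reject it outright.
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field: line breaks are not allowed";
            continue;
        }
        // Whitelist instead of strip_tags(): anything outside the allowed set,
        // stray punctuation included, is rejected rather than "cleaned".
        if (!preg_match($pattern, $value)) {
            $errors[] = "$field: contains characters that are not allowed";
        }
    }
    $email = isset($input['Email']) ? trim((string) $input['Email']) : '';
    // filter_var() rejects malformed addresses, including any containing CR/LF.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email: address is invalid';
    }
    return $errors;
}

// Constructed sample submission, the kind of input the poster describes.
$sample = [
    'FirstName' => "Bob\r\nBcc: someone@example.invalid", // extra header hidden in a name
    'LastName'  => '<>?/|{[',                             // punctuation, not an HTML tag
    'Email'     => 'not-an-address',
];
// strip_tags() only removes "<...>" sequences; the remaining punctuation stays.
echo strip_tags($sample['LastName']), "\n";
print_r(validate_contact_form($sample, $rules)); // three errors: FirstName, LastName, Email
```

strip_tags() is an HTML sanitiser, not an input filter: it removes tag-shaped sequences and leaves everything else alone, so the validation has to decide what is allowed rather than what to strip.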