dingi
Posts posted by dingi

  1. Anonymouse web proxy can be detected using "HTTP_X_FORWARDED_FOR" with other similar tags, including some array using port definitions, though it is not 100% efficient. But I have heard that "Elite Proxy Server" cannot be detected at all. Is it true? Or is there any loophole in it, so that some code using PHP can be used to detect an Elite Proxy server? Can anyone give tips about it? Has anyone tried using some PHP code to detect it? Or is there any special software that can be uploaded to our server? Please help. Thanks
  2. The index.php is used to log in to my admin panel to create forms myself. But this admin login needs brute-force protection. So I decided to limit the number of login attempts to 3. I tried the code below but could not get it to work.

    The code I tried is (login limit code):

    // $login_incorrect is never set anywhere in the index.php below, so this block never runs as posted.
    // Note that the counter lives in a browser cookie, which the client controls and can clear at will.
    if($login_incorrect){
        if(isset($_COOKIE['login'])){
            if($_COOKIE['login'] < 3){
                $attempts = $_COOKIE['login'] + 1;
                setcookie('login', $attempts, time()+60*10); // set the cookie for 10 minutes with the number of attempts stored
            } else{
                echo 'You are banned for 10 minutes. Try again later';
            }
        } else{
            setcookie('login', 1, time()+60*10); // set the cookie for 10 minutes with the initial value of 1
        }
    }

    The above code or similar code needs to be inserted in the index.php. Please see the index.php code below:

    <?php
    // session_start(), $ssl_suffix, get_dirname(), ADMIN_USER and ADMIN_PASSWORD come from the config include (not shown)
    if(!empty($_SESSION['logged_in']) && $_SESSION['logged_in'] == true){
        header("Location: http{$ssl_suffix}://".$_SERVER['HTTP_HOST'].get_dirname($_SERVER['PHP_SELF'])."/manage_form.php");
        exit;
    }

    if(!empty($_POST['submit'])){
        $username = trim($_POST['admin_username']);
        $password = trim($_POST['admin_password']);
        if(($username != ADMIN_USER) || ($password != ADMIN_PASSWORD)){
            $_SESSION['AP_LOGIN_ERROR'] = 'Please enter the correct user and password!';
        }else{
            $_SESSION['logged_in'] = true;
            if(!empty($_SESSION['prev_referer'])){
                $next_page = $_SESSION['prev_referer'];
                unset($_SESSION['prev_referer']);
                // $next_page originates from the 'from' query parameter below, so it is user-controlled
                header("Location: http{$ssl_suffix}://".$_SERVER['HTTP_HOST'].$next_page);
                exit;
            }else{
                header("Location: http{$ssl_suffix}://".$_SERVER['HTTP_HOST'].get_dirname($_SERVER['PHP_SELF'])."/manage_form.php");
                exit;
            }
        }
    }

    if(!empty($_GET['from'])){
        $_SESSION['prev_referer'] = base64_decode($_GET['from']);
    }

    $hide_nav = true;
    ?>

    I don't know where to insert the "login limit code" in the index.php. Also it seems that the "login limit code" definitions don't match the definitions of the code in the index.php. I am stuck at this point, not knowing how to alter the "login limit code" and insert it in the appropriate place in the index.php. Please read both the codes above and help me implement it so it works. Expecting someone to solve it. Thanks
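    A server-side way to do the limiting this post asks for, added here as an example and not code from the thread: a cookie counter lives in the browser and can simply be deleted, so this version keeps the failure count in a file on the server, keyed by username, and checks it before the credentials are compared. It assumes ADMIN_USER and ADMIN_PASSWORD are defined as in index.php and that the attempts file path (an assumption) is writable by the web server; keying by username means anyone can lock the admin account for ten minutes, which is the usual trade-off against keying by an IP address that a proxy user can change.

```php
<?php
// Added example (not from the thread): server-side login attempt limiting for index.php.
// Assumes ADMIN_USER / ADMIN_PASSWORD come from the existing config include and that
// ATTEMPT_FILE (assumed path, outside the web root) is writable by the web server.
const MAX_ATTEMPTS    = 3;
const LOCKOUT_SECONDS = 600;   // 10 minutes, as in the cookie version
const ATTEMPT_FILE    = __DIR__ . '/../login_attempts.json';
function loadAttempts(): array {
    $data = json_decode((string) @file_get_contents(ATTEMPT_FILE), true);
    return is_array($data) ? $data : [];
}
function saveAttempts(array $data): void {
    file_put_contents(ATTEMPT_FILE, json_encode($data), LOCK_EX);
}
// Seconds the username is still locked out, or 0 if a login may be attempted.
function lockRemaining(string $user): int {
    $entry = loadAttempts()[$user] ?? ['count' => 0, 'last' => 0];
    if ($entry['count'] < MAX_ATTEMPTS) {
        return 0;
    }
    return max(0, $entry['last'] + LOCKOUT_SECONDS - time());
}
function recordResult(string $user, bool $success): void {
    $data  = loadAttempts();
    $entry = $data[$user] ?? ['count' => 0, 'last' => 0];
    if ($success) {
        unset($data[$user]);
    } else {
        // failures older than the lockout window no longer count
        $count = (time() - $entry['last'] > LOCKOUT_SECONDS) ? 1 : $entry['count'] + 1;
        $data[$user] = ['count' => $count, 'last' => time()];
    }
    saveAttempts($data);
}
// Replaces the credential check in index.php; returns '' on success, else an error text.
function attemptLogin(string $user, string $pass): string {
    $user = substr($user, 0, 64);   // bound what an attacker can write into the file
    if (($wait = lockRemaining($user)) > 0) {
        return 'Too many failed logins. Try again in ' . ceil($wait / 60) . ' minute(s).';
    }
    // hash_equals compares in constant time; != would leak where the mismatch occurred.
    $ok = hash_equals(ADMIN_USER, $user) && hash_equals(ADMIN_PASSWORD, $pass);
    recordResult($user, $ok);
    if ($ok) {
        $_SESSION['logged_in'] = true;
        return '';
    }
    return 'Please enter the correct user and password!';
}
```

    Inside index.php's `if(!empty($_POST['submit']))` block, call `attemptLogin($username, $password)` and store a non-empty return value in `$_SESSION['AP_LOGIN_ERROR']`; the redirect logic after a successful login stays as it is.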

     

  3. I always set the Return-Path header as well as Reply-To. Also, some spam filters will check if the sender's email address exists and can accept incoming mail. So it helps if your From email address actually does exist.

    How to set the Return-Path header in my above posted code? Can you just post the code here please? Will using SMTP in the PHP fix the junk folder problem? If so, what SMTP code must be inserted in the above form? Thank you.

  4. This is the PHP code that sends mail:

    <?php
    $where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
    session_start();
    // FIELD VALIDATION . . .
    $e_mail = isset($_POST['field_3']) ? $_POST['field_3'] : ''; // the visitor's address; field_3 is the Email field used below
    if( validEmail($e_mail) == true ) { // validEmail() is the MX-checking function from the thread, defined elsewhere
         // address ok
    } else {
         // address bad
    }
    if( ($_SESSION['security_code']==$_POST['security_code']) && (!empty($_POST['security_code'])) )
    {
    // the visitor's address goes unfiltered into From/Reply-To; a line break in it can add extra headers (see the replies above)
    $from_email = $_POST['field_3'];
    $headers = 'From: ' . $from_email . "\r\n". 'Reply-To:'.$from_email;
    // 'url' and 'fax' appear to be honeypot fields: real users leave them empty, so only then is the form sent to your email
    if(isset($_POST['url']) && $_POST['url'] == '') {
    if(isset($_POST['fax']) && $_POST['fax'] == '') {
    mail("test@testmail.com","Form submission","Form data:
    Date: ".date('l dS \of F Y h:i:s A')."
    Form Submitted from User IP : " . $_POST['ip'] . "
    Name: " . $_POST['field_1'] . "
    Website URL: " . $_POST['field_2'] . "
    Email: " . $_POST['field_3'] . "
    Phone: " . $_POST['field_4'] . "
    Fax: " . $_POST['field_5'] . "
    Country: " . $_POST['field_6'] . "
    Place/City: " . $_POST['field_7'] . "
    Subject: " . $_POST['field_8'] . "
    Message: " . $_POST['field_9'] . "
    ","$headers");
    }
    }
    header("Location:http://www.test.com/folder/thankyou");
    exit();
    }
    else {
    echo "Invalid Captcha String.";
    }
    ?>

    Please Help. Thank you. How to incorporate SPF DNS in this form?
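    One way to build the headers safely and to set Return-Path, written here as an added example rather than code from the thread (the recipient address is the one in the post; noreply@example.com and a local sendmail are assumptions). SPF itself is a DNS TXT record on the sending domain, not something PHP can add; the code's part is to keep From within that domain and to put the visitor's address only in Reply-To, which also answers the Return-Path question in post 3.

```php
<?php
// Added example (not code from the thread): building mail() headers that cannot be
// injected, and setting the Return-Path via the sendmail -f parameter.
// Assumes the site's own address is noreply@example.com (placeholder) and that mail()
// goes through a local sendmail; the recipient address is the one used in the post.
const SITE_FROM = 'noreply@example.com';   // must exist and accept mail (see the reply in post 3)
const FORM_TO   = 'test@testmail.com';

// Reject anything that could start a new header line; returns null if the value is unusable.
function cleanHeaderValue(string $value): ?string {
    $value = trim($value);
    if ($value === '' || preg_match('/[\r\n\0]/', $value)) {
        return null;                       // CR/LF or NUL means someone is trying to inject headers
    }
    return $value;
}

function validReplyTo(string $email): ?string {
    $email = cleanHeaderValue($email);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $domain = substr($email, strpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX') ? $email : null;   // the domain must be able to receive mail
}

// Sends the form; the visitor's address only ever appears in Reply-To, never in From.
function sendContactForm(array $fields): bool {
    $replyTo = validReplyTo($fields['field_3'] ?? '');
    if ($replyTo === null) {
        return false;
    }
    $headers = [
        'From: ' . SITE_FROM,              // From stays on our own domain so SPF/DKIM can pass
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
        'X-Mailer: PHP/' . PHP_VERSION,
    ];
    $body = '';
    foreach (['field_1' => 'Name', 'field_3' => 'Email', 'field_8' => 'Subject', 'field_9' => 'Message'] as $key => $label) {
        // user line breaks are collapsed and wordwrap() keeps lines short, so nothing in the body looks like a header
        $body .= $label . ': ' . wordwrap(str_replace(["\r", "\n"], ' ', $fields[$key] ?? ''), 70, "\n", true) . "\n";
    }
    // The fifth argument sets the envelope sender, which is what becomes the Return-Path.
    return mail(FORM_TO, 'Form submission', $body, implode("\r\n", $headers), '-f' . SITE_FROM);
}
```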

  5. I have a contact form that is processed by PHP and sends email. The email PHP processor has the following code:

    $from_email = $_POST['field_2'];
    $headers = 'From: ' . $from_email . "\r\n". 'Reply-To:'.$from_email;
    mail("test@testmail.com", "Subject", "body of message");

    All mails mostly land in the junk folder only. How do we make them land in the Inbox? Please help to fix it. Thank you.

  6. The code I provided has nothing to do with captcha, it does validation only. I don't use a captcha on my contact form at all, and it hasn't been a problem for me. A spammer isn't likely to waste his time on a form that is properly validated and can't be used to send bulk spam to multiple recipients.

    I understood that your code has nothing to do with Captcha. It would validate the form well and help process it securely. Your help is really great for me. I will be implementing your code soon. Shall I clarify my doubts with you if there is any difficulty in implementing the same? And there won't be any need to use Captcha either, as you said. But I asked you about it because, when there is an acute necessity to implement Captcha, we can do it only for those who send repeated mails. I also need to use another separate form that sends data to a MySQL database instead of Email. So I thought of taking additional precautions. Could you please help me out to protect the MySQL database from hackers? I inserted mysql_real_escape_string in PHP. But not sure about it. Is there any other thing or code that I have to do to protect against remote injection or hijack attacks in MySQL? Because earlier I had a form with Captcha (now removed due to attacks) that would send data to MySQL. One day someone deleted all the data from the database. There is no log that gives any details. How to protect against such attacks? How to automatically create a log in a text file about all the activities, information such as browser details, IP Address, Date, Time stamps etc. of clients who use the form? Please help. Thank you.
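    The two things this post asks for, as an added example that is not code from the thread: a prepared statement, which is what stops quotes or comment markers in the input from being parsed as SQL, and an audit line written for every request that reaches the processor. The table name, columns, DSN, log path and the INSERT-only database account are all assumptions; the separate low-privilege account is what would have stopped the deletion described here even if the form code had been abused.

```php
<?php
// Added example (not from the thread): storing a form submission with a prepared
// statement and appending an audit line for every request that reaches the processor.
// Assumes a MySQL table submissions(id, name, email, message, ip, created_at) and
// a log directory outside the web root (both placeholders).
const DSN      = 'mysql:host=localhost;dbname=site;charset=utf8mb4';
const LOG_FILE = __DIR__ . '/../logs/form_activity.log';

function connectDb(string $user, string $pass): PDO {
    return new PDO(DSN, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares: values are never parsed as SQL
    ]);
}

// Every value travels as a bound parameter, so quotes or comments in the input are just data.
function storeSubmission(PDO $db, array $fields): int {
    $stmt = $db->prepare(
        'INSERT INTO submissions (name, email, message, ip, created_at) VALUES (?, ?, ?, ?, NOW())'
    );
    $stmt->execute([
        mb_substr($fields['name'] ?? '', 0, 100),
        mb_substr($fields['email'] ?? '', 0, 254),
        mb_substr($fields['message'] ?? '', 0, 4000),
        $_SERVER['REMOTE_ADDR'] ?? '',
    ]);
    return (int) $db->lastInsertId();
}

// One JSON line per event: timestamp, client details, what happened. The message body and
// any credentials are deliberately not logged; the file is an audit trail, not a copy of the data.
function logFormEvent(string $event, array $extra = []): void {
    $line = [
        'ts'      => date('c'),
        'event'   => $event,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'ua'      => mb_substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200),
        'referer' => $_SERVER['HTTP_REFERER'] ?? '',
        'uri'     => $_SERVER['REQUEST_URI'] ?? '',
    ] + $extra;
    file_put_contents(LOG_FILE, json_encode($line) . "\n", FILE_APPEND | LOCK_EX);
}

// Usage inside the processor (credentials are placeholders):
// $db = connectDb('form_writer', 'secret');      // an account granted INSERT only, no DELETE/DROP
// $id = storeSubmission($db, $_POST);
// logFormEvent('submission_stored', ['id' => $id]);
```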

  7. There is no code that can make it 100% impossible to use a mail form for spam. What this code will do, however, is make it so the form can't be used to send bulk spam by preventing the use of header injection in the form fields. Using a captcha will make it harder for spambots to utilize your form to send spam.

    Now having said that, I have had these 2 scripts on my contact page for the last 4 years, and in that time I have received a total of 2 spam emails.

    That's really good news that there is no spam in 4 years of using a form with your code. Now I feel confident and relieved. Thanks a lot. May I ask you one additional step about Captcha? Captcha is a burden to a genuine user and also for people with visual and hearing problems. That is, Captcha must not be on the form when the user sends mail only once. In case of successive attempts to send mail by the same user, Captcha should appear on the form from the second attempt onwards. I think this can be done by storing a unique ID in a hidden field or something similar and checking if the form was already submitted. We cannot rely on the IP address as everyone knows; the user may have a dynamic IP address or switch through a web proxy. I don't know how to implement it. Can I use the code I mentioned above (generating a unique token ID, I don't know if the code is correct), but how to modify it? Any idea please? Since you have very good exposure to PHP you can help me. Thanks again.

  8. Captcha is nice to keep spambots at bay, but it does nothing to prevent a live spammer from using the form to send spam. You need to take steps to make sure the user is unable to use certain words, and since it takes a line feed to be able to use it for spam, strip all user line feeds from the fields, and use wordwrap() instead. I see no need to reinvent the wheel, so I use a function I got from a book for that purpose, and I use another function that was passed on to me by a friend to verify that any email fields filled in by users contain a valid email address, and that there is an associated MX record in DNS lookup.

    Thank you for the excellent code you mentioned to prevent spam and validate email addresses with MX records and DNS lookup. Really worthwhile and nice of you to share such great code. It is really useful. Please tell me if the code you mentioned must be inserted after the session_start() function but before the mail() function in the mail processor.php. As we said, a Captcha box will also help a little bit. But how to prevent someone from accessing the mail processor PHP with remote injection and manipulation techniques, defeating the captcha itself and using the form from a remote location? After inserting your code, will it be simply impossible for a spammer to use the form from a remote location? Thanks again. Please help.

  9. You could install a captcha box. They're one of those crazy things that force a user to write some scrambled words before allowing them to post. You can get some free ones and they're easy enough to install.

     

    Thank you for your suggestion and the link to captcha. But I have added captcha to the form already. But I am still worried about spoofing of the form by a spammer. Will captcha prevent spoofing? I feel it can be defeated by a spammer who manages to manipulate the saved form after viewing the source code. Am I missing anything here? Please tell me.

  10. The form sends email just to me with the user input data. The form has a "Your Email" field the user has to input. There is no CC option in any of the forms. But I tried to strip out extra characters in the email field to avoid remote injection of Bcc/Cc headers and relaying of email spam. I am not sure about this form regarding spoofing attacks. The HTML form action tag goes to process.php. Since the user can notice this PHP file from the address bar, he now knows the location of the action script and can directly call this PHP from anywhere after manipulating the HTML form. Please help. Thank You.

  11. I am very much concerned about preventing 'spoofed contact web form submissions'. I have code that may prevent multiple form submissions. This is the code in form.php (actually it is form.html with the extension changed to php):

    /*** begin the session ***/
    session_start();

    /*** create the form token ***/
    $form_token = uniqid();

    /*** add the form token to the session ***/
    $_SESSION['form_token'] = $form_token;

    Now we have to process it with the mail processor.php as below:

    session_start();

    /*** check all expected variables are set ***/
    if(!isset($_POST['first_name'], $_POST['form_token'], $_SESSION['form_token']))
    {
        $message = 'Invalid Submission';
    }
    /*** check the form tokens match ***/
    elseif($_POST['form_token'] != $_SESSION['form_token'])
    {
        $message = 'Access denied';
    }

    My doubt is: will this kind of generating a unique token or unique Session ID also prevent fake or spoofed form submissions? After reading in Google search results about spoofed contact forms, that hackers could save a copy of the "HTML form page source" and manipulate it, even spoofing the 'HTTP_Referer' header also, I am very much worried. Since my knowledge in PHP is very limited, please help me. I don't know if the above code will protect my contact form. I searched this topic in the forum and could not find any solution. Please tell me how to exactly protect contact forms against such attacks. Thank you.
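    An added example, not code from the thread, that firms up the token scheme in this post and also implements the "captcha only from the second submission onwards" rule from post 7: the token comes from random_bytes() instead of the time-based uniqid(), expires, is compared in constant time and is consumed on first use. The function names are my own. A token like this proves the request came from a form page the site served to this same session, which defeats a saved copy of the page and cross-site posting, but it does not prove a human is typing: anyone can still load the form and submit it with a script, so it narrows the problem rather than closing it, and the per-session counter resets when cookies are cleared.

```php
<?php
// Added example (not from the thread): a per-form token that is unpredictable, tied to the
// visitor's session, checked in constant time and used only once, plus the "captcha from the
// second submission onwards" rule from the thread. Function names are my own.
session_start();

// Called by form.php: mints a token and stores it with its expiry time.
function issueFormToken(int $ttl = 1800): string {
    $token = bin2hex(random_bytes(32));        // uniqid() is time-based and guessable; this is not
    $_SESSION['form_token'] = ['value' => $token, 'expires' => time() + $ttl];
    return $token;                             // put this in a hidden <input name="form_token">
}

// Called by processor.php: true only for the one submission carrying the current token.
function consumeFormToken(?string $submitted): bool {
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // one-time use: a replayed token fails
    if ($stored === null || $submitted === null || time() > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['value'], $submitted);   // constant-time comparison
}

// Captcha is required from the second submission in this session onwards.
function captchaRequired(): bool {
    return ($_SESSION['submissions'] ?? 0) >= 1;
}

function recordSubmission(): void {
    $_SESSION['submissions'] = ($_SESSION['submissions'] ?? 0) + 1;
}

// processor.php flow; $captchaPassed comes from whatever captcha library is in use.
function acceptSubmission(array $post, bool $captchaPassed): string {
    if (!consumeFormToken($post['form_token'] ?? null)) {
        return 'Invalid submission';           // copied form page, expired or replayed token
    }
    if (captchaRequired() && !$captchaPassed) {
        return 'Please complete the captcha';
    }
    recordSubmission();
    return '';                                 // empty means: go ahead and send the mail
}
```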

     

  12. That code you posted only works for proxies which display that header, such as SQUID or a business/govt/school proxy so they can differentiate the origin IP. A web proxy will do the HTTP requests themselves. For anonymity I doubt they'd ever send a *_FOR HTTP header.

     

    What do you mean in the future? It's impossible. Unproxied Java may be able to display their true IP (as the HTTP proxy only proxies HTTP requests, not Java's engine's requests) but not many proxies will let you run plugins, so that's scrapped.

     

    You're stuck unless you check the proxy's hostname, and block them /treat them as less if required.

    Thanks a lot for getting me to the right concept about this topic, "Web Proxy"; now I am very clear from your explanation. What I meant by "future" is, if there is any loophole to track the real IP behind a web proxy it would be nice. But now it's clear that it is impossible, as explained by you. But please help me to check the proxy's hostname to block them or treat them as less if required, as you said. What code has to be inserted to check the hostname? Can you please post it here? Thanks again.

  13. I have a working contact form in PHP that sends the IP address of the visitor along with the user-filled data via email. The "form.php" has this code:

    // the header is exposed to PHP as HTTP_X_FORWARDED_FOR, not X_FORWARDED_FOR; as posted, the first branch could never be taken
    $ip = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

    The "form.php" calls "processor.php" on submit. But the above code only shows the proxy IP address. I myself tested it by using a free proxy server (proxy4free dot com) and the form result showed only the proxy IP address. How to get the real or source IP address? Since I don't know PHP etc. I am in need of help from this forum. I am receiving several mails that are suspicious. I have CAPTCHA also in my form. Please help me. Thank you.
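    The address handling that posts 1, 12 and 13 circle around, as an added example rather than code from the thread. It does two things the replies recommend: it believes X-Forwarded-For only when the TCP peer is one of the site's own proxies (the list is a placeholder), because any client can put any text in that header, and it checks the connecting host's name with forward-confirmed reverse DNS before using it for the "treat them as less" policy. An anonymising proxy that sends no forwarding header still shows only its own address, as post 12 explains; the hostname words are a heuristic to tune from your own logs, not a detector.

```php
<?php
// Added example (not from the thread): how to read the client address without trusting
// X-Forwarded-For from arbitrary clients, and how to check the connecting host's name.
// The trusted proxy list is a placeholder for your own load balancer / CDN addresses.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Returns the address we should treat as the client. X-Forwarded-For is only believed
// when the TCP peer is one of our own proxies; anyone else can put any text in that header.
function clientIp(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Our proxy appends the address it saw; take the last valid entry, not the first.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) !== false) {
            return $chain[$i];
        }
    }
    return $peer;
}

// Forward-confirmed reverse DNS: the PTR name must resolve back to the same address,
// otherwise the name is not trustworthy and null is returned.
function confirmedHostname(string $ip): ?string {
    $name = gethostbyaddr($ip);
    if ($name === false || $name === $ip) {
        return null;
    }
    $forward = gethostbynamel($name) ?: [];
    return in_array($ip, $forward, true) ? strtolower($name) : null;
}

// Policy hook: flag a submission for review when the confirmed hostname contains a word
// that commonly marks an anonymising service; tune the list to what you see in your logs.
function looksLikeProxy(?string $hostname): bool {
    if ($hostname === null) {
        return false;
    }
    foreach (['proxy', 'vpn', 'tor-exit', 'anonym'] as $needle) {
        if (strpos($hostname, $needle) !== false) {
            return true;
        }
    }
    return false;
}
```

    In processor.php, `$ip = clientIp($_SERVER);` replaces the ternary from the post, and `looksLikeProxy(confirmedHostname($ip))` gives the yes/no the "treat them as less" decision needs.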

     
