manalnor Posted March 21, 2011

Hello dear friends :'(, I'm under a huge attack from spam bots and I need your help.

1) I have a form with an input text and an input submit
2) no way to add html cause using js banned any < or > ..etc
3) the spam attack now posts html code, but it is stored into the database after < and > are automatically removed, as I mentioned in (2)

Okay, add to your notes that I can't add a captcha because my website is for kids.

Now please allow me to explain this idea, and let me know if it is true or if there is another, simpler way:

1) I will add a hidden input with a value that shows "IP Number Of Poster"
2) that way I will know the IP of the spammer
3) I will use PHP and MySQL to create a database table and store the IPs of the spammers I collect, so that when that spammer hits my website again, they will not be able to view the input form.

What do you think? Is it a right or bad solution, or is there any other way? The bad idea is that the spam is surely not human, because it is stupid and posts something meaningless and not true, and fake URLs like this:

theuzgfnpbmi, [url=http://gdtuaemvkpif.com/]gdtuaemvkpif[/url], [link=http://rsxtnszcpceq.com/]rsxtnszcpceq[/link], http://awpfgwtvqkdm.com/"

Please help if you have any suggestion or method for how to stop such spammers.

Thank you so much.

phil88 Posted March 21, 2011

Filter out HTML on the server-side using PHP, don't just do it with JS. It is VERY easy to get around a filter if you just use JS because anyone can just turn JS off in their browser, and thus, turn off your filtering.

Also, don't have their IP sent as a hidden form field. That can also be manipulated by a malicious user to contain anything they want very easily. Instead, just get the user's IP address in the page that handles the form submission. You can get the poster's IP address using $_SERVER['REMOTE_ADDR'] without having to modify your form at all.

Pikachu2000 Posted March 21, 2011

"no way to add html cause using js banned any < or > ..etc"

I hope you don't mean you're relying on Javascript to remove the <> symbols. Javascript cannot be relied on as the sole source of form validation or data manipulation. That MUST be done server-side. All that's usually necessary to bypass JS 'validation' is to disable JS in the browser.

Using IP address to limit it is going to be difficult, at best. These spammers use multiple proxy servers. I think your best bet, for the moment at least, is to use ReCaptcha. That should stop a good part of it. It won't stop human spammers though.

kenrbnsn Posted March 21, 2011

Do you allow links of that form to be sent? If not, just look for that pattern and drop the post.

Using Javascript for validation is not going to work against spammers, since they screen scrape your form and send the data directly to the processing script, circumventing any Javascript.

Since your form is being screen scraped, you can also put in a hidden field with no value. If your form comes back with that value filled in, you know it's from a bot and can drop it.

If you know the IP, send it to your host asking them to ban it for abuse.

Ken
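
The server-side checks suggested in the replies above (empty hidden field, link-pattern drop, escaping in PHP, IP taken from $_SERVER['REMOTE_ADDR']), combined in one handler as an added example that is not part of the original thread. The field names "message" and "website" and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example: server-side checks for the form handler. Field names
// ("message", "website") are assumptions, not taken from the original site.

// Patterns seen in the spam sample quoted in the thread: BBCode-style
// [url=...] / [link=...] tags and bare http(s) URLs.
const LINK_PATTERN = '~\[(?:url|link)=|https?://~i';

function check_submission(array $post, array $server): array
{
    // Take the address from the connection, never from a form field.
    $ip = $server['REMOTE_ADDR'] ?? 'unknown';

    // Honeypot: the hidden "website" field is left empty by the form,
    // so any value means the form was filled in by a script.
    if (($post['website'] ?? '') !== '') {
        return ['accept' => false, 'reason' => 'honeypot filled', 'ip' => $ip];
    }

    $message = trim((string)($post['message'] ?? ''));
    if ($message === '') {
        return ['accept' => false, 'reason' => 'empty message', 'ip' => $ip];
    }

    // The form does not allow links, so drop any post containing one.
    if (preg_match(LINK_PATTERN, $message) === 1) {
        return ['accept' => false, 'reason' => 'contains link', 'ip' => $ip];
    }

    // Escape on the server; this neutralises < and > even when the
    // client has JavaScript disabled or posts to the script directly.
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return ['accept' => true, 'message' => $safe, 'ip' => $ip];
}

// Constructed sample submissions (not real traffic).
$server = ['REMOTE_ADDR' => '203.0.113.7'];
$samples = [
    ['message' => 'I love this game!', 'website' => ''],
    ['message' => 'abc, [url=http://example.invalid/]abc[/url]', 'website' => ''],
    ['message' => 'hello', 'website' => 'http://example.invalid/'],
    ['message' => '<b>hi</b> friends', 'website' => ''],
];
foreach ($samples as $s) {
    echo json_encode(check_submission($s, $server)), PHP_EOL;
}
```

In a real handler the function would be called with $_POST and $_SERVER, and the honeypot input would be hidden from human visitors with CSS so that only scripts fill it in.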
This topic is now archived and is closed to further replies.