email

[andy_b_1502]

Hi all,

 

I have some sort of bot or spam machine sending countless emails using the simple form on my site which is for reviews.

 

The form:

 

<form method="post" action="send-review.php"> 

Name<br />
<input type="text" name="name" id="name" />
<br />
Area<br />
<input name="area" type="text" id="area" />
<br />
Leave your review here:           
              
<p class="style3">
<textarea name="review" rows="10" cols="40" id="review"></textarea>
<br />
<br />
<input name="Send it!" type="submit" id="Send it!" value="Send it!" />
</form>
[\code]

the code 'send-review.php':

[code]
<?php
$to = "360transport@mail.com";
$subject = "A customer has left a review";
$message = "This is an alert to say a customer has left a review,\n\n Go to www.360transport.co.uk/reviews \n\n Thank you!!";
$from = "mail@360transport.co.uk";
$headers = "From:" . $from;
mail($to,$subject,$message,$headers);
?>
<?PHP

$user_name = "username";
$password = "password";
$database = "db";
$server = "host";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

$SQL = "INSERT INTO Reviews (name, area, review) 
VALUES ('" .$name. "', '" .$area. "', '" .$review. "' )";
$result = mysql_query($SQL);

mysql_close($db_handle);

header( 'Location: http://www.www.360transport.co.uk/thankyou.html' );  exit();
}
else {
print "Database NOT Found ";
mysql_close($db_handle);
}
?> 
[\code]

The emails are mostly adverts for business, with links to different websites, how do i stop this from coming up on my review section of my website?

[Pikachu2000]

Adding a captcha will kill a lot of it. You could also try requiring the user to be logged in; that may help.

[andy_b_1502]

Thank you, iv'e decided to go for the captcha as the site really doesnt ever require the user to be logged in. Is it easy/difficult, does the catpcha require software?

[.josh]

captcha does require extra coding, yes.  Usually captcha works by generating an image with words, letters and/or numbers in a randomized styling so that bots can't read it.  The visitor then has to enter in what is displayed.  If the visitor fails to enter in the text, your script assumes it is a bot and stops whatever process happens when you normally do a form submission.  Another form of captcha is to output a question that a bot can't easily answer.  For instance "What is two plus two?" or "What is the third letter of the fourth word in this sentence?" 

 

There are a lot of 3rd party captcha scripts out there that are relatively painless to install, just hit up google.  One popular one is reCAPTCHA because it has the added benefit of helping digitize books out there.  The idea is that there are a lot of printed items out there that people want to digitize, but the printing is too hard for scanners to read, so people have to manually look at it and enter it in.  Well the idea is that this makes for perfect anti-bot protection..well, you can visit the site and read the details yourself.  It's a neat concept. 

 

There are also other anti-bot things you can do, other than a captcha system.  One thing you can do is setup a honeypot.  Bots are kinda stupid and basically attempt to fill out all fields in a form.  The idea of a honeypot is to add a fake form field on your form that the a visitor will not fill out because they will not see it (hide it with css, etc...).  The bot won't see that it's not meant to be seen, and happily fills it out with info about viagra or whatever.  You would then basically tell your script to stop form processing if this dummy form field is filled out. 

 

Another method is to time the form output vs. form submission.  If you have a form that normally takes a few minutes to read and submit, and you see that it is being submitted less than a second after it was requested, then it is more than likely a bot.  Implementing this involves outputting a token as a hidden field for the form and keeping track with a session variable, db table or flatfile, the token value and the timestamp. Then upon form submission, you check the time submitted vs. time output, based on the token submitted.  If the token doesn't exist or if the time is too short, assume it is a bot and stop processing the form.

 

 

[andy_b_1502]

Thank you .josh for the reply

[luckyguys]

Hi,You can use Recaptcha .Thanks!

[andy_b_1502]

hi, i was just wondering how to put recaptcha on my site, i have two keys, one javascript and one server key?

[andy_b_1502]

Kind of found my way through, just another quick question in your verify.php code, is there a place where i can use the header () mines not re-directing user's to my desired page:

 

<?php
  require_once('recaptchalib.php');
  $privatekey = "my private key";
  $resp = recaptcha_check_answer ($privatekey,
                                $_SERVER["REMOTE_ADDR"],
                                $_POST["recaptcha_challenge_field"],
                                $_POST["recaptcha_response_field"]);

  if (!$resp->is_valid) {
    // What happens when the CAPTCHA was entered incorrectly
    die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
         "(reCAPTCHA said: " . $resp->error . ")");
  } else {
    // Your code here to handle a successful verification
header('www.360transport.co.uk/thankyou.html');
  }
  

?>

 

Thank you!

[andy_b_1502]

solved