best option for securing forms

jcombs_31 · January 28, 2006

I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple sites that are getting hammered by spam throught these two forms. I don't think a timestamp will stop it, and the ip range is always different, so what's the best way to block it without creating images with text?

AndyB · January 28, 2006

Depends on the set up ... maybe setting a session variable to ensure that the form is being accessed from your site.

ShaunW · January 29, 2006

[!--quoteo(post=340644:date=Jan 28 2006, 10:33 AM:name=jcombs_31)--][div class=\'quotetop\']QUOTE(jcombs_31 @ Jan 28 2006, 10:33 AM) [snapback]340644[/snapback][/div][div class=\'quotemain\'][!--quotec--]
I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple sites that are getting hammered by spam throught these two forms. I don't think a timestamp will stop it, and the ip range is always different, so what's the best way to block it without creating images with text?
[/quote]

Are you using forms that contain an email address. If so then you are going to need a rewrite.
Checking that the form is being run from your server is no good because hackers are skilled at
hacking round these checks. Any form that contains an email address to send the email to are
an open invitation to spammers.

jcombs_31 · January 30, 2006

[!--quoteo(post=340777:date=Jan 28 2006, 11:36 PM:name=ShaunW)--][div class=\'quotetop\']QUOTE(ShaunW @ Jan 28 2006, 11:36 PM) [snapback]340777[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Are you using forms that contain an email address. If so then you are going to need a rewrite.
Checking that the form is being run from your server is no good because hackers are skilled at
hacking round these checks. Any form that contains an email address to send the email to are
an open invitation to spammers.
[/quote]

This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.

daiwa · January 30, 2006

[!--quoteo(post=341134:date=Jan 30 2006, 07:53 AM:name=jcombs_31)--][div class=\'quotetop\']QUOTE(jcombs_31 @ Jan 30 2006, 07:53 AM) [snapback]341134[/snapback][/div][div class=\'quotemain\'][!--quotec--]
This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.
[/quote]

make them confirm what they are sending out. then you can add constraints like form tokens and time validations and the like. ie if they confirm too quickly etc,

jcombs_31 · February 25, 2006

I don't want a user to have to confirm adding a simple guestbook or feedback entry. I never see any email forms on sites that require any extra user interaction. I can see maybe for a site that you are purchasing something that you validate with an image. I'm looking for a solution that is not obtrusive to the user who is actually using the form.

I'm not sure what type of session variable actually could check if this is a real user on my site. I really don't know how these spam bots work. Do they actually open up a browswer?

AndyB · February 25, 2006

Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?

jcombs_31 · February 25, 2006

[!--quoteo(post=349327:date=Feb 25 2006, 11:29 AM:name=AndyB)--][div class=\'quotetop\']QUOTE(AndyB @ Feb 25 2006, 11:29 AM) [snapback]349327[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?
[/quote]

script on the same page, so the form would be submitting to PHP_SELF

AndyB · February 25, 2006

Maybe something like this would work:
[code]<?php
session_start();
$now = time();
$delta_t = 60; // seconds delay required between uses
if (isset($_SESSION['time_sent'])) {
    $previous = $_SESSION['time_sent'];
    if (($now - $previous) < $delta_t) {
        // your form code here
    } else {
        // be patient!!
    }
}
$_SESSION['time_sent'] = $now;
?>[/code]

jcombs_31 · February 25, 2006

[!--quoteo(post=349363:date=Feb 25 2006, 03:05 PM:name=AndyB)--][div class=\'quotetop\']QUOTE(AndyB @ Feb 25 2006, 03:05 PM) [snapback]349363[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Maybe something like this would work:
[code]<?php
session_start();
$now = time();
$delta_t = 60; // seconds delay required between uses
if (isset($_SESSION['time_sent'])) {
    $previous = $_SESSION['time_sent'];
    if (($now - $previous) < $delta_t) {
        // your form code here
    } else {
        // be patient!!
    }
}
$_SESSION['time_sent'] = $now;
?>[/code]
[/quote]

yea, but that only helps with a time interval. If they only submit one per day, or one every 10 minutes, it wouldn't prevent anything. I'm sure this has to be a very common problem people solve.

AndyB · February 25, 2006

I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"

At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting a 1000 bounced emails from AOL addresses in a day is tough to take!

If it will lessen the pain, you're welcome to use my [a href=\"http://www.digitalmidget.com/php_noob/captcha.php\" target=\"_blank\"]captcha script package[/a].

jcombs_31 · February 26, 2006

[!--quoteo(post=349427:date=Feb 25 2006, 06:15 PM:name=AndyB)--][div class=\'quotetop\']QUOTE(AndyB @ Feb 25 2006, 06:15 PM) [snapback]349427[/snapback][/div][div class=\'quotemain\'][!--quotec--]
I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"

At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting a 1000 bounced emails from AOL addresses in a day is tough to take!

If it will lessen the pain, you're welcome to use my [a href=\"http://www.digitalmidget.com/php_noob/captcha.php\" target=\"_blank\"]captcha script package[/a].
[/quote]

I guess it's the way I have to go, just didn't think it would have to go that far. I read a great article from sitepoint on setting up the class, just was looking for another solution.

steviewdr · May 6, 2006

I know this is an old topic but here's my tupence:

To prevent spam from contact froms etc. I limit the number of posts/ messages/ contacts per IP in an hour/day.
The captcha way is foolproof however.

-steve

Sign In

best option for securing forms

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information