I am just a hopeless newbie with PHP and I am wondering if it's even possible to do the following:

I have a guestbook that's written with PHP. It's flat-file based and now it's starting to flood with spam. I am just wondering if you can disable a message before it's posted if there's HTML in the message textarea? So that the first sight of <a> would not only disable the link but would not submit the whole comment?


[code]
<?php

$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';


if (empty($_POST['message'])) {
  header('Location: '.$_POST['bookurl'].'?contents=blank');
}

else {
  $entryFile = 'entries.txt';
  $formatFile = 'format.php';

  $message = stripslashes($_POST['message']);

  // tags that strip_tags() is allowed to keep
  $allowedTags = '<a><em><strong><b><i><img>';

  // attribute names / schemes that are replaced inside the kept tags
  $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

  function removeEvilTags($source)
  {
    global $allowedTags;
    $source = strip_tags($source, $allowedTags);
    // run removeEvilAttributes() over the inside of every tag that survived
    // (a callback instead of the /e modifier, which PHP 7 no longer accepts)
    return preg_replace_callback('/<(.*?)>/', function ($m) {
      return '<'.removeEvilAttributes($m[1]).'>';
    }, $source);
  }
  function removeEvilAttributes($tagSource)
  {
    global $stripAttrib;
    // note: the pattern matches anywhere inside the tag, attribute values included
    return preg_replace("/$stripAttrib/i", 'forbidden', $tagSource);
  }

  // inserts a space every $maxLength characters of an unbroken word,
  // skipping anything between < and > so tags stay intact
  function word_wrap($message)
  {
    $maxLength = 60;
    $cut = ' ';
    $result = '';
    $wordlength = 0;

    $length = strlen($message);

    $tag = FALSE;
    for ($i = 0; $i < $length; $i++)
    {
      $char = substr($message, $i, 1);
      if ($char == '<') { $tag = TRUE; }
      elseif ($char == '>') { $tag = FALSE; }
      elseif (!$tag && $char == ' ') { $wordlength = 0; }
      elseif (!$tag) { $wordlength++; }
      // the > 0 test stops a space being added after every space and tag end
      if (!$tag && $wordlength > 0 && !($wordlength%$maxLength)) { $char .= $cut; }
      $result .= $char;
    }
  return $result;
  }

  $message = word_wrap(removeEvilTags($message));
  $message = str_replace(array('&', "\r\n\r\n"), array('&amp;', '</p><p>'), $message);
  $message = str_replace(array('&amp;gt;', '&amp;lt;', "\r\n"), array('&gt;', '&lt;', '<br />'), $message);

  $signername = strip_tags(stripslashes($_POST['signername']));
  $email = urlencode(strip_tags(stripslashes($_POST['email'])));
  $url = urlencode(strip_tags(stripslashes($_POST['url'])));
  $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

  // format.php is the template; each %%placeholder%% is filled from the form
  $formatted = file_get_contents($formatFile);
  $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
  $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));

  $formatted = str_replace($variables, $inputs, $formatted);

  // newest entry goes on top of the flat file
  $oldEntries = fopen($entryFile, 'r');
  $content = fread($oldEntries, filesize($entryFile));
  fclose($oldEntries);

  $newContent = $formatted."\n".$content;

  $allEntries = fopen($entryFile, 'w');
  fwrite($allEntries, $newContent);
  fclose($allEntries);

  header('Location: '.$_POST['bookurl']);

}

?>[/code]
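The removeEvilTags/removeEvilAttributes pair above works from a denylist: any attribute name it has not heard of (and any new event handler a browser adds later) gets through. The following is an added example, not code from the thread, showing the allow-list form of the same idea: only named tags survive, and on each of them only named attributes, with URL attributes restricted to plain http(s). The function name filterMessageHtml() and the $ALLOWED table are this example's own; it needs PHP 5.3 or later for the closure.

```php
<?php
// Added example, not the thread's code: allow-list filtering of guestbook HTML,
// written with a callback instead of the /e modifier (removed in PHP 7).
// filterMessageHtml() and $ALLOWED are names chosen for this example.

// tag => attributes that may survive on it; anything else is dropped
$ALLOWED = array(
    'a'      => array('href'),
    'em'     => array(),
    'strong' => array(),
    'b'      => array(),
    'i'      => array(),
    'img'    => array('src', 'alt'),
);

function filterMessageHtml($source, array $allowed)
{
    // strip_tags() keeps the listed tags but leaves their attributes untouched,
    // so a second pass has to look inside each tag that survived.
    $source = strip_tags($source, '<' . implode('><', array_keys($allowed)) . '>');

    return preg_replace_callback(
        '#<(/?)([a-z][a-z0-9]*)\b([^>]*)>#i',
        function ($m) use ($allowed) {
            $tag = strtolower($m[2]);
            if (!isset($allowed[$tag])) {
                return '';                          // should not happen after strip_tags, but be safe
            }
            if ($m[1] !== '') {
                return '</' . $tag . '>';           // closing tags carry no attributes
            }
            $keep = '';
            // name="value", name='value' or name=value pairs; unknown names are dropped
            if (preg_match_all('#([a-z][a-z0-9-]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i',
                               $m[3], $attrs, PREG_SET_ORDER)) {
                foreach ($attrs as $attr) {
                    $name = strtolower($attr[1]);
                    if (!in_array($name, $allowed[$tag], true)) {
                        continue;
                    }
                    $value = trim($attr[2], '"\'');
                    // URL attributes must be plain http(s); this also drops javascript: and data: URLs
                    if (($name === 'href' || $name === 'src') && !preg_match('#^https?://#i', $value)) {
                        continue;
                    }
                    $keep .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            return '<' . $tag . $keep . '>';
        },
        $source
    );
}

// Constructed sample input, not taken from the thread.
$sample = '<a href="http://example.invalid/" onclick="steal()">visit</a> '
        . '<img src="x" onerror="alert(1)"> <script>alert(1)</script> bold <b class="x">text</b>';
echo filterMessageHtml($sample, $ALLOWED), "\n";
```

As with the original, this only decides which tags and attributes remain; the text between tags still needs its & and stray < escaped, which the guestbook code does in the str_replace calls that follow removeEvilTags().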
https://forums.phpfreaks.com/topic/33565-solved-help-with-a-php-guestbook-form/

What I don't understand is why you wish to disable HTML code; what I prefer myself is converting special HTML symbols to codes unrecognizable by HTML, so:

[code=php:0]
$message = str_replace("&","&amp;",$message);
$message = str_replace("<","&lt;",$message);
$message = str_replace(">","&gt;",$message);
$message = str_replace("\"","&quot;",$message);
[/code]

Therefore, no matter how much html codes they use, the content will only be "content" but no interference with the html code of your page.
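The four replacements above are what htmlspecialchars() does; the added example below (not ted_chou's code) puts the two side by side on constructed inputs so the difference shows. The one thing the manual chain misses is the single quote, which only matters when the escaped text ends up inside a single-quoted attribute; ENT_QUOTES covers it. escapeForHtml() and escapeManually() are this example's own names.

```php
<?php
// Added example, not from the thread: escaping message text so HTML in it is
// shown as text instead of being interpreted. Function names are this example's own.

function escapeForHtml($text)
{
    // ENT_QUOTES escapes both " and '; naming the charset stops malformed
    // multi-byte input from carrying a raw < past the encoder.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The replacement chain from the post, for comparison.
function escapeManually($message)
{
    $message = str_replace("&", "&amp;", $message);   // must run first, or the later &'s get double-encoded
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Constructed samples: what a spam link, a scripted tag and ordinary punctuation look like.
$samples = array(
    '<a href="http://example.invalid/">buy now</a>',
    "<img src=x onerror='alert(1)'>",
    'Tom & Jerry say "hi"',
);
foreach ($samples as $s) {
    echo "manual : ", escapeManually($s), "\n";
    echo "builtin: ", escapeForHtml($s), "\n\n";
}
```

Either way the browser renders the tags as literal text, so a spam link is visible but not clickable; the guestbook still stores the post, which is why the next replies look at rejecting it instead.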

But if you still wish to completely disable html code, give me a second....

If you want to remove HTML tags you could do...

[code=php:0]
$input = strip_tags($input);
[/code]

but since you said you wanted to stop the whole comment from going through? maybe something like this...

[code=php:0]
$strippedInput = strip_tags($input);
if($input != $strippedInput) {
    header('location:guestbook.php?error=1'); // something to redirect back, maybe with an error
    die();
}
[/code]

or to improve upon what ted_chou said you could just convert HTML tags into something that won't be displayed as such

[code=php:0]
$input = htmlspecialchars($input);
[/code]

Yes, I really want the whole message not to get through, since the only messages with html in the message itself are spam.

So I tried changing the code a bit, since I wanted it to work only on the message part input, not the others and changed it to this:
[code]
$strippedInput = strip_tags($message);
if($input != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

But now when I test it, it directs all messages to that other file, not just the ones containing links?
*see, a newbie!*

a little late to report this but I went to bed last night so this is the first time I get the chance to...

change

[code=php:0]
$strippedInput = strip_tags($message);
if($input != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

to be

[code=php:0]
$strippedInput = strip_tags($message);
if($message != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

you just forgot to change the message variable on both of em, no biggie

Yes, I noticed that too, right after you'd pointed it out!  :D

THANK YOU ever so much [color=blue]genericnumber1[/color], I was getting desperate already! Let's see how long it takes spam to find its way to the guestbook now... would think that there's no use anymore now, since all links are blocked, but spam is spam, its amount is definitely not getting smaller any time in the near future...

-nunu-
1 month later...
Another question about the code that has been blocking spam almost 95% certain. (what a RELIEF that is, no more deleting spam every day...)

As it's used in a guestbook, I'd like to know if there's a chance of allowing [br] and [p] codes in the message so that they would separate the message parts?

Thanks in advance!

yes that seems to be what I am looking for, but since I have (I believe) this bit:
[code]$strippedInput = strip_tags($message);
if($message != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]
it won't show the message even if there's the new function added. And I don't want to get rid of the die-part of the function, just want to allow linebreaks in the form textarea and show those linebreaks.

strcmp when comparing if two strings are equal to each other  ??? just makes it harder to read imho, why would you need to do that?

also

[code=php:0]
$strippedInput = strip_tags($message);

if($message != $strippedInput) {
    header('location:trap.php');
    die();
}

$message = nl2br($message);
[/code]
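The snippet above keeps the reject check and then runs nl2br() on what passed it, which handles real newlines from the textarea. The earlier question also asked for [br] and [p] codes; since square brackets are not HTML, they pass strip_tags() untouched and can be translated afterwards. The following is an added example, not genericnumber1's or nunu's code, that does both in one function. prepareGuestbookMessage() and its "null means reject" convention are this example's own; the caller is expected to do the header('location:trap.php'); die(); part itself.

```php
<?php
// Added example, not from the thread: reject any entry containing HTML, then
// allow [br] and [p] codes and textarea newlines in what remains.
// prepareGuestbookMessage() is a name chosen for this example.

// Returns the HTML-ready message, or null when the entry must be rejected.
function prepareGuestbookMessage($message)
{
    $message = stripslashes($message);

    // The thread's test: if strip_tags() would change anything, there was a tag.
    // It fires on any "<name" sequence, not only on <a>, so <script> and <img> trip it too.
    if (strip_tags($message) !== $message) {
        return null;
    }

    // Escape what is left so "&", quotes and a lone "<" are inert when displayed.
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');

    // Translate only the two codes that are wanted; any other [..] stays literal text.
    $safe = str_ireplace('[br]', '<br />', $safe);
    $safe = preg_replace('#\[p\](.*?)\[/p\]#is', '<p>$1</p>', $safe);

    // Real newlines from the textarea become <br /> as well, as in the post above.
    return nl2br($safe);
}

// Constructed samples, not from the thread.
$good = "Hello![br]Second line[p]A paragraph[/p]Tom & Jerry\nlast line";
$spam = 'Cheap stuff <a href="http://spam.invalid/">here</a>';

echo prepareGuestbookMessage($good), "\n";

if (prepareGuestbookMessage($spam) === null) {
    // in the guestbook script this is where header('location:trap.php'); die(); goes
    echo "rejected\n";
}
```

One caveat for anyone reusing this: the check stops tagged links only. A bare http://... typed as plain text still gets through, so it cuts the kind of spam that relies on clickable links rather than all of it.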