Jump to content

[SOLVED] help with a php guestbook form


nunu78

Recommended Posts

I am just a hopeless newbie with php and I am wondering if it's even possible to do the following:

I have a guestbook that's written with php. It's a flat file based and now it's starting to flood with spam. I am just wondering if you can disable a message before it's posted if there's html in the message textarea? So that the first sight of <a> would not only disable the link but would not submit the whole comment?


[code]
<?php

$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';


if (empty($_POST['message'])) {
  header('Location: '.$_POST['bookurl'].'?contents=blank');
}

else {
  $entryFile = 'entries.txt';
  $formatFile = 'format.php';

  $message = stripslashes($_POST['message']);

  $allowedTags = '<a><em><strong><b><i><img>';

  $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

  function removeEvilTags($source)
  {
    global $allowedTags;
    $source = strip_tags($source, $allowedTags);
    return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
  function removeEvilAttributes($tagSource)
  {
    global $stripAttrib;
    return stripslashes(preg_replace("/$stripAttrib/i", 'forbidden', $tagSource));
  }

  function word_wrap($message)
  {
    $maxLength = 60;
    $cut = ' ';
    $result = '';
    $wordlength = 0;

    $length = strlen($message);

    $tag = FALSE;
    for ($i = 0; $i < $length; $i++)
    {
      $char = substr($message, $i, 1);
      if ($char == '<') { $tag = TRUE; }
      elseif ($char == '>') { $tag = FALSE; }
      elseif (!$tag && $char == ' ') { $wordlength = 0; }
      elseif (!$tag) { $wordlength++; }
      if (!$tag && !($wordlength%$maxLength)) { $char .= $cut; }
      $result .= $char;
    }
  return $result;
  }

  $message = word_wrap(removeEvilTags($message));
  $message = str_replace(array('&', "\r\n\r\n"), array('&amp;', '</p><p>'), $message);
  $message = str_replace(array('&amp;gt;', '&amp;lt;', "\r\n"), array('&gt;', '&lt;', '<br />'), $message);

  $signername = strip_tags(stripslashes($_POST['signername']));
  $email = urlencode(strip_tags(stripslashes($_POST['email'])));
  $url = urlencode(strip_tags(stripslashes($_POST['url'])));
  $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

  $formatted = file_get_contents($formatFile);
  $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
  $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));

  $formatted = str_replace($variables, $inputs, $formatted);

  $oldEntries = fopen($entryFile, 'r');
  $content = fread($oldEntries, filesize($entryFile));
  fclose($oldEntries);

  $newContent = $formatted."\n".$content;

  $allEntries = fopen($entryFile, 'w');
  fwrite($allEntries, $newContent);
  fclose($allEntries);

  header('Location: '.$_POST['bookurl']);

}

?>[/code]
Link to comment
Share on other sites

What I dont understand is why you wish to disable html code, what I prefer myself is converting special html symbols to codes unrecognizable by html, so:

$message = str_replace("&","&amp;",$message);
$message = str_replace("<","&lt;",$message);
$message = str_replace(">","&gt;",$message);
$message = str_replace("\"","&quot;",$message);

Therefore, no matter how much html codes they use, the content will only be "content" but no interference with the html code of your page.

But if you still wish to completely disable html code, give me a second....
Link to comment
Share on other sites

If you want to remove HTML tags you could do...

[code=php:0]
$input = strip_tags($input);
[/code]

but since you said you wanted to stop the whole comment from going through? maybe something like this...

[code=php:0]
$strippedInput = strip_tags($input);
if($input != $strippedInput) {
    header('location:guestbook.php?error=1'); // something to redirect back, maybe with an error
    die();
}
[/code]

or to improve upon what ted_chou said you could just convert HTML tags into something that wont be displayed as such

[code=php:0]
$input = htmlspecialchars($input);
[/code]
Link to comment
Share on other sites

Yes, I really want the whole message not to get through, since the only messages with html in the message itself are spam.

So I tried changing the code a bit, since I wanted it to work only on the message part input, not the others and changed it to this:
[code]
$strippedInput = strip_tags($message);
if($input != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

But now when I test it, it directs all messages to that other file, not just the ones containing links?
*see, a newbie!*
Link to comment
Share on other sites

a little late to report this but I went to bed last night so this is the first time I get the chance to...

change

[code=php:0]
$strippedInput = strip_tags($message);
if($input != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

to be

[code=php:0]
$strippedInput = strip_tags($message);
if($message != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

you just forgot to change the message variable on both of em, no biggie
Link to comment
Share on other sites

Yes, I noticed that too, right after you'd pointed it out!  :D

THANK YOU ever so much [color=blue]genericnumber1[/color], I was getting desperate already! Let's see how long it takes spam to find it's way to the guestbook now... would think that there's no use anymore now, since all links are blocked, but spam is spam, it's amount is definetly not getting smaller any time in the near future...

-nunu-
Link to comment
Share on other sites

  • 1 month later...
Another question about the code that has been blocking spam almost 95% certain. (what a RELIEF that is, no more deleting spam every day...)

As it's used in a guestbook, I'd like to know if there's a chance of allowing [br] and [p] codes in the message so that they would separate the message parts?

Thanks in advance!
Link to comment
Share on other sites

yes that seems to be what I am looking for, but since I have (I believe) this bit:
[code]$strippedInput = strip_tags($message);
if($message != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
[/code]
it won't show the message even if there's the new function added. And I don't want to get rid of the die-part of the function, just want to allow linebreaks in the form textarea and show those linebreaks.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.