
Archived

This topic is now archived and is closed to further replies.

nunu78

[SOLVED] help with a php guestbook form


I am just a hopeless newbie with php and I am wondering if it's even possible to do the following:

I have a guestbook that's written with php. It's a flat file based and now it's starting to flood with spam. I am just wondering if you can disable a message before it's posted if there's html in the message textarea? So that the first sight of <a> would not only disable the link but would not submit the whole comment?


[code]
<?php

$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';


if (empty($_POST['message'])) {
  // bookurl is taken from the submitted form, so the redirect target is under the
  // poster's control; hard-coding the guestbook URL here avoids that.
  header('Location: '.$_POST['bookurl'].'?contents=blank');
  exit; // stop after a redirect, otherwise the rest of the script keeps running
}

else {
  $entryFile = 'entries.txt';
  $formatFile = 'format.php';

  $message = stripslashes($_POST['message']);

  $allowedTags = '<a><em><strong><b><i><img>';

  $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

  function removeEvilTags($source)
  {
    global $allowedTags;
    $source = strip_tags($source, $allowedTags);
    // The original used preg_replace() with the /e modifier, which evaluates the
    // replacement string as PHP code and was removed in PHP 7. A callback does the
    // same job without that eval-style behaviour.
    return preg_replace_callback('/<(.*?)>/', function ($m) {
      return '<'.removeEvilAttributes($m[1]).'>';
    }, $source);
  }
  function removeEvilAttributes($tagSource)
  {
    global $stripAttrib;
    // stripslashes() was only needed to undo the quoting that /e added to the match
    return preg_replace("/$stripAttrib/i", 'forbidden', $tagSource);
  }

  // Inserts a space every $maxLength characters of an unbroken word, leaving
  // anything between < and > untouched so tags are not split.
  function word_wrap($message)
  {
    $maxLength = 60;
    $cut = ' ';
    $result = '';
    $wordlength = 0;

    $length = strlen($message);

    $tag = FALSE;
    for ($i = 0; $i < $length; $i++)
    {
      $char = substr($message, $i, 1);
      if ($char == '<') { $tag = TRUE; }
      elseif ($char == '>') { $tag = FALSE; }
      elseif (!$tag && $char == ' ') { $wordlength = 0; }
      elseif (!$tag) { $wordlength++; }
      // The $wordlength > 0 guard is needed: 0 % $maxLength is 0, so without it an
      // extra space was appended after every ordinary space.
      if (!$tag && $wordlength > 0 && !($wordlength%$maxLength)) { $char .= $cut; }
      $result .= $char;
    }
  return $result;
  }

  $message = word_wrap(removeEvilTags($message));
  $message = str_replace(array('&', "\r\n\r\n"), array('&amp;', '</p><p>'), $message);
  $message = str_replace(array('&amp;gt;', '&amp;lt;', "\r\n"), array('&gt;', '&lt;', '<br />'), $message);

  $signername = strip_tags(stripslashes($_POST['signername']));
  $email = urlencode(strip_tags(stripslashes($_POST['email'])));
  $url = urlencode(strip_tags(stripslashes($_POST['url'])));
  $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

  $formatted = file_get_contents($formatFile);
  $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
  $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));

  $formatted = str_replace($variables, $inputs, $formatted);

  // fread() with filesize() fails on an empty entries file (length 0);
  // file_get_contents() handles that case and a missing file.
  $content = is_file($entryFile) ? file_get_contents($entryFile) : '';

  $newContent = $formatted."\n".$content;

  $allEntries = fopen($entryFile, 'w');
  fwrite($allEntries, $newContent);
  fclose($allEntries);

  header('Location: '.$_POST['bookurl']);
  exit;

}

?>[/code]

What I don't understand is why you wish to disable HTML code. What I prefer myself is converting special HTML symbols to codes unrecognizable by HTML, so:

[code=php:0]
$message = str_replace("&","&amp;",$message);
$message = str_replace("<","&lt;",$message);
$message = str_replace(">","&gt;",$message);
$message = str_replace("\"","&quot;",$message);
[/code]

Therefore, no matter how much HTML code they use, the content will only be "content", with no interference with the HTML code of your page.

But if you still wish to completely disable html code, give me a second....

If you want to remove HTML tags you could do...

[code=php:0]
$input = strip_tags($input);
[/code]

but since you said you wanted to stop the whole comment from going through, maybe something like this...

[code=php:0]
$strippedInput = strip_tags($input);
if($input != $strippedInput) {
    header('location:guestbook.php?error=1'); // something to redirect back, maybe with an error
    die();
}
[/code]

or, to improve upon what ted_chou said, you could just convert HTML tags into something that won't be displayed as such

[code=php:0]
$input = htmlspecialchars($input);
[/code]

Yes, I really want the whole message not to get through, since the only messages with html in the message itself are spam.

So I tried changing the code a bit, since I wanted it to work only on the message input, not the others, and changed it to this:
[code]
$strippedInput = strip_tags($message);
if($input != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

But now when I test it, it directs all messages to that other file, not just the ones containing links?
*see, a newbie!*

a little late to report this, but I went to bed last night, so this is the first time I get the chance to...

change

[code=php:0]
$strippedInput = strip_tags($message);
if($input != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

to be

[code=php:0]
$strippedInput = strip_tags($message);
if($message != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]

you just forgot to change the message variable on both of em, no biggie

Yes, I noticed that too, right after you'd pointed it out!  :D

THANK YOU ever so much [color=blue]genericnumber1[/color], I was getting desperate already! Let's see how long it takes spam to find its way to the guestbook now... would think that there's no use anymore now, since all links are blocked, but spam is spam, its amount is definitely not getting smaller any time in the near future...

-nunu-

Another question about the code that has been blocking spam almost 95% certain. (what a RELIEF that is, no more deleting spam every day...)

As it's used in a guestbook, I'd like to know if there's a chance of allowing [br] and [p] codes in the message so that they would separate the message parts?

Thanks in advance!

actually, it doesn't matter how it's done, all I need is that when you leave an empty line in between paragraphs, that would show in the message field too.

thanks again...

yes that seems to be what I am looking for, but since I have (I believe) this bit:
[code]$strippedInput = strip_tags($message);
if($message != $strippedInput) {
    header('location:trap.php'); // something to redirect back, maybe with an error
    die();
}
[/code]
it won't show the message even if there's the new function added. And I don't want to get rid of the die part of the function, I just want to allow line breaks in the form textarea and show those line breaks.

Did you put the nl2br before or after that?

I would highly suggest placing it after that.

As well, this is more a personal irk, but I would suggest using strcmp or stricmp when comparing strings.

I tried both but still not working. How would you write the code exactly?

strcmp when comparing if two strings are equal to each other ??? just makes it harder to read imho, why would you need to do that?

also

[code=php:0]
$strippedInput = strip_tags($message);

if($message != $strippedInput) {
    header('location:trap.php');
    die();
}

$message = nl2br($message);
[/code]

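The approach the thread settled on (reject the whole submission when strip_tags() would change the message, escape it, then apply nl2br() only after the check), packaged as one function. This is an added example, not code from the thread or from the guestbook script; the function name processGuestbookMessage and the two sample messages are constructed, while trap.php is the redirect target used in the thread.

```php
<?php
// Added example: the thread's "strip_tags() changed it, so drop it" check,
// followed by escaping and line-break handling for messages that pass.

function processGuestbookMessage($message)
{
    // Reject the entire comment if it contains anything that looks like an
    // HTML tag. Caveat: strip_tags() also treats "a < b" or "<3" as the start
    // of a tag, so such messages are rejected too; the thread accepted that.
    if (strip_tags($message) !== $message) {
        return array('ok' => false, 'reason' => 'html');
    }

    // Normalise Windows and old Mac line endings so paragraph detection works.
    $message = str_replace(array("\r\n", "\r"), "\n", $message);

    // The tag check does not catch a bare '&' or quotes, so escape them here;
    // the stored text can then never be read as markup by the browser.
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');

    // nl2br() must come after the check (as the thread advises): the <br />
    // it inserts would otherwise fail the strip_tags() comparison.
    // An empty line between paragraphs becomes a paragraph break.
    $paragraphs = preg_split('/\n\s*\n/', trim($safe));
    $html = '';
    foreach ($paragraphs as $p) {
        $html .= '<p>' . nl2br($p) . '</p>';
    }
    return array('ok' => true, 'html' => $html);
}

// Constructed sample inputs standing in for $_POST['message'].
$spam    = "Cheap stuff <a href=\"http://example.invalid\">here</a>";
$genuine = "Hello nunu!\r\n\r\nGreat site & nice photos.\r\nSee you soon.";

$r = processGuestbookMessage($spam);
// $r['ok'] is false: the whole comment is dropped, as the thread wanted.

$r = processGuestbookMessage($genuine);
// $r['html'] is:
// <p>Hello nunu!</p><p>Great site &amp; nice photos.<br />
// See you soon.</p>

if (!$r['ok']) {
    header('Location: trap.php');
    exit; // always stop after a redirect header, or the script keeps running
}
```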
Thank you, got it to work after reloading the file a few times to the server!
