bcoffin Posted March 6, 2007

Hi All,

I've written a bunch of contact forms in the past, and one in particular has been getting a ton of abuse. The fields are:

NAME
EMAIL
PHONE
SUBJECT
MESSAGE

and a few other more specific questions. The form is submitted via a JavaScript function (.submit()).

Can anyone recommend any tricks to limit this type of abuse?

Thanks,
Benny
bob_the _builder Posted March 6, 2007

Hi,

Validate fields, mostly email addresses, then also maybe incorporate captcha.
bcoffin (Author) Posted March 6, 2007

All fields are validated, and succeed.
kenrbnsn Posted March 6, 2007

Read the following articles:

Email Header Injection Exploit
Spoofed Form Submissions

Ken
rcorlew Posted March 6, 2007

Just a suggestion, try using different variable names. You can also try using regex in any field(s) that someone could squeeze code into. If memory serves me correctly, most spammers just insert their code into the message field and then their code would take over the script. So regex(ing) the form before anything else would help to eliminate that.
kenrbnsn Posted March 6, 2007

Also, don't trust JavaScript for validation, as most spammers aren't using your code. They did a "show source" to see the form variables the form is sending, then wrote their own code to send those variables to your processing script.

Ken
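The two points above (mail header injection, and form posts that never pass through the browser's JavaScript) both call for checks in the processing script itself. The following is an added example, not code from any poster in this thread: `validate_contact_form()` is a hypothetical helper, the field names are assumed from the form described in the first post, and the sample input is constructed.

```php
<?php
// Added example, not code from this thread. validate_contact_form() is a
// hypothetical helper; field names follow the form in the first post.

function validate_contact_form(array $post): array
{
    $clean = [];
    $errors = [];

    // These values end up in mail headers or the Subject line, so a CR or LF
    // in any of them would let the sender append headers of their own.
    foreach (['name', 'email', 'phone', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $errors[$field] = 'missing';
        } elseif (preg_match('/[\r\n]/', $value)) {
            $errors[$field] = 'line break in single-line field';
        } else {
            $clean[$field] = trim($value);
        }
    }

    if (isset($clean['email']) && !filter_var($clean['email'], FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'not a valid address';
        unset($clean['email']);
    }

    // The body may contain line breaks; it is never placed in a header.
    $message = $post['message'] ?? '';
    if (!is_string($message) || trim($message) === '') {
        $errors['message'] = 'missing';
    } else {
        $clean['message'] = str_replace(["\r\n", "\r"], "\n", trim($message));
    }

    return [$clean, $errors];
}

// Constructed sample: a POST sent straight to the script, bypassing the
// browser form and its JavaScript checks.
$spoofed = [
    'name'    => 'Visitor',
    'email'   => "visitor@example.com\r\nBcc: someone@example.net",
    'phone'   => '555-0100',
    'subject' => 'Hello',
    'message' => "Line one\r\nLine two",
];
[$clean, $errors] = validate_contact_form($spoofed);
print_r($errors); // only call mail() when $errors is empty
```

When `$errors` is empty, send with a fixed From address of your own and put the validated visitor address only in Reply-To.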
bcoffin (Author) Posted March 7, 2007

I'll try changing email to myemail, message to mymessage (or something like that) to see if that resolves the issue. Thanks for the links too, you guys. I really appreciate your brilliance.

Benny
rcorlew Posted March 11, 2007

I don't know why I did not share this earlier. I simply set a really weird $var in the header of my page; since my page is made up of many parts, the only way that the form would work is to actually load the whole page. I know that may not be the most secure, but I have not thought of anything better, so here goes my example:

<?php
// inside my page, other than inside the mail page itself, I set a variable
$myfunkyvar = "nose";

// then before the actual sendmail part of the script can be used I require that variable
if ($myfunkyvar == "nose") {
    // script will execute here
} else {
    // script will not function and user is redirected to another page or even site, the meaner the better
    header('Location: http://www.yoursite.com/index.php');
    exit; // stop here so nothing after the redirect runs
}
?>