fighting against guestbook spam

[nunu78]

Another guestbook spam question. I've received great tips from this board to help fight spam on my guestbook. Now I would like to ask what might prevent part of this code from working, am trying to block messages with html (that part works PERFECTLY) but now would like to add either code to block a message that includes www,http, https etc word so that ALL messages with links of ANY kind (also with [ ] tags) would be blocked.

 

Kind thank you in advance! 

 

<?php

$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';

if (empty($_POST['message'])) {
  header('Location: '.$_POST['bookurl'].'?contents=blank');
}

else {
  $entryFile = 'entries.txt';
  $formatFile = 'format.php';

  $message = stripslashes($_POST['message']);

  $allowedTags = '<a><em><strong><b><i><img>';

  $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
  function removeEvilAttributes($tagSource)
  {
    global $stripAttrib;
    return stripslashes(preg_replace("/$stripAttrib/i", 'forbidden', $tagSource));
  }

  function word_wrap($message)
  {
    $maxLength = 60;
    $cut = ' ';
    $result = '';
    $wordlength = 0;

    $length = strlen($message);

    $tag = FALSE;
    for ($i = 0; $i < $length; $i++)
    {
      $char = substr($message, $i, 1);
      if ($char == '<') { $tag = TRUE; }
      elseif ($char == '>') { $tag = FALSE; }
      elseif (!$tag && $char == ' ') { $wordlength = 0; }
      elseif (!$tag) { $wordlength++; }
      if (!$tag && !($wordlength%$maxLength)) { $char .= $cut; }
      $result .= $char;
    }
  return $result;
  }

  $message = word_wrap(removeEvilTags($message));
  $message = str_replace(array('&', "\r\n\r\n"), array('&', '</p><p>'), $message);
  $message = str_replace(array('&gt;', '&lt;', "\r\n"), array('>', '<', '<br />'), $message);

$strippedInput = strip_tags($message);
if($message != $strippedInput) {
     header('location:trap.php'); 
     die();

}
$url_match = "^(((http|ftp|https)://)|(www\.))+(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9\&%_\./-~-]*)?^";

if (preg_match($url_match, $message))
{
echo "A url was found in your post, Not allowed - mission aborted.";
die ();
}

  $signername = strip_tags(stripslashes($_POST['signername']));
  $email = urlencode(strip_tags(stripslashes($_POST['email'])));
  $url = urlencode(strip_tags(stripslashes($_POST['url'])));
  $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

  $formatted = file_get_contents($formatFile);
  $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
  $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));

  $formatted = str_replace($variables, $inputs, $formatted);

  $oldEntries = fopen($entryFile, 'r');
  $content = fread($oldEntries, filesize($entryFile));
  fclose($oldEntries);

  $newContent = $formatted."\n".$content;

  $allEntries = fopen($entryFile, 'w');
  fwrite($allEntries, $newContent);
  fclose($allEntries);

  header('Location: '.$_POST['bookurl']);

}

?>

[nunu78]

Anyone?

[nunu78]

Okay, since yesterday evening the blocking of html-code hasn't been working as well as it did for a month, there seems to be a way to bypass this strip_tag code...

 

ANY help is appreciated!

[nunu78]

I seem to be the only one writing to this topic but anyway...

 

I just found out why the strip_tags part is not working. The spammers are using < instead of < and the result is obvious. Any way to stop messages with < ?

[genericnumber1]

to keep people from using things like "<" use html_entity_decode() along with the strip_tags() function...

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = html_entity_decode($source);
     $source = strip_tags($source, $allowedTags);
     return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
?>

[nunu78]

THANK you for answering... and another question right away:

 

I assume that this decodes <br> and <p> as well. How would I go about if I would want to allow those two?

[genericnumber1]

all what I added does is turn things like "<" into <

which will be stripped by strip_tags on the next line...

 

another thing you could do is keep them from using entities all together and just run htmlentities()...

 

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     $source = htmlentities($source);
     return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
?>

 

this will change things like < into &lt; and keep them from being decoded by the browser as html entities.

 

just try the two and see which result you like the best

[nunu78]

I will try that one as well. Thank you! This at least keeps the spam away for a while, I hope.

 

I am having issues with my textarea in the form, it refuses messages that have been paragarphed. I guess that's another topic if I can't do anything to it myself.

[genericnumber1]

feel free to post it here and I'll read it if I'm on, I cant speak much for other people though.

[nunu78]

I think it might be some kind of a bug... When I added the

 

$source = htmlentities($source);

part to the code (in the right place of course) it refused also messages where when testing I wrote

 

test

test

 

using ENTER-key to change the line between words. And before adding that piece of code it worked just fine. And I am sure it's not the code that does that, but a bug. But is the bug somewhere in my files or is it somewhere on the server or where, that I don't know as of now.

 

Thanks for helping with the spamfight though! Much appreciated!

 

[genericnumber1]

Woops... maybe

 

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     $source = preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
     return htmlentities($source);
  }
?>

 

question... why are you keeping tags like br and p anyway?

[genericnumber1]

oh, nevermind.. I look at your source now and you dont want the message to change at all.. okay then what I've been posting wouldn't work, the first thing I posted SHOULD work though.

[nunu78]

nope, both solutions cause the message to disappear...

 

and I have to keep those as people who post to my guestbook keep hitting enter when they have longer messages and want to start new paragraphs and separate different matters in the message...

[genericnumber1]

Your code is pretty messy and hard to change without breaking... I'd opt for rewriting it completely

[nunu78]

Well, it's parts from here and there and so far my coding in php is so beginners level, that I can't do a thing about it. But if it keeps the spam away, I can always write a note next to the send button in the form, asking not to use line change/enter.

 

I just want to keep the spam away!

[nunu78]

function cleanForMarkup($string, $doLineBreaks = true) {
  $string = trim($string);
  $string = htmlentities($string, ENT_QUOTES);
  if ($doLineBreaks) $string = nl2br($string);
  return $string;
}

 

Might this be useful for me?

[nunu78]

Or would it just be easiest to look for specific words or phrases in the message and block it based on that?

 

For example block all messages that has the "http://www" in it? *goes to try to find how to do that*