nunu78 Posted March 20, 2007

Another guestbook spam question. I've received great tips from this board to help fight spam on my guestbook. Now I would like to ask what might prevent part of this code from working. I am trying to block messages with HTML (that part works PERFECTLY), but now I would like to add code to block any message that includes a word like www, http, https etc., so that ALL messages with links of ANY kind (also with [ ] tags) would be blocked. Kind thank you in advance!

<?php
$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';

if (empty($_POST['message'])) {
    header('Location: '.$_POST['bookurl'].'?contents=blank');
} else {
    $entryFile  = 'entries.txt';
    $formatFile = 'format.php';
    $message    = stripslashes($_POST['message']);

    $allowedTags = '<a><em><strong><b><i><img>';
    $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

    // Strip everything except $allowedTags, then neutralise event-handler and
    // style attributes inside the tags that remain. preg_replace_callback()
    // replaces the original /e modifier, which PHP 7 removed.
    function removeEvilTags($source) {
        global $allowedTags;
        $source = strip_tags($source, $allowedTags);
        return preg_replace_callback('/<(.*?)>/i', function ($m) {
            return '<'.removeEvilAttributes($m[1]).'>';
        }, $source);
    }

    function removeEvilAttributes($tagSource) {
        global $stripAttrib;
        // The stripslashes() of the /e version is not needed here: the callback
        // receives the raw match, not an addslashes()'d copy.
        return preg_replace("/$stripAttrib/i", 'forbidden', $tagSource);
    }

    // Insert a space into any run of $maxLength non-space characters outside tags.
    function word_wrap($message) {
        $maxLength  = 60;
        $cut        = ' ';
        $result     = '';
        $wordlength = 0;
        $length     = strlen($message);
        $tag        = FALSE;
        for ($i = 0; $i < $length; $i++) {
            $char = substr($message, $i, 1);
            if ($char == '<') {
                $tag = TRUE;
            } elseif ($char == '>') {
                $tag = FALSE;
            } elseif (!$tag && $char == ' ') {
                $wordlength = 0;
            } elseif (!$tag) {
                $wordlength++;
            }
            // $wordlength > 0 keeps the cut from being added after every space
            // (0 % $maxLength is 0, so the original test fired there too).
            if (!$tag && $wordlength > 0 && !($wordlength % $maxLength)) {
                $char .= $cut;
            }
            $result .= $char;
        }
        return $result;
    }

    $message = word_wrap(removeEvilTags($message));
    $message = str_replace(array('&', "\r\n\r\n"), array('&amp;', '</p><p>'), $message);
    // NOTE: the first two search/replace pairs of this call lost their HTML
    // entity forms when the post was saved; only the "\r\n" -> "<br />" pair
    // survives intact.
    $message = str_replace(array('>', '<', "\r\n"), array('>', '<', '<br />'), $message);

    // Any tag still present (including the allowed ones, and the <br /> / <p>
    // tags inserted above for line breaks) sends the poster to the trap page.
    $strippedInput = strip_tags($message);
    if ($message != $strippedInput) {
        header('Location: trap.php');
        die();
    }

    // The original used '^' as the pattern delimiter; '#' is the same pattern, just readable.
    $url_match = "#(((http|ftp|https)://)|(www\.))+(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9\&%_\./-~-]*)?#";
    if (preg_match($url_match, $message)) {
        echo "A url was found in your post, Not allowed - mission aborted.";
        die();
    }

    $signername = strip_tags(stripslashes($_POST['signername']));
    $email      = urlencode(strip_tags(stripslashes($_POST['email'])));
    $url        = urlencode(strip_tags(stripslashes($_POST['url'])));
    $url        = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

    $formatted = file_get_contents($formatFile);
    $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
    $inputs    = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));
    $formatted = str_replace($variables, $inputs, $formatted);

    // Prepend the new entry to the existing ones. file_get_contents() avoids the
    // fread() warning the original raised when entries.txt was still empty.
    $content    = file_exists($entryFile) ? file_get_contents($entryFile) : '';
    $newContent = $formatted."\n".$content;
    $allEntries = fopen($entryFile, 'w');
    fwrite($allEntries, $newContent);
    fclose($allEntries);

    header('Location: '.$_POST['bookurl']);
}
?>
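The question above asks for one check that rejects links of every kind, including bracketed [url] tags, and the thread's closing post asks how to match "http://www". The following is an added example, not nunu78's or genericnumber1's code: the function name containsLink(), the three patterns and every sample message are assumptions constructed for this illustration. It decodes HTML entities before matching, so a link hidden behind "&lt;" or "&#58;" style encoding is seen the same way the browser would see it.

```php
<?php
// Added example (not code from the original thread): one link detector covering
// http/https/ftp URLs, bare "www." hosts and BBCode-style [url] / [link] tags,
// including entity-encoded and mixed-case forms.

function containsLink(string $message): bool
{
    // Normalize first so entity encoding or odd casing cannot hide a link from
    // the patterns; decoding twice also undoes double encoding ("&amp;#58;").
    $text = html_entity_decode($message, ENT_QUOTES, 'UTF-8');
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    $text = strtolower($text);

    $patterns = [
        '#\b(?:https?|ftp)://#',     // scheme-prefixed URLs
        '#(?<![a-z0-9.-])www\.#',    // "www." at the start of a word only
        '#\[/?(?:url|link)\b#',      // BBCode [url], [url=...], [/url], [link]
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $text) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample entries (message => whether a link should be detected).
$samples = [
    'Nice site, greetings from Finland!'                 => false,
    'Check out http://example.com/cheap'                 => true,
    'visit WWW.EXAMPLE.COM now'                          => true,
    '[url=http://example.com]click[/url]'                => true,
    'Encoded scheme: http&#58;&#47;&#47;example.com'     => true,
    'Double encoded: http&amp;#58;//example.com'         => true,
    'awww.com jokes, no real link here'                  => false,
];

foreach ($samples as $text => $expected) {
    $result = containsLink($text);
    printf("%-5s %-13s %s\n",
        $result ? 'LINK' : 'ok',
        $result === $expected ? '(as expected)' : '(UNEXPECTED)',
        $text);
}
```

Run the check on the raw $_POST['message'] before any of the display formatting happens; once "<br />" or "</p><p>" have been inserted the text is no longer what the visitor typed. The lookbehind in the second pattern is what keeps ordinary words that merely contain "www." (such as "awww.com" above) from being flagged.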
nunu78 (Author) Posted March 20, 2007

Anyone?
nunu78 (Author) Posted March 20, 2007

Okay, since yesterday evening the blocking of HTML code hasn't been working as well as it did for a month; there seems to be a way to bypass this strip_tags code... ANY help is appreciated!
nunu78 (Author) Posted March 20, 2007

I seem to be the only one writing to this topic, but anyway... I just found out why the strip_tags part is not working. The spammers are using &lt; instead of < and the result is obvious. Any way to stop messages with &lt;?
genericnumber1 Posted March 20, 2007

To keep people from using things like "&lt;", use html_entity_decode() along with the strip_tags() function...

<?php
function removeEvilTags($source) {
    global $allowedTags;
    // Turn "&lt;a ...&gt;" back into a real tag so strip_tags() can see it.
    $source = html_entity_decode($source);
    $source = strip_tags($source, $allowedTags);
    // preg_replace_callback() stands in for the /e modifier, which PHP 7 removed.
    return preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
    }, $source);
}
?>
nunu78 (Author) Posted March 20, 2007

THANK you for answering... and another question right away: I assume that this decodes <br> and <p> as well. How would I go about it if I wanted to allow those two?
genericnumber1 Posted March 20, 2007

All that what I added does is turn things like "&lt;" into <, which will be stripped by strip_tags on the next line... Another thing you could do is keep them from using entities altogether and just run htmlentities()...

<?php
function removeEvilTags($source) {
    global $allowedTags;
    $source = strip_tags($source, $allowedTags);
    // Encode every remaining special character, including the "<" of tags
    // that survived strip_tags().
    $source = htmlentities($source);
    // preg_replace_callback() stands in for the /e modifier, which PHP 7 removed.
    return preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
    }, $source);
}
?>

This will change things like < into &lt; and keep them from being decoded by the browser as HTML entities. Just try the two and see which result you like the best.
nunu78 (Author) Posted March 20, 2007

I will try that one as well. Thank you! This at least keeps the spam away for a while, I hope. I am having issues with my textarea in the form; it refuses messages that have been paragraphed. I guess that's another topic if I can't do anything about it myself.
genericnumber1 Posted March 20, 2007

Feel free to post it here and I'll read it if I'm on; I can't speak much for other people though.
nunu78 (Author) Posted March 20, 2007

I think it might be some kind of a bug... When I added the $source = htmlentities($source); part to the code (in the right place, of course) it also refused messages where, when testing, I wrote "test test" using the ENTER key to change the line between the words. And before adding that piece of code it worked just fine. And I am sure it's not the code that does that, but a bug. But whether the bug is somewhere in my files or somewhere on the server or where, that I don't know as of now. Thanks for helping with the spam fight though! Much appreciated!
genericnumber1 Posted March 20, 2007

Woops... maybe

<?php
function removeEvilTags($source) {
    global $allowedTags;
    $source = strip_tags($source, $allowedTags);
    // preg_replace_callback() stands in for the /e modifier, which PHP 7 removed.
    $source = preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
    }, $source);
    // Encode last, after the attribute clean-up has run on the real tags.
    return htmlentities($source);
}
?>

Question... why are you keeping tags like br and p anyway?
genericnumber1 Posted March 20, 2007

Oh, never mind.. I looked at your source now and you don't want the message to change at all.. Okay, then what I've been posting wouldn't work; the first thing I posted SHOULD work though.
nunu78 (Author) Posted March 20, 2007

Nope, both solutions cause the message to disappear... and I have to keep those, as people who post to my guestbook keep hitting Enter when they have longer messages and want to start new paragraphs and separate different matters in the message...
genericnumber1 Posted March 20, 2007

Your code is pretty messy and hard to change without breaking... I'd opt for rewriting it completely.
nunu78 (Author) Posted March 20, 2007

Well, it's parts from here and there, and so far my coding in PHP is at such a beginner's level that I can't do a thing about it. But if it keeps the spam away, I can always write a note next to the send button in the form, asking not to use line changes/Enter. I just want to keep the spam away!
nunu78 (Author) Posted March 20, 2007

<?php
// Escape the text for HTML output, optionally turning newlines into <br /> tags.
function cleanForMarkup($string, $doLineBreaks = true) {
    $string = trim($string);
    $string = htmlentities($string, ENT_QUOTES);
    if ($doLineBreaks) {
        $string = nl2br($string);
    }
    return $string;
}
?>

Might this be useful for me?
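The cleanForMarkup() snippet above escapes and then adds line breaks, which is the ordering that avoids the problem reported earlier in the thread (paragraphed messages disappearing): the "<br />" tags the script itself inserts must never be fed to the strip_tags() comparison. The block below is an added example, not code from the thread or the guestbook: hasMarkup(), prepareForDisplay() and the three sample posts are assumptions constructed for the illustration. It runs the tag check on the entity-decoded raw text, escapes everything, and only then generates paragraph and line-break markup.

```php
<?php
// Added example (not the guestbook's own code): an order of operations in which
// the smuggled-markup check, the escaping and the paragraph breaks do not
// interfere with each other.

function hasMarkup(string $message): bool
{
    // Decode entities first so "&lt;a href=...&gt;" is seen as a real tag,
    // the bypass described in the thread; then compare with the stripped form.
    $decoded = html_entity_decode($message, ENT_QUOTES, 'UTF-8');
    return strip_tags($decoded) !== $decoded;
}

function prepareForDisplay(string $message): string
{
    // 1. Normalize browser line endings (\r\n) to \n.
    $message = str_replace(["\r\n", "\r"], "\n", trim($message));
    // 2. Escape everything: a literal "<" typed by the author is shown as text.
    $message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    // 3. Only now turn blank lines into paragraphs and single newlines into
    //    <br />; this markup is generated here, never taken from the visitor.
    $paragraphs = preg_split('/\n{2,}/', $message);
    $paragraphs = array_map('nl2br', $paragraphs);
    return '<p>' . implode("</p>\n<p>", $paragraphs) . '</p>';
}

// Constructed sample posts.
$posts = [
    "Hello from Finland!\r\n\r\nSecond paragraph,\r\nsame topic.",          // legitimate, two paragraphs
    "Nice book &lt;a href=&quot;http://example.com&quot;&gt;x&lt;/a&gt;",   // entity-encoded tag
    "<b>bold</b> spam",                                                    // plain tag
];

foreach ($posts as $post) {
    if (hasMarkup($post)) {
        echo "REJECTED: markup found\n";
        continue;
    }
    echo "ACCEPTED:\n" . prepareForDisplay($post) . "\n\n";
}
```

For the first post this prints two <p> elements with a <br /> inside the second one, while the other two are rejected before any formatting runs. A visitor who deliberately types "&lt;" as text is rejected too, which matches what the thread is asking for; if that were unwanted, the check could be relaxed to compare the raw (undecoded) message instead.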
nunu78 (Author) Posted March 20, 2007

Or would it just be easiest to look for specific words or phrases in the message and block it based on that? For example, block all messages that have "http://www" in them? *goes to try to find out how to do that*