Jump to content

Archived

This topic is now archived and is closed to further replies.

nunu78

fighting against guestbook spam

Recommended Posts

Another guestbook spam question. I've received great tips from this board to help fight spam on my guestbook. Now I would like to ask what might prevent part of this code from working, am trying to block messages with html (that part works PERFECTLY) but now would like to add either code to block a message that includes www,http, https etc word so that ALL messages with links of ANY kind (also with [ ] tags) would be blocked.

 

Kind thank you in advance!  :)

 

<?php

$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';

if (empty($_POST['message'])) {
  header('Location: '.$_POST['bookurl'].'?contents=blank');
}

else {
  $entryFile = 'entries.txt';
  $formatFile = 'format.php';

  $message = stripslashes($_POST['message']);

  $allowedTags = '<a><em><strong><b><i><img>';

  $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
  function removeEvilAttributes($tagSource)
  {
    global $stripAttrib;
    return stripslashes(preg_replace("/$stripAttrib/i", 'forbidden', $tagSource));
  }

  function word_wrap($message)
  {
    $maxLength = 60;
    $cut = ' ';
    $result = '';
    $wordlength = 0;

    $length = strlen($message);

    $tag = FALSE;
    for ($i = 0; $i < $length; $i++)
    {
      $char = substr($message, $i, 1);
      if ($char == '<') { $tag = TRUE; }
      elseif ($char == '>') { $tag = FALSE; }
      elseif (!$tag && $char == ' ') { $wordlength = 0; }
      elseif (!$tag) { $wordlength++; }
      if (!$tag && !($wordlength%$maxLength)) { $char .= $cut; }
      $result .= $char;
    }
  return $result;
  }

  $message = word_wrap(removeEvilTags($message));
  $message = str_replace(array('&', "\r\n\r\n"), array('&', '</p><p>'), $message);
  $message = str_replace(array('&gt;', '&lt;', "\r\n"), array('>', '<', '<br />'), $message);

$strippedInput = strip_tags($message);
if($message != $strippedInput) {
     header('location:trap.php'); 
     die();

}
$url_match = "^(((http|ftp|https)://)|(www\.))+(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9\&%_\./-~-]*)?^";

if (preg_match($url_match, $message))
{
echo "A url was found in your post, Not allowed - mission aborted.";
die ();
}

  $signername = strip_tags(stripslashes($_POST['signername']));
  $email = urlencode(strip_tags(stripslashes($_POST['email'])));
  $url = urlencode(strip_tags(stripslashes($_POST['url'])));
  $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

  $formatted = file_get_contents($formatFile);
  $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
  $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));

  $formatted = str_replace($variables, $inputs, $formatted);

  $oldEntries = fopen($entryFile, 'r');
  $content = fread($oldEntries, filesize($entryFile));
  fclose($oldEntries);

  $newContent = $formatted."\n".$content;

  $allEntries = fopen($entryFile, 'w');
  fwrite($allEntries, $newContent);
  fclose($allEntries);

  header('Location: '.$_POST['bookurl']);

}

?>

Share this post


Link to post
Share on other sites

Okay, since yesterday evening the blocking of html-code hasn't been working as well as it did for a month, there seems to be a way to bypass this strip_tag code...

 

ANY help is appreciated!

Share this post


Link to post
Share on other sites

I seem to be the only one writing to this topic but anyway...

 

I just found out why the strip_tags part is not working. The spammers are using < instead of < and the result is obvious. Any way to stop messages with < ?

Share this post


Link to post
Share on other sites

to keep people from using things like "<" use html_entity_decode() along with the strip_tags() function...

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = html_entity_decode($source);
     $source = strip_tags($source, $allowedTags);
     return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
?>

Share this post


Link to post
Share on other sites

THANK you for answering... and another question right away:

 

I assume that this decodes <br> and <p> as well. How would I go about if I would want to allow those two?

Share this post


Link to post
Share on other sites

all what I added does is turn things like "<" into <

which will be stripped by strip_tags on the next line...

 

another thing you could do is keep them from using entities all together and just run htmlentities()...

 

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     $source = htmlentities($source);
     return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
  }
?>

 

this will change things like < into &lt; and keep them from being decoded by the browser as html entities.

 

just try the two and see which result you like the best

Share this post


Link to post
Share on other sites

I will try that one as well. Thank you! This at least keeps the spam away for a while, I hope.

 

I am having issues with my textarea in the form, it refuses messages that have been paragarphed. I guess that's another topic if I can't do anything to it myself.

Share this post


Link to post
Share on other sites

I think it might be some kind of a bug... When I added the

 

$source = htmlentities($source);

part to the code (in the right place of course) it refused also messages where when testing I wrote

 

test

test

 

using ENTER-key to change the line between words. And before adding that piece of code it worked just fine. And I am sure it's not the code that does that, but a bug. But is the bug somewhere in my files or is it somewhere on the server or where, that I don't know as of now.

 

Thanks for helping with the spamfight though! Much appreciated!

 

Share this post


Link to post
Share on other sites

Woops... maybe

 

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     $source = preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
     return htmlentities($source);
  }
?>

 

question... why are you keeping tags like br and p anyway?

Share this post


Link to post
Share on other sites

oh, nevermind.. I look at your source now and you dont want the message to change at all.. okay then what I've been posting wouldn't work, the first thing I posted SHOULD work though.

Share this post


Link to post
Share on other sites

nope, both solutions cause the message to disappear...

 

and I have to keep those as people who post to my guestbook keep hitting enter when they have longer messages and want to start new paragraphs and separate different matters in the message...

Share this post


Link to post
Share on other sites

Well, it's parts from here and there and so far my coding in php is so beginners level, that I can't do a thing about it. But if it keeps the spam away, I can always write a note next to the send button in the form, asking not to use line change/enter.

 

I just want to keep the spam away!

Share this post


Link to post
Share on other sites

function cleanForMarkup($string, $doLineBreaks = true) {
  $string = trim($string);
  $string = htmlentities($string, ENT_QUOTES);
  if ($doLineBreaks) $string = nl2br($string);
  return $string;
}

 

Might this be useful for me?

Share this post


Link to post
Share on other sites

Or would it just be easiest to look for specific words or phrases in the message and block it based on that?

 

For example block all messages that has the "http://www" in it? *goes to try to find how to do that*

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.