
fighting against guestbook spam


nunu78


Another guestbook spam question. I've received great tips from this board to help fight spam on my guestbook. Now I would like to ask what might prevent part of this code from working. I am trying to block messages with html (that part works PERFECTLY), but now I would like to add code to block any message that includes the words www, http, https etc., so that ALL messages with links of ANY kind (also with [ ] tags) would be blocked.

 

Kind thank you in advance!  :)

 

<?php

$dateFormat = 'd.m.Y';
$timeFormat = 'H:i';

if (empty($_POST['message'])) {
  // bookurl is taken from the form as-is; check that it points at your own site
  // before redirecting, otherwise anyone can use this script as an open redirect.
  header('Location: '.$_POST['bookurl'].'?contents=blank');
  exit;
}

else {
  $entryFile = 'entries.txt';
  $formatFile = 'format.php';

  $message = stripslashes($_POST['message']);

  $allowedTags = '<a><em><strong><b><i><img>';

  $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup|style|class|id';

  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     // The original used preg_replace() with the /e (eval) modifier, which is
     // deprecated since PHP 5.5 and removed in PHP 7; preg_replace_callback()
     // does the same job without evaluating a string as code.
     return preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
     }, $source);
  }
  function removeEvilAttributes($tagSource)
  {
    global $stripAttrib;
    // Replaces event handlers, javascript: URLs and style/class/id attributes inside a tag.
    // (The stripslashes() call was only needed to undo the quoting added by /e.)
    return preg_replace("/$stripAttrib/i", 'forbidden', $tagSource);
  }

  // Breaks up words longer than $maxLength so they cannot stretch the page; skips tags.
  function word_wrap($message)
  {
    $maxLength = 60;
    $cut = ' ';
    $result = '';
    $wordlength = 0;

    $length = strlen($message);

    $tag = FALSE;
    for ($i = 0; $i < $length; $i++)
    {
      $char = substr($message, $i, 1);
      if ($char == '<') { $tag = TRUE; }
      elseif ($char == '>') { $tag = FALSE; }
      elseif (!$tag && $char == ' ') { $wordlength = 0; }
      elseif (!$tag) { $wordlength++; }
      // $wordlength > 0 added: 0 % 60 is also 0, so the original appended an extra
      // space after every blank and after every closing '>'.
      if (!$tag && $wordlength > 0 && $wordlength % $maxLength == 0) { $char .= $cut; }
      $result .= $char;
    }
    return $result;
  }

  $message = word_wrap(removeEvilTags($message));
  // '&' must become the entity '&amp;' (the forum display of the original post turned the
  // entity back into a plain '&', which made this replacement a no-op). Blank lines become
  // paragraph breaks, single newlines become <br />.
  $message = str_replace(array('&', "\r\n\r\n"), array('&amp;', '</p><p>'), $message);
  $message = str_replace(array('&gt;', '&lt;', "\r\n"), array('>', '<', '<br />'), $message);

  // Trap: anything that still looks like a tag is spam. The <br> and <p> inserted just
  // above have to be allowed here, otherwise every message with a line break is rejected.
  $strippedInput = strip_tags($message, '<br><p>');
  if ($message != $strippedInput) {
     header('Location: trap.php');
     exit;
  }

  // Delimiter changed from ^ to # (^ is legal but reads like an anchor); /i added so
  // WWW.EXAMPLE.COM is caught too. The path class "[.../-~-]" of the original contained
  // an accidental range from '/' to '~' (almost every printable character); it is now the
  // literals . / ~ - , which does not change whether a URL is detected.
  $url_match = '#(((http|ftp|https)://)|(www\.))+(([a-zA-Z0-9._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9&%_./~-]*)?#i';

  if (preg_match($url_match, $message))
  {
    echo "A url was found in your post, Not allowed - mission aborted.";
    exit;
  }

  $signername = strip_tags(stripslashes($_POST['signername']));
  $email = urlencode(strip_tags(stripslashes($_POST['email'])));
  $url = urlencode(strip_tags(stripslashes($_POST['url'])));
  $url = str_replace(array('%2F', '%3A'), array('/', ':'), $url);

  $formatted = file_get_contents($formatFile);
  $variables = array("\n", '%%signername%%', '%%email%%', '%%url%%', '%%message%%', '%%date%%', '%%time%%');
  $inputs = array('', $signername, $email, $url, $message, date($dateFormat), date($timeFormat));

  $formatted = str_replace($variables, $inputs, $formatted);

  // file_get_contents() instead of fread(..., filesize()): fread() with length 0 fails on an empty file.
  $content = file_exists($entryFile) ? file_get_contents($entryFile) : '';

  $newContent = $formatted."\n".$content;

  // LOCK_EX so two visitors posting at the same moment do not overwrite each other's entry.
  file_put_contents($entryFile, $newContent, LOCK_EX);

  header('Location: '.$_POST['bookurl']);
  exit;

}

?>
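As an added example (my code, not part of the post above or of the guestbook script), here is one way to do the link check the question asks for: it catches http/https/ftp URLs, "www." hosts, bare domain names with a common ending, and BBCode-style [url]/[link]/[img] tags, and it runs on the entity-decoded text so a spammer writing the colon as &#58; is treated the same as one writing it plainly. The function name containsLink, the short list of domain endings and all sample messages are my own constructions.

```php
<?php
// Added example: detect links of any kind in a guestbook message before it is stored.
// Not from the original thread; function name, TLD list and samples are constructed.

function containsLink(string $message): bool
{
    // Decode HTML entities once so "http&#58;//" is seen as "http://". Decoding
    // before matching is what makes the regexes below hard to sidestep.
    $text = html_entity_decode($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $patterns = array(
        // scheme://host (http, https, ftp); stray spaces inside "://" tolerated
        '~\b(?:https?|ftp)\s*:\s*/\s*/~i',
        // www.host
        '~\bwww\s*\.\s*[a-z0-9-]+~i',
        // bare domain followed by a common ending, e.g. example.com or example.co.uk
        // (short illustrative list; extend it for your own guestbook)
        '~\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz|ru|cn|de|uk|eu|io)\b~i',
        // BBCode link tags: [url], [url=...], [link], [img]
        '~\[\s*(?:url|link|img)\b[^\]]*\]~i',
    );

    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $text) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample messages (not real posts) with the verdict each should get.
$samples = array(
    'Great site, keep it up!'                   => false,
    'Visit http://example.com for cheap stuff'  => true,
    'check WWW.EXAMPLE.ORG now'                 => true,
    'see [url=http://example.net]here[/url]'    => true,
    '[URL]example.biz[/URL]'                    => true,
    'obfuscated: http&#58;//example.com'        => true,
    'my mail is someone at example dot com'     => false,
);

foreach ($samples as $text => $expected) {
    $found = containsLink($text);
    printf("%-4s %-4s %s\n", $found ? 'LINK' : 'ok', $found === $expected ? 'PASS' : 'FAIL', $text);
}
```

In the guestbook script this check belongs right after the message has been read from $_POST and before anything is written to entries.txt; whichever branch fires, the visitor gets the same rejection message so the filter gives no hint about which pattern caught them.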


Okay, since yesterday evening the blocking of html-code hasn't been working as well as it did for a month, there seems to be a way to bypass this strip_tag code...

 

ANY help is appreciated!


I seem to be the only one writing to this topic but anyway...

 

I just found out why the strip_tags part is not working. The spammers are using &lt; instead of < and the result is obvious. Any way to stop messages with &lt; ?


to keep people from using things like "&lt;" use html_entity_decode() along with the strip_tags() function...

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = html_entity_decode($source);   // turn &lt; back into < so strip_tags() can see the tag
     $source = strip_tags($source, $allowedTags);
     // /e modifier replaced with a callback (the /e modifier is removed in PHP 7)
     return preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
     }, $source);
  }
?>


all what I added does is turn things like "&lt;" into <

which will be stripped by strip_tags on the next line...

 

another thing you could do is keep them from using entities all together and just run htmlentities()...

 

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     $source = htmlentities($source);   // encodes < into &lt; so nothing left over is treated as html
     // /e modifier replaced with a callback (the /e modifier is removed in PHP 7)
     return preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
     }, $source);
  }
?>

 

this will change things like < into &lt; and keep them from being decoded by the browser as html entities.

 

just try the two and see which result you like the best


I will try that one as well. Thank you! This at least keeps the spam away for a while, I hope.

 

I am having issues with my textarea in the form, it refuses messages that have been paragraphed. I guess that's another topic if I can't do anything to it myself.


I think it might be some kind of a bug... When I added the

 

$source = htmlentities($source);

part to the code (in the right place of course) it refused also messages where when testing I wrote

 

test

test

 

using the ENTER key to change the line between words. And before adding that piece of code it worked just fine. And I am sure it's not the code that does that, but a bug. But whether the bug is somewhere in my files or somewhere on the server or where, that I don't know as of now.

 

Thanks for helping with the spamfight though! Much appreciated!

 


Woops... maybe

 

<?php
  function removeEvilTags($source)
  {
     global $allowedTags;
     $source = strip_tags($source, $allowedTags);
     // /e modifier replaced with a callback (the /e modifier is removed in PHP 7)
     $source = preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<'.removeEvilAttributes($m[1]).'>';
     }, $source);
     return htmlentities($source);   // encode last, after the attribute clean-up has run
  }
?>

 

question... why are you keeping tags like br and p anyway?


nope, both solutions cause the message to disappear...

 

and I have to keep those as people who post to my guestbook keep hitting enter when they have longer messages and want to start new paragraphs and separate different matters in the message...


Well, it's parts from here and there and so far my coding in php is so beginners level, that I can't do a thing about it. But if it keeps the spam away, I can always write a note next to the send button in the form, asking not to use line change/enter.

 

I just want to keep the spam away!


function cleanForMarkup($string, $doLineBreaks = true) {
  $string = trim($string);
  $string = htmlentities($string, ENT_QUOTES);
  if ($doLineBreaks) $string = nl2br($string);
  return $string;
}

 

Might this be useful for me?
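Pulling the thread together, here is an added example (my code, not from any of the posts above or from the guestbook script): it reproduces the &lt; bypass discussed earlier, shows the decode-before-strip_tags fix that was suggested, and then takes the cleanForMarkup approach one step further by keeping the paragraphs and line breaks visitors need, with all HTML treated as plain text. The function names filterOriginalOrder and filterDecodeFirst are mine, cleanForMarkup is reworked from the snippet above, and the sample spam message is constructed.

```php
<?php
// Added example, not from the original thread. Function names are mine.

// The pipeline as posted: strip_tags() first, then turn &lt;/&gt; back into < >
// for display. strip_tags() sees no tag in "&lt;a&gt;", so the replacement
// re-creates live HTML after the filter has already run.
function filterOriginalOrder(string $message): string
{
    $message = strip_tags($message);
    return str_replace(array('&gt;', '&lt;'), array('>', '<'), $message);
}

// Fix 1 (the html_entity_decode() suggestion above): decode entities before
// strip_tags() so the tag is visible to it. Looping until the text stops
// changing also handles double encoding such as "&amp;lt;".
function filterDecodeFirst(string $message): string
{
    $text = $message;
    for ($round = 0; $round < 5; $round++) {
        $decoded = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $text) {
            break;
        }
        $text = $decoded;
    }
    return strip_tags($text);
}

// Fix 2 (the cleanForMarkup() idea): allow no HTML at all. Treat the message as
// plain text, escape it once on output, and build the paragraphs and line breaks
// yourself so ENTER still works for visitors. Nothing a visitor types can become
// markup, because every < > & " ' is escaped before the <p> and <br> are added.
function cleanForMarkup(string $string): string
{
    $string = trim(str_replace("\r\n", "\n", $string));
    $string = htmlspecialchars($string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $paragraphs = preg_split('/\n{2,}/', $string);          // blank line = new paragraph
    $paragraphs = array_map(function ($p) {
        return '<p>' . nl2br($p, false) . '</p>';          // single newline = <br>
    }, $paragraphs);
    return implode("\n", $paragraphs);
}

// Constructed spam sample: the angle brackets are written as entities.
$spam = 'nice page &lt;a href="http://example.com"&gt;cheap pills&lt;/a&gt;';

echo "original order : ", filterOriginalOrder($spam), "\n";
echo "decode first   : ", filterDecodeFirst($spam), "\n";
echo "plain text     :\n", cleanForMarkup("Hello!\r\n\r\nSecond paragraph\r\nwith a break &lt;b&gt;"), "\n";
```

Run it with the php command line: the first line comes back with a working anchor tag in it, the second with the tag gone, and the third as two paragraphs with a break where the single newline was and the typed &lt;b&gt; shown literally. The second approach is the one to prefer for a guestbook, since it removes the question of which tags and entities to allow altogether.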


Archived

This topic is now archived and is closed to further replies.
