simcoweb Posted June 11, 2007

Ok, I have a contact form I created for a client where people register to download an Ebook. Problem is in the comments field these spam monkeys are putting in crap like this:

```
generic viagra cialis levitra soma propecia [url=http://intra.som.umass.edu/mannino/_disc1/000017e4.htm ] generic viagra [/url] [url=http://intra.som.umass.edu/mannino/_disc1/000017e5.htm ] cialis [/url] [url=http://intra.som.umass.edu/mannino/_
```

Where they're using typical bulletin board style coding for their html. So:

1. is there a way to reject certain words from being used in the form fields?
2. what syntax would I use to strip out this lame attempt of inserting links into the comments <textarea>?
3. how can I send 40,000 volts through their mouse when they hit the submit button?

Thanks!
christofurr Posted June 11, 2007

1. Use filters
2. Use filters
3. Use your imagination
Caesar Posted June 11, 2007

```php
<?php
$filter = array('viagra', 'cialis', 'levitra');
$replace = array('','');
$str = 'generic viagra cialis levitra soma propecia';
$newstr = str_replace($filter,$replace, $str);
echo $newstr;
?>
```
simcoweb Posted June 11, 2007

Thanks for that snippet, Caesar. I think what I'd like to do instead of replacing it is just block it. So, if they enter those words outlined in the filter array it would block the submission of the form completely citing 'you have entered unauthorized words: echo the words in question'.

So, building off of your array for the unacceptable words, I'm assuming I'd have to do some sort of match of the input against the array then display the error message in the event there's one or more matches. Any ideas on how to code that?
simcoweb Posted June 11, 2007

I'm already doing this:

```php
// post our variables from the registration form
$name = mysql_real_escape($_POST['name']);
$phone = mysql_real_escape($_POST['phone']);
$email = mysql_real_escape($_POST['email']);
$facing_foreclosure = $_POST['name'];
$referred_by = mysql_real_escape($_POST['referred_by']);
$comments = mysql_real_escape($_POST['comments']);
$today = date("F j, Y, g:i a");
```

But need to know if perhaps there's a way to enhance that and also separately have some type of word filter working off a text list of taboo words.
Caesar Posted June 11, 2007

You can also kick them the hell off, if they use any of the forbidden words...

```php
<?php
$wordfile = file_get_contents('words.txt');
$notallowed = explode("\n",$wordfile);
$str = 'generic viagra cialis levitra soma propecia';
foreach ($notallowed as $keyword) {
    $keyword = trim($keyword);
    if(preg_match('/'.$keyword.'/',$str)) {
        header("location: index.php?action=logout");exit; //Or whatever the logout url is
    } else {
        //Whatever you get the drift :-P
    }
}
?>
```
simcoweb Posted June 12, 2007

NOW we're talkin! Kick 'em the hell outta there, baby. I'm CERTAIN that no innocents will be extricated from the site since the site is about foreclosure and the words Cialis, Viagra, erection, etc. etc. etc. would NOT be used in the content of a legitimate inquiry.

Ok, let me tweak that a bit and I'll post back. Thanks!
simcoweb Posted June 12, 2007

Caesar, quick question. On the 'words.txt' file, I'm guessing the words should be entered one per line like so?

```
word
word
word
word
```

or could they be like so:

```
word, word, word, word
```

using the comma separator. I'm also thinking of just using a database table for them. Later on that, though.
cx323 Posted June 12, 2007

```
word
word
word
word
```

It should be like that, as it is currently exploding on a new line. You can change the explode to this:

```php
$notallowed = explode(",",$wordfile);
```

if you want to use a comma separated list.
simcoweb Posted June 12, 2007

Ok, cool. Now, final question on the words. Does Cialis = cialis? Should I add all variations to the list? Cialis, cialis, CIALIS for example? Or can we write it where case doesn't matter?
cx323 Posted June 12, 2007

Add /i to the preg_match for case insensitivity.
Caesar Posted June 12, 2007

> Or can we write it where case doesn't matter?

You can do something like....

```php
<?php
$wordfile = file_get_contents('words.txt');
$notallowed = explode(",",$wordfile);
$str = 'generic viagra cialis levitra soma propecia';
foreach ($notallowed as $keyword) {
    $keyword = trim($keyword);
    if(preg_match('/'.$keyword.'/i',$str)) {
        header("location: index.php?action=logout");exit; //Or whatever the logout url is
    } else {
        //Whatever you get the drift :-P
    }
}
?>
```

The `if(preg_match('/'.$keyword.'/i',$str)) {` will look for case insensitive matches and the `$notallowed = explode(",",$wordfile);` should separate the words by comma.
cooldude832 Posted June 12, 2007

Smarter idea is to not use flat file but make a mysql table with banned words/phrases/urls.
simcoweb Posted June 12, 2007

cooldude832, I was pondering that as well and exchange the opening of the text file for a mysql query. These are all great ideas and suggestions. Thanks to all!
simcoweb Posted June 12, 2007

Ok, I inserted these code ideas into my existing script but ran into errors, tweaked it a bit, ran into more errors, etc. Basically what I want it to do is to work as part of the 'validation' of the form results. So that's the way I approached it as part of the validation section. Here's the code:

```php
<?php
// ebook registration and database insertion
include 'db_config.inc';

if (isset($_POST['Submit'])) {
    // our attempt to stop spammers
    $wordfile = file_get_contents('words.txt');
    $notallowed = explode(",",$wordfile);
    $str = $_POST['comments'];
    foreach ($notallowed as $keyword) {
        $keyword = trim($keyword);
        if(preg_match('/'.$keyword.'/i',$str)) {
            header("location: reject.htm");exit; //Or whatever the logout url is
        } else {
            //Whatever you get the drift :-P
            // post our variables from the registration form
            $name = mysql_real_escape($_POST['name']);
            $phone = mysql_real_escape($_POST['phone']);
            $email = mysql_real_escape($_POST['email']);
            $facing_foreclosure = $_POST['name'];
            $referred_by = mysql_real_escape($_POST['referred_by']);
            $comments = mysql_real_escape($_POST['comments']);
            $today = date("F j, Y, g:i a");

            // input error checking
            if ($name=="") {
                $err.= "Please enter your name.<br/>";
            }
            if (!$phone==""){
                $err.= "Please enter your phone number.<br/>";
            }
            if (!$email) {
                $err.= "Please provide your email address<br>";
            }
            if ($email) {
                if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
                    $err.= $email. " is not a valid email address.<br/>";
                }
            }
            if ($err=="") {
                // make database connection
                db_conn();
                // mail the results to admin
                send_ebook_mail();
                // run the query
                ebook_insert();
            }
        }
    }
}
?>
```

This code is a bit modified from the first attempt where I did not have the `if (isset($_POST['Submit'])){` part included. Without it, it was throwing this error as soon as you arrive at the page:

```
Fatal error: Call to undefined function: mysql_real_escape() in /home/content/C/o/r/website/html/ebook.php on line 12
```

This is that section of the code:

```php
// our attempt to stop spammers
$wordfile = file_get_contents('words.txt');
$notallowed = explode(",",$wordfile);
$str = mysql_real_escape($_POST['comments']);
foreach ($notallowed as $keyword) {
    $keyword = trim($keyword);
    if(preg_match('/'.$keyword.'/i',$str)) {
        header("location: reject.htm");exit; //Or whatever the logout url is
    } else {
        // ... rest of the script continues here ...
    }
}
```

I don't understand why that's throwing that error. So, I added the 'if(isset)' line so the code wouldn't parse when arriving at it. Here's what I get at that point:

```
Warning: Invalid argument supplied for foreach() in /home/content/C/o/r/website/html/ebook.php on line 123
```

Which is a 'foreach' loop that displays the error messages from the validation. Not quite sure why this is happening.

Once again, I'm trying to add further 'filtering' and validation to the form. The original form parsing script worked fine but these bozos want to keep submitting it with cialis and viagra ads in it which is what we're trying to stop. Ideas?
per1os Posted June 12, 2007

Replace mysql_real_escape with mysql_real_escape_string.

EDIT: On another note you could also potentially do something like this:

```php
<?php
$wordfile = strtolower(file_get_contents('words.txt')); // make it all lowercase
$notallowed = array_map('trim', explode(",",$wordfile)); // strip whitespace around each word
$str = 'generic viagra cialis levitra soma propecia';
$lower_str = explode(" ", strtolower($str)); // explode at the space
// in_array() takes a single needle, so compare the two arrays instead
if (array_intersect($notallowed, $lower_str)) {
    header("location: index.php?action=logout");exit; //Or whatever the logout url is
}
?>
```

The preg_match solution is good because it doesn't necessarily depend on a space etc. At any rate, I just saw a bunch of empty space so I decided to fill that space with something "useful".
simcoweb Posted June 12, 2007

frost, thanks for the post. I'm slugging through this and keep hitting errors that I don't quite get. But first, on this part of your code:

```php
$str = 'generic viagra cialis levitra soma propecia';
```

I'm using this:

```php
$str = mysql_real_escape_string($_POST['comments']);
```

since the way I'm interpreting this is these jerkwads are using the comments box of the form to enter URLs and other spam words. By checking just this field I can determine if the form submission contains any of those key words. If so, then it would reject it immediately after 'Submit' and throw them to the reject.htm page. So, the $str should be checking against the $_POST['comments'] field. Do I have this right?
simcoweb Posted June 12, 2007

grrrrrrr... ok, this is not working. After testing the form and inserting the forbidden key words 'cialis viagra' into the comments section it did NOT reject me and forward me to the proper location. Instead it went ahead and submitted the form and inserted the data into the database:

```php
if (isset($_POST['Submit'])) {
    // our attempt to stop spammers
    $wordfile = file_get_contents('words.txt');
    $notallowed = explode(",",$wordfile);
    $str = strip_tags(trim($_POST['comments']));
    foreach ($notallowed as $keyword) {
        $keyword = trim($keyword);
        if(preg_match('/'.$keyword.'/i',$str)) {
            header("location: reject.htm");exit; //Or whatever the logout url is
        } else {
            // ... rest of the script continues here ...
        }
    }
}
```

The logic appears sound, no errors and the word file is present with the forbidden words. Ideas? Help?
per1os Posted June 12, 2007

You may want to try invisible captcha:

http://ploum.frimouvy.org/?150-the-invisible-captcha-mechanism-icm-against-form-spam

Great article for reading nonetheless.

As for the keyword check, do some debugging, printing out the words and expected data etc. That will show you why it is not working.
simcoweb Posted June 12, 2007

frost, I'll do some checking to see if it's reading the file. I would assume that if it wasn't then the script would just fail. Since it didn't, then I figured the next thing is the code is just not doing what it's supposed to... open the file, compare the words against the $_POST['comments'] content, declare any matches and do what's appropriate. Either it's clean or it's rejected. Does that part of the code make sense to the point it should work?
per1os Posted June 12, 2007

```php
<?php
if (isset($_POST['Submit'])) {
    // our attempt to stop spammers
    $wordfile = file_get_contents('words.txt');
    $notallowed = explode(",",$wordfile);
    $str = strip_tags(trim($_POST['comments']));
    echo "String to Test against: " . $str . "<br />";
    foreach ($notallowed as $keyword) {
        echo "Keyword: " . $keyword . "<Br />";
        $keyword = trim($keyword);
        if(preg_match('/'.$keyword.'/i',$str)) {
            header("location: reject.htm");exit; //Or whatever the logout url is
        } else {
            // ... rest of the script continues here ...
        }
    }
}
```

Run that and see what comes from it. Nothing beats a good debugging mechanism.
simcoweb Posted June 12, 2007

I get this:

```
String to Test against:
Keyword: generic viagra cialis levitra soma propecia phentermine adipex tramadol Cheap Order Adipex url http msg JADAVIS Soma fioricet pantyhose sex free gallery hooters teensinpantyhose girls teens mature sluts moms housewife teen voyeur upskirt privatevoyeur projectvoyeur Fioricet slut

Warning: Cannot modify header information - headers already sent by (output started at /home/content/C/o/r/Corbaley8076/html/ebook.php:15) in /home/content/C/o/r/website/html/ebook.php on line 95
```

First time I've seen the header error. Would that have an effect on the script parsing up to that point? Line 95 is this:

```php
header("Location: download.php?actionflag=registered");
exit;
```

Which is basically the last lines of the script which shouldn't even come into play IF the word filter did its job. That line is IF there's no errors and everything is a success. Apparently the word filter is getting pushed away, not working, etc. but it's in some way competing with the header() function.
chigley Posted June 12, 2007

You can't echo before you try to redirect, unless you're using output buffering.
per1os Posted June 12, 2007

Your string to test against is blank. The header error is because we are debugging by printing information to the screen.

```php
<?php
if (isset($_POST['Submit'])) {
    // our attempt to stop spammers
    $wordfile = file_get_contents('words.txt');
    $notallowed = explode(",",$wordfile); // is it comma or should it be "\n"
    $str = strip_tags(trim($_POST['comments']));
    echo "Comments are: " . $_POST['comments'] . "<br />";
    echo "String to Test against: " . $str . "<br />";
    foreach ($notallowed as $keyword) {
        echo "Keyword: " . $keyword . "<Br />";
        $keyword = trim($keyword);
        if(preg_match('/'.$keyword.'/i',$str)) {
            header("location: reject.htm");exit; //Or whatever the logout url is
        } else {
            // ... rest of the script continues here ...
        }
    }
}
```

What seems to be happening is that you are not exploding the word file right. If each word is on a new line you need to explode it with "\n". Since that is the case, nothing gets separated out; it is all just one string as the first item of the array. Fix that and report back what comes up.
simcoweb Posted June 12, 2007

frost, the key words are on separate lines. I changed the "," in the explode to \n and ran it:

```
String to Test against:
Keyword: generic

Warning: Cannot modify header information - headers already sent by (output started at /home/content/C/o/r/Corbaley8076/html/ebook.php:12) in /home/content/C/o/r/website/html/ebook.php on line 93
```

'generic' is the first word/line in the words.txt file. It's still not exploding them all apparently.
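
An added example, not part of any post in this thread: one way to write the blocklist check the thread is working toward, so that it reports the matched words, tolerates either list format and line-ending style, and also rejects `[url=...]` markup. The function names `load_blocklist`, `find_blocked_words` and `validate_comment` are hypothetical, and the blocklist and comments are constructed sample data.

```php
<?php
// Added example: helper names are hypothetical, sample data is constructed.
// Split a blocklist on commas or any newline style (\n, \r\n) and drop blanks,
// so an empty entry can never become the match-everything pattern '//i'.
function load_blocklist(string $raw): array
{
    $words = preg_split('/[,\r\n]+/', strtolower($raw), -1, PREG_SPLIT_NO_EMPTY);
    $words = array_filter(array_map('trim', $words), 'strlen');
    return array_values(array_unique($words));
}

// Return each blocked word that appears in $text as a whole word, any case.
function find_blocked_words(string $text, array $blocklist): array
{
    $hits = [];
    foreach ($blocklist as $word) {
        // preg_quote() stops characters like "." or "/" in a list entry from
        // being read as regex syntax; \b avoids hits inside longer words.
        if (preg_match('/\b' . preg_quote($word, '/') . '\b/i', $text) === 1) {
            $hits[] = $word;
        }
    }
    return $hits;
}

// Collect every problem first; the caller redirects once, before any output.
function validate_comment(string $comment, array $blocklist): array
{
    $errors = [];
    $hits = find_blocked_words($comment, $blocklist);
    if ($hits) {
        // $hits holds entries from the site's own list, not raw user input.
        $errors[] = 'You have entered unauthorized words: ' . implode(', ', $hits);
    }
    // Bulletin-board link markup such as [url=...] is rejected whatever it says.
    if (preg_match('/\[url\b[^\]]*\]/i', $comment) === 1) {
        $errors[] = 'Links are not allowed in the comments field.';
    }
    return $errors;
}

// Constructed blocklist saved with Windows line endings and a blank line.
$blocklist = load_blocklist("generic\r\nViagra\r\n\r\ncialis\r\n");
// Constructed inputs: a spam comment, and a legitimate one whose word
// "specialist" contains the letters "cialis".
$spam = 'Generic VIAGRA [url=http://spam.example/ ] cialis [/url]';
$ham  = 'I spoke to a foreclosure specialist last week.';
var_dump(validate_comment($spam, $blocklist), validate_comment($ham, $blocklist));
```

In the form handler, call `validate_comment()` on `$_POST['comments']` before anything is echoed, and send `header('Location: reject.htm')` only when the returned array is non-empty.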