m2e

Guestbook is being attacked

Hi there,

I have a very simple guestbook on my website:
http://www.ment2excel.com/guestbook/guestbook-view.php

Today it seems it has been attacked by some random messages. This is not the first time this has happened, but it has never been to this extent.

Is there anything that can be done to stop this? Is it a problem with my code, allowing this to happen?

Thanks,
Russell

[quote=m2e @ Mar 31 2006, 02:39 PM]
Hi there,

I have a very simple guestbook on my website:
http://www.ment2excel.com/guestbook/guestbook-view.php

Today it seems it has been attacked by some random messages. This is not the first time this has happened, but it has never been to this extent.

Is there anything that can be done to stop this? Is it a problem with my code, allowing this to happen?

Thanks,
Russell
[/quote]

Hi Russell,
If your code's not too big, can you post it?
Cheers
Mark

You allow HTML tags, which is not necessarily wise.

Unless that's the way you want it, use strip_tags to get rid of <A> links, etc. (i.e., any HTML):

[code]
$content = strip_tags($content);
[/code]

You can specify to leave certain tags and strip the rest. Check http://www.php.net/strip_tags for info.

Cheers
Mark

If your guestbook is being attacked then it's down to poor validation/coding when someone posts a message. Never trust what a user submits; always validate user input by not allowing them to post HTML/JavaScript, as this is why your guestbook is being attacked.

If you want HTML to be posted but only certain HTML tags, use strip_tags with the second flag like so:

[code]
strip_tags($_POST['message'], "<b><u><i><p>");
[/code]

strip_tags will now strip all HTML tags except <b>, <u>, <i> and <p>!

If you implement that it won't make your script bulletproof, but it can help prevent spammers adding links/JavaScript etc.
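The two replies above both rely on strip_tags with an allow-list. One caveat a practitioner should know: strip_tags keeps any attributes on the tags it allows, so an allowed <b> can still carry an event-handler attribute. The function below, an added example that is not code from this thread, applies the allow-list and then rebuilds every surviving tag without attributes. It assumes PHP 7 or later; the function name and the sample input are made up for the demonstration.

```php
<?php
// Added example (not from the thread). Assumes PHP 7 or later.
// Keeps only the tags named in $allowed (the same "<b><u><i><p>" string form
// that strip_tags() takes) and removes every attribute from the tags that survive.
function sanitize_guestbook_message(string $raw, string $allowed = '<b><u><i><p>'): string
{
    // 1. strip_tags() drops every tag not in the allow-list (links, images,
    //    scripts, frames, ...). Their inner text is kept, the markup is not.
    $text = strip_tags($raw, $allowed);

    // 2. strip_tags() leaves attributes on the tags it allows, so something like
    //    <b onmouseover="..."> would survive step 1. Rebuild each remaining tag
    //    as a bare open/close tag ("<b>", "</b>") with no attributes at all.
    //    Because step 1 already ran, any tag still present is one of $names.
    $names   = preg_split('/[<>]+/', $allowed, -1, PREG_SPLIT_NO_EMPTY); // ['b','u','i','p']
    $pattern = '~<(/?)(' . implode('|', array_map('preg_quote', $names)) . ')\b[^>]*>~i';
    return preg_replace($pattern, '<$1$2>', $text);
}

// Constructed input: a styled bold tag, a link and an image, the kind of
// markup the thread is talking about.
$raw = '<b style="color:red">Hi</b>, visit <a href="http://example.com/">my site</a>'
     . '<img src="http://example.com/ad.gif">';

echo sanitize_guestbook_message($raw), "\n";
```

The link and the image are removed (the link's text survives as plain text), and the bold tag is kept without its style attribute. Fields that are never meant to contain HTML, such as the poster's name, are better passed through htmlspecialchars() on output instead.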

You could also try adding image verification to the script where the user has to put in a string of letters and numbers before being able to send the form.

http://www.devpapers.com/article/149 is an easy to follow article.

[quote=sford999 @ Mar 31 2006, 07:30 PM]
You could also try adding image verification to the script where the user has to put in a string of letters and numbers before being able to send the form.

http://www.devpapers.com/article/149 is an easy to follow article.
[/quote]

That is a good idea, and very good for stopping bots, but it wouldn't stop me just bombarding the guestbook with several hundred/thousand (or as many as I could be bothered) spams. Try some/all of these:

1. Strip tags as I mentioned above.

2. Create a function that checks for certain words (drug, penis, etc. etc. You know the ones).

3. Why publish them straight away? Have some form of moderation first so that a post does not appear on your page immediately.

4. Flood control. Stop users/bots posting anything within a certain amount of time. In fact, as it's a guestbook and not a forum, why would someone want to post more than once anyway? Maybe even restrict it to one a day.

5. You say it was attacked earlier today. Going by the time you posted this topic (2.39PM according to what I see) and the time it is now (19:42PM here), they're still there. All of them. Even if you don't follow any of steps 1-4 above, isn't there something you can do MANUALLY at least, rather than leave it there to look bad and encourage others to test spamming out?

Hope that helps.
Cheers
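Steps 1 to 4 above (strip tags, word filter, moderation queue, flood control) fit together in one submission handler. The script below is an added example, not code from this thread or from Russell's guestbook. It assumes PHP 7 or later with PDO and the SQLite driver; the table layout, the word list, the one-post-per-IP-per-day window and the sample IP addresses are all invented for the demonstration.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ with PDO/SQLite.
// Table layout, word list, flood window and sample data are all made up.
const FLOOD_WINDOW_SECONDS = 86400;            // step 4: one post per IP per day
const BLOCKED_WORDS = ['casino', 'viagra'];    // step 2: placeholder word list

function open_guestbook_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        name      TEXT    NOT NULL,
        message   TEXT    NOT NULL,
        ip        TEXT    NOT NULL,
        posted_at INTEGER NOT NULL,
        approved  INTEGER NOT NULL DEFAULT 0)');   // step 3: nothing is public by default
    return $db;
}

function contains_blocked_word(string $text): bool
{
    foreach (BLOCKED_WORDS as $word) {
        if (stripos($text, $word) !== false) {
            return true;
        }
    }
    return false;
}

function recently_posted(PDO $db, string $ip, int $now): bool
{
    $st = $db->prepare('SELECT COUNT(*) FROM guestbook WHERE ip = ? AND posted_at > ?');
    $st->execute([$ip, $now - FLOOD_WINDOW_SECONDS]);
    return (int) $st->fetchColumn() > 0;
}

// Returns 'queued' when the entry was stored for moderation, otherwise a short
// rejection reason. $now is passed in so the flood check is easy to test.
function submit_entry(PDO $db, string $name, string $message, string $ip, int $now): string
{
    $name    = trim(strip_tags($name));                        // step 1: no HTML in names
    $message = trim(strip_tags($message, '<b><u><i><p>'));    // step 1: small allow-list
    if ($name === '' || $message === '') {
        return 'empty';
    }
    if (contains_blocked_word($message)) {                     // step 2
        return 'blocked-word';
    }
    if (recently_posted($db, $ip, $now)) {                     // step 4
        return 'flood';
    }
    $st = $db->prepare('INSERT INTO guestbook (name, message, ip, posted_at, approved)
                        VALUES (?, ?, ?, ?, 0)');              // step 3: approved = 0
    $st->execute([$name, $message, $ip, $now]);
    return 'queued';
}

// Moderator action: make one queued entry visible.
function approve_entry(PDO $db, int $id): void
{
    $st = $db->prepare('UPDATE guestbook SET approved = 1 WHERE id = ?');
    $st->execute([$id]);
}

// Public page: only approved rows are rendered. The name is escaped because it
// was never allowed to contain HTML; the message keeps its allow-listed tags.
function render_approved(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, message FROM guestbook WHERE approved = 1 ORDER BY id') as $row) {
        $html .= '<p><strong>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
               . '</strong>: ' . $row['message'] . "</p>\n";
    }
    return $html;
}

// Demo with constructed input (documentation IP range 192.0.2.0/24).
$db  = open_guestbook_db();
$now = time();
echo submit_entry($db, 'Alice', 'Nice site, <b>thanks</b>!', '192.0.2.10', $now), "\n";
echo submit_entry($db, 'Alice', 'Posting again straight away', '192.0.2.10', $now + 60), "\n";
echo submit_entry($db, 'Bot', 'cheap <a href="http://spam.example/">casino</a>', '192.0.2.20', $now), "\n";
echo render_approved($db);        // empty until a moderator approves something
approve_entry($db, 1);
echo render_approved($db);        // now shows Alice's entry
```

The second call from the same address is rejected by the flood check, the third by the word filter, and the first entry only becomes visible after approve_entry() runs. Note that strip_tags keeps attributes on the tags it allows, so the stored message should still have attributes removed from its <b>/<u>/<i>/<p> tags before rendering, and the word list is a starting point rather than a complete filter.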

Thanks - there's a lot there that I can do - I think the most poignant thing for me was not allowing the posts to appear automatically.

I did actually clear them out - but no sooner had I cleared it.......

Thanks for all your help.

Regards,
Russell
