
Guestbook is being attacked


5 replies to this topic

#1 m2e

m2e
  • Members
  • Newbie
  • 9 posts

Posted 31 March 2006 - 01:39 PM

Hi there,

I have a very simple guestbook on my website :
http://www.ment2excel.com/guestbook/guestbook-view.php

Today it seems it has been attacked by some random messages. This is not the first time this has happened, but it has never been to this extent.

Is there anything that can be done to stop this? Is it a problem with my code, allowing this to happen?

Thanks,
Russell


#2 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • Location: Bedfordshire, England

Posted 31 March 2006 - 01:56 PM

QUOTE (m2e @ Mar 31 2006, 02:39 PM):
> Hi there,
>
> I have a very simple guestbook on my website :
> http://www.ment2excel.com/guestbook/guestbook-view.php
>
> Today it seems it has been attacked by some random messages. This is not the first time this has happened, but it has never been to this extent.
>
> Is there anything that can be done to stop this? Is it a problem with my code, allowing this to happen?
>
> Thanks,
> Russell

hi Russell
If your code's not too big, can you post it?
Cheers
Mark

you allow HTML tags, which is not necessarily wise.

unless that's the way you want it, use strip_tags to get rid of <A> links, etc. (i.e., any HTML)

$content = strip_tags($content);

you can specify to leave certain tags and strip the rest. check http://www.php.net/strip_tags for info.

Cheers
Mark
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!

#3 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 31 March 2006 - 02:18 PM

If your guestbook is being attacked then it's down to poor validation/coding when someone posts a message. Never trust what a user submits; always validate user input. Don't allow them to post HTML/JavaScript, as this is why your guestbook is being attacked.

If you want HTML to be posted but only certain HTML tags, use strip_tags with the second argument like so:
strip_tags($_POST['message'], "<b><u><i><p>");

strip_tags will now strip all HTML tags except <b>, <u>, <i> and <p>!

If you implement that it won't make your script bullet proof but it can help prevent spammers adding links/javascript etc.
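The two replies above both lean on strip_tags. The caveat a practitioner wants here: strip_tags with an allowlist keeps the listed tags but does not touch their attributes, so `<b onmouseover="...">` survives it, and strip_tags is not an HTML sanitiser at all. What actually stops script reaching the browser is escaping on output. The following is an added example, not code from the thread or from Russell's guestbook; ALLOWED_TAGS, clean_message and render_message are names chosen for this illustration, and the sample message is constructed.

```php
<?php
// Added example (not from the thread): sanitise a guestbook message before
// storing it, then escape it again when rendering. strip_tags() with an
// allowlist keeps the listed tags but NOT their attributes, so a regex pass
// removes attributes from the surviving tags.

// Tags the guestbook is willing to render (same set as in the thread).
const ALLOWED_TAGS = '<b><u><i><p>';

/**
 * Clean an untrusted message for storage.
 * 1. strip_tags() removes every tag except those in ALLOWED_TAGS.
 * 2. Attributes on the surviving tags are removed, because strip_tags()
 *    leaves "<b onmouseover=\"...\">" intact.
 * 3. Length is capped so one post cannot fill the page.
 */
function clean_message(string $raw, int $max_len = 1000): string
{
    $text = strip_tags($raw, ALLOWED_TAGS);
    // Rewrite "<b onclick=...>" to "<b>" (and "</b ...>" to "</b>").
    $text = preg_replace('/<(\/?)(b|u|i|p)\b[^>]*>/i', '<$1$2>', $text);
    return mb_substr(trim($text), 0, $max_len);
}

/**
 * Render a stored message. Everything is HTML-escaped first, then only the
 * bare allowed tags (attribute-free after clean_message) are turned back
 * into markup. The escaping step is what prevents script injection: a
 * stored "<script>" or a stray "<" never reaches the browser as markup.
 */
function render_message(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Restore the bare allowed tags, e.g. "&lt;b&gt;" -> "<b>".
    return preg_replace('/&lt;(\/?)(b|u|i|p)&gt;/i', '<$1$2>', $escaped);
}

// Constructed sample in the style of the spam the thread describes.
$constructed = '<a href="http://example.invalid/spam">cheap pills</a> '
             . '<b onmouseover="alert(1)">hi</b> <script>alert(2)</script>';

$stored = clean_message($constructed);   // what goes into the database
echo "stored:   ", $stored, "\n";
echo "rendered: ", render_message($stored), "\n";
```

The link and the script tag are removed by strip_tags, the onmouseover attribute by the regex, and anything that slips through either step is neutralised by htmlspecialchars at render time. The regex approach only works because the allowlist is tiny and attribute-free; for anything richer, use a proper HTML sanitiser rather than extending these patterns.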

#4 sford999

sford999
  • Members
  • Advanced Member
  • 119 posts

Posted 31 March 2006 - 06:30 PM

You could also try adding image verification to the script where the user has to put in a string of letters and numbers before being able to send the form.

http://www.devpapers.com/article/149 is an easy to follow article

#5 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • Location: Bedfordshire, England

Posted 31 March 2006 - 06:44 PM

QUOTE (sford999 @ Mar 31 2006, 07:30 PM):
> You could also try adding image verification to the script where the user has to put in a string of letters and numbers before being able to send the form.
>
> http://www.devpapers.com/article/149 is an easy to follow article

that is a good idea, and very good for stopping bots, but it wouldn't stop me just bombarding the guestbook with several hundred/thousand (or as many as i could be bothered) spams. try some/all of these:

1, strip tags as i mentioned above.

2, create a function that checks for certain words (drug, penis, etc etc. you know the ones)

3, why publish them straight away? have some form of moderation first so that a post does not appear on your page immediately.

4, flood control. stop users/bots posting anything within a certain amount of time. in fact, as it's a guestbook and not a forum, why would someone want to post more than once anyway? maybe even restrict it to one a day.

5, you say it was attacked earlier today. going by the time you posted this topic (2.39PM according to what i see) and the time it is now (19:42PM here), they're still there. all of them. even if you don't follow any of steps 1-4 above, isn't there something you can do MANUALLY at least, rather than leave it there to look bad and encourage others to test spamming out?

hope that helps
cheers
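Points 2, 3 and 4 of the list above (word filter, hold for moderation, flood control) are all server-side checks on the submission path, so they fit naturally in one piece of code. The following is an added example, not the thread's code or Russell's guestbook: it uses an in-memory SQLite database through PDO so it runs stand-alone, the table layout, the function names, BLOCKED_WORDS and the one-post-per-day interval are assumptions made for the illustration, and the submissions and IP addresses at the bottom are constructed.

```php
<?php
// Added example (not from the thread): a minimal guestbook back end applying
// a word filter, hold-for-moderation and per-IP flood control. SQLite in
// memory via PDO keeps it self-contained; a real site would use its own DB.

const MIN_SECONDS_BETWEEN_POSTS = 86400;                 // one post per IP per day
const BLOCKED_WORDS = ['viagra', 'casino', 'cheap pills']; // illustrative list only

function open_guestbook(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE entries (
        id        INTEGER PRIMARY KEY,
        ip        TEXT    NOT NULL,
        posted_at INTEGER NOT NULL,             -- unix time of submission
        approved  INTEGER NOT NULL DEFAULT 0,   -- 0 = awaiting moderation
        message   TEXT    NOT NULL)');
    return $pdo;
}

/** Word filter: true when the message contains any blocked term. */
function contains_blocked_word(string $message): bool
{
    $lower = mb_strtolower($message);
    foreach (BLOCKED_WORDS as $word) {
        if (mb_strpos($lower, $word) !== false) {
            return true;
        }
    }
    return false;
}

/** Flood control: true if this IP already posted within the interval. */
function posted_too_recently(PDO $pdo, string $ip, int $now): bool
{
    $stmt = $pdo->prepare('SELECT MAX(posted_at) FROM entries WHERE ip = ?');
    $stmt->execute([$ip]);
    $last = $stmt->fetchColumn();               // NULL when the IP has never posted
    return $last !== null && $last !== false
        && ($now - (int) $last) < MIN_SECONDS_BETWEEN_POSTS;
}

/**
 * Accept or reject a submission. Accepted entries are stored with
 * approved = 0, so they never appear until a moderator approves them.
 * Returns a short status string for the caller to show the user.
 */
function submit_entry(PDO $pdo, string $ip, string $message, int $now): string
{
    $message = trim($message);
    if ($message === '' || mb_strlen($message) > 1000) {
        return 'rejected: empty or too long';
    }
    if (contains_blocked_word($message)) {
        return 'rejected: blocked word';
    }
    if (posted_too_recently($pdo, $ip, $now)) {
        return 'rejected: flood control';
    }
    $stmt = $pdo->prepare(
        'INSERT INTO entries (ip, posted_at, approved, message) VALUES (?, ?, 0, ?)');
    $stmt->execute([$ip, $now, $message]);
    return 'held for moderation';
}

/** Moderator action: make an entry visible on the public page. */
function approve_entry(PDO $pdo, int $id): void
{
    $stmt = $pdo->prepare('UPDATE entries SET approved = 1 WHERE id = ?');
    $stmt->execute([$id]);
}

/** Public page: only approved entries, HTML-escaped at output time. */
function approved_entries(PDO $pdo): array
{
    $rows = $pdo->query('SELECT id, message FROM entries WHERE approved = 1 ORDER BY id')
                ->fetchAll(PDO::FETCH_ASSOC);
    return array_map(function (array $row): array {
        $row['message'] = htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8');
        return $row;
    }, $rows);
}

// Constructed walk-through with a fixed clock (a 2006 timestamp, chosen arbitrarily).
$pdo = open_guestbook();
$t0  = 1143810000;
echo submit_entry($pdo, '198.51.100.7', 'Nice site, Russell!', $t0), "\n";
echo submit_entry($pdo, '198.51.100.7', 'Second post from the same IP', $t0 + 60), "\n";
echo submit_entry($pdo, '203.0.113.9', 'Buy cheap pills <a href="x">here</a>', $t0), "\n";
print_r(approved_entries($pdo));   // before any moderator action
approve_entry($pdo, 1);
print_r(approved_entries($pdo));   // after approving entry 1
```

The moderation flag is the control that matters most in Russell's situation: with approved defaulting to 0, a burst of spam never reaches the public page, and clearing it is a matter of deleting unapproved rows. Keying flood control on the client IP is the simplest option and is what the post suggests; it is weak against a spammer with many addresses and can block legitimate users behind one shared proxy, so treat the interval as a tuning knob rather than a hard guarantee. The word list is deliberately short here; real lists need maintenance and will produce false positives (the classic "Scunthorpe" problem), which is another reason to hold posts rather than reject them outright.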

#6 m2e

m2e
  • Members
  • Newbie
  • 9 posts

Posted 03 April 2006 - 11:43 AM

Thanks - there's a lot there that I can do - I think the most poignant thing for me was not allowing the posts to appear automatically.

I did actually clear them out - but no sooner had I cleared it.......

Thanks for all your help..

Regards,
Russell
