One more time around form-data validation - please help


Jami

Hello,

I thought I had the spammers shut out, but they're back and running right through my PHP like it wasn't there.  I just don't know enough code to secure my forms, please help!

Here is an example of the JUNK getting through:

generic viagra online pharmacy for sexual health    <a href="http://query.nytimes.com/search/query?&query=site:pharmacy-deal.com&srchst=g">generic viagra</a>    http://query.nytimes.com/search/query?&query=site:pharmacy-deal.com&srchst=g    generic viagra generic viagra generic viagra <Street> <Street> Ottawa <State> <ZIP> Germany [email protected] 370927411318

Here is what I'm using for testing field data:


$errors = array();

// Take the form data from whichever request method carried it.
if($_SERVER['REQUEST_METHOD'] == "POST"){
    $form_input = $_POST;
}elseif($_SERVER['REQUEST_METHOD'] == "GET"){
    $form_input = $_GET;
}else{
    exit;
}

// Remove leading whitespace from all values (recursing into nested arrays).
function recursive_array_check(&$element_value)
{
    if(!is_array($element_value)){
        $element_value = ltrim($element_value);
    }else{
        foreach($element_value as $key => $value){
            $element_value[$key] = recursive_array_check($value);
        }
    }
    return $element_value;
}
recursive_array_check($form_input);

// Check referrer is from same site.
if(!(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'],$_SERVER['HTTP_HOST']))){
    $errors[] = "You must enable referrer logging to use the form";
}

// Strip HTML tags from all fields (recursing into nested arrays).
function recursive_array_check2(&$element_value)
{
    if(!is_array($element_value)){
        $element_value = strip_tags($element_value);
    }else{
        foreach($element_value as $key => $value){
            $element_value[$key] = recursive_array_check2($value);
        }
    }
    return $element_value;
}
recursive_array_check2($form_input);

// Validate FirstName field.
if(isset($form_input['FirstName']) && !empty($form_input['FirstName']))
{
    if(preg_match("`[\r\n]`",$form_input['FirstName'])){$errors[] = "You have submitted an invalid new line character";}
    if(preg_match("/[^a-z' -]/i",stripslashes($form_input['FirstName']))){$errors[] = "You have submitted an invalid character in the first name field";}
}

// Validate LastName field.
if(isset($form_input['LastName']) && !empty($form_input['LastName']))
{
    if(preg_match("`[\r\n]`",$form_input['LastName'])){$errors[] = "You have submitted an invalid new line character";}
    // This line originally tested FirstName again, so LastName was never checked.
    if(preg_match("/[^a-z' -]/i",stripslashes($form_input['LastName']))){$errors[] = "You have submitted an invalid character in the last name field";}
}

// Validate Phone field.
if(isset($form_input['Phone']) && !empty($form_input['Phone']))
{
    if(preg_match("`[\r\n]`",$form_input['Phone'])){$errors[] = "You have submitted an invalid new line character";}
//	if(preg_match("/[^a-z' -]/i",stripslashes($form_input['FirstName']))){$errors[] = "You have submitted an invalid character in the phone field";}
}

// Validate Street1 field.
if(isset($form_input['Street1']) && !empty($form_input['Street1']))
{
    if(preg_match("`[\r\n]`",$form_input['Street1'])){$errors[] = "You have submitted an invalid new line character";}
}

// Validate Street2 field.
if(isset($form_input['Street2']) && !empty($form_input['Street2']))
{
    if(preg_match("`[\r\n]`",$form_input['Street2'])){$errors[] = "You have submitted an invalid new line character";}
}

// Validate City field.
if(isset($form_input['City']) && !empty($form_input['City']))
{
    if(preg_match("`[\r\n]`",$form_input['City'])){$errors[] = "You have submitted an invalid new line character";}
}

// Validate email field.
if(isset($form_input['Email']) && !empty($form_input['Email']))
{
    if(preg_match("`[\r\n]`",$form_input['Email'])){$errors[] = "You have submitted an invalid new line character";}
    if(!preg_match('/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]{2,4}$/i',$form_input['Email'])){$errors[] = "Email address is invalid";}
}

// Display any errors and exit if errors exist.
if(count($errors)){
    foreach($errors as $value){print "$value<br>";}
    exit;
}

As far as I can tell they are not adding new recipients or blind copying, but I could be very wrong - I hope not.  So that means they are just spamming us, which is still no good.

Why isn't this PHP stripping those <>?/|{[ HTML tags?

And how can I be sure they are not using our forms to send out their spam to others?

And why is safeguarding form data so hard and confusing?  Doing a search only brings up conflicting information and websites of discussions where no one agrees and no solutions are given.

Oy!  I need straight, simple answers - can anyone help me?

Thanks

Oh, I am posting here because the code I'm using is from a third party and I am not altogether sure how it works.  But this might not be the proper place for this request - so please move it if it's placed wrong, and forgive me.... I'm new around here.

The PHP version I am using is 4.3.10 but I can switch to 5.
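Two things worth noticing in the script above before reaching for more code. First, it sanitises `$form_input`, a copy of `$_POST` made at the top; `$_POST` itself is left untouched, so any later code that reads `$_POST` directly (for example the part that builds and sends the mail) still sees the raw values, tags and all. Second, the Referer check is not a barrier: a bot sends whatever Referer it likes, while some real browsers and proxies send none. The answer to "are they mailing others through my form?" is structural rather than a filter: never let user input reach a mail header, hard-code the recipient, and reject any header-bound value containing a line break. The script below is an added example written for this thread, not the poster's code or the third-party script it came from. It assumes PHP 5.2 or later (for `filter_var()`), uses the field names from the thread, and the two addresses and the `Message` field are placeholders.

```php
<?php
// Added example for this thread, not the original script. Allowlist validation
// for the form's fields plus a mail builder that never puts user input in a header.
// Assumes PHP 5.2+; addresses are placeholders to replace with your own domain.

define('FORM_RECIPIENT', 'forms@example.com');    // placeholder: mail only ever goes here
define('FORM_SENDER',    'website@example.com');  // placeholder: sender on your own domain

// Each field gets a pattern the whole value must match (allowlist, not blocklist),
// or null for the two fields handled specially. Unknown fields are rejected.
function field_rules()
{
    return array(
        'FirstName' => '/^[a-z\' -]{1,40}$/iD',
        'LastName'  => '/^[a-z\' -]{0,40}$/iD',
        'Phone'     => '/^[0-9 ()+.-]{0,20}$/D',
        'Street1'   => '/^[a-z0-9 .,#\'-]{0,80}$/iD',
        'Street2'   => '/^[a-z0-9 .,#\'-]{0,80}$/iD',
        'City'      => '/^[a-z .\'-]{0,40}$/iD',
        'Email'     => null,   // validated with filter_var()
        'Message'   => null,   // assumed free-text field; may contain line breaks
    );
}

// Spam markers taken from the junk quoted in the thread: anchor tags, several raw
// URLs, or one word repeated over and over.
function looks_like_spam($text)
{
    if (preg_match('/<\s*a\b/i', $text)) return true;
    if (preg_match_all('#https?://#i', $text, $m) >= 2) return true;
    $counts = array_count_values(str_word_count(strtolower($text), 1));
    return !empty($counts) && max($counts) >= 4;
}

function validate_contact_form(array $input)
{
    $rules    = field_rules();
    $required = array('FirstName', 'Email', 'Message');
    $errors   = array();
    $clean    = array();

    foreach (array_diff(array_keys($input), array_keys($rules)) as $extra) {
        $errors[] = "Unexpected field: $extra";
    }
    foreach ($rules as $name => $rule) {
        if (isset($input[$name]) && is_array($input[$name])) {
            $errors[] = "$name must be a single value";
            continue;
        }
        $value = isset($input[$name]) ? trim((string) $input[$name]) : '';
        $clean[$name] = $value;
        if ($value === '') {
            if (in_array($name, $required)) $errors[] = "$name is required";
            continue;
        }
        // Every field except the message body ends up in a header or on one line
        // of the mail, so a CR or LF there can only be an injection attempt.
        if ($name !== 'Message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$name may not contain line breaks";
        } elseif ($name === 'Email') {
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) $errors[] = 'Email address is invalid';
        } elseif ($name === 'Message') {
            if (strlen($value) > 2000 || looks_like_spam($value)) $errors[] = 'Message was rejected';
        } elseif (!preg_match($rule, $value)) {
            $errors[] = "$name contains characters that are not allowed";
        }
    }
    return array('ok' => count($errors) === 0, 'errors' => $errors, 'data' => $clean);
}

// Recipient and subject are fixed; the validated address goes only into Reply-To
// and everything else goes into the plain-text body, never into a header.
function build_mail(array $data)
{
    $headers = "From: " . FORM_SENDER . "\r\n"
             . "Reply-To: " . $data['Email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = '';
    foreach ($data as $name => $value) $body .= "$name: $value\n";
    return array('to' => FORM_RECIPIENT, 'subject' => 'Website contact form',
                 'body' => $body, 'headers' => $headers);
}

if (php_sapi_name() === 'cli') {
    // Command-line check with constructed inputs modelled on the thread's junk.
    $spam = array('FirstName' => 'generic viagra online pharmacy', 'Email' => 'x@example.com',
                  'Message' => 'generic viagra generic viagra generic viagra generic viagra');
    $injection = array('FirstName' => 'Ann', 'City' => 'Ottawa', 'Message' => 'hello',
                       'Email' => "ann@example.com\r\nBcc: someone@example.net");
    foreach (array($spam, $injection) as $sample) {
        $r = validate_contact_form($sample);
        echo ($r['ok'] ? 'accepted' : 'rejected: ' . implode('; ', $r['errors'])) . "\n";
    }
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Web handler: only POST is accepted, and the mail is built from the validated copy.
    $result = validate_contact_form($_POST);
    if (!$result['ok']) {
        foreach ($result['errors'] as $e) echo htmlspecialchars($e) . "<br>\n";
        exit;
    }
    $m = build_mail($result['data']);
    mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}
```

Run from the command line, both constructed samples are rejected: the first because one word is repeated four times in the message, the second because the Email value contains a line break. The design point is that the only user-controlled value that ever touches a header is the address in Reply-To, and it gets there only after `filter_var()` and the line-break check have passed, so there is no path by which a submission can add recipients.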

I just had to look it up, and for anyone else curious...

http://en.wikipedia.org/wiki/Captcha

I had to add something like this to my phpNews script and even though I still get some spam it cut out more than 90% of it. I guess some spammers get so desperate that they actually do it manually.

By the way... Maybe this will help...

http://tips-scripts.com/captcha

Archived

This topic is now archived and is closed to further replies.
