
One more time around form-data validation - please help


Jami


Hello,

 

I thought I had the spammers shut out, but they're back and running right through my PHP like it wasn't there.  I just don't know enough code to secure my forms, please help!

 

Here is an example of the JUNK getting through:

generic viagra online pharmacy for sexual health    <a href="http://query.nytimes.com/search/query?&query=site:pharmacy-deal.com&srchst=g">generic viagra</a>    http://query.nytimes.com/search/query?&query=site:pharmacy-deal.com&srchst=g    generic viagra generic viagra generic viagra <Street> <Street> Ottawa <State> <ZIP> Germany rose@aol.com 370927411318

 

Here is what I'm using for testing field data


$errors = array();

// Take the field data from POST or GET; any other method stops the script.
// (Accepting GET means a bot can submit the form with a plain URL fetch.)
if($_SERVER['REQUEST_METHOD'] == "POST"){$form_input = $_POST;}
elseif($_SERVER['REQUEST_METHOD'] == "GET"){$form_input = $_GET;}
else{exit;}

// Remove leading whitespace from all values (recurses into nested arrays).
// Only $form_input is changed: assigning $_POST above made a copy, so $_POST itself stays as submitted.
function recursive_array_check(&$element_value)
{
    if(!is_array($element_value)){$element_value = ltrim($element_value);}
    else
    {
        foreach($element_value as $key => $value){$element_value[$key] = recursive_array_check($value);}
    }
    return $element_value;
}
recursive_array_check($form_input);

// Check referrer is from same site.
// HTTP_REFERER is sent by the client, so a bot can set it to anything; this only stops the laziest tools.
if(!(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'],$_SERVER['HTTP_HOST']))){$errors[] = "You must enable referrer logging to use the form";}

// Strip HTML tags from all fields (again only in $form_input, not in $_POST).
function recursive_array_check2(&$element_value)
{
    if(!is_array($element_value)){$element_value = strip_tags($element_value);}
    else
    {
        foreach($element_value as $key => $value){$element_value[$key] = recursive_array_check2($value);}
    }
    return $element_value;
}
recursive_array_check2($form_input);

// Validate FirstName field: no line breaks (mail header injection), letters, apostrophe, space and hyphen only.
if(isset($form_input['FirstName']) && !empty($form_input['FirstName']))
{
    if(preg_match("`[\r\n]`",$form_input['FirstName'])){$errors[] = "You have submitted an invalid new line character";}
    if(preg_match("/[^a-z' -]/i",stripslashes($form_input['FirstName']))){$errors[] = "You have submitted an invalid character in the first name field";}
}

// Validate LastName field (the original tested FirstName here by mistake, so LastName was never checked).
if(isset($form_input['LastName']) && !empty($form_input['LastName']))
{
    if(preg_match("`[\r\n]`",$form_input['LastName'])){$errors[] = "You have submitted an invalid new line character";}
    if(preg_match("/[^a-z' -]/i",stripslashes($form_input['LastName']))){$errors[] = "You have submitted an invalid character in the last name field";}
}

// Validate Phone field (only the line-break check; the character check is still disabled).
if(isset($form_input['Phone']) && !empty($form_input['Phone']))
{
    if(preg_match("`[\r\n]`",$form_input['Phone'])){$errors[] = "You have submitted an invalid new line character";}
    //	if(preg_match("/[^a-z' -]/i",stripslashes($form_input['Phone']))){$errors[] = "You have submitted an invalid character in the phone field";}
}

// Validate Street1 field.
if(isset($form_input['Street1']) && !empty($form_input['Street1']))
{
    if(preg_match("`[\r\n]`",$form_input['Street1'])){$errors[] = "You have submitted an invalid new line character";}
}

// Validate Street2 field.
if(isset($form_input['Street2']) && !empty($form_input['Street2']))
{
    if(preg_match("`[\r\n]`",$form_input['Street2'])){$errors[] = "You have submitted an invalid new line character";}
}

// Validate City field.
if(isset($form_input['City']) && !empty($form_input['City']))
{
    if(preg_match("`[\r\n]`",$form_input['City'])){$errors[] = "You have submitted an invalid new line character";}
}

// Validate email field.
if(isset($form_input['Email']) && !empty($form_input['Email']))
{
    if(preg_match("`[\r\n]`",$form_input['Email'])){$errors[] = "You have submitted an invalid new line character";}
    if(!preg_match('/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]{2,4}$/i',$form_input['Email'])){$errors[] = "Email address is invalid";}
}

// Display any errors and exit if errors exist.
if(count($errors))
{
    foreach($errors as $value){print "$value<br>";}
    exit;
}

 

As far as I can tell they are not adding new recipients or blind copying, but I could be very wrong - I hope not.  So that means they are just spamming us, which is still no good.

 

Why isn't this PHP stripping those <>?/|{[ HTML tags?

And how can I be sure they are not using our forms to send out their spam to others?

And why is safe guarding form-data so hard and confusing?  Doing a search only brings up conflicting information and websites of discussions where no one agrees and no solutions are given.

 

Oy!  I need straight, simple answers - can anyone help me?

 

Thanks

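An added example handler for the form described in the post above; it is not the third-party script Jami is running and not code from anyone in this thread. Two things worth noticing about the posted script: strip_tags() would have removed the <a href=...> in the junk, so if the mail arrived with that tag intact, the text that was mailed never went through the checks (the script edits a copy, $form_input, while $_POST is untouched, so a mail script that reads $_POST sends the raw values; a bot can also POST straight to the script that calls mail()). And the only way a contact form can be used to mail other people is by getting a line break into a header such as To:, Cc: or Bcc:, which is what the [\r\n] checks guard against. The handler below assumes PHP 5.6 or later, the post's field names, a hypothetical hidden honeypot field called Website, and a hypothetical recipient address; it refuses HTML instead of stripping it, rejects control characters in every field, and builds the mail headers from constants so that nothing typed by the visitor can reach a header line.

```php
<?php
// Added example, not the posted third-party script. Assumes PHP 5.6+.
const MAIL_TO      = 'webmaster@example.com';  // assumption: fixed recipient, never from input
const MAIL_SUBJECT = 'Website contact form';   // fixed subject, never from input

// Read one POST field as a trimmed, length-capped string ('' if absent or not a string).
function field($name, $max = 100) {
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }
    // Hard length cap stops multi-kilobyte link dumps regardless of what else passes.
    return substr(trim($_POST[$name]), 0, $max);
}

// Return an array of error strings; an empty array means the submission is acceptable.
function validate(array $in) {
    $errors = array();
    foreach ($in as $name => $value) {
        // CR, LF, NUL and other control characters: a line break is what turns a field
        // into an extra Bcc:/To: header, so refuse the whole submission.
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            $errors[] = "Invalid control character in $name";
        }
        // Detect tags rather than silently stripping them: a contact form has no
        // legitimate reason to contain "<a href", so treat it as a spam signal.
        if ($value !== strip_tags($value)) {
            $errors[] = "HTML is not allowed in $name";
        }
    }
    if (!preg_match("/^[a-z' -]{1,100}$/i", $in['FirstName'])) { $errors[] = 'First name is invalid'; }
    if (!preg_match("/^[a-z' -]{1,100}$/i", $in['LastName']))  { $errors[] = 'Last name is invalid'; }
    if ($in['Phone'] !== '' && !preg_match('/^[0-9+() .-]{5,30}$/', $in['Phone'])) {
        $errors[] = 'Phone is invalid';
    }
    if (filter_var($in['Email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'Email address is invalid'; }
    // The junk in the post carries several URLs; a postal address form needs none.
    if (preg_match_all('#https?://#i', implode("\n", $in)) > 0) { $errors[] = 'Links are not allowed'; }
    return $errors;
}

// Headers come from constants plus the already-validated address; everything the
// visitor typed goes into the body, where a stray "Bcc:" is just text.
function send(array $in) {
    $headers = "From: " . MAIL_TO . "\r\n"
             . "Reply-To: " . $in['Email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = '';
    foreach ($in as $k => $v) {
        $body .= "$k: $v\n";
    }
    return mail(MAIL_TO, MAIL_SUBJECT, $body, $headers);
}

// POST only: a GET link in a spam mail or a bot's URL fetch must not send anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    exit;
}

// Honeypot (hypothetical field name): hidden with CSS, so humans leave it empty
// while form-filling bots fill every input they find. Drop silently.
if (field('Website') !== '') {
    exit;
}

$in = array();
foreach (array('FirstName', 'LastName', 'Phone', 'Street1', 'Street2', 'City', 'Email') as $f) {
    $in[$f] = field($f);
}

$errors = validate($in);
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
send($in);
```

Make sure this file is the one that calls mail(): if a separate script sends the mail, a bot will post to that script directly and skip the validation, so either merge them or have the sender refuse anything it did not validate itself. Checking the mail log for a few days after deploying shows whether each message still carries only the recipient you configured.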

Oh, I am posting here, because the code I'm using is from a third party and I am not altogether sure how it works.  But this might not be the proper place for this request - so please move it if it's placed wrong, and forgive me.... I'm new around here.

 

The php version I am using is 4.3.10 but I can switch to 5.


I just had to look it up, and for anyone else curious...

 

http://en.wikipedia.org/wiki/Captcha

 

I had to add something like this to my phpNews script and even though I still get some spam it cut out more than 90% of it. I guess some spammers get so desperate that they actually do it manually.

 

By the way... Maybe this will help...

 

http://tips-scripts.com/captcha

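An added example of the challenge-response idea in the reply above, written here for this thread and not taken from tips-scripts.com or phpNews. It uses a plain arithmetic question rather than an image so it runs anywhere; the part that matters for any CAPTCHA is the same: the expected answer lives only in the server-side session, it is single-use, and it expires, so a bot cannot replay one solved challenge for a thousand submissions. Assumes PHP 7.0 or later (random_int, hash_equals) and a form with a field named captcha.

```php
<?php
// Added example, not code from this thread. Assumes PHP 7.0+.
session_start();

// Issue a new challenge and store only the expected answer on the server.
// Returns the question text to show the visitor.
function captcha_issue() {
    $a = random_int(2, 9);
    $b = random_int(2, 9);
    $_SESSION['captcha_answer'] = (string) ($a + $b);
    $_SESSION['captcha_issued'] = time();
    return "What is $a plus $b?";
}

// Check a submitted answer. The stored answer is removed before comparing, so each
// challenge can be tried once, and a challenge older than ten minutes is rejected.
function captcha_check($answer) {
    if (!isset($_SESSION['captcha_answer'], $_SESSION['captcha_issued'])) {
        return false;
    }
    $expected = $_SESSION['captcha_answer'];
    $issued   = $_SESSION['captcha_issued'];
    unset($_SESSION['captcha_answer'], $_SESSION['captcha_issued']);   // single use
    if (time() - $issued > 600) {
        return false;
    }
    return hash_equals($expected, trim((string) $answer));
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $answer = isset($_POST['captcha']) ? $_POST['captcha'] : '';
    if (captcha_check($answer)) {
        $message = 'Challenge passed; run the field validation and send the mail here.';
    } else {
        $message = 'Wrong or expired answer, please try again.';
    }
}

// A fresh challenge for every page render, including after a failed attempt.
$question = captcha_issue();
?>
<p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<form method="post">
  <label><?php echo htmlspecialchars($question, ENT_QUOTES, 'UTF-8'); ?>
    <input name="captcha" autocomplete="off"></label>
  <button type="submit">Send</button>
</form>
```

A text question like this is easy for a purpose-built bot to parse, which is consistent with the reply's experience that a CAPTCHA removes most but not all of the junk; swapping the question for a distorted image keeps the same issue/check skeleton and only changes what is shown to the visitor.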
