Jump to content

[SOLVED] Spam-proof tell a friend form - not working

alex tj

By alex tj
in PHP Coding Help

 Share

Recommended Posts

alex tj Newbie

alex tj

Posted
Posted

Hi Guys,

I don't think I'm an absolute beginner but let's say I learn from trial and error, and after 2 ish hours of trial and all error I'd be grateful if someone could have a quick look at this and see where I've gone wrong - I think it needs a fresh pair of eyes.

It is based on a great tell a friend form that I've modded quite a lot with various bits and pieces I've picked up along the way. After adding a second email to thank the sender, then a third to track abuse I was astonished to find over 100 spam emails a day were being sent through this to goodness knows how many people.

I'm trying to add a couple of if functions to filter out the bots - something that has worked great on my contact us form, getting rid of injections and links in the body, but I just can't get it to work for the tell a friend form.

Any ideas what's up? The required fields error works ok, no errors given, but just not the bot blocking as you can still inject and add links to the body.

Thanks, Alex

 

        <?php
if (preg_match( "/bcc:|cc:|multipart|[url|Content-Type:/i", implode($_POST))) {
    $spam=true;
}
if (preg_match_all("/<a|http:/i", implode($_POST), $out) > 2) {
    $spam=true;
}
if ($spam) {
echo ("<br><p><strong>Your message appears to be spam and was not sent. Please remove all links, code, and other spam-like content from your message and resubmit the form.</strong></p><br>");
}
else {
$embordercolor = "#ff0000";
$siteaddress = "<a href=http://www.xxxx>www.xxxxxxx</a>";
if($email&&$name&&$sendname&&$sendemail) {
$home = "xxxxx";
$body = "<p>This e-mail is from $name to tell you etc";
$body2 = "<p>Dear $name</p><p>Thank you etc";
$body3 = "Details:<br>$name $email<br>$sendname $sendemail<br>Message: $message";
$thesubject = "$name invites you to visit etc";
$thesubject2 = "Thank you for inviting $sendname to visit etc";
$thesubject3 = "Friend invitation to etc";
$headersout  .= "MIME-Version: 1.0\r\n";
$headersout .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headersout .= "From: " . trim($email);
$headersback  .= "MIME-Version: 1.0\r\n";
$headersback .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headersback .= "From: " . trim($home);
if(mail($sendemail, $thesubject, $body, $headersout)) 
if(mail($email, $thesubject2, $body2, $headersback)) 
if(mail($home, $thesubject3, $body3, $headersback)) {
echo "<strong><BR><BR>Your e-mail was sent successfully. Thank you.</strong>";
}
else {
echo "Sorry, $name, your e-mail was not sent successfully please try again<br><br>";
echo "<form name=\"theform\" method=\"get\" action=\"recommend3.php\">";
echo "Your name:<br><input name=\"name\" type=\"text\" value=\"$name\"> *<br>";
echo "Your e-mail:<br><input name=\"email\" type=\"text\" value=\"$email\"> *<br>";
echo "Your friend's name:<br><input name=\"sendname\" type=\"text\" value=\"$sendname\"> *<br>";
echo "Your friend's e-mail:<br><input name=\"sendemail\" type=\"text\" value=\"$sendemail\"> *<br>";
echo "Your message:<br><textarea name=\"message\" rows=4 cols=50>$message</textarea>";
echo "<br><input type=\"submit\" value=\"Send\" class=\"submit\"></form>";
echo "<p class=\"small\">1* Obligatory fields</p><p class=\"small\">permission stuff</p>";
}
}
if ((!$email||!$name||!$sendname||!$sendemail)&&!(!$email&&!$subject&&!$name&&!$sendname&&!$sendemail)) {
echo "You have forgotten to fill in a detail.<br>";
echo "Please correct the error(s) and resubmit the form";

echo "<style>";
if (!$email) {
echo ".email {border-color:" . $embordercolor . ";}";
}
if (!$name) {
echo ".name {border-color:" . $embordercolor . ";}";
}
if (!$sendemail) {
echo ".sendemail {border-color:" . $embordercolor . ";}";
}
if (!$sendname) {
echo ".sendname {border-color:" . $embordercolor . ";}";
}
echo "</style>";
echo "<form name=\"theform\" method=\"get\" action=\"recommend3.php\">";
echo "Your name:<br><input name=\"name\" type=\"text\" value=\"$name\" class=\"name\"> *<br>";
echo "Your e-mail:<br><input name=\"email\" type=\"text\" value=\"$email\" class=\"email\"> *<br>";
echo "Your friend's name:<br><input name=\"sendname\" type=\"text\" value=\"$sendname\" class=\"sendname\"> *<br>";
echo "Your friend's e-mail:<br><input name=\"sendemail\" type=\"text\" value=\"$sendemail\" class=\"sendemail\"> *<br>";
echo "Your message:<br><textarea name=\"message\" rows=4 cols=50 class=\"message\">$message</textarea>";
echo "<br><input type=\"submit\" value=\"Send\" class=\"submit\"></form>";
echo "<p class=\"small\">2* Obligatory fields</p><p class=\"small\">permission stuff</p>";
}
if(!$email&&!$name&&!$sendname&&!$sendemail) {
echo "<form name=\"theform\" method=\"get\" action=\"recommend3.php\">";
echo "Your name:</b><br><input name=\"name\" type=\"text\" value=\"$name\"> *<br>";
echo "Your e-mail:</b><br><input name=\"email\" type=\"text\" value=\"$email\"> *<br>";
echo "Your friend's name:</b><br><input name=\"sendname\" type=\"text\" value=\"$sendname\"> *<br>";
echo "Your friend's e-mail:</b><br><input name=\"sendemail\" type=\"text\" value=\"$sendemail\"> *<br>";
echo "Your message:</b><br><textarea name=\"message\" rows=4 cols=50>$message</textarea>";
echo "<br><input type=\"submit\" value=\"Send\" class=\"submit\"></form>";
echo "<p class=\"small\">3* Obligatory fields</p><p class=\"small\">permission stuff</p>";
}
} 
?>

Link to comment
Share on other sites
MadTechie Regular Member

MadTechie

Posted
Posted

maybe replace

 

if (preg_match_all("/<a|http:/i", implode($_POST), $out) > 2) {
    $spam=true;
}

 

with this

if (preg_match_all("/\b(https?):\/\/[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|]/i", implode($_POST), $out) > 2) {
    $spam=true;
}

 

it will not stop "www.hello.com" but will stop the hyperlinks, unless the email repairs the link!

 

 

or a simple one

if (preg_match_all("/http:/i", implode($_POST), $out) > 2) {
    $spam=true;
}

 

my own one (i think this is best)

if (preg_match_all('/\b(?:(https?):\/\/)?(?:[a-z0-9]{3,3}\.)+[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|]/i', implode($_POST), $out) > 2)
{
    $spam=true;
}

Link to comment
Share on other sites
alex tj Newbie

alex tj

Posted
  • Author
Posted

Hi Mad the Mod,

I tried replacing the preg_match and still the same problem - blank required fields are returned but you can still put as many links in the body as you want and it'll send the email.

I don't think it's a problem with the preg_match but perhaps the order of if spam then else - it's vice versa in the contact form code but I wasn't able to get this order to work at the start with the tell a friend form.

Any other ideas....even stupid little things that I've overlooked?

Thanks again guys,

Alex

Link to comment
Share on other sites
  • 2 months later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.