My contact form is being spammed heavily. I have JavaScript to validate it, but the spammer software can fill in all the fields and I'm getting email after email... what's the best way to circumvent this with PHP?
Help!




Found this, very nice, from http://www.alt-php-faq.org/index.html
```php
<?php
// logBadRequest() is called below but was not defined in the original
// post; this minimal version records the rejection in the server error log.
function logBadRequest() {
    error_log(sprintf("Rejected form post from %s (referer: %s)",
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'none'));
}

// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if (!isset($_SERVER['HTTP_USER_AGENT'])) {
    header("HTTP/1.0 403 Forbidden");
    die("Forbidden - You are not authorized to view this page");
}

// Make sure the form was indeed POST'ed:
// (requires your html form to use: method="post")
// The original test, !$_SERVER['REQUEST_METHOD'] == "POST", negated the
// string before comparing it, so it never rejected anything.
if ($_SERVER['REQUEST_METHOD'] !== "POST") {
    header("HTTP/1.0 403 Forbidden");
    die("Forbidden - You are not authorized to view this page");
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = array("domain.com", "domain2.com", "domain3.com");

// Where have we been posted from? The Referer header is optional and
// easily forged by a bot, so treat a missing one as unauthorized.
$fromHost = '';
if (isset($_SERVER['HTTP_REFERER'])) {
    $fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));
    if (is_array($fromArray) && isset($fromArray['host'])) {
        $fromHost = $fromArray['host'];
    }
}
// Strip a leading "www." so that www.domain.com matches domain.com.
$fromHost = preg_replace('/^www\./', '', $fromHost);

// Make sure the form was posted from an approved host name.
if (!in_array($fromHost, $authHosts, true)) {
    logBadRequest();
    header("HTTP/1.0 403 Forbidden");
    exit;
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                    "MIME-Version:",
                    "Content-Transfer-Encoding:",
                    "bcc:",
                    "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings. Mail header names are case-insensitive,
// so use stripos() rather than strpos() ("Bcc:" must match too):
foreach ($_POST as $k => $v) {
    if (!is_string($v)) {
        // A simple contact form has no array fields (name="foo[]");
        // anything else is not a submission from our form.
        logBadRequest();
        header("HTTP/1.0 403 Forbidden");
        exit;
    }
    foreach ($badStrings as $v2) {
        if (stripos($v, $v2) !== false) {
            logBadRequest();
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost);
?>
```
Last edited by ozmart2004; Feb 19, 2006 at 02:26.
I'm having the same problem myself - spam messages or empty email form. Thanks for this solution, if it works.
DarkStation - No-nonsense Console Gaming Coverage.
Has anyone tried this solution? Does it work?
Thanks!
The solution is to validate the data using PHP before you send the email.
If things don't validate, don't send the email.
JavaScript validation should ONLY be used as a convenience to the user. Because JavaScript is client-side, all they have to do is turn JavaScript off to bypass your validation.
That is why you must validate using PHP, because they cannot bypass that.
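One way to do that PHP-side validation, as an added example that is not code from this thread or from alt-php-faq.org: the fields are checked before anything is handed to mail(), and, because the name and address end up in mail headers, any value containing a line break is refused, since a CR/LF is what a spammer needs to append "Bcc:" recipients to a header they control. The field names, length limits and the addresses used are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Field names, limits and
// addresses are assumptions.

/**
 * Validate a contact-form submission. Returns an array of error
 * messages; an empty array means the submission is acceptable.
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    // field => maximum accepted length (assumed limits)
    $required = ['name' => 100, 'email' => 254, 'message' => 5000];

    foreach ($required as $field => $maxLen) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing";
            continue;
        }
        $value = trim($post[$field]);
        if ($value === '') {
            $errors[] = "$field is empty";
        } elseif (strlen($value) > $maxLen) {
            $errors[] = "$field is too long";
        }
    }

    // Values that go into a mail header (From, Reply-To, Subject) must not
    // contain a line break: "\r\nBcc: ..." is the header injection attack.
    foreach (['name', 'email'] as $headerField) {
        if (isset($post[$headerField]) && is_string($post[$headerField])
            && preg_match('/[\r\n]/', $post[$headerField])) {
            $errors[] = "$headerField contains a line break";
        }
    }

    if (isset($post['email']) && is_string($post['email'])
        && filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    return $errors;
}

/**
 * Build the arguments for mail(). Call this only after
 * validate_contact_form() returned no errors.
 */
function build_contact_mail(array $post, string $to): array
{
    $name  = trim($post['name']);
    $email = trim($post['email']);
    $body  = "Name: $name\nEmail: $email\n\n" . trim($post['message']);
    // From: is a fixed address on your own domain (assumed); the visitor
    // goes in Reply-To so the mail is not sent in their name.
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: $email\r\n";
    return ['to' => $to, 'subject' => 'Contact form message',
            'body' => $body, 'headers' => $headers];
}

// --- demonstration with constructed input ---
$spam = [
    'name'    => "Bob\r\nBcc: victim1@example.org, victim2@example.org",
    'email'   => 'bob@example.com',
    'message' => 'buy now',
];
$clean = [
    'name'    => 'Alice',
    'email'   => 'alice@example.com',
    'message' => 'Hello, I have a question about your product.',
];

print_r(validate_contact_form($spam));   // reports the line break in "name"
if (validate_contact_form($clean) === []) {
    $m = build_contact_mail($clean, 'owner@example.com');
    // mail($m['to'], $m['subject'], $m['body'], $m['headers']);
    echo "would send to {$m['to']}\n";
}
```

The rejection happens before mail() is ever reached, so turning JavaScript off gains the spammer nothing; keeping the visitor's address in Reply-To rather than From also means your server never emits mail that appears to come from an address you don't control.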


Haven't tried it but it looks on the face of it pretty secure and covers most if not all of the methods I know about.
Run it and see!
Spike
Mike Swiffin - Community Team Leader
I can confirm that Ozmart2004's tip works perfectly.




So you run that code before the form displays?
I got some spam from the site that I forgot to add the new code to, but I didn't get any from the site I applied the code to. Looks like it works great! (crossing fingers...)
Thanks!
Nature's Sunshine herbs and supplements



If you use javascript to validate, then all a hacker needs to do is turn it off on their browser and they can sodomize your script.
Get some PHP validation going.
No, when the form is submitted.



I have a similar problem over at PHP for Beginners. I store user comments in a DB, so it's kinda not the same, but I found that adding an extra field to your comments table, say is_valid_comment, and setting it to true or false works... you then only have to modify your SQL query to select where it is a valid comment...
There is a good tutorial for noisy form images on SitePoint; here's the URL:
http://www.sitepoint.com/article/tou...security-image
I used this code for several sites, and I haven't seen any more spam from all but one of them. I have a script running where it writes to a text file on the server. That text file used to get spammed, but there isn't any spam since I added this fix. However, they're getting spam email to bogus addresses by bogus addresses.
I don't really understand why the fix is working for the text file but not for email. I don't have any other form on this site, so I don't know why they're getting email. Grr...
Thanks for any insight,
Midori
Does anyone have any other fixes? I used the fix recommended in this thread, but it worked on all but one of my sites. One of my clients keeps getting spam in her box with gibberish. Someone's spoofing email addresses from her domain, and she's bugging me to fix it. Yikes!
Thanks for any help...
-Midori


You could add one of those "security images"/"verification images" to prevent bots from targeting your forms automatically.
SitePoint has a tutorial on this:
http://www.sitepoint.com/article/tou...security-image
Be sure to read the comments at the end of the article, as I noted two fixes that need to be made to the provided code to make it bot-proof.
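The server side of such a check, as an added example that is not from this thread or from the SitePoint tutorial (drawing the image itself is left out): the answer is generated with a CSPRNG, stored hashed in the session with an expiry, and consumed on the first verification attempt whether or not the attempt was correct, so a bot cannot keep guessing against one image. The session key, code length and five-minute lifetime are assumptions; in a real request you would call session_start() and pass $_SESSION instead of the local array used here.

```php
<?php
// Added example (not from the thread or the tutorial). Session key name,
// code length and lifetime are assumptions.

const CAPTCHA_LIFETIME = 300; // seconds (assumed)

/**
 * Create a new challenge, remember it in the session, and return the
 * text that the image generator should render.
 */
function captcha_new_challenge(array &$session): string
{
    // No 0/O or 1/I look-alikes, so humans can actually read the image.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        // random_int() is a CSPRNG; rand()/mt_rand() are predictable.
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    // Store a hash rather than the answer itself.
    $session['captcha'] = [
        'hash'    => hash('sha256', $code),
        'expires' => time() + CAPTCHA_LIFETIME,
    ];
    return $code;
}

/**
 * Verify the visitor's answer. Every call consumes the outstanding
 * challenge, so a wrong guess forces a fresh image.
 */
function captcha_verify(array &$session, string $answer): bool
{
    if (!isset($session['captcha'])) {
        return false; // no challenge was issued for this session
    }
    $stored = $session['captcha'];
    unset($session['captcha']); // single use, right or wrong

    if (time() > $stored['expires']) {
        return false; // image was served too long ago
    }
    $given = hash('sha256', strtoupper(trim($answer)));
    // Constant-time comparison of the two hashes.
    return hash_equals($stored['hash'], $given);
}

// --- demonstration with an in-memory array standing in for $_SESSION ---
$session = [];
$code = captcha_new_challenge($session);
var_dump(captcha_verify($session, strtolower($code))); // bool(true): case-insensitive match
var_dump(captcha_verify($session, $code));             // bool(false): challenge already consumed
var_dump(captcha_verify($session, 'WRONG'));           // bool(false): nothing outstanding
```

The expiry and the single-use rule are what stop a bot from solving one image once and replaying the answer, or from submitting many guesses against the same image; the form handler should only go on to send mail when captcha_verify() returns true.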