Thread: contact form being spammed
-
Feb 19, 2006, 01:16 #1
contact form being spammed
My contact form is being spammed heavily. I have JavaScript to validate it, but the spammer software can fill in all the fields and I'm getting email after email... what's the best way to circumvent this with PHP?
Help!
-
Feb 19, 2006, 01:26 #2
Found this, very nice, from http://www.alt-php-faq.org/index.html
PHP Code:
<?php
// Logs a rejected request. The snippet as posted calls this function
// without defining it; this minimal definition is added so the script
// runs. Replace it with your own logging.
function logBadRequest(){
    error_log("Rejected contact-form request from " . $_SERVER['REMOTE_ADDR']);
}
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT'])){
    die("Forbidden - You are not authorized to view this page");
}
// Make sure the form was indeed POST'ed:
// (requires your html form to use: method="post")
// Note: the original wrote !$_SERVER['REQUEST_METHOD'] == "POST",
// which negates the string before comparing and so never triggers.
if($_SERVER['REQUEST_METHOD'] !== "POST"){
    die("Forbidden - You are not authorized to view this page");
}
// Host names from where the form is authorized
// to be posted from:
$authHosts = array("domain.com", "domain2.com", "domain3.com");
// Where have we been posted from? (The Referer header may be absent.)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$fromArray = parse_url(strtolower($referer));
$fromHost = isset($fromArray['host']) ? $fromArray['host'] : '';
// Test to see if the referring host used www to get here.
$wwwUsed = strpos($fromHost, "www.");
// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromHost : substr(stristr($fromHost, '.'), 1)), $authHosts)){
    logBadRequest();
    header("HTTP/1.0 403 Forbidden");
    exit;
}
// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
    "MIME-Version:",
    "Content-Transfer-Encoding:",
    "bcc:",
    "cc:");
// Loop through each POST'ed value and test if it contains
// one of the $badStrings (case-insensitively, so "BCC:" is caught too;
// array-valued fields are skipped because strpos needs a string):
foreach($_POST as $k => $v){
    if(!is_string($v)){
        continue;
    }
    foreach($badStrings as $v2){
        if(stripos($v, $v2) !== false){
            logBadRequest();
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}
// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost, $wwwUsed, $referer);
?>
Last edited by ozmart2004; Feb 19, 2006 at 02:26.
-
Feb 19, 2006, 22:36 #3
I'm having the same problem myself - spam messages or empty email form. Thanks for this solution, if it works.
DarkStation - No-nonsense Console Gaming Coverage.
-
Mar 10, 2006, 14:47 #4
Has anyone tried this?
Has anyone tried this solution? Does it work?
Thanks!
-
Mar 10, 2006, 14:55 #5
The solution is to validate the data using PHP, before you send the email.
If things don't validate, don't send the email.
JavaScript validation should ONLY be used as a convenience to the user. Because JavaScript is client-side, all they have to do is turn JavaScript off to bypass your validation.
That is why you must validate using PHP, because they cannot bypass that.
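The server-side validation this post recommends, as an added example (not code from the thread or the FAQ it links). It assumes a form with fields named name, email, subject and message and a placeholder recipient; the point is that nothing reaches mail() until every header-bound value has been checked, and that a line break in any of them is rejected outright rather than matched against a list of known header names.

```php
<?php
// Added example (not from the thread): validate a contact form in PHP before
// calling mail(). Field names and the recipient address are assumptions.
$recipient = 'you@example.com'; // placeholder recipient
// Returns an array of error strings; an empty array means the input is clean.
function validateContactForm(array $post)
{
    $errors = array();
    foreach (array('name', 'email', 'subject', 'message') as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if ($errors) {
        return $errors;
    }
    // Values that end up in mail headers must not contain a line break:
    // an injected CR/LF is how a bot appends its own Bcc:/Content-Type: lines.
    foreach (array('name', 'email', 'subject') as $field) {
        if (preg_match('/[\r\n]|%0[ad]/i', $post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (strlen($post['subject']) > 200 || strlen($post['message']) > 5000) {
        $errors[] = 'subject or message is too long';
    }
    return $errors;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.0 405 Method Not Allowed');
    exit;
}
$errors = validateContactForm($_POST);
if ($errors) {
    // Nothing is sent; report the problems to the (human) user and stop.
    header('HTTP/1.0 400 Bad Request');
    echo htmlspecialchars(implode("\n", $errors), ENT_QUOTES, 'UTF-8');
    exit;
}
// Validated: strip characters that would break the From: display name,
// then build the headers only from checked values and send.
$name = str_replace(array('"', '<', '>'), '', $_POST['name']);
$headers = 'From: "' . $name . '" <' . $_POST['email'] . ">\r\n"
         . 'Reply-To: ' . $_POST['email'] . "\r\n"
         . 'Content-Type: text/plain; charset=UTF-8';
mail($recipient, $_POST['subject'], $_POST['message'], $headers);
```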
-
Mar 10, 2006, 14:55 #6
Haven't tried it but it looks on the face of it pretty secure and covers most if not all of the methods I know about.
Run it and see!
SpikeMike Swiffin - Community Team Advisor
Only a woman can read between the lines of a one word answer.....
-
Mar 12, 2006, 18:14 #7
I can confirm that Ozmart2004's tip works perfectly.
DarkStation - No-nonsense Console Gaming Coverage.
-
Mar 12, 2006, 18:35 #8
So you run that code before the form displays?
-
Mar 12, 2006, 18:59 #9
I got some spam from the site that I forgot to add the new code to, but I didn't get any from the site I applied the code to. Looks like it works great! (crossing fingers...)
Thanks!
Nature's Sunshine herbs and supplements
-
Mar 13, 2006, 04:17 #10
If you use javascript to validate, then all a hacker needs to do is turn it off on their browser and they can sodomize your script.
Get some PHP validation going.
Originally Posted by ozmart2004
-
Mar 13, 2006, 04:54 #11
Originally Posted by _matrix_
-
Mar 13, 2006, 05:01 #12
I have a similar problem over at PHP for Beginners. I store user comments in a DB, so it's kind of not the same, but I found that adding an extra field to your comments table, say is_valid_comment, and setting it to true or false works... you then only have to modify your SQL query to select where it is a valid comment...
There is a good tutorial for noisy form images on SitePoint; here's the URL:
http://www.sitepoint.com/article/tou...security-image
-
Apr 3, 2006, 16:32 #13
I used this code for several sites, and I haven't seen any more spam from all but one of them. I have a script running where it writes to a text file on the server. That text file used to get spammed, but there isn't any spam since I added this fix. However, they're getting spam email to bogus addresses by bogus addresses.
I don't really understand why the fix is working for the text file but not for email. I don't have any other form on this site, so I don't know why they're getting email. Grr...
Thanks for any insight,
Midori
Nature's Sunshine herbs and supplements
-
Apr 24, 2006, 13:47 #14
Does anyone have any other fixes? I used the fix recommended in this thread, but it worked on all but one of my sites. One of my clients keeps getting spam in her box with gibberish. Someone's spoofing email addresses from her domain, and she's bugging me to fix it. Yikes!
Thanks for any help...
- Midori
Nature's Sunshine herbs and supplements
-
Apr 24, 2006, 14:00 #15
You could add one of those "security images"/"verification images" to prevent bots from targeting your forms automatically.
SitePoint has a tutorial on this:
http://www.sitepoint.com/article/tou...security-image
Be sure to read the comments at the end of the article, as I noted two fixes that need to be made to the provided code to make it bot-proof.
Try Improvely, your online marketing dashboard.
→ Conversion tracking, click fraud detection, A/B testing and more