  1. #1 Shyflower

    Which works best?

    I currently use this code to try to block spam:

    Code:
    if (preg_match('/[\r\n,;\'"]/', $_POST['email'])) {
    but found this code at W3Schools:

    Code:
    <?php
    function spamcheck($field)
      {
      //case-insensitive check for a "to:" or "cc:" header inside the field
      //(the original used eregi(), which was removed in PHP 7; preg_match()
      //with the i modifier is the equivalent call)
      if (preg_match("/to:/i", $field) || preg_match("/cc:/i", $field))
        {
        return TRUE;
        }
      else
        {
        return FALSE;
        }
      }

    //if "email" is filled out, send email
    if (isset($_REQUEST['email']))
      {
      //check if the email address is invalid
      $mailcheck = spamcheck($_REQUEST['email']);
      if ($mailcheck==TRUE)
        {
        echo "Invalid input";
        }
      else
        {
        //send email (the posted excerpt ended here; recipient and subject are placeholders)
        mail("you@example.com", "Contact form", $_REQUEST['message'], "From: " . $_REQUEST['email']);
        }
      }
    ?>
    Which is better to prevent email injections? Will one (or the other) do more to stop spam to my inbox as well?
    Linda Jenkinson
    "Say what you mean. Mean what you say. But don't say it mean." ~Unknown

  2. #2 clamcrusher (SitePoint Wizard)
    Your method is better, although both methods are looking for header injections, which aren't necessarily going to stop something just meant to reach you.

    It's been discussed many times. Try searching the PHP forum for "spam email";
    there's lots of good methods available both for stopping header injections as well as automated submissions.


    http://www.securephpwiki.com/index.php/Email_Injection

  3. #3 php_daemon
    The first one. The second only filters out cc and to injections.

    Personally, I'd check if the email is valid instead of looking for malicious code as you can't always be sure you filter out everything:
    PHP Code:
    // \. in the domain part is a literal dot (unescaped in the original it matched
    // any character); the D modifier stops $ from matching before a trailing newline
    $pattern = "/^([a-zA-Z0-9])+([.a-zA-Z0-9_-])*@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+$/D";
    if (!preg_match($pattern, $_POST['email'])) {
      echo "Invalid email!";
    }

    Edit: too late
    Last edited by php_daemon; Nov 11, 2006 at 10:00.
    Saul

  4. #4 SitePoint Guru (Finland)
    Uhhhhh.... what the. Now I've known for quite some time that the W3Schools' PHP department is somewhat lacking in things like best practices, security and error-free syntax, but seriously, I don't think I've ever seen a more useless spam prevention technique. Not only does it happily ignore the Bcc (Blind courtesy copy) header (which is what all except the most clueless spammers use), but it also ignores everything else. Someone could actually attach a file to the email. Of course this would require an older version of PHP as the newest ones do not allow multiple lines where they should not be, but it's still pretty bad.

  5. #5 Shyflower
    Quote Originally Posted by clamcrusher
    Your method is better, although both methods are looking for header injections, which aren't necessarily going to stop something just meant to reach you.

    It's been discussed many times. Try searching the PHP forum for "spam email";
    there's lots of good methods available both for stopping header injections as well as automated submissions.


    http://www.securephpwiki.com/index.php/Email_Injection
    I have looked through this forum, clamcrusher, and found tons of info which made my head spin! I also read the link you posted. In fact I've read it several times. However, it put my poor brain on a real roller coaster ride.


    So until I become better at coding my own, I'm just a find it and copy and paste kind of girl.

    I also found this one via one of the threads here: http://www.dbmasters.net/index.php?id=19
    and downloaded the zip.

    Has anyone else used it? Is it worth the $20.00? (So far I've just downloaded the freebie and will do some testing before I pay for the paid version.)

    In addition to my sites, I need a better PHP for client sites too.

    Quote Originally Posted by sorcuu
    Uhhhhh.... what the. Now I've known for quite some time that the W3Schools' PHP department is somewhat lacking in things like best practices, security and error-free syntax, but seriously, I don't think I've ever seen a more useless spam prevention technique. Not only does it happily ignore the Bcc (Blind courtesy copy) header (which is what all except the most clueless spammers use), but it also ignores everything else. Someone could actually attach a file to the email. Of course this would require an older version of PHP as the newest ones do not allow multiple lines where they should not be, but it's still pretty bad.
    Thanks for your input. It's nice to know the "why" as well as the what!
    Linda Jenkinson
    "Say what you mean. Mean what you say. But don't say it mean." ~Unknown

  6. #6 php_daemon
    Quote Originally Posted by Shyflower
    I have looked through this forum clam crusher and found tons of info which made my head spin! I also read the link you posted. In fact I've read it several times. However, it put my poor brain on a real roller coaster ride.


    So until I become better at coding my own, I'm just a find it and copy and paste kind of girl.

    I also found this one via one of the threads here: http://www.dbmasters.net/index.php?id=19
    and downloaded the zip.

    Has anyone else used it? Is it worth the $20.00? (So far I've just downloaded the freebie and will do some testing before I pay for the paid version.)

    In addition to my sites, I need a better PHP for client sites too.



    Thanks for your input. It's nice to know the "why" as well as the what!
    What fields do you take as user input? Is it just the message body and the from email? Do you also have the subject field?

    The basic validation can be as follows:
    PHP Code:
    // \. in the domain part is a literal dot (unescaped in the original it matched
    // any character); the D modifier stops $ from matching before a trailing newline
    $pattern = "/^([a-zA-Z0-9])+([.a-zA-Z0-9_-])*@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+$/D";
    if (!preg_match($pattern, $_POST['email'])) {
      echo "Invalid email!";
    } else {
      // strip every non-word character from the subject before it reaches a header
      $subject = preg_replace("/\W/", '', $_POST['subject']);
      mail("your@email.tld", $subject, $_POST['message'], "From: " . $_POST['email']);
      echo "Email sent!";
    }

    It's enough security against header injections. You might also want to implement a captcha system and/or a flood timer.
    Saul

  7. #7 Shyflower
    Here is my php code:

    Code:
    <?php
      $email = $_REQUEST['email'] ;
      $contactname = $_REQUEST['contactname'] ;
      $subject = $_REQUEST['subject'] ;
      $message = $_REQUEST['message'];

    if (!isset ($_REQUEST['email'])) header ("Location: http://mydomain.com/contact.php");

    elseif (empty($email) || empty($contactname) || empty ($subject) || empty ($message)) {
    ?>

    <html>
    <head>
    <title>Error- Blank Field</title>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <link rel="stylesheet" type="text/css" href="style1.css" />
    </head>
    <body>
    <div id="container">
    <div class="wrapper">
    <h2 class="txtlft">Oops!</h2>
    <p class="txtlft">You have left blank fields in our contact form</p>
    <p class="txtlft">Please complete <b>all fields</b> to send your message. Use the <b>back</b> button on your browser to return to the form</p>
    </div>
    </div>
    </body>
    </html>
    <?php }
    // only the address is checked for header characters here; $contactname and
    // $subject also end up in the mail headers unchecked
    elseif (preg_match('/[\r\n,;\'"]/', $email)) {
      exit('Invalid email address');
      }
    else { mail ( "me@mydomain.com", $subject, $message, "From:$contactname <$email>" );
    header ( "Location: http://mydomain.com/thank-you.htm");}
    ?>
    and here is my form:

    Code:
    <form name="contact" method="post" action="myphpcode.php">
    <p><label>Your&nbsp;email</label><br /><input name="email" id="email" size="45" maxlength="60" type="text" /></p>
    <p><label>Your&nbsp;Name</label><br /><input name="contactname" id="contactname" size="45" maxlength="50" type="text" /></p>
    <p><label>Subject</label><br />
    <input name="subject" id="subject" size="45" maxlength="255" type="text" /></p>
    <p><label>Comments</label><br />
    <textarea name="message" cols="40" rows="5"></textarea></p>
    <input name="submit" value="Send" type="submit" />&nbsp; <input type="reset" value="Reset" />
    </form>
    thanks php_daemon for any help you can give me.
    Linda Jenkinson
    "Say what you mean. Mean what you say. But don't say it mean." ~Unknown

  8. #8 php_daemon
    Here it is:
    PHP Code:
    <?php
      $email = $_REQUEST['email'] ;
      $contactname = $_REQUEST['contactname'] ;
      $subject = $_REQUEST['subject'] ;
      $message = $_REQUEST['message'];

    if (!isset ($_REQUEST['email'])) header ("Location: http://mydomain.com/contact.php");

    elseif (empty($email) || empty($contactname) || empty ($subject) || empty ($message)) {
    ?>

    <html>
    <head>
    <title>Error- Blank Field</title>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <link rel="stylesheet" type="text/css" href="style1.css" />
    </head>
    <body>
    <div id="container">
    <div class="wrapper">
    <h2 class="txtlft">Oops!</h2>
    <p class="txtlft">You have left blank fields in our contact form</p>
    <p class="txtlft">Please complete <b>all fields</b> to send your message. Use the <b>back</b> button on your browser to return to the form</p>
    </div>
    </div>
    </body>
    </html>
    <?php }
    // \. in the domain part is a literal dot (unescaped in the original it matched
    // any character); the D modifier stops $ from matching before a trailing newline
    elseif (!preg_match('/^([a-zA-Z0-9])+([.a-zA-Z0-9_-])*@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+$/D', $email)) {
      exit('Invalid email address');
    }
    else {
        // keep only word characters and basic punctuation in the two header fields
        $subject = preg_replace("/[^\w\.,\-!\?\(\) ]/", '', $subject);
        $contactname = preg_replace("/[^\w\.,\-!\?\(\) ]/", '', $contactname);
        mail( "me@mydomain.com", $subject, $message, "From:$contactname <$email>" );
        header( "Location: http://mydomain.com/thank-you.htm");
    }
    ?>
    It will accept only valid emails and will filter out all characters other than alphanumeric and the basic punctuation from the subject and contact name. That will be enough for header injection.

    Also do you have GD library installed? It would be possible to build a simple captcha script also, if you do.
    Saul
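
A hardened handler for the same contact form, added here as an example and not php_daemon's or Shyflower's code: it rejects a CR or LF in every field that reaches a mail header, validates the address with PHP's built-in filter instead of a hand-written pattern, and shows a constructed Bcc-injection attempt being refused. The field names and the recipient address are assumptions.

```php
<?php
// Header injection smuggles a CR or LF into a value that lands in a mail header,
// so every header-bound field is checked for those bytes and the address is
// validated with PHP's built-in filter rather than a hand-written pattern.
// Recipient address and field names are assumptions for this example.

function has_crlf(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 1;
}

function clean_header_field(string $value, int $maxLen = 255): string {
    // Allow word characters and basic punctuation; this also drops CR, LF and the
    // double quote, so the result is safe inside a quoted display name.
    $value = preg_replace('/[^\w .,\'()!?-]/u', '', $value) ?? '';
    return substr(trim($value), 0, $maxLen);
}

// Returns [ok, error, fields]. Only address, name and subject reach the headers;
// the message body may keep its line breaks, it is sent below the header block.
function validate_contact(array $post): array {
    foreach (['email', 'contactname', 'subject', 'message'] as $f) {
        if (!isset($post[$f]) || trim($post[$f]) === '') {
            return [false, "Blank field: $f", null];
        }
    }
    $email = trim($post['email']);
    if (has_crlf($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'Invalid email address', null];
    }
    // Reject, rather than silently strip, line breaks in the other header fields.
    foreach (['contactname', 'subject'] as $f) {
        if (has_crlf($post[$f])) {
            return [false, "Line break in $f", null];
        }
    }
    $from = 'From: "' . clean_header_field($post['contactname'], 100) . "\" <$email>";
    return [true, '', ['from' => $from, 'subject' => clean_header_field($post['subject']),
                       'message' => $post['message']]];
}

// Constructed inputs: a legitimate submission and an attempted Bcc injection.
$good = ['email' => 'reader@example.com', 'contactname' => 'A. Reader',
         'subject' => 'Hello', 'message' => "Line one.\nLine two."];
$bad  = $good;
$bad['email'] = "reader@example.com\r\nBcc: list@example.net";
[$ok1, , $fields] = validate_contact($good);
[$ok2, $err2]     = validate_contact($bad);
var_dump($ok1, $fields['from'], $ok2, $err2);
// With $ok1 true the send would be mail('me@example.com', $fields['subject'], $fields['message'], $fields['from']);
```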

  9. #9 Shyflower
    Quote Originally Posted by php_daemon
    Here it is:
    It will accept only valid emails and will filter out all characters other than alphanumeric and the basic punctuation from the subject and contact name. That will be enough for header injection.

    Also do you have GD library installed? It would be possible to build a simple captcha script also, if you do.
    Thank you so much!

    Nope don't have GD library. Never heard of it.
    Linda Jenkinson
    "Say what you mean. Mean what you say. But don't say it mean." ~Unknown

  10. #10 php_daemon
    Ah OK, never mind then.

    Hope they don't attack you too much.

    Cheers
    Saul

  11. #11 Shyflower
    I've put it on my site and will watch my inbox for the next couple of days. Thank you again! You're the best!

    Vote for PHP_daemon!


    What book or tutorial do you recommend as the best to learn PHP? Definitely W3Schools isn't the place!
    Linda Jenkinson
    "Say what you mean. Mean what you say. But don't say it mean." ~Unknown

  12. #12 php_daemon
    Oh thanks

    To be honest, the PHP manual and these forums are all I read. But I hear good things about SitePoint books and articles. You could check those.
    Saul

  13. #13 SitePoint Guru (Finland)
    The PHP manual is great as long as you completely ignore the user comments. 98.7% of them have been written by beginners who, upon success, are of course more than happy to share their solutions. Needless to say, they most often only apply to a certain situation, few manage to have a bugs-per-line ratio of less than 1, and their performance often leaves something to be desired.

    I would also advise against trusting any article that claims to be a "PHP MySQL tutorial".

  14. #14 php_daemon
    Quote Originally Posted by Sorccu
    The PHP manual is great as long as you completely ignore the user comments. 98.7% of them have been written by beginners who, upon success, are of course more than happy to share their solutions. Needless to say, they most often only apply to a certain situation, few manage to have a bugs-per-line ratio of less than 1, and their performance often leaves something to be desired.
    Agreed. There are some good ideas though.
    Saul

  15. #15 SitePoint Wizard
    I'd have to disagree with ignoring the user comments. Yes, there is a large amount of bad info in them. However, there is also a lot of good info.

    I would say read them, but take what you read with a grain of salt.
