  1. #1
    SitePoint Zealot Tikila's Avatar

    filter bad words-need to modify it a little.

    hi again,

    back in less than two days

    I coded the following snippet to filter bad words on a form. It works fine.
    My problem is that I get an error message for each bad word detected.

    1- I only want one error for any bad word detected.

    $badwords = array("badword1", "badword2", "badword3");
    foreach ($badwords as $word => $key)
    {
        // strpos() returns 0 for a match at the very start, so compare with !== false
        if (strpos($message, $key) !== false) {
            $_SESSION['error'][] = 'unacceptable content';
        }
    }

    2- How can I modify it to filter by phrase/sentence, too?

    Thank you for your intervention !

  2. #2
    SitePoint Evangelist praetor's Avatar
    You might want to use regex and to replace the words with something else, instead of having one error for each word.

  3. #3
    We're from teh basements.
    Quote Originally Posted by Tikila View Post
    1-I only want one error for any bad word detected.
    To answer the first question: break out of the foreach loop as soon as the first bad word is detected instead of continuing to find additional bad words.

    PHP Code:
    $badwords = array("badword1", "badword2", "badword3");
    foreach ($badwords as $word => $key)
    {
        if (strpos($message, $key) !== false) {
            $_SESSION['error'][] = 'unacceptable content';
            break; // stop at the first match so only one error is recorded
        }
    }

    To answer the second part: just add the bad phrases to your array.

  4. #4
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Code php:
    $badwords = array("badword1", "badword1","badword phrase");
    foreach($badwords as $word=>$key){
      if(strpos($message, $key) !== false && !isset($_SESSION['error'][$key])) {
        $_SESSION['error'][$key] = 'unacceptable content';
      }
    }

    Edit:

    Now that I see the WWW's post, besides being late, I think I misinterpreted your message-per-word requirement. Anyway, if you want to alert the user which word specifically is bad, and do that for each, this is one way to do it.
    Saul

  5. #5
    SitePoint Evangelist catweasel's Avatar
    Quote Originally Posted by Tikila View Post
    hi again,

    back in less than two days

    I coded the following snippet to filter bad words on a form.
    Is this for a contact form? Are you experiencing spam being sent through your own mail form?

  6. #6
    SitePoint Zealot Tikila's Avatar
    Quote Originally Posted by catweasel View Post
    Is this for a contact form? Are you experiencing spam being sent through your own mail form?
    Thank you all
    Some users used my tell-a-friend form to send spam through the optional message area, so I had to filter.
    I'd prefer a radical way to block spam bots from even reading the form, like some form of PHP encryption (mycrypt? Maybe. I know it can be done on sentences, not sure on a whole form), but I don't know better than simple filtering now.
    I was thinking of dropping the message area itself, but I like a challenge.

    Update: yep
    Gurus are special
    My thank you won't kill it, but I have no option for the time being till I can afford to offer something better.

  7. #7
    SitePoint Evangelist catweasel's Avatar
    Quote Originally Posted by Tikila View Post
    Thank you all
    Some users used my tell-a-friend form to send spam through the optional message area, so I had to filter.
    It sounds like your form is being used by email injection attacks.. in which case you don't need a bad word filter at all.. can you post the code for processing the form?

  8. #8
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    This is just an observation if you are making a "profanity filter" ( in case you wanted to search this forum or others for the frequently used term ).

    If people are abusing an input box by swearing, it's important not to let them know you are onto them, otherwise they just find new ways of spelling rude words.

    "Thanks for your message [highly abusive text here], it has been sent to our representatives".

    Then send the filtered text onwards to save the blushes of your representatives.

    Don't say, "Well you mealy-mouthed little ******-******, you can't swear on this site, y'know ...." - just goads the little beggars into action.
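
One way to combine the suggestions in the posts above (a single error however many terms match, phrases in the same list, and masking the text before it is forwarded), as an added example that is not code from any poster. The word list and the message are placeholders.

```php
<?php
// Added example; the terms are placeholders, not a real word list.
$badwords = array('badword1', 'badword2', 'bad phrase here');

// Build one case-insensitive pattern from the whole list. preg_quote()
// keeps regex metacharacters in a term literal, \b avoids matching inside
// longer words, and \s+ lets a phrase match across any run of whitespace.
function badword_pattern(array $terms)
{
    $alternatives = array();
    foreach ($terms as $term) {
        $words = preg_split('/\s+/', trim($term), -1, PREG_SPLIT_NO_EMPTY);
        if ($words) {
            $quoted = array();
            foreach ($words as $w) { $quoted[] = preg_quote($w, '/'); }
            $alternatives[] = implode('\s+', $quoted);
        }
    }
    // An empty list must match nothing, not everything.
    return $alternatives ? '/\b(?:' . implode('|', $alternatives) . ')\b/i' : '/(?!)/';
}

// One yes/no answer for the whole message, however many terms match.
function contains_badword($message, array $terms)
{
    return preg_match(badword_pattern($terms), $message) === 1;
}

// Replace each match with asterisks of the same length before forwarding.
function mask_badwords($message, array $terms)
{
    return preg_replace_callback(badword_pattern($terms), function ($m) {
        return str_repeat('*', strlen($m[0]));
    }, $message);
}

// Constructed input: mixed case, a phrase with extra spaces, a repeated term.
$message = 'Hello BadWord1, a bad   phrase here, and badword1 again.';
$errors = array();
if (contains_badword($message, $badwords)) {
    $errors[] = 'unacceptable content';   // recorded once
}
echo count($errors), "\n", mask_badwords($message, $badwords), "\n";
```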

  9. #9
    SitePoint Zealot Tikila's Avatar
    catweasel
    I doubt it is an injection attack, but I'm not sure. In an hour, there were 8 spams (work from home, viagra, etc.)
    I added lots of session checking all night yesterday.
    I register sessions on my form page (the view), then check for it in the controller (processing script)

    if (!SESSION){
    $_SESSION['error'][] = "Invalid form submission";
    exit;
    }

    I also use strip tags around session vars.

    Since then only 1 spam has been reported today (and that was a phrase, I didn't filter), so I think that's a good sign, I assume. But I think I reacted too late, as Hotmail is already sending anything from my server, legit or not, to junk.

    Do you think this will not prevent an email injection attack?

    Cups, you have a point there. I think I should filter silently, but I am concerned that would be misleading to users.

  10. #10
    SitePoint Evangelist catweasel's Avatar
    Quote Originally Posted by Tikila View Post
    catweasel
    I doubt it is an injection attack, but I'm not sure. In an hour, there were 8 spams (work from home, viagra, etc.)
    I added lots of session checking all night yesterday.
    I register sessions on my form page (the view), then check for it in the controller (processing script)

    if (!SESSION){
    $_SESSION['error'][] = "Invalid form submission";
    exit;
    }

    I also use strip tags around session vars.

    Since then only 1 spam has been reported today (and that was a phrase, I didn't filter), so I think that's a good sign, I assume. But I think I reacted too late, as Hotmail is already sending anything from my server, legit or not, to junk.

    Do you think this will not prevent an email injection attack?
    The key to preventing spamming through mail forms is properly validating any fields to be used as mail headers.. usually the 'from' field.

    If what I suspect is happening, you are not the target of the spam.. it's the 5,000,000 other people out there the spammer is appending to the mail by manipulating your mail headers.. it's just that you will always be the first one to receive each spam mail.

    These spammers are usually bot scripts which is why your session strategy is working on some of them.. once the script/spider detects a contact/mail form most of them won't actually fill out the fields on your site.. they just send the matching post data directly. Doing that means they don't have a valid session happening which could be why your checking of sessions is weeding out a few. Other scripts will touch your site first and get a valid session so it's not going to stop them all. And once a few of them have discovered your form more of them will come.

    If you can post some of your code, particularly the part where you validate form data, we might get a better idea if this is what's happening.

  11. #11
    SitePoint Zealot Tikila's Avatar
    Sorry Catweasel for the delay in posting my code (connection was down)
    and thank you in advance for offering to look at my code:

    Here is the processing script (modified by adding: urldecode, spamcheck and @count)
    Update: not relevant anymore.
    Removed the mail altogether and substituted it for swiftmailer.
    Last edited by Tikila; Nov 11, 2007 at 19:13.

  12. #12
    SitePoint Evangelist catweasel's Avatar
    Quote Originally Posted by Tikila View Post
    Sorry Catweasel for the delay in posting my code (connection was down)
    and thank you in advance for offering to look at my code:
    Hi, well .. a few things to mention-
    1) when posting code please use the [ php][/ php] tags so it's a bit more readable (without the spaces)

    2) At the top you've got this kind of thing happening-

    foreach($_POST as $key => $val) $_SESSION[$key] = $val;

    I don't think that's very wise since it allows anyone to set whatever key:value pair they want in your session array.

    3) Also at the top you've got this happening -
    Code:
    if (!SESSION) {
    	$_SESSION['errmsg'][] = "Invalid form submission";
    	exit;
    }
    this will never work since SESSION will always be true.. I'm guessing you meant to put $_SESSION in there instead.

    4) You've not properly validated any of the email addresses, use a proper email regexp to validate all email addresses, and even check for /r,/n,bcc,cc in every field likely to be used in a header.
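
Points 2 and 4 of the post above as an added example, not code from the thread: only the expected fields are read from the request, and an address is rejected if it contains CR/LF (raw or URL-encoded) before it gets near a mail header, which is what an injected Bcc: or Cc: line depends on. The field names and the sample request are assumptions.

```php
<?php
// Added example; the field names below are assumptions, not from the thread.
// True if the value could start a new mail header: raw CR/LF, or the
// URL-encoded forms that a later urldecode() would turn into them.
function has_header_injection($value)
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Return one validated address, or null if it is unusable in a header.
function clean_address($value)
{
    $value = trim((string) $value);
    if ($value === '' || has_header_injection($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Copy only the expected string fields out of the request; everything
// else in $_POST is ignored instead of being written to the session.
function pick_fields(array $post, array $allowed)
{
    $out = array();
    foreach ($allowed as $name) {
        $out[$name] = (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
    }
    return $out;
}

// Constructed request: the sender field carries an extra Bcc header and
// an unexpected key tries to plant a value in the session.
$post = array(
    'sender_email' => "me@example.com\r\nBcc: list@example.net",
    'friend_email' => 'friend@example.org',
    'message'      => 'Take a look at this site.',
    'is_admin'     => '1',
);

$fields = pick_fields($post, array('sender_email', 'friend_email', 'message'));
$errors = array();
foreach (array('sender_email', 'friend_email') as $name) {
    $fields[$name] = clean_address($fields[$name]);
    if ($fields[$name] === null) {
        $errors[] = "Invalid address in $name";
    }
}
var_dump($fields, $errors);
```

Only the values returned by `clean_address()` should be placed in headers; the free-text message belongs in the body, never in a header.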

  13. #13
    SitePoint Zealot Tikila's Avatar
    Thanks a lot for your feedback

    3-I use this as regexp and another js that I missed to include:

    PHP Code:
    function isEmail($email)
    {
    return(
    preg_match("/^[-_.[:alnum:]]+@((([[:alnum:]]|[[:alnum:]][[:alnum:]-]*[[:alnum:]])\.)+(ad|ae|aero|af|ag|ai|al|am|an|ao|aq|ar|arpa|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|biz|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|com|coop|cr|cs|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|edu|ee|eg|eh|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gh|gi|gl|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|in|info|int|io|iq|ir|is|it|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mil|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|museum|mv|mw|mx|my|mz|na|name|nc|ne|net|nf|ng|ni|nl|no|np|nr|nt|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|pro|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)$|(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5]))$/i"
    , $email));
    }

    2- I actually did mean [!session]. At first I used
    PHP Code:
    <?php
    session_register("SESSION");
    ?>
    in the form page (tellafriend.php), and checked for it in the processing script (tellafriend-process.php), the script above, like this:
    PHP Code:
    <?php
    if (!session_is_registered("SESSION")){
       
    $_SESSION['errmsg'][] = "Invalid form submission";
    }
    ?>
    but since I have register globals off, I changed it to:
    PHP Code:
    <?php
    if (!session){
       
    $_SESSION['errmsg'][] = "Invalid form submission";
    }
    ?>
    so do you think I should get rid of :
    PHP Code:
    <?php
    foreach($_POST as $key => $val)
    $_SESSION[$key] = $val;
    ?>
    and just assign session vars manually ?

