I have been using a home-brewed PHP contact form on 5 or 6 sites for several months now. None is very high traffic, but I’m starting to get concerned that the forms may be vulnerable to spammer hijacking, a subject about which I know very little. I took the basic step of using html_strip_tags() to clean the form fields before passing them to the email script, but I understand there are other ways spammers can use your contact form to send out their annoying payloads, possibly helping to get your web host blacklisted. Here are the options I am considering:
- Take additional steps to secure the form I’m currently using. To do this, I need to know what I’m up against and what functions are available to help. Can anyone provide information, or recommend some good resources?
- Switch to a premade, open-source contact form. There seem to be a lot of these available - can anyone recommend a good one that includes support for attachments (which one of my sites uses)?
Any and all input will be greatly appreciated.
You might want to take a look at MicroAkismet, which uses the Akismet API (http://akismet.com/). Even though its focus is on blog spam, I’ve had very good results with some of my regular contact forms that were getting spammed.
Thanks for the replies - I’ve done some Googling in the interim and come up with a couple of useful articles on preventing header injections and on referrer checks and similar techniques (http://php4every1.com/tutorials/php-antispam-measures/). I think I’m going to rework my home-brew form using some of these fixes - hopefully I can make life hard enough for the spammers that they’ll go looking for an easier target.
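The header-injection problem mentioned above comes down to one thing: a form field that ends up inside a mail header must never contain a carriage return or line feed, otherwise a spammer can append their own Bcc: or Content-Type: lines. The following is an added example, not code from the thread or from any poster; the address webmaster@example.com and the inputs are constructed placeholders.

```php
<?php
// Added example (not from the thread): reject CR/LF in any header-bound field
// before it reaches mail(), and validate the address with filter_var().

function has_header_injection(string $value): bool
{
    // Raw CR/LF is what actually breaks a header; a literal "%0A"/"%0D" in the
    // decoded field is harmless text, but rejecting it too costs nothing.
    return (bool) preg_match('/[\r\n]|%0[ad]/i', $value);
}

function build_headers(string $name, string $email): ?string
{
    if (has_header_injection($name) || has_header_injection($email)) {
        return null; // refuse to send rather than try to "clean" an attack
    }
    $clean_email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($clean_email === false) {
        return null;
    }
    // Keep the display name to a conservative character set so it cannot
    // introduce quoting or angle brackets into the header.
    $clean_name = preg_replace('/[^A-Za-z0-9 .\'-]/', '', strip_tags($name));

    // Use a fixed From: on your own domain; the visitor only goes in Reply-To:.
    return "From: webmaster@example.com\r\n"
         . "Reply-To: " . $clean_name . " <" . $clean_email . ">\r\n";
}

// Constructed inputs: one normal submission, one carrying an injected Bcc: line
$good = build_headers('Jane Doe', 'jane@example.org');
$bad  = build_headers('Jane Doe', "jane@example.org\r\nBcc: someone@example.net");

echo $good === null ? "good: rejected\n" : "good: accepted\n";
echo $bad  === null ? "bad: rejected\n"  : "bad: accepted\n";
```

The point of returning null instead of stripping the newlines is that a submission containing them is never a legitimate visitor, so there is nothing worth salvaging; log it and drop it. Subject lines need the same treatment, since they are headers too.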
Just make a text file in notepad (or whatever you use), and on each new line the words/phrases/links you want to block.
Import that, but replace “\[rn]\[rn]” with “|” before adding it to the reg exp
A bit rusty on php I’m afraid, so can’t help you more than that.
On the script I created a while ago, I made a page that read the text file and allowed me to sort or edit it
Are there particular words I should be blocking, other than HTML tags? Where would I find a list?
Use a text file of words/links, and compare the message to it using a regular expression
preg_match('/\b(word|link|two words)\b/i', $message)
or something like that
Just read the file as text and import the string into the reg exp
I set up a clean_and_block function, that allows me to add a word to the text file and remove all messages that contain it
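The blocklist approach described in the posts above (one phrase per line in a text file, joined with | into a single preg_match pattern) needs one extra step to be safe: each phrase has to go through preg_quote(), otherwise a blocked URL containing "." or "?" is interpreted as regex syntax instead of literal text. This is an added example, not any poster's code; the blocklist contents and the temporary file path are constructed for the demonstration, and the arrow function needs PHP 7.4 or later.

```php
<?php
// Added example (not code from the thread): load a one-phrase-per-line
// blocklist, escape each entry, and test a message with one pattern.

function load_blocklist(string $path): array
{
    // file() with these flags does the "replace newlines" step from the thread for us
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    return array_values(array_filter(array_map('trim', $lines), 'strlen'));
}

function build_block_pattern(array $phrases): ?string
{
    if ($phrases === []) {
        return null;
    }
    // preg_quote() makes "spam.example/offer?x=1" match literally; '/' is the delimiter
    $escaped = array_map(fn(string $p) => preg_quote($p, '/'), $phrases);
    return '/\b(?:' . implode('|', $escaped) . ')\b/i';
}

function find_blocked_phrase(string $message, ?string $pattern): ?string
{
    if ($pattern === null) {
        return null;
    }
    return preg_match($pattern, $message, $m) === 1 ? $m[0] : null;
}

// Constructed blocklist written to a temp file so the example runs stand-alone
$path = tempnam(sys_get_temp_dir(), 'blocklist');
file_put_contents($path, "cheap meds\nhttp://spam.example/offer?x=1\nbuy now\n\n");

$pattern = build_block_pattern(load_blocklist($path));
$samples = [
    "Hi, I have a question about your services.",
    "CHEAP MEDS available, visit http://spam.example/offer?x=1 today",
];
foreach ($samples as $msg) {
    $hit = find_blocked_phrase($msg, $pattern);
    echo $hit === null ? "allow: $msg\n" : "block ($hit): $msg\n";
}
unlink($path);
```

Returning the matched phrase rather than just true/false makes it easy to log which entry fired, which is what you want when reviewing false positives after editing the list.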