Hi,
Recently, a client of mine was getting a ton of spam email from a site
called hotbox.com. I updated her form to one with more spam security,
but she is still receiving junk email.
Anyone feel like sharing code snippets that will help beef up spam
protection for a contact script?
Do you all enable a CAPTCHA system?
Here is what I am currently using in my contact form script to protect
from spam:
# Error text:
$no_go = 'Forbidden - You are not authorized to view this page!';

# First, make sure the form was posted from a browser. For basic web-forms,
# we don't care about anything other than requests from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT'])) { die($no_go); }

# Make sure the form was indeed POST'ed (requires your html form to use
# method="post"). Note: writing this as !$_SERVER['REQUEST_METHOD'] == "POST"
# negates the string first and then compares false with "POST", so that test
# never fires; compare with !== instead:
if($_SERVER['REQUEST_METHOD'] !== "POST") { die($no_go); }

# Host names from where the form is authorized to be posted from:
$auth_hosts = array("site1.com", "site2.com");

# Minimal logger for rejected requests, defined here so the calls below work:
function log_bad_request() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log("contact form: rejected request from " . $ip);
}

# Where have we been posted from? The Referer header may be absent or
# malformed (parse_url() then returns false or omits 'host'), so guard it:
$from_array = isset($_SERVER['HTTP_REFERER'])
    ? parse_url(strtolower($_SERVER['HTTP_REFERER'])) : false;
if($from_array === false || !isset($from_array['host'])) {
    log_bad_request();
    header("HTTP/1.0 403 Forbidden");
    exit();
}

# Test to see if the referring host started with "www." (the position must
# be 0, not merely non-false, or a "www." in the middle of a host would match):
$www_used = (strpos($from_array['host'], "www.") === 0);

# Make sure the form was posted from an approved host name:
$from_host = $www_used ? substr($from_array['host'], 4) : $from_array['host'];
if(!in_array($from_host, $auth_hosts, true)) {
    log_bad_request();
    header("HTTP/1.0 403 Forbidden");
    exit();
}

# Attempt to defend against header injections. An injected header needs a
# line break inside a value, so CR and LF are checked along with the keywords:
$bad_strings = array("Content-Type:", "MIME-Version:",
                     "Content-Transfer-Encoding:", "bcc:", "cc:", "\r", "\n");

# Loop through each POST'ed value and test if it contains one of the
# $bad_strings (case-insensitively, since "BCC:" would otherwise slip past;
# array-valued fields are flattened to a string first):
foreach($_POST as $k => $v) {
    if(is_array($v)) { $v = implode(" ", $v); }
    foreach($bad_strings as $v2) {
        if(stripos($v, $v2) !== false) {
            log_bad_request();
            header("HTTP/1.0 403 Forbidden");
            exit();
        }
    }
}

# Made it past spammer test, free up some memory and continue rest of
# script:
unset($k, $v, $v2, $bad_strings, $auth_hosts, $from_array, $www_used, $from_host);
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
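A complementary approach to the keyword blacklist above, as an added example that is not the original poster's code: keep user-supplied values out of the mail headers altogether, and reject any field that contains a line break, since that is what a header injection actually needs. The function names, the form field names and the site address are assumptions.

```php
<?php
// Added example: header injection needs a CR or LF inside a header value,
// so reject those outright and only ever place validated values in headers.
// Assumed names: contact_field_ok(), send_contact(), $_POST keys name,
// email, message, and the From address contact-form@example.com.

function contact_field_ok($value, $max_len = 200) {
    // A header line must not contain CR, LF or NUL; also bound its length.
    if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    return strlen($value) <= $max_len;
}

function send_contact(array $post, $to) {
    $name    = isset($post['name'])    ? $post['name']    : '';
    $email   = isset($post['email'])   ? $post['email']   : '';
    $message = isset($post['message']) ? $post['message'] : '';

    // Only name and email ever reach a header, so only they are line-checked.
    if (!contact_field_ok($name) || !contact_field_ok($email)) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Headers are built from our own fixed From address plus the validated
    // sender address in Reply-To; the subject is fixed, not user supplied.
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    $subject = "Contact form message";

    // The message body may legitimately contain newlines; they are harmless
    // there because the body is separated from the headers by mail() itself.
    $body = "Name: " . $name . "\n\n" . $message;

    return mail($to, $subject, $body, $headers);
}

// Usage from the contact script, after the request checks have passed:
// if (!send_contact($_POST, 'owner@example.com')) { header("HTTP/1.0 400 Bad Request"); exit(); }
```

Because nothing the visitor types is used as a header name or as the From address, a spammer cannot add Bcc: or Cc: recipients even if a new keyword is missing from the blacklist.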