Re: Comment form spammer

My implementation of CAPTCHA eliminated Chinese spam.

See http://www.lilyregister.com/page/?p=contact

Gerry

On 8/9/06, Micky Hulse <micky@xxxxxxxxxxxxx> wrote:
Hi,

Recently, a client of mine was getting a ton of spam email from a site
called hotbox.com. I updated her form to one with more spam security,
but she is still receiving junk email.

Anyone feel like sharing code snippets that will help beef up spam
protection for a contact script?

Do you all enable a CAPTCHA system?

Here is what I am currently using in my contact form script to protect
from spam:



<?php
# Error text:
$no_go = 'Forbidden - You are not authorized to view this page!';

# log_bad_request() is called below but the snippet never defined it (PHP
# would stop with an undefined-function error on the first hit); a minimal
# version that writes to the server error log:
function log_bad_request() { error_log('contact form: bad request rejected'); }

# First, make sure the form was posted from a browser.
# For basic web-forms, we don't care about anything other than requests
# from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT'])) { die($no_go); }
# Make sure the form was indeed POST'ed (requires your html form to use
# method="post"). The original wrote !$_SERVER['REQUEST_METHOD'] == "POST",
# which negates the string before comparing and so never rejects anything:
if($_SERVER['REQUEST_METHOD'] !== "POST") { die($no_go); }
# Host names from where the form is authorized to be posted from:
$auth_hosts = array("site1.com", "site2.com");
# Where have we been posted from? A missing or unparsable referer is treated
# as unauthorized instead of raising a notice:
$from_array = isset($_SERVER['HTTP_REFERER'])
        ? parse_url(strtolower($_SERVER['HTTP_REFERER'])) : false;
if($from_array === false || !isset($from_array['host'])) { die($no_go); }
# Test to see if the $from_array used www to get here.
$www_used = strpos($from_array['host'], "www.");
# Make sure the form was posted from an approved host name:
if(!in_array(($www_used === false ? $from_array['host'] :
        substr(stristr($from_array['host'], '.'), 1)), $auth_hosts)) {
        //log_bad_request();
        header("HTTP/1.0 403 Forbidden");
        exit();
}
# Attempt to defend against header injections:
$bad_strings = array("Content-Type:", "MIME-Version:",
        "Content-Transfer-Encoding:", "bcc:", "cc:");
# Loop through each POST'ed value and test if it contains one of the
# $bad_strings (case-insensitive, so "BCC:" is caught as well as "bcc:";
# non-string values, e.g. from checkbox arrays, are skipped):
foreach($_POST as $k => $v) {
        foreach($bad_strings as $v2) {
                if(is_string($v) && stripos($v, $v2) !== false) {
                        log_bad_request();
                        header("HTTP/1.0 403 Forbidden");
                        exit();
                }
        }
}
# Made it past spammer test, free up some memory and continue rest of
# script:
unset($k, $v, $v2, $bad_strings, $auth_hosts, $from_array, $www_used);

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

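As an added example (not code from Gerry's reply or from Micky's snippet), here are the same checks the thread discusses rewritten as functions with the defects of the posted snippet corrected: the request-method comparison actually fires, a missing referer is handled, the host match accepts subdomains without accepting look-alike suffixes, and the header-injection test looks for the CR/LF characters that make the attack work rather than only a case-sensitive keyword list. A honeypot field is included as one more cheap filter of the kind the question asks for. The host names, field names and the `website` honeypot name are placeholders chosen for this example; the referer check remains advisory because the header is client-supplied.

```php
<?php
// Added example, not code from the thread: the checks from the quoted snippet
// rewritten as functions with the defects fixed, plus a honeypot field. Host
// names and field names below are placeholders chosen for the example.

// Hosts the form may be submitted from (placeholders).
$AUTH_HOSTS = array('example.com', 'example.org');
// Fields that end up in mail headers and therefore must not contain line breaks.
$HEADER_FIELDS = array('name', 'email', 'subject');
// Hidden field a human never fills in; bots that fill every input give themselves away.
$HONEYPOT_FIELD = 'website';

// True when $host equals an authorised host or is a subdomain of one:
// "www.example.com" passes, "example.com.evil.test" does not.
function host_is_authorised($host, array $auth_hosts) {
    $host = strtolower($host);
    foreach ($auth_hosts as $auth) {
        $auth = strtolower($auth);
        if ($host === $auth) {
            return true;
        }
        $suffix = '.' . $auth;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Referer check that copes with a missing or unparsable header. The header is
// client-supplied, so this deters careless bots only; it is not authentication.
function referer_is_authorised(array $server, array $auth_hosts) {
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    return host_is_authorised($parts['host'], $auth_hosts);
}

// Mail header injection relies on smuggling CR or LF into a value that is placed
// in a header, so the decisive test is for line breaks. The keyword list from the
// original snippet is kept as a case-insensitive second net.
function looks_like_header_injection($value) {
    if (!is_string($value)) {
        return true; // an array where a scalar is expected is not a normal submission
    }
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    $bad = array('content-type:', 'mime-version:', 'content-transfer-encoding:', 'bcc:', 'cc:');
    $lower = strtolower($value);
    foreach ($bad as $needle) {
        if (strpos($lower, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Runs every check and returns the list of reasons for rejection (empty = accept).
function validate_contact_post(array $post, array $server, array $auth_hosts,
                               array $header_fields, $honeypot_field) {
    $reasons = array();
    if (!isset($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') {
        $reasons[] = 'not a POST request';
    }
    if (empty($server['HTTP_USER_AGENT'])) {
        $reasons[] = 'no User-Agent header';
    }
    if (!referer_is_authorised($server, $auth_hosts)) {
        $reasons[] = 'referer not on the authorised list';
    }
    if (isset($post[$honeypot_field]) && $post[$honeypot_field] !== '') {
        $reasons[] = 'honeypot field was filled in';
    }
    foreach ($header_fields as $field) {
        if (isset($post[$field]) && looks_like_header_injection($post[$field])) {
            $reasons[] = 'header injection attempt in "' . $field . '"';
        }
    }
    return $reasons;
}

// Constructed sample submissions (not real traffic) to exercise the checks.
$server = array(
    'REQUEST_METHOD'  => 'POST',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (example)',
    'HTTP_REFERER'    => 'http://www.example.com/contact',
);
$genuine = array('name' => 'Ann', 'email' => 'ann@example.net', 'subject' => 'Hello',
                 'message' => "Line one\nLine two is fine in the body", 'website' => '');
$injected = array('name' => 'Ann', 'email' => "ann@example.net\r\nBcc: someone@example.net",
                  'subject' => 'Hello', 'message' => 'x', 'website' => 'http://spam.example');

foreach (array('genuine' => $genuine, 'injected' => $injected) as $label => $post) {
    $reasons = validate_contact_post($post, $server, $AUTH_HOSTS, $HEADER_FIELDS, $HONEYPOT_FIELD);
    echo $label, ': ', empty($reasons) ? 'accepted' : 'rejected (' . implode('; ', $reasons) . ')', "\n";
}
```

Only the fields that are copied into mail headers are tested for line breaks; the message body may legitimately contain newlines and is left alone. Returning a list of reasons rather than calling die() keeps the decision separate from the response, so the script can log the reason and still answer with a plain 403 as the original does.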