Re: Mirroring/caching PHP webpages.

On Fri, Jan 16, 2009 at 11:57:24AM +1100, Clancy wrote:

> For some time I have had feedback pages on several of my websites based
> on the example given by David Powers in chapter 6 of "PHP for Dreamweaver
> 8". These worked fine for some years, but some months ago someone started
> stuffing pornographic advertisements into them.
> 
> A few weeks ago I got fed up with these messages, and devised a very
> simple filter to reject them (I won't explain how this works, because if
> I did the perpetrators could immediately change their technique to defeat
> it). If the content was acceptable I handled the message in the normal
> way, but otherwise I deleted the contents, and forwarded the message to a
> different address with the title "rubbish from XXX website". This worked
> well, but then I decided I didn't need to know anything about this stuff
> at all, so I modified the logic so that if the message is unacceptable it
> is simply dumped, but the sender is still shown the normal "Thank you for
> your feedback" message. This way the sender cannot tell whether or not
> his message has actually been sent, and so he cannot experiment to try to
> break the filter.
> 
> Now if I try to send myself bad messages they simply disappear without
> trace, as expected, but I am still getting one or two messages a day sent
> with the version 1 (censored) logic. I have changed the messages in my
> new version, and verified that the old messages do not appear anywhere on
> my hard disk, and that there is only the new version of the feedback
> procedure on my server.
> 
> The only explanation I can see is that someone has somehow managed to
> cache or mirror the version 1 logic, and is still dutifully stuffing
> pornography into it. As it is my understanding that the PHP code which
> handles the processing is inaccessible to the user, I cannot understand
> how this could have been done. Does anyone have any suggestions?
> 

If Google can spider and read your site, why can't someone else? I've
had similar things happen. Any program that uses the HTTP protocol to
fetch your site will only get the page as rendered by the server-- sans
PHP. But I can imagine someone else programming something to snag the
page a different way-- *with* PHP.

But actually, they don't even have to be that sophisticated. All they
have to do is submit a message to your form the first time, note the
variables and their characteristics, and then resubmit that same type of
content later using the same variable names and characteristics.

Here's something you might do:

1) Rename the page in question. That way their submission won't
piggyback on your existing PHP code. 

2) Change all the variable names in the file.

Chances are, they're just submitting an HTTP request with the proper
POST/GET variables so your page processes it as though it were being
accessed "live". But if they try to submit this same content to a form
that goes nowhere, Apache will just give them a 404 error.
Alternatively, if you change your variable names and they submit to your
existing form, your PHP can simply ignore it.

Also, you might try CAPTCHA (look it up). It tries to weed out human
from non-human surfers. You've probably got a 'bot submitting to you, so
this might help.

Paul
-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
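
The reply above suggests changing the form's variable names so that a POST recorded earlier is ignored. The following is an added example, not code from the thread or from the book it mentions, and it goes one step further than a one-time rename by deriving the field names from a secret and the current day so they rotate automatically. The key, the function names and the sample addresses are all assumptions made for the illustration.

```php
<?php
// Added example; every name here (FIELD_KEY, field_name, handle_post) is hypothetical.
const FIELD_KEY = 'REPLACE-WITH-LONG-RANDOM-SECRET'; // placeholder, keep out of the web root

// Name used in the HTML for a logical field during one rotation period.
function field_name(string $logical, int $period): string {
    return 'f_' . substr(hash_hmac('sha256', "$logical|$period", FIELD_KEY), 0, 12);
}

function current_period(?int $now = null): int {
    return intdiv($now ?? time(), 86400); // names change once a day
}

function render_form(int $period): string {
    return '<form method="post" action="">'
        . '<input type="text" name="' . field_name('email', $period) . '">'
        . '<textarea name="' . field_name('message', $period) . '"></textarea>'
        . '<input type="submit" value="Send"></form>';
}

// Returns the submitted values, or null when the POST uses stale or unknown names.
// The previous period is accepted so a form loaded just before rotation still works.
function extract_feedback(array $post, int $period): ?array {
    foreach ([$period, $period - 1] as $p) {
        $e = field_name('email', $p);
        $m = field_name('message', $p);
        if (isset($post[$e], $post[$m]) && is_string($post[$e]) && is_string($post[$m])) {
            return ['email' => $post[$e], 'message' => $post[$m]];
        }
    }
    return null;
}

// $deliver is the site's existing mail/filter routine (assumed, not shown on the page).
function handle_post(array $post, int $period, callable $deliver): string {
    $feedback = extract_feedback($post, $period);
    if ($feedback !== null) {
        $deliver($feedback);
    }
    return 'Thank you for your feedback'; // identical reply whether or not it was delivered
}

// Constructed demonstration: a replay recorded 30 days ago versus a fresh submission.
$today = current_period();
$sent = [];
$deliver = function (array $fb) use (&$sent) { $sent[] = $fb; };
$replay = [field_name('email', $today - 30) => 'bot@example.com',
           field_name('message', $today - 30) => 'recorded spam'];
$fresh  = [field_name('email', $today) => 'reader@example.com',
           field_name('message', $today) => 'Nice site'];
echo handle_post($replay, $today, $deliver), "\n";
echo handle_post($fresh, $today, $deliver), "\n";
echo count($sent), " message(s) delivered\n";
```

Rotation only defeats submissions that reuse recorded names; a bot that fetches the form before each POST picks up the current names, which is the case the CAPTCHA suggestion in the reply is aimed at.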

