Re: Mirroring/caching PHP webpages.

On Fri, 16 Jan 2009 00:51:58 -0500, paulf@xxxxxxxxxxxxxxxxx (Paul M Foster) wrote:

>On Fri, Jan 16, 2009 at 11:57:24AM +1100, Clancy wrote:
.................................
>> The only explanation I can see is that someone has somehow managed to
>> cache or mirror the
>> version 1 logic, and is still dutifully stuffing pornography into it. As
>> it is my
>> understanding that the PHP code which handles the processing is inaccessible
>> to the user,
>> I cannot understand how this could have been done.  Does anyone have
>> any suggestions?
>> 
>
>If Google can spider and read your site, why can't someone else? I've
>had similar things happen. Any program that uses the HTTP protocol to
>fetch your site will only get the page as rendered by the server-- sans
>PHP. But I can imagine someone else programming something to snag the
>page a different way-- *with* PHP.
>
>But actually, they don't even have to be that sophisticated. All they
>have to do is submit a message to your form the first time, note the
>variables and their characteristics, and then resubmit that same type of
>content later using the same variable names and characteristics.
>
>Here's something you might do:
>
>1) Rename the page in question. That way their submission won't
>piggyback on your existing PHP code. 
>
>2) Change all the variable names in the file.
>
>Chances are, they're just submitting an HTTP request with the proper
>POST/GET variables so your page processes it as though it were being
>accessed "live". But if they try to submit this same content to a form
>that goes nowhere, Apache will just give them a 404 error.
>Alternatively, if you change your variable names and they submit to your
>existing form, your PHP can simply ignore it.
>
>Also, you might try CAPTCHA (look it up). It tries to weed out human
>from non-human surfers. You've probably got a 'bot submitting to you, so
>this might help.

The page has text boxes for the name and e-mail address, a text area for the message, and
a submit button. When the user hits the submit button the original code evaluates all the
inputs, and either re-issues the page if it didn't like them, or transmits the message,
with the title "Feedback from XXX website". If the message is transmitted successfully the
user is then shown a "Thank you for your feedback" page.

In version 1 of the modification if the message passed the initial test I then submitted
it to a second test. If it failed this, I replaced the message with "[Censored]", and sent
it to an alternative address, with the title "Rubbish from XXX website" but showed the
same "Thank you" page. I did this just so that if I accidentally rejected something from
someone I knew, I could email them and ask them to send the message again.

After a few days I decided I didn't need to know anything about these bogus messages, so I
developed version 2 of the modification. This is the same as version 1, except that it
uses a different title and replacement message (even though they are no longer used), and
simply discards the message, but again shows the normal "Thank you" page.

With either modification there is nothing to tell the sender that their message has been
rejected, and, as I never reply to such messages, no way for them to find out whether or
not I actually received their message. Whenever I try to send myself a bad message nothing
happens, so that version 2 appears to have been implemented. I do not get any uncensored
messages of this type now, so the rejection algorithm is satisfactory, but I'm still
getting one or two messages handled by version 1 each day.

I cannot see how this could happen unless someone has somehow managed to trap the version
1 PHP code (or, just conceivably, my provider switches to a backup containing old code
at some stage in a maintenance cycle).

I raised this matter out of interest, because I cannot explain what is happening, but my
actual problem is very slight, and as I'm in the process of converting this website from
an HTML design with hundreds of individual pages to a PHP-based design I will wait till I
have completed the conversion before I do any more investigation.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
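As an added example (not code from the thread), here is a PHP feedback handler in the style of the version 2 modification described above: it validates the three fields, silently discards anything that fails the second-stage test while still showing the thank-you page, and tags each rendered form with a hidden version number and HMAC token so that a replayed POST built from an old copy of the form can be told apart from a forged one in the log. The secret, the mail address, the spam rule and the log path are assumed placeholders.

```php
<?php
// Added example, not code from the thread: feedback handler with the
// silent-discard behaviour of "version 2", plus a hidden form version and
// HMAC token so a replayed POST built from an older copy of the form is
// recognised and logged. SECRET, the address and log path are placeholders.
const FORM_VERSION = 2;
const SECRET = 'replace-with-a-long-random-secret';

function form_token(int $version): string {
    return hash_hmac('sha256', "feedback:$version", SECRET);
}

function render_form(): string {
    $v = FORM_VERSION;
    $t = htmlspecialchars(form_token($v), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"\">\n"
         . "<input type=\"hidden\" name=\"fv\" value=\"$v\">\n"
         . "<input type=\"hidden\" name=\"ft\" value=\"$t\">\n"
         . "Name: <input name=\"name\"> E-mail: <input name=\"email\">\n"
         . "<textarea name=\"message\"></textarea>\n"
         . "<button type=\"submit\">Send</button></form>\n";
}

// Second-stage test from the thread (placeholder rule: any link means spam).
function looks_like_spam(string $msg): bool {
    return (bool)preg_match('#https?://|<a\s#i', $msg);
}

// Returns the reason the post was discarded, or null when it was mailed.
function handle_post(array $post, string $client, string $logfile): ?string {
    $v = (int)($post['fv'] ?? 0);
    $t = (string)($post['ft'] ?? '');
    $name = trim($post['name'] ?? '');
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $msg = trim($post['message'] ?? '');
    if (!hash_equals(form_token($v), $t)) $reason = 'bad-token';        // forged request
    elseif ($v !== FORM_VERSION)          $reason = "stale-form v=$v"; // replay of an old form
    elseif ($name === '' || $email === false || looks_like_spam($msg)) $reason = 'rejected';
    else { mail('you@example.com', 'Feedback from XXX website', "From: $name <$email>\n\n$msg"); return null; }
    // Discard silently (version 2 behaviour) but record why, for later diagnosis.
    file_put_contents($logfile, date('c') . " $reason from $client\n", FILE_APPEND);
    return $reason;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_post($_POST, $_SERVER['REMOTE_ADDR'] ?? '-', __DIR__ . '/feedback.log');
    echo 'Thank you for your feedback';   // shown whether or not the message was kept
} else {
    echo render_form();
}
```

A run of "stale-form v=1" entries in the log would confirm that the daily messages come from an old copy of the form being replayed, while "bad-token" entries point to requests assembled without ever loading the current page.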

