I wonder if anybody can help me with a spam issue. I have a good few forms which in the last few hours are being hit with a lot of spam. What is puzzling me is that I have worked as hard as my knowledge of PHP will allow me to keep this at bay for quite a long time, but recently I seem to be beaten. One method I have tried to use was to have a question that needed to be answered before the form will submit, and I found once I started to get hit with spam I just had to change the question and it stopped, but not this time. I have even tried changing the names of the variables/fieldnames in the form/database this time, but nothing works. In the database generally the fields are given a null value and I'm very confused as to how the validation in these forms is being bypassed. I capture IPs but I know the limitations of these and recently they are all random. So looking at the code below, can anyone see how this breach is being made and what could I do to change this?
Here is a sample of two sites that are being hit right now. http://www.garycarswell.com/guestbook.php
http://www.killiangalligan.com/guestbook.php
Any help would be much appreciated, thanks.
Brian
    <?php
    // Test whether the POST array has been set and make certain
    // variables are initialized with no content.
    $pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
    if ($_POST && array_key_exists('sendCom', $_POST)) {
        $nospam = '';
        $nomessage = '';
        $error = array();
        $error_email = array();
        $message = '';
        $GuestEmail = $_POST['GuestEmail'];
        // Check each field and build errors array if problems found
        if (isset($_POST['Guest_Details']) && !empty($_POST['Guest_Details'])) {
            $message = strip_tags($_POST['Guest_Details']);
        } else {
            $nomessage = 'Message Required';
        }
        if (isset($_POST['Guest_Name']) && !empty($_POST['Guest_Name'])) {
            $Guest_Name = trim($_POST['Guest_Name']);
        } else {
            $error['Guest_Name'] = 'Name Required';
        }
        // Stop robots spamming the form
        // Conditional check for empty fields
        $spammed = trim(strtolower($_POST['StopSpam']));
        if ($spammed !== 'thursday' || empty($_POST['StopSpam'])) {
            $nospam = 'Answer Required';
        }
        // Removes HTTP:// or http:// and strips white space
        $url = trim($_POST['GuestWebsite']);
        if (strpos(strtolower($url), 'http://') === 0) {
            $url = substr($url, 7);
        }
        // Validate the email only if one was entered, otherwise ignore
        if (!empty($_POST['GuestEmail'])) {
            if (!preg_match($pattern, $GuestEmail)) {
                $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. It should be similar to the following: info@me.com';
            }
        }
    }

    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }

    $editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
        $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }

    // The insert below is gated on MM_insert, while the validation block above
    // only runs when sendCom is present in the POST.
    if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
        if (!$nomessage && !$error) {
            if (!$nomessage && !$error_email)
                if (!$nomessage && !$nospam) {
                    // If no errors, send email and redirect to acknowledgment page
                    // User has entered an email address send mail
                    mail($to, $subject, $message, $headers);
                    $insertSQL = sprintf("INSERT INTO tblguestbook (Guest_Name, GuestLocation, Guest_Details, GuestWebsite, GuestEmail, ip, GuestDate) VALUES (%s, %s, %s, %s, %s, '" . $_SERVER['REMOTE_ADDR'] . "', CURDATE())",
                        GetSQLValueString($_POST['Guest_Name'], "text"),
                        GetSQLValueString($_POST['GuestLocation'], "text"),
                        GetSQLValueString($_POST['Guest_Details'], "text"),
                        GetSQLValueString("$url", "text"),
                        GetSQLValueString($_POST['GuestEmail'], "text"));
                    mysql_select_db($database_carswell, $****);
                    $Result1 = mysql_query($insertSQL, $****) or die(mysql_error());
                    $insertGoTo = "guestbook.php";
                    if (isset($_SERVER['QUERY_STRING'])) {
                        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
                        $insertGoTo .= $_SERVER['QUERY_STRING'];
                    }
                    header(sprintf("Location: %s", $insertGoTo));
                }
        }
    }
    ?>
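The validation above only runs when `sendCom` is in the POST, while the INSERT only requires `MM_insert=form1`; a request carrying the second field but not the first skips every check and stores NULLs. The following is an added example, not Brian's code, of one validation path that gates the INSERT, using the same field names and answer as the post; it assumes a PDO connection is already available in `$pdo` and uses PDO instead of the original mysql_ calls.

```php
<?php
// Added example: every check runs on the same submission, and the INSERT
// happens only when the validation ran and produced no errors.
function validateGuestbook(array $post): array
{
    $errors = [];
    // The submit marker is checked inside the same function as the fields,
    // so no request can reach the INSERT without passing these checks.
    if (($post['MM_insert'] ?? '') !== 'form1') {
        $errors['form'] = 'Invalid submission';
    }
    if (trim($post['Guest_Name'] ?? '') === '') {
        $errors['Guest_Name'] = 'Name Required';
    }
    $message = strip_tags($post['Guest_Details'] ?? '');
    if (trim($message) === '') {
        $errors['Guest_Details'] = 'Message Required';
    }
    // Anti-spam question from the post; a missing field fails, it is never skipped.
    if (strtolower(trim($post['StopSpam'] ?? '')) !== 'thursday') {
        $errors['StopSpam'] = 'Answer Required';
    }
    $email = trim($post['GuestEmail'] ?? '');
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['GuestEmail'] = 'Invalid email address';
    }
    $url = trim($post['GuestWebsite'] ?? '');
    if (stripos($url, 'http://') === 0) {
        $url = substr($url, 7);   // same http:// stripping as the original
    }
    return ['errors' => $errors, 'message' => $message, 'email' => $email, 'url' => $url];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validateGuestbook($_POST);
    if ($result['errors'] === []) {
        // Prepared statement: values are bound, never spliced into the SQL string.
        $stmt = $pdo->prepare('INSERT INTO tblguestbook (Guest_Name, GuestLocation, Guest_Details, GuestWebsite, GuestEmail, ip, GuestDate) VALUES (?, ?, ?, ?, ?, ?, CURDATE())');
        $stmt->execute([
            trim($_POST['Guest_Name']),
            trim($_POST['GuestLocation'] ?? ''),
            $result['message'],
            $result['url'],
            $result['email'],
            $_SERVER['REMOTE_ADDR'],
        ]);
        header('Location: guestbook.php');
        exit;
    }
    // Otherwise redisplay the form and show $result['errors'] next to the fields.
}
```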