Spam getting past Conditional Statements

Post by Addos »

I wonder if anyone can help me understand why many of my forms are breached by spammers. I have run conditional statements (below) and, for example, on this specific page the 'first_name' and 'last_name' seem to be overridden by spam, because when I look in the MySQL database the 'null' values are showing up and I can't see how this is. When I test the form live I can't get it to submit until there is something filled into the form fields, but yet the spammer seems to be able to get past this. Can anyone give me an idea as to why this is?
Thanks very much for any advice.
Brian

Code:

/* Test whether the POST array has been set and make certain variables are initialized with no content. */
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom', $_POST)) {
    $messagefname = '';
    $trimedfirst_name = $_POST['first_name'];
    $messagelname = '';
    $trimedlast_name = $_POST['last_name'];
    $messageaddress = '';
    $trimedaddress = $_POST['address'];
    $messageemail = '';
    $email = $_POST['email'];
    $nospam = '';
    /* trim checks to see if the space bar has been used and if so sends an error;
       strip_tags strips out any unwanted HTML */

    // First Name Conditional Statement
    if (!trim($trimedfirst_name) && !empty($_POST['first_name'])) {
        $messagefname = '<b>Required!</b>';
    }
    if (isset($_POST['first_name']) && !empty($_POST['first_name'])) {
        $f_name_message = trim(strip_tags($_POST['first_name']));
    } else {
        $messagefname = '<b>Required</b>';
    }
    // Last Name Conditional Statement
    if (!trim($trimedlast_name) && !empty($_POST['last_name'])) {
        $messagelname = '<b>Required</b>!';
    }
    if (isset($_POST['last_name']) && !empty($_POST['last_name'])) {
        $l_name_message = trim(strip_tags($_POST['last_name']));
    } else {
        $messagelname = '<b>Required</b>';
    }
    // Address Conditional Statement
    if (!trim($trimedaddress) && !empty($_POST['address'])) {
        $messageaddress = '<b>Required!</b>';
    }
    if (isset($_POST['address']) && !empty($_POST['address'])) {
        $address_message = trim(strip_tags($_POST['address']));
    } else {
        $messageaddress = '<b>Required</b>';
    }
    // Email Conditional Statement
    if (isset($_POST['email']) && !empty($_POST['email'])) {
    } else {
        $messageemail = '<b>Required</b>';
    }
    // Stop robots spamming the form
    // Conditional check for empty fields
    $spammed = trim(strtolower($_POST['StopSpam']));
    if ($spammed === 'monday' && !empty($_POST['StopSpam'])) {
    } else {
        $nospam = '<b> Error: You must answer the question </b>';
    }
    if (empty($_POST['email'])) { // validation of email if inserted, otherwise ignore
    } else {
        if (!preg_match($pattern, $email)) $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
    }
}
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
	{ etc etc….
  }
  return $theValue;
  }

// If no errors, send email and redirect to acknowledgment page
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
if (!$messagefname && !$messagelname)
if (!$messagefname && !$messageaddress)
if (!$messagefname && !$messageemail)
if (!$messagefname && !$error_email)
if (!$nomessage && !$nospam)
{

  $insertSQL = sprintf("INSERT INTO paypal_support (),
 Etc etc

  /* strip new lines and carriage returns from any PHP string
     to combat the recent attack on vulnerable form headers */
  $original = $_POST['email'];
  function stripNewLines($original) {
    return preg_replace('/\r|\n/', ' ', $original);
  }

	Send mail etc
}}?>

Post by Cameri »

Phew... 8O such coding...
Can't help much but I'll try to fix whatever I can... rest is for your imagination!

Btw, I suggest you try harder e-mail validation techniques... google about it..

Note: I did not test any of this, use at your own risk xD!

Code:

/* Test whether the POST array has been set and make certain variables are initialized with no content. */
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if (isset($_POST['sendCom'])) {
    $skip = false;

    if (!isset($_POST['first_name']) || empty($_POST['first_name'])) {
        $messagefname = '<b>Required!</b>';
        $skip = true;
    } else {
        $f_name_message = trim(strip_tags($_POST['first_name']));
    }

    if (!isset($_POST['last_name']) || empty($_POST['last_name'])) {
        $messagelname = '<b>Required</b>!';
        $skip = true;
    } else {
        $l_name_message = trim(strip_tags($_POST['last_name']));
    }

    if (!isset($_POST['address']) || empty($_POST['address'])) {
        $messageaddress = '<b>Required!</b>';
        $skip = true;
    } else {
        $address_message = trim(strip_tags($_POST['address']));
    }

    // empty(), not !empty(): a missing or empty address is the error case
    if (!isset($_POST['email']) || empty($_POST['email']) || !preg_match($pattern, $_POST['email'])) {
        $messageemail = '<b>Required or Invalid</b>';
        $skip = true;
    } else {
        $email_message = $_POST['email'];
    }

    // Stop Robots spamming form <--- this anti-robot thing is useless, I suggest you read up on CAPTCHA, like on Wikipedia and then google on how to make your own CAPTCHA using PHP

    // If no errors, send email and redirect to acknowledgment page
    if (isset($_POST["MM_insert"]) && strcmp($_POST['MM_insert'], "form1") == 0 && !$skip) {
        $insertSQL = sprintf("INSERT INTO ...");
        //etc etc
    }
}
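An added example, not code from either post above, that follows the shape of Cameri's rewrite and also accounts for the symptom in the first post. In the original script the field checks only run inside the `sendCom` block, while the insert is gated on `MM_insert == "form1"` and tests `$messagefname` and friends, which are never assigned anywhere else; a request that carries `MM_insert` but not `sendCom` therefore reaches the insert with every check unset, which is consistent with the null rows in the database. Running one validation routine for every request, whatever submit key it carries, closes that gap. Assumes PHP 7.1 or later; the function and constant names are invented for the example, the field names are the thread's own.

```php
<?php
// Added example (not code from the thread). One validation routine runs for
// every POST, whatever submit key the request carries, and returns the list
// of errors; the insert only proceeds when that list is empty.
// Assumptions: PHP 7.1+, field names as used in the thread.

const REQUIRED_FIELDS = ['first_name', 'last_name', 'address', 'email'];
const EMAIL_PATTERN   = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
const STOPSPAM_ANSWER = 'monday';

/**
 * Validate a submitted form. Returns [cleanValues, errors].
 * Every required field is checked regardless of which button was pressed,
 * so a request that omits the normal submit key cannot reach the insert
 * with unvalidated (null) values.
 */
function validateForm(array $post): array
{
    $clean  = [];
    $errors = [];

    foreach (REQUIRED_FIELDS as $field) {
        // isset + trim rather than empty(): empty('0') is true, which would
        // wrongly reject a legitimate value of "0".
        $value = isset($post[$field]) ? trim(strip_tags((string) $post[$field])) : '';
        if ($value === '') {
            $errors[$field] = 'Required';
            continue;
        }
        $clean[$field] = $value;
    }

    if (isset($clean['email']) && !preg_match(EMAIL_PATTERN, $clean['email'])) {
        $errors['email'] = 'Invalid email address';
        unset($clean['email']);
    }

    // Challenge question from the thread, compared after normalising the answer.
    $answer = isset($post['StopSpam']) ? strtolower(trim((string) $post['StopSpam'])) : '';
    if ($answer !== STOPSPAM_ANSWER) {
        $errors['StopSpam'] = 'You must answer the question';
    }

    return [$clean, $errors];
}

// Constructed sample requests for demonstration.
$good = [
    'sendCom' => '1', 'MM_insert' => 'form1',
    'first_name' => 'Brian', 'last_name' => 'Smith',
    'address' => '1 High St', 'email' => 'info@me.com', 'StopSpam' => 'Monday',
];
// A request carrying only the insert marker: in the original script the
// validation block never ran for it, so every $message* variable stayed unset.
$partial = ['MM_insert' => 'form1'];

foreach (['good' => $good, 'partial' => $partial] as $label => $request) {
    [$clean, $errors] = validateForm($request);
    if ($errors === [] && ($request['MM_insert'] ?? '') === 'form1') {
        // The real insert belongs in a prepared statement (PDO/mysqli),
        // not a sprintf'd query string.
        echo "$label: ok, would insert " . json_encode($clean) . "\n";
    } else {
        echo "$label: rejected, " . json_encode($errors) . "\n";
    }
}
```

Run from the command line the script prints one "ok" line for the complete request and one "rejected" line listing all five errors for the request that only carries `MM_insert`.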

Post by neophyte »

One of the simplest ways to beef up security is to give your form a string token. This same string token is also stored in a session variable. When the form is submitted, the token stored in the session is compared to that found in the post. If the tokens match you process the form. If they do not match you send them back to an empty form or spit out an error message. Using similar techniques you can do things to prevent flooding. You'll probably want to read up on header injection with mail() too as this is a common problem with email forms.
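The token scheme neophyte describes, as an added example that is not from the thread: the token is generated per form render, stored in the session, and compared on submit; the stored copy is cleared after one comparison so the same token cannot be replayed. The second function covers the other thing neophyte points at, header injection through mail(): a CR or LF inside a value that ends up in a From: or Reply-To: header lets a sender append further header lines, so the value is refused rather than passed on. Assumes PHP 7 or later (random_bytes, hash_equals); the function names are invented for the example. As John Cartwright notes in the next reply, the token defends against submissions that never loaded your form, not against a script that fetches the form first.

```php
<?php
// Added example (not from the thread): a per-form token kept in the session,
// plus a guard against header injection in mail().
// Assumptions: PHP 7+; the caller has started the session; $session is
// passed in so the functions can be exercised without a web server.

/** Issue a token for the form and remember it in the session. */
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
    $session['form_token'] = $token;
    return $token;
}

/**
 * Check the token sent back with the form. hash_equals avoids leaking the
 * position of the first differing byte through timing; the stored token is
 * cleared first so a submission cannot be replayed with the same token.
 */
function checkFormToken(array &$session, array $post): bool
{
    $stored = $session['form_token'] ?? null;
    $sent   = $post['form_token'] ?? null;
    unset($session['form_token']);
    if (!is_string($stored) || !is_string($sent)) {
        return false;
    }
    return hash_equals($stored, $sent);
}

/**
 * A value is safe to place in a mail() header only if it contains no line
 * break; CR or LF would terminate the header and start a new one.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// --- Demonstration with constructed data ---
$session = [];
$token = issueFormToken($session);
// The form would carry: <input type="hidden" name="form_token" value="<?= $token ?>">

$submission = ['form_token' => $token, 'email' => 'info@me.com'];
var_dump(checkFormToken($session, $submission));   // bool(true)
var_dump(checkFormToken($session, $submission));   // bool(false): token already used

$from = $submission['email'];
if (isSafeHeaderValue($from)) {
    echo "From: $from is safe to use as a header\n";
}
$badFrom = "info@me.com\r\nX-Extra: injected";        // constructed bad input
var_dump(isSafeHeaderValue($badFrom));               // bool(false): refuse, do not send
```

Refusing the submission outright is simpler to reason about than stripping the line breaks (as the first post does with stripNewLines): there is no legitimate reason for a line break in an e-mail address field.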

Post by John Cartwright »

neophyte wrote: One of the simplest ways to beef up security is to give your form a string token. This same string token is also stored in a session variable. When the form is submitted, the token stored in the session is compared to that found in the post. If the tokens match you process the form. If they do not match you send them back to an empty form or spit out an error message. Using similar techniques you can do things to prevent flooding. You'll probably want to read up on header injection with mail() too as this is a common problem with email forms.
Isn't exactly the best option for preventing bots. For instance, a quick call with cURL can determine the form token with the help of regex, and using the same cURL handler proceed to make the necessary form submissions. All this forces the bot to do is use your actual form.

Even still, I would use a captcha if you are insistent on preventing bots -- although you should consider alternatives for visually impaired users (such as audio captcha).

Post by Addos »

Thanks for all this great help.
I've been playing with a tutorial setting up a Captcha and although I'm getting on relatively well, the code below seems to stop at header("Content-type: image/png"); imagepng($captcha); and not display the content between the <body></body> tags. As I'm new to PHP it's very puzzling. If I try to move anything from the head of the page I get the usual "cannot modify headers" message, so if you can point me in the right direction I'd be most grateful.
Thanks

Code:

<?php
// Start the session so we can store what the code actually is.
session_start();

// Now let's use md5 to generate a totally random string, e.g. f918f4b8ead7cbbe96fa003abc32dec1
$md5 = md5(microtime() * mktime());
/*
We don't need a 32 character long string so we trim it down to 5, e.g. f918f of the above
*/
$string = substr($md5, 0, 5);
/*
Now for the GD stuff; for ease of use let's create
the image from a background image.
*/
$captcha = imagecreatefrompng("captcha.png");

/*
Let's set the colours; the colour $line is used to generate lines.
Using blue misty colours. The colour codes are in RGB.
*/
$black = imagecolorallocate($captcha, 0, 0, 0);
$line = imagecolorallocate($captcha, 233, 239, 239);

/*
Now to make it a little bit harder for any bots to break,
assuming they can break it so far. Let's add some (static) lines
to attempt to make the bot's life a little harder.
*/
imageline($captcha, 0, 0, 39, 29, $line);
imageline($captcha, 40, 0, 64, 29, $line);
/*
Now for the all-important writing of the randomly generated string to the image.
*/
imagestring($captcha, 5, 20, 10, $string, $black);

/*
Hash the key (md5 is a hash, not encryption) and store it inside the session
*/
$_SESSION['key'] = md5($string);

/*
Output the image
*/
header("Content-type: image/png");
imagepng($captcha);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>

Code:

<?php
// Hash the posted code field and then compare with the stored key
if (md5($_POST['code']) != $_SESSION['key']) {
    die("Error: You must enter the code correctly");
} else {
    echo 'You entered the code correctly';
}
?>

Code:

<img src="<? $captcha?>" alt="Please enter the text here">
<form method="post" name="form1" action="">
<input type="text" name="Name" id="Name" size="32" value="" >
<input name="send" type="submit" id="send" value="Post Message" />
</form>
</body>
</html>
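An added example, not the tutorial's or the poster's code, showing the layout the segments above need: a response that sends "Content-type: image/png" followed by PNG bytes cannot also carry the HTML page, so the image has to come from a request of its own and that branch must stop (exit) before any HTML is emitted. Here a single script serves three cases, chosen by a query or post parameter: the image, the answer check, and the page whose img tag points back at the image branch. Splitting it into two files works just as well. Assumes GD is available, that captcha.png sits next to the script, and that the file is saved as captcha.php; the alphabet and code length are choices made for the example.

```php
<?php
// Added example (not the tutorial's code). One script, three branches:
//   captcha.php?img=1   -> generates the code, stores it, emits the PNG, exits
//   POST code=...       -> compares the answer with the stored code
//   anything else       -> renders the form
// Assumptions: GD extension, captcha.png next to this file, file is captcha.php.
session_start();

const CODE_LENGTH = 5;
const ALPHABET    = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I lookalikes

/** Random code from the CSPRNG; md5(microtime()) is predictable by comparison. */
function newCode(): string
{
    $alphabet = ALPHABET;
    $code = '';
    for ($i = 0; $i < CODE_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// 1. Image request: generate, store, emit the PNG, and stop.
if (isset($_GET['img'])) {
    $code = newCode();
    $_SESSION['captcha'] = $code;         // the session is server-side, so the plain code can be stored

    $captcha = imagecreatefrompng(__DIR__ . '/captcha.png');
    $black = imagecolorallocate($captcha, 0, 0, 0);
    $line  = imagecolorallocate($captcha, 233, 239, 239);
    imageline($captcha, 0, 0, 39, 29, $line);
    imageline($captcha, 40, 0, 64, 29, $line);
    imagestring($captcha, 5, 20, 10, $code, $black);

    header('Content-Type: image/png');
    header('Cache-Control: no-store');     // a cached image would outlive its session code
    imagepng($captcha);
    imagedestroy($captcha);
    exit;                                  // nothing else may be sent on this response
}

// 2. Form submission: compare once, then discard the stored code.
$result = '';
if (isset($_POST['code'])) {
    $expected = $_SESSION['captcha'] ?? '';
    unset($_SESSION['captcha']);           // one attempt per image; a new image must be loaded
    $ok = $expected !== '' && hash_equals($expected, strtoupper(trim((string) $_POST['code'])));
    $result = $ok ? 'You entered the code correctly' : 'Error: you must enter the code correctly';
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Captcha form</title></head>
<body>
<p><?= htmlspecialchars($result) ?></p>
<!-- 3. The page itself: the browser fetches the image in a separate request -->
<img src="captcha.php?img=1" alt="Please enter the text here">
<form method="post" action="captcha.php">
<input type="text" name="code" size="8" value="">
<input name="send" type="submit" value="Post Message">
</form>
</body>
</html>
```

The "cannot modify headers" message in the post above comes from the same rule: once any output (even a blank line before `<?php`) has been sent, header() can no longer run, which is why the image branch sits first and ends with exit.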

Post by feyd »

Are all these segments a single (continuous) file?

viewtopic.php?t=1157 may be of interest.

Post by Addos »

feyd wrote: Are all these segments a single (continuous) file?
I think so. As a beginner I'm a little in the dark. I tracked this tutorial down at http://codewalkers.com/tutorials/95/2.html and found it a good starting point. I even have a working page of exactly the entire code above at http://www.ahamay.com/caputra.php and if you look in source code it's completely blank and the Form is missing.

Thank you for this help and the link too.
B