
Spam getting past Conditional Statements

Posted: Sat Nov 11, 2006 12:49 pm
by Addos
I wonder if anyone can help me understand why many of my forms are breached by spammers. I have run conditional statements (below) and for example in this specific page the ‘first_name’ and ‘last_name’ seem to be overridden by spam because when I look in the MySQL database the ‘null’ values are showing up and I can’t see how this is. When I test the form live I can’t get it to submit until there is something filled into the form fields but yet the spammer seems to be able to get past this. Can anyone give me an idea as to why this is?
Thanks very much for any advice.
Brian

Code:

/* Test whether the POST array has been set and make certain variables are initialized with no content. */
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom',$_POST)) {
  $messagefname='';
  $trimedfirst_name = $_POST['first_name'];
  $messagelname='';
  $trimedlast_name = $_POST['last_name'];
  $messageaddress='';
  $trimedaddress = $_POST['address'];
  $messageemail='';
  $email= $_POST['email'];
  $nospam='';
/* trim checks to see if space bar has been used and if so send an error
   strip_tags strips out any unwanted HTML */
   
// First Name Conditional Statement
    if (!trim($trimedfirst_name) && !empty($_POST['first_name'])) {
    $messagefname = '<b>Required!</b>';
    }
    if (isset($_POST['first_name']) && !empty($_POST['first_name'])) {
    $f_name_message=trim(strip_tags($_POST['first_name']));
    }else{
    $messagefname = '<b>Required</b>';
    }
// LastName Conditional Statement
    if (!trim($trimedlast_name) && !empty($_POST['last_name'])) {
     $messagelname = '<b>Required</b>!';
    }
	if (isset($_POST['last_name']) && !empty($_POST['last_name'])) {
	 $l_name_message=trim(strip_tags($_POST['last_name']));
	} else {
	 $messagelname = '<b>Required</b>';
	}
// Address Conditional Statement
   if (!trim($trimedaddress) && !empty($_POST['address'])) {
    $messageaddress = '<b>Required!</b>';
   }
   if (isset($_POST['address']) && !empty($_POST['address'])) {
    $address_message=trim(strip_tags($_POST['address']));
   }else{
   $messageaddress = '<b>Required</b>';
   }
// EmailConditional Statement
   if (isset($_POST['email']) && !empty($_POST['email'])) {
    }else{
   $messageemail= '<b>Required</b>';
   }
   // Stop robots spamming form
// Conditional check for empty fields
 $spammed = trim(strtolower($_POST['StopSpam']));
if ($spammed ==='monday' && !empty($_POST['StopSpam'])) {
}else{
   $nospam = '<b> Error: You must answer the question </b>';
 } 
 if (empty($_POST['email'])) {// validation of email if inserted otherwise ignore
	 } else {
	if (!preg_match($pattern,$email)) $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
    }
	}
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
	{ etc etc….
  }
  return $theValue;
  }

// If no errors, send email and redirect to acknowledgment page
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
if (!$messagefname && !$messagelname)
if (!$messagefname && !$messageaddress)
if (!$messagefname && !$messageemail)
if (!$messagefname && !$error_email)
if (!$nomessage && !$nospam) 
{

  $insertSQL = sprintf("INSERT INTO paypal_support (),
 Etc etc

 /* strip new lines and carriage returns from any PHP string
   to combat recent attack on vulnerable form headers */
  $original = $_POST['email'];
 function stripNewLines($original) {
   return preg_replace('/\r|\n/', ' ', $original);
   }
   
	Send mail etc
}}?>
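
A fail-closed arrangement of the checks in the script above, as an added example that is not part of the original post. In the posted code the validation block runs only when `sendCom` is present, while the insert is gated separately on `MM_insert` and on message variables that are set only inside that block; here a single validator must return no errors before the insert branch is reachable. The function name and the sample requests are hypothetical, and `filter_var` is swapped in for the posted e-mail regex.

```php
<?php
// Added example: fail-closed validation. Field names come from the post above;
// validate_support_form() and the $sample_* requests are hypothetical/constructed.

function validate_support_form(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['first_name', 'last_name', 'address'] as $field) {
        $raw = $post[$field] ?? '';
        // Clean first, then test what is left: a missing key, an array,
        // whitespace-only or markup-only input all end up as ''.
        $value = is_string($raw) ? trim(strip_tags($raw)) : '';
        if ($value === '') {
            $errors[$field] = 'Required';
        } else {
            $clean[$field] = $value;
        }
    }
    // filter_var is used here in place of the posted regex (a substitution).
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Required or invalid';
    } else {
        $clean['email'] = $email;
    }
    return [$errors, $clean];
}

// Constructed sample requests.
$sample_full  = ['MM_insert' => 'form1', 'sendCom' => 'Send', 'first_name' => 'Ann',
                 'last_name' => 'Lee', 'address' => '1 Main St', 'email' => 'ann@example.com'];
$sample_bare  = ['MM_insert' => 'form1'];        // no sendCom and no fields at all
$sample_blank = $sample_full;
$sample_blank['first_name'] = ' <b></b> ';       // empty once cleaned

foreach ([$sample_full, $sample_bare, $sample_blank] as $post) {
    // One gate: the insert branch is reachable only through the validator.
    [$errors, $clean] = validate_support_form($post);
    if (($post['MM_insert'] ?? '') === 'form1' && $errors === []) {
        echo "insert: ", implode(', ', $clean), "\n";   // the INSERT would go here
    } else {
        echo "rejected: ", implode(', ', array_keys($errors)), "\n";
    }
}
```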

Posted: Sat Nov 11, 2006 8:56 pm
by Cameri
Phew... 8O such coding...
Can't help much but I'll try to fix whatever I can... rest is for your imagination!

Btw, I suggest you try harder e-mail validation techniques... google about it..

Note: I did not test any of this, use at your own risk xD!

Code:

/* Test whether the POST array has been set and make certain variables are initialized with no content. */
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if (isset($_POST['sendCom'])) {
    $skip = false;
 
    if (!isset($_POST['first_name']) || empty($_POST['first_name'])) {
        $messagefname = '<b>Required!</b>';
        $skip = true;
    } else {
        $f_name_message = trim(strip_tags($_POST['first_name']));
    }

    if (!isset($_POST['last_name']) || empty($_POST['last_name'])) {
        $messagelname = '<b>Required</b>!';
        $skip = true;
    } else {
        $l_name_message = trim(strip_tags($_POST['last_name']));
    }

   if (!isset($_POST['address']) || empty($_POST['address'])) {
        $messageaddress = '<b>Required!</b>';
        $skip = true;
   } else {
        $address_message= trim(strip_tags($_POST['address']));
   }

  // Reject when the e-mail is missing, empty, or does not match the pattern
  if (!isset($_POST['email']) || empty($_POST['email']) || !preg_match($pattern,$_POST['email'])) {
        $messageemail= '<b>Required or Invalid</b>';
        $skip = true;
   }else{
        $email_message = $_POST['email'];
   }

   // Stop robots spamming form <--- this anti-robot thing is useless, I suggest you read up on CAPTCHA, like on Wikipedia and then google on how to make your own CAPTCHA using PHP

// If no errors, send email and redirect to acknowledgment page
if (isset($_POST["MM_insert"]) && strcmp($_POST['MM_insert'],"form1")==0 && !$skip) {
  $insertSQL = sprintf("INSERT INTO ...");
  //etc etc
}
} // end of if (isset($_POST['sendCom']))

Posted: Sat Nov 11, 2006 10:34 pm
by neophyte
One of the simplest ways to beef up security is to give your form a string token. This same string token is also stored in a session variable. When the form is submitted, the token stored in the session is compared to that found in the post. If the tokens match you process the form. If they do not match you send them back to an empty form or spit out an error message. Using similar techniques you can do things to prevent flooding. You'll probably want to read up on header injection with mail() too as this is a common problem with email forms.
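
The token check described in the post above, together with a simple minimum-interval flood check, as an added example that is not part of the original thread. The names `form_token`, `last_post`, `issue_form_token`, `check_form_token`, `too_soon` and the 30-second window are assumptions; the `sendCom` and `first_name` field names are taken from the form discussed earlier.

```php
<?php
// Added example: per-session form token with a minimum-interval flood check.
// All function, key and constant names here are hypothetical.
session_start();

const MIN_SECONDS_BETWEEN_POSTS = 30; // assumed throttle window

function issue_form_token(): string
{
    // Unpredictable value from the CSPRNG, remembered server-side.
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

function check_form_token(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    unset($_SESSION['form_token']);          // single use: a replayed POST fails
    return is_string($given) && $expected !== ''
        && hash_equals($expected, $given);   // constant-time comparison
}

function too_soon(): bool
{
    $last = $_SESSION['last_post'] ?? 0;
    return (time() - $last) < MIN_SECONDS_BETWEEN_POSTS;
}

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!check_form_token($_POST)) {
        $error = 'Form expired, please try again.';
    } elseif (too_soon()) {
        $error = 'Please wait before submitting again.';
    } else {
        $_SESSION['last_post'] = time();
        // Field validation and the database insert follow here.
    }
}
$token = issue_form_token(); // fresh token for the form rendered below
?>
<p><?php echo htmlspecialchars($error, ENT_QUOTES); ?></p>
<form method="post" action="">
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($token, ENT_QUOTES); ?>">
  <input type="text" name="first_name">
  <input type="submit" name="sendCom" value="Send">
</form>
```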

Posted: Sat Nov 11, 2006 11:17 pm
by John Cartwright
neophyte wrote: One of the simplest ways to beef up security is to give your form a string token. This same string token is also stored in a session variable. When the form is submitted, the token stored in the session is compared to that found in the post. If the tokens match you process the form. If they do not match you send them back to an empty form or spit out an error message. Using similar techniques you can do things to prevent flooding. You'll probably want to read up on header injection with mail() too as this is a common problem with email forms.

Isn't exactly the best option for preventing bots. For instance, a quick call with cURL can determine the form token with the help of regex, and using the same curl handler proceed to make the necessary form submissions. All this forces the bot to do is use your actual form.

Even still, I would use a captcha if you are insistent on preventing bots -- although you should consider alternatives for visually impaired users (such as audio captcha).

Posted: Sun Nov 12, 2006 5:30 pm
by Addos
Thanks for all this great help.
I’ve been playing with a tutorial setting up CAPTCHA and although I’m getting on relatively well the code below seems to stop at header("Content-type: image/png"); imagepng($captcha); and not display the content between the <body></body> tags. As I’m new to PHP it’s very puzzling. If I try to move anything from the head of the page I get the usual cannot modify headers message so if you can point me in the right direction I’d be most grateful.
Thanks

Code:

<?php
//Start the session so we can store what the code actually is.
session_start();

//Now lets use md5 to generate a totally random string eg f918f 4b8ead7cbbe96fa003abc32dec1

$md5 = md5(microtime() * mktime());
/*
We dont need a 32 character long string so we trim it down to 5 eg f918f of above
*/
$string = substr($md5,0,5);
/*
Now for the GD stuff, for ease of use lets create
 the image from a background image.
*/

$captcha = imagecreatefrompng("captcha.png");

/*
Lets set the colours, the colour $line is used to generate lines.
 Using a blue misty colours. The colour codes are in RGB
*/

$black = imagecolorallocate($captcha, 0, 0, 0);
$line = imagecolorallocate($captcha,233,239,239);

/*
Now to make it a little bit harder for any bots to break, 
assuming they can break it so far. Lets add some lines
in (static lines) to attempt to make the bots life a little harder
*/
imageline($captcha,0,0,39,29,$line);
imageline($captcha,40,0,64,29,$line);
/*
Now for the all important writing of the randomly generated string to the image.
*/
imagestring($captcha, 5, 20, 10, $string, $black);


/*
Encrypt and store the key inside of a session
*/

$_SESSION['key'] = md5($string);

/*
Output the image
*/
header("Content-type: image/png");
imagepng($captcha);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>

Code:

<?php
//Encrypt the posted code field and then compare with the stored key

if(md5($_POST['code']) != $_SESSION['key'])
{
  die("Error: You must enter the code correctly");
}else{
  echo 'You entered the code correctly';
}
?>

Code:

<img src="<? $captcha?>" alt="Please enter the text here">
<form method="post" name="form1" action="">
<input type="text" name="Name" id="Name" size="32" value="" >
<input name="send" type="submit" id="send" value="Post Message" />
</form>
</body>
</html>

Posted: Sun Nov 12, 2006 5:38 pm
by feyd
Are all these segments a single (continuous) file?

viewtopic.php?t=1157 may be of interest.

Posted: Sun Nov 12, 2006 5:49 pm
by Addos
feyd wrote: Are all these segments a single (continuous) file?

I think so. As a beginner I'm a little in the dark. I tracked this tutorial down at http://codewalkers.com/tutorials/95/2.html and found it a good starting point. I even have a working page of exactly the entire code above at http://www.ahamay.com/caputra.php and if you look in source code it's completely blank and the Form is missing.

Thank you for this help and the link too.
B