Spam getting past Conditional Statements
Posted: Sat Nov 11, 2006 12:49 pm
I wonder if anyone can help me understand why many of my forms are breached by spammers. I have conditional statements (below) and, for example, on this specific page the ‘first_name’ and ‘last_name’ checks seem to be overridden by spam, because when I look in the MySQL database ‘null’ values are showing up and I can’t see how that happens. When I test the form live I can’t get it to submit until something is filled into the form fields, yet the spammer seems to be able to get past this. Can anyone give me an idea as to why?
Thanks very much for any advice.
Brian
Thanks very much for any advice.
Brian
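/**
 * Validate the support-form fields of one request.
 *
 * Pure function: it reads only $post (normally $_POST) and writes nothing
 * global, so the rules can be exercised without a live request. Missing
 * keys and non-string values (e.g. a field posted as name[]=...) are
 * treated as blank instead of raising notices or TypeErrors.
 *
 * @param array<string, mixed> $post         Submitted fields.
 * @param string               $emailPattern PCRE used to vet the e-mail address.
 * @return array{
 *     messagefname: string, messagelname: string, messageaddress: string,
 *     messageemail: string, nospam: string,
 *     f_name_message: ?string, l_name_message: ?string, address_message: ?string,
 *     email: string, error_email: array<string, string>
 * } Error slots hold '' when the field passed; the *_message slots hold the
 *   trimmed, tag-stripped value, or null when the field was missing/blank.
 */
function supportFormValidate(array $post, string $emailPattern): array
{
    $result = [
        'messagefname' => '',
        'messagelname' => '',
        'messageaddress' => '',
        'messageemail' => '',
        'nospam' => '',
        'f_name_message' => null,
        'l_name_message' => null,
        'address_message' => null,
        'email' => '',
        'error_email' => [],
    ];

    // Required free-text fields: [form key, error-message slot, sanitized-value slot].
    $requiredFields = [
        ['first_name', 'messagefname', 'f_name_message'],
        ['last_name', 'messagelname', 'l_name_message'],
        ['address', 'messageaddress', 'address_message'],
    ];
    foreach ($requiredFields as [$field, $errorKey, $valueKey]) {
        $raw = $post[$field] ?? '';
        if (!is_string($raw)) {
            // An array or other non-text value is not usable input; treat as missing.
            $raw = '';
        }
        if ($raw === '') {
            $result[$errorKey] = '<b>Required</b>';
        } elseif (trim($raw) === '') {
            // Whitespace-only entry keeps the original form's distinct wording.
            $result[$errorKey] = '<b>Required!</b>';
        } else {
            // strip_tags removes any markup before the value is stored or mailed.
            $result[$valueKey] = trim(strip_tags($raw));
        }
    }

    $emailRaw = $post['email'] ?? '';
    // trim() also drops a trailing newline, which `$` in the pattern would
    // otherwise accept (the pattern has no `D` modifier) and which must not
    // reach a mail header.
    $email = is_string($emailRaw) ? trim($emailRaw) : '';
    $result['email'] = $email;
    if ($email === '') {
        $result['messageemail'] = '<b>Required</b>';
    } elseif (!preg_match($emailPattern, $email)) {
        $result['error_email']['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
    }

    // Human check: the fixed answer "monday", compared case-insensitively.
    // A constant answer only stops bots that do not read the page, so on its
    // own this is a weak filter.
    $answer = $post['StopSpam'] ?? '';
    if (!is_string($answer) || trim(strtolower($answer)) !== 'monday') {
        $result['nospam'] = '<b> Error: You must answer the question </b>';
    }

    return $result;
}

/* Regex for the e-mail field; the matching itself happens in supportFormValidate(). */
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';

/* True only after the checks below have run for this request. They run when
   'sendCom' is posted, whereas the INSERT further down is gated on 'MM_insert';
   a POST that carries MM_insert but not sendCom therefore reaches the insert
   with every $message* variable unset, and `!$messagefname` etc. are then
   trivially true. The insert gate should also require $formValidated. */
$formValidated = false;

if ($_POST && array_key_exists('sendCom', $_POST)) {
    $formValidated = true;
    $check = supportFormValidate($_POST, $pattern);

    // Raw copies retained under their historical names for code further down.
    $trimedfirst_name = $_POST['first_name'] ?? '';
    $trimedlast_name = $_POST['last_name'] ?? '';
    $trimedaddress = $_POST['address'] ?? '';
    $email = $check['email'];

    // Per-field error markup ('' when the field passed).
    $messagefname = $check['messagefname'];
    $messagelname = $check['messagelname'];
    $messageaddress = $check['messageaddress'];
    $messageemail = $check['messageemail'];
    $nospam = $check['nospam'];
    $error_email = $check['error_email'];

    // Sanitized values are only defined when the field was actually filled in,
    // as in the original conditional assignments.
    if ($check['f_name_message'] !== null) {
        $f_name_message = $check['f_name_message'];
    }
    if ($check['l_name_message'] !== null) {
        $l_name_message = $check['l_name_message'];
    }
    if ($check['address_message'] !== null) {
        $address_message = $check['address_message'];
    }
}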
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{ etc etc….
}
return $theValue;
}
// If no errors, send email and redirect to acknowledgment page
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
if (!$messagefname && !$messagelname)
if (!$messagefname && !$messageaddress)
if (!$messagefname && !$messageemail)
if (!$messagefname && !$error_email)
if (!$nomessage && !$nospam)
{
$insertSQL = sprintf("INSERT INTO paypal_support (),
Etc etc
/*strip new lines and carriage returns from any PHP string
to comabt recent attack on vunerable form headers */
$original = $_POST['email'];
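/**
 * Replace every CR and LF in $original with a space.
 *
 * Used on values that are about to be placed in mail headers, where a bare
 * line break would start a new header. A null input (missing POST field)
 * yields '' instead of a deprecation notice, and a PCRE failure (which makes
 * preg_replace() return null) also yields '' rather than passing the raw
 * text through.
 *
 * @param ?string $original Text to clean.
 * @return string The text with each line-break character replaced by one space.
 */
function stripNewLines(?string $original): string
{
    if ($original === null || $original === '') {
        return '';
    }

    return preg_replace('/[\r\n]/', ' ', $original) ?? '';
}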
Send mail etc
}}?>