Spam what to do next?

Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Post by Addos »

http://www.leedaviesracing.com/guestbook_sign.php

I've been playing around with setting up my own 'Captcha' and
despite successfully getting it to run the script ok I'm still getting hit
by spam. Has anyone got any ideas? I can't understand how, with all the
conditional statements I run on the form fields plus the image to insert text from, spam is still
getting through. I can supply code no problem if necessary.

Thanks for any help

B
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Did you use an existing captcha routine?

We'll probably need to see full code.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Are you checking that the same form data hasn't already been submitted?
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Post by Addos »

Hi ya,
Thanks for the reply. This is the code I'm using to enter the details. I know there are probably better ways but I've only been learning PHP for the last 6 months so be patient.

Code:

<?php //session start for captcha
 session_start();

// Test whether the POST array has been set and make certain
// variables are initialized with no content.
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom',$_POST)) {
  $nomessage='';
  $error=array();
  $error_email=array();
  $message='';
  $GuestEmail= $_POST['GuestEmail'];
  $trimmedGuestDetails = $_POST['GuestDetails'];
// Trim out white space and strip out unwanted HTML
  $trimmedLocation=trim(strip_tags($_POST['GuestLocation']));
// Check each field and build errors array if problems found
if (isset($_POST['GuestDetails']) && !empty($_POST['GuestDetails'])) {
 $trimmedGuestDetails=trim(strip_tags($_POST['GuestDetails']));
  }
else {
  $nomessage = 'Message Required';
  }
if (isset($_POST['GuestName']) && !empty($_POST['GuestName'])) {
  $trimmedGuestName=trim(strip_tags($_POST['GuestName']));
  }
else {
  $error['GuestName'] = 'Name Required';
  }
 	// run Captcha
 if (md5($_POST['code']) != $_SESSION['key']) {
	  $error_code = 'Incorrect entry. Try again!';
	}
// Removes HTTP:// or http:// and strips white space and unwanted html tags
	 $url = trim(strip_tags($_POST['GuestWebsite']));
	 if (strpos(strtolower($url), 'http://') ===0) {
	 $url = substr($url, 7);
	}
 if (empty($_POST['GuestEmail'])) {// validation of email if inserted otherwise ignore
	 } else {
	 if (!preg_match($pattern,$GuestEmail)) $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
     }
	 }
	
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
// Note: $nomessage, $error, $error_email and $error_code are only assigned inside
// the 'sendCom' block above; if that block did not run they are all unset, so
// every one of the tests below passes and the insert goes ahead.
if (!$nomessage && !$error)  {
if (!$nomessage && !$error_email)
if (!$nomessage && !$error_code)
//if (!$nomessage && !$nospam)
 {
// If no errors, send email
	mail($to,$subject,$message,$headers); // etc...
				
		  $insertSQL = sprintf("INSERT INTO guestbook (GuestName, GuestLocation, GuestDetails, GuestWebsite, GuestEmail, ip, GuestDate) VALUES (%s,%s, %s, %s, %s, '".$_SERVER['REMOTE_ADDR']."', CURDATE())",
                       GetSQLValueString("$trimmedGuestName", "text"),
                       GetSQLValueString("$trimmedLocation", "text"),
                       GetSQLValueString("$trimmedGuestDetails", "text"),
                       GetSQLValueString("$url", "text"),
                       GetSQLValueString($_POST['GuestEmail'], "text"));

  mysql_select_db($database_davies, $davies);
  $Result1 = mysql_query($insertSQL, $davies) or die(mysql_error());

  $insertGoTo = "guestbook.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}}}?>
This is the captcha code that's in a separate page under the root folder.

Code:

<?php
//Start the session so we can store what the code actually is.
session_start();

//Now let's use md5 to generate a random-looking string, e.g. f918f4b8ead7cbbe96fa003abc32dec1

$md5 = md5(microtime() * mktime());
/*
We don't need a 32 character long string so we trim it down to 5, e.g. f918f of the above
*/
$string = substr($md5,0,5);
/*
Now for the GD stuff, for ease of use lets create
 the image from a background image.
*/

$captcha = imagecreatefrompng("image.png");

/*
Lets set the colours, the colour $line is used to generate lines.
 Using a blue misty colours. The colour codes are in RGB
*/

$black = imagecolorallocate($captcha, 0, 0, 0);
$line = imagecolorallocate($captcha,233,239,239);

/*
Now to make it a little bit harder for any bots to break, 
assuming they can break it so far. Lets add some lines
in (static lines) to attempt to make the bots life a little harder
*/
imageline($captcha,0,0,39,29,$line);
imageline($captcha,40,0,64,29,$line);
imageline($captcha,20,0,14,31,$line);
imageline($captcha,10,0,1,31,$line);
/*
Now for the all important writing of the randomly generated string to the image.
*/
imagestring($captcha, 5, 20, 10, $string, $black);

/*
Encrypt and store the key inside of a session
*/

$_SESSION['key'] = md5($string);

/*
Output the image
*/
header("Content-type: image/png");
imagepng($captcha);
?>
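A fail-closed version of the same checks, added here as an example and not Addos' code: every error variable starts out failing, the captcha key must exist in the session and is discarded after one use, aaronhall's duplicate check runs before the insert, and the insert sits inside the single gated branch with a prepared statement. It assumes the captcha page above still stores md5($string) in $_SESSION['key'], the table and column names from the post, and a PDO connection $pdo opened elsewhere (hypothetical name).

```php
<?php
// Added example, not the poster's code. Assumes the captcha page stores
// md5($string) in $_SESSION['key'] and that $pdo is a PDO connection
// opened elsewhere (hypothetical name).
session_start();

function validate_guestbook(array $post, array &$session): array
{
    $errors = [];
    // No key in the session means the captcha image was never fetched in this
    // session, so the submission fails instead of passing by default.
    $code = $post['code'] ?? null;
    if (empty($session['key']) || !is_string($code)
        || !hash_equals($session['key'], md5($code))) {
        $errors[] = 'Incorrect entry. Try again!';
    }
    unset($session['key']); // one-time use: a solved code cannot be replayed

    $name    = trim(strip_tags($post['GuestName'] ?? ''));
    $details = trim(strip_tags($post['GuestDetails'] ?? ''));
    $email   = trim($post['GuestEmail'] ?? '');
    if ($name === '')    { $errors[] = 'Name Required'; }
    if ($details === '') { $errors[] = 'Message Required'; }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'ERROR! Your email address seems to be invalid.';
    }
    return ['errors' => $errors, 'name' => $name, 'details' => $details, 'email' => $email];
}

// aaronhall's point: refuse a name+message pair that is already in the table.
function already_submitted(PDO $pdo, string $name, string $details): bool
{
    $q = $pdo->prepare('SELECT 1 FROM guestbook WHERE GuestName = ? AND GuestDetails = ? LIMIT 1');
    $q->execute([$name, $details]);
    return $q->fetchColumn() !== false;
}

if (isset($_POST['MM_insert']) && $_POST['MM_insert'] === 'form1') {
    $v = validate_guestbook($_POST, $_SESSION);
    // Every check lives in this one condition, so an unset variable can no
    // longer count as "no error"; otherwise redisplay the form with $v['errors'].
    if ($v['errors'] === [] && !already_submitted($pdo, $v['name'], $v['details'])) {
        $ins = $pdo->prepare('INSERT INTO guestbook (GuestName, GuestDetails, GuestEmail, ip, GuestDate)'
                           . ' VALUES (?, ?, ?, ?, CURDATE())');
        $ins->execute([$v['name'], $v['details'], $v['email'] === '' ? null : $v['email'],
                       $_SERVER['REMOTE_ADDR']]);
        header('Location: guestbook.php');
        exit;
    }
}
```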
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

I wonder if you read my question..
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Post by Addos »

Are you checking that the same form data hasn't already been submitted?
Hi Aaron,
Only getting to reply to this now too!

I’m not sure I follow what you ask me. In the database usually the values are all ‘null’ which really baffles me as I have statements running to try and stop this. When I do get a run of similar email addresses showing up in the database or anything else I usually run something like

Code:

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
if ($_POST['GuestEmail'] !== 'rgergerger')
if ($_POST['GuestEmail'] !== 'radtt@hotmail.com')
if ($_POST['GuestEmail'] !== 'jryfibofbvc')
if ($_POST['GuestEmail'] !== 'red@red.com')
if ($_POST['GuestEmail'] !== 'red%40red.com')
if ($_POST['GuestEmail'] !== 'dim@serbin.com')
if (!$nomessage && !$error)  {
if (!$nomessage && !$error_email)
if (!$nomessage && !$error_code)
and this quite often can be successful for a good time but lately nothing I do is stopping the database from being breached.

Let me know more if you can.
Thanks a mil
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

I was having the same spam problem on my email contact form... the solution I used was not to use standard names for the input elements... the spam bots will search out any input fields named "name, email, contact, etc..." so I just changed the names to "input_1, input_2" etc... it stopped the spam cold...
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

nice little trick, that has always worked for me