php error please help

Posted: Mon Jun 29, 2009 11:30 pm
by kintetaylor
I am in no way a programmer, I am a designer. My fiancée and I have created a site for our upcoming wedding, http://www.sonyandkinte.info/. We recently have been getting spam on our contact us form page. I tried to implement the code I found here http://webspamprotect.com/scripts_and_plugins.php to make it so spam bots cannot send us spam, and I get this error message.

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/k/i/n/kintetaylor/html/sonyandkinte/contact_us.php:6) in /home/content/k/i/n/kintetaylor/html/sonyandkinte/contact_us.php on line 175

The files in use are

http://www.sonyandkinte.info/contact_us.php and http://www.sonyandkinte.info/wsp_get_captcha.php
Can someone please tell me what the problem is or point me in the direction of another way to secure that portion of the site from spammers?

Thanks
Kinte :banghead:

Re: php error please help

Posted: Tue Jun 30, 2009 6:48 am
by kaisellgren
I think using a CAPTCHA is the best approach for you to take.

Open up contact_us.php and look at line 6. Is there an echo or something that outputs HTML/content? As the error says, you have output something before calling session_start(). Start the session at the very beginning of your documents and you shouldn't have problems with that.
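Here is what that ordering looks like in practice. This is an added example, not kaisellgren's code and not the webspamprotect.com script: it assumes the captcha script stores the expected answer in $_SESSION['captcha_answer'] (a hypothetical key; check what your own wsp_get_captcha.php actually sets) and that wsp_get_captcha.php serves the captcha as an image. The field names match the ones used later in this thread.

```php
<?php
// Added example, not code from the thread or from webspamprotect.com.
// The "headers already sent" warning means some output (even a single blank
// line or a UTF-8 byte-order mark before this "<?php") was emitted before
// session_start() ran. Rule: session_start() is the first statement, and
// nothing at all precedes the opening tag.
session_start();

// Diagnostic: if output did leak earlier (typically from an included file that
// has whitespace after its closing "?>"), headers_sent() reports the exact spot.
if (headers_sent($leakFile, $leakLine)) {
    error_log("contact_us.php: output already started in $leakFile on line $leakLine");
}

$formError = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Assumption: the captcha script stored the expected answer in
    // $_SESSION['captcha_answer'] (hypothetical key; adjust to your script).
    $expected = isset($_SESSION['captcha_answer']) ? (string) $_SESSION['captcha_answer'] : '';
    $given    = isset($_POST['captcha']) ? trim((string) $_POST['captcha']) : '';
    unset($_SESSION['captcha_answer']);   // each rendered form gets one attempt

    if ($expected === '' || !hash_equals($expected, $given)) {
        $formError = 'The verification code did not match. Please try again.';
    } else {
        // Captcha passed: validate the remaining fields and send the mail here.
    }
}
// Only now does HTML output begin; the session cookie header is already set.
?>
<!DOCTYPE html>
<html>
<head><title>Contact us</title></head>
<body>
<?php if ($formError !== ''): ?>
  <p class="error"><?= htmlspecialchars($formError, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="contact_us.php">
  <label>Your name <input type="text" name="Username"></label>
  <label>Your e-mail <input type="text" name="UserEmail"></label>
  <label>Subject <input type="text" name="Subject"></label>
  <label>Message <textarea name="Comments"></textarea></label>
  <img src="wsp_get_captcha.php" alt="verification code">
  <label>Type the code shown <input type="text" name="captcha"></label>
  <input type="submit" value="Send">
</form>
</body>
</html>
```

The usual culprit for "output started at line 6" is not an echo but an HTML doctype or a blank line sitting above the first `<?php`, so the whole PHP block has to move above the markup as shown. The captcha answer is cleared from the session once it has been checked, so a bot cannot solve one code and replay it.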

Re: php error please help

Posted: Tue Jun 30, 2009 11:21 am
by Eric!
If you have a simple contact form where you don't really want people sending you html or links then try these forceful methods of rejecting input. Filter your input variables through a function that checks for injection attempts so your mail doesn't get hijacked.

function InjectionAttempt($input) // this detects any injection characters
{
    // eregi() was deprecated in PHP 5.3 and removed in PHP 7; stripos() does the
    // same case-insensitive search. Form data in $_POST is already URL-decoded, so
    // the real line-break characters "\r" and "\n" are checked as well as the
    // encoded %0a / %0d text.
    $patterns = array("\n", "\r", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:");
    foreach ($patterns as $p)
    {
        if (stripos($input, $p) !== false)
        {
            return 1;  // bastards
        }
    }
    return 0;
}
 
function InjectionAttempt2($input) // use this for fields that contain return codes and line feeds
{
    // Same check without the line-break tests, so a multi-line message body passes.
    $patterns = array("Content-Type:", "bcc:", "to:", "cc:");
    foreach ($patterns as $p)
    {
        if (stripos($input, $p) !== false)
        {
            return 1;  // bastards
        }
    }
    return 0;
}
Use InjectionAttempt2 for fields that contain return characters, like a message body. Use InjectionAttempt for anything going into your header fields, like email addresses, subject, etc. If either function returns 1, then generate an error message and reload the contact form.

Here are some example calls to the injectionattempt functions. Excuse the old school printf, you can change these to echo.

    if(InjectionAttempt($_POST["Username"]) ) {printf ("Problem with Name Field<br>"); errormsg(); return;}
    if(InjectionAttempt($_POST["UserEmail"]) ) {printf ("Problem with your Email Field<br>"); errormsg(); return;}
    if(InjectionAttempt2($_POST["Comments"]) ) {printf ("Problem with Comments<br>"); errormsg(); return;}
    if(InjectionAttempt($_POST["Subject"]) ) {printf ("Problem with the Subject field<br>"); errormsg(); return;}
The errormsg() routine just tells them what cannot be entered (non-alphanumeric characters and to: bcc: cc: etc.).

Next for spam that is sent directly to you, just scan the message for links and reject the message.

 if(stripos($comments, "http") !== false) // does http appear anywhere in the text (case-insensitive)?
{
    errormsg2();  // this is a spam attempt.  Tell user no links allowed and reload form
    return;
}
errormsg2() just does what the comments say.

Make sure your error messages are verbose, explaining to the user exactly what they did wrong in case it is a legitimate user who innocently entered to: in the subject or http://visit.my.page in the message body.
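The same idea as Eric!'s two InjectionAttempt functions, pulled together into one validation routine. This is an added example, not Eric!'s code: the function names, the regular expressions and the two sample submissions at the bottom are all constructed here. It checks the decoded characters that actually arrive in $_POST, validates the e-mail address with filter_var(), and collects every problem so the error page can be as verbose as the post recommends.

```php
<?php
// Added example, not code from the thread. Same purpose as InjectionAttempt()
// and InjectionAttempt2(): keep header fields free of line breaks and smuggled
// header names, and keep links out of the message body.

// Header fields (name, From, Subject) may never contain a line break: a CR or LF
// would let a sender append their own Bcc:/Content-Type: lines to the mail.
function isSafeHeaderValue(string $value): bool
{
    // Raw CR/LF, plus the still-encoded forms in case raw query data is passed in.
    if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
        return false;
    }
    // Reject injected header names. \b avoids flagging words like "photo:".
    return !preg_match('/\b(?:bcc|cc|to|content-type)\s*:/i', $value);
}

// Body fields may contain newlines, so only look for a header at the start of a
// line and (optionally) for links, as the original stristr() check does.
function isSafeBody(string $body, bool $allowLinks = false): bool
{
    if (preg_match('/^[ \t]*(?:bcc|cc|to|content-type)[ \t]*:/im', $body)) {
        return false;
    }
    if (!$allowLinks && stripos($body, 'http') !== false) {
        return false;
    }
    return true;
}

// Validate a submitted form. Returns a list of user-readable problems; an empty
// list means the data is safe to put into mail headers and body.
function validateContactForm(array $post): array
{
    $errors  = array();
    $name    = trim((string) ($post['Username']  ?? ''));
    $email   = trim((string) ($post['UserEmail'] ?? ''));
    $subject = trim((string) ($post['Subject']   ?? ''));
    $body    = (string) ($post['Comments'] ?? '');

    if ($name === '' || !isSafeHeaderValue($name)) {
        $errors[] = 'Name may not contain line breaks or header text such as "to:".';
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL) || !isSafeHeaderValue($email)) {
        $errors[] = 'Please enter a single valid e-mail address, with no line breaks.';
    }
    if (!isSafeHeaderValue($subject)) {
        $errors[] = 'Subject may not contain line breaks or header text such as "bcc:".';
    }
    if (!isSafeBody($body)) {
        $errors[] = 'Links (anything containing "http") are not allowed in the message.';
    }
    return $errors;
}

// Constructed sample submissions, standing in for $_POST.
$legit = array(
    'Username'  => 'Sony',
    'UserEmail' => 'sony@example.com',
    'Subject'   => 'RSVP',
    'Comments'  => "We will be there!\nLove, S.",
);
$spam = array(
    'Username'  => 'Bot',
    'UserEmail' => "bot@example.com\r\nBcc: everyone@example.com",
    'Subject'   => 'Hi',
    'Comments'  => 'Buy now at http://example.com',
);

foreach (array('legit' => $legit, 'spam' => $spam) as $label => $submission) {
    $problems = validateContactForm($submission);
    echo $label, ': ', ($problems ? implode(' ', $problems) : 'accepted'), "\n";
}
```

Drop this in front of the mail() call and show every entry of the returned list on the reloaded form. The e-mail field is the one that matters most: it usually ends up in a From: or Reply-To: header, so it gets both the filter_var() check and the line-break check, and a real address never contains a newline.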