Web Forms Being exploited

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

brodie
Forum Newbie
Posts: 1
Joined: Sat Sep 10, 2005 11:15 pm

Post by brodie »

On my site I currently have a form where people can register to show interest.
The form is fairly simple and takes in quite a few bits of info. I process the form with PHP and send myself an email to let me know they have registered.

Now someone is, it seems, running his own script on my register page. He's filling in all the fields with dummy information and generating lots of registrations. So I keep getting lots of emails, and all these fake users.

I was wondering if there was any way I could stop a particular IP address from continually using the form, or if anyone knew where I could find some sort of extra validation, like using those images with verification keys in them. So an actual person has to sit down and fill them out.

I am going to include an email validation too, but this won't stop the script generating lots of dummy members.

Any help would be appreciated.

Cheers guys
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Browse through the various captcha classes on phpclasses.org: http://www.google.com/search?q=site%3Ap ... %20captcha
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

I don't even like to bother with captcha. Just require a user to sign up with an email, and make them verify their email with a verification link before it finalizes their account and sends you the email. Of course, limit an email to only one account; if you get an issue such as someone who writes a script to set up thousands of emails on their local MTA, you can ban their domain name.

Otherwise you can just ban their subnet by IP. As to how to ban by IPs, look at $_SERVER.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Not to mention relying on a user's IP to be authentic is total chaos. A user's IP may legitimately change several times through a session...
(cough cough AOL). Also, if a user is set up behind a proxy, banning his IP is utterly pointless, for obvious reasons.
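Putting josh's verification-link approach together with John's point that addresses rotate, here is an added PHP example (not code posted by anyone in the thread): a signed, expiring email-verification token, plus a per-address limit that expires instead of a permanent IP ban. The SECRET constant, the in-memory $hits array and the example.com addresses are assumptions.

```php
<?php
// Added example, not code from anyone in the thread. SECRET is an assumption
// (load it from config); $hits stands in for a real cache or table of counters.
declare(strict_types=1);

const SECRET = 'replace-with-a-long-random-value';

// Sign the email plus an expiry so the link only works for whoever received it and cannot be forged or reused forever.
function makeVerifyToken(string $email, int $expires): string {
    $payload = base64_encode(json_encode(['e' => $email, 'x' => $expires]));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// Returns the verified email, or null if the token is forged, malformed or expired.
function checkVerifyToken(string $token, int $now): ?string {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time, so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || ($data['x'] ?? 0) < $now) {
        return null;
    }
    return filter_var($data['e'] ?? '', FILTER_VALIDATE_EMAIL) ?: null;
}

// Per-address limit that expires on its own: addresses rotate (dial-up pools, proxies), so a temporary slowdown beats a permanent ban.
function allowSubmission(array &$hits, string $ip, int $now, int $max = 5, int $window = 3600): bool {
    if (!isset($hits[$ip]) || $now - $hits[$ip][0] >= $window) {
        $hits[$ip] = [$now, 0];
    }
    if ($hits[$ip][1] >= $max) {
        return false;
    }
    $hits[$ip][1]++;
    return true;
}
// Form handler: notify the site owner only from the verify page, after checkVerifyToken() succeeds, so unverified submissions never reach the inbox.
$hits = [];
if (allowSubmission($hits, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time())) {
    $link = 'https://example.com/verify.php?t=' . urlencode(makeVerifyToken('user@example.com', time() + 86400));
    // mail('user@example.com', 'Confirm your registration', $link);  // constructed address
}
```

The verify page reads $_GET['t'], calls checkVerifyToken() with time(), and only then records the registration and emails the owner.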