  1. #1
    Regular Coder
    Join Date
    Feb 2006
    Posts
    110
    Thanks
    23
    Thanked 0 Times in 0 Posts

    forms and php security

    I have a form (name, email and comments) which is being spammed mercilessly and I don't know what to do, as I have image verification and validation, and have changed the location of the form several times, but the spamming hasn't stopped!!!

    Has anyone got any solution? Or can anyone give me some valuable advice? Thank you.

  • #2
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,007
    Thanks
    2
    Thanked 311 Times in 303 Posts
    You would need to post your form code and your form processing code to get specific help with what they are or are not doing.

    There are several threads in this and almost every serious programming help forum, that you can search for, that discuss things like email header injection.

    Edit: You don't mention javascript, but the validation you do mention is probably using javascript. Here are some recent threads on the subject of form to email abuse -

    form validation - is being over ridden?
    HTML code (spam) in my form fields- Oh my!
    Form Spam: What happened, what to do?
    spam problem

    I even had someone in a different forum post the "ultimate" spam proof form code, but he passed the secret answer in a hidden form field and then blindly compared the entered answer with the secret answer. When both of them were empty (as in a script submitting the data) the test passed and sent the email...
    Last edited by CFMaBiSmAd; 04-02-2007 at 04:43 AM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #3
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,455
    Thanks
    8
    Thanked 1,084 Times in 1,075 Posts
    I have one suggestion that is easy to try.

    Create another "fake" form on your page, before the "real" form,
    and comment it out in your HTML code.

    Spammer robots will scan your HTML and see the "fake" form first.
    I've discovered that once they find the form, they look no further.

    Also, on your "real" form, for your form processing script, don't use
    script names such as email.php, formmail.php, etc. Make the
    script name cryptic ( "E3d8Uhk.php" ) ... same with your form variable names.

  • #4
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    One thing to remember with all these "tricks" is that there are a lot of people in low wage countries that spend their day spamming forms (and get paid to do it). So adding in measures like commented out forms and cryptic filenames won't benefit you all the time.

  • #5
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,007
    Thanks
    2
    Thanked 311 Times in 303 Posts
    If your form to email code is written securely, so that nothing bad that is put in a form field makes its way into the header field to set its own TO:, CC:, BCC:, ... field, then there is no way for a spammer to send his email through your code. If there is no benefit received, the spammer won't continue to abuse your code and there is no need for any of these "tricks." If you have securely written form to email code, you don't even need a captcha.
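    An added example, not part of the thread or any poster's code: one way to write the form-to-email handling described in post #5 so that form input cannot set its own To:, Cc: or Bcc: header. The field names follow the form in post #1; the function name, addresses and subject are assumptions, and passing headers to mail() as an array assumes PHP 7.2 or later.

```php
<?php
// Added example. Addresses, subject and function name are assumptions.
const RECIPIENT     = 'owner@example.com';   // fixed server-side, never read from the form
const ENVELOPE_FROM = 'webform@example.com'; // fixed sender for the site

/**
 * Validate the submitted fields and return [to, subject, body, headers],
 * or null when the submission must be rejected.
 */
function build_contact_mail(array $post): ?array
{
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $comments = (string)($post['comments'] ?? '');

    // Anything that reaches a header must not contain CR, LF or NUL:
    // a line break inside a header value starts a new header line.
    foreach ([$name, $email] as $value) {
        if ($value === '' || preg_match('/[\r\n\0]/', $value)) {
            return null;
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (trim($comments) === '') {
        return null;
    }

    // Free text goes into the body only; the visitor's address is used
    // as Reply-To, never as the recipient or the From address.
    $body    = "Name: $name\nEmail: $email\n\n" . $comments;
    $headers = ['From' => ENVELOPE_FROM, 'Reply-To' => $email,
                'Content-Type' => 'text/plain; charset=UTF-8'];
    return [RECIPIENT, 'Website contact form', $body, $headers];
}

// Constructed sample submissions: one ordinary, one carrying an extra header line.
$samples = [
    ['name' => 'Ann', 'email' => 'ann@example.org', 'comments' => 'Hello'],
    ['name' => 'Ann', 'email' => "ann@example.org\r\nBcc: list@example.net", 'comments' => 'Hello'],
];
foreach ($samples as $post) {
    $mail = build_contact_mail($post);
    echo $mail === null ? "rejected\n" : "accepted, Reply-To: {$mail[3]['Reply-To']}\n";
    // In the real handler: if ($mail !== null) { mail(...$mail); }
}
```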

  • #6
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    They don't look for this benefit. They hardly ever know whether it works or not.

    Just the chance of it working is enough.

