  1. #1
    New Coder
    Join Date
    Jan 2013
    Location
    Oregon
    Posts
    34
    Thanks
    5
    Thanked 0 Times in 0 Posts

    PHP Form getting spammed despite javascript validation

    I keep getting blank submissions from my php contact form even though if a human were to use it, it doesn't let them leave fields blank. So I know this is a web crawler thing. I know about robots.txt but I don't want to prevent my site from being indexed. I think I just want to prevent them from entering the php file. Is that possible? Or even the solution I'm looking for? Any suggestions are much appreciated!

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,281
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    Validate your form on the server side in php as well as on the client side in javascript.

    If you show us the code for your script we might be able to help
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #3
    New Coder
    Join Date
    Jan 2013
    Location
    Oregon
    Posts
    34
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Ok this is my code.

    PHP Code:
    <?php
    // Raw POST values copied straight into variables, with no validation
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    $reason = $_POST['reason'];

    $formcontent = "Web Contact Form Submitted from www.mywebsite.com \n Regarding: $reason \n From: $name \n Email: $email \n Message: $message";

    $recipient = "name@gmail.com";
    $subject = "The Whole You Now Contact Form from $name";
    // The unvalidated address is placed directly into the From: header
    $mailheader = "From: $email \r\n";

    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    echo "Thank You! Your message has been sent successfully!";
    ?>

  • #4
    Regular Coder patryk's Avatar
    Join Date
    Oct 2012
    Location
    /dev/couch
    Posts
    398
    Thanks
    2
    Thanked 64 Times in 64 Posts
    you can use a honeypot to trap bots. they work as well as captchas
    the trick is to name your form inputs in a smart way. you make your honeypot look like the message input, make the message input look like some optional data, and you hide the honeypot with css.

    in your processing script if the honeypot field isn't empty then you know it's a bot.

    -------------------------------------------------------------------------------
    "Real Programmers can write assembly code in any language" - Larry Wall

  • #5
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,592
    Thanks
    0
    Thanked 644 Times in 634 Posts
    Never write code such as:

    Code:
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    $reason = $_POST['reason'];
    You should always either sanitize or validate the $_POST fields BEFORE copying them to other fields - that's the entire point in using separate fields.

    For example:

    Code:
    $email = '';
    if (filter_var( $_POST['email'], FILTER_VALIDATE_EMAIL)) $email = $_POST['email'];
    ensures that $email will only ever contain an email address and cannot contain anything else - whereas $_POST['email'] can contain anything at all.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
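A handler that combines the two replies above, patryk's honeypot (#4) and felgall's server-side validation (#5), as an added example rather than code from the thread. The field names message_body (the real message) and message (the hidden honeypot), the CSS class and the "pretend it worked" response on a bot hit are assumptions; running the address through FILTER_VALIDATE_EMAIL before it reaches the From: header also keeps CR/LF out of the mail headers.

```php
<?php
// Added example, not code from the thread. Assumed form layout:
//   <input name="message_body">          the real message (deliberately dull name)
//   <input name="message" class="hp">    honeypot, hidden with CSS, must stay empty

function is_bot_submission(array $post): bool {
    // Humans never see the honeypot, so any content in it means automation.
    return isset($post['message']) && trim((string)$post['message']) !== '';
}

function validate_contact(array $post): ?array {
    // Returns the cleaned fields, or null if anything is blank or invalid.
    $name   = trim((string)($post['name'] ?? ''));
    $reason = trim((string)($post['reason'] ?? ''));
    $body   = trim((string)($post['message_body'] ?? ''));
    $email  = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || $reason === '' || $body === '' || $email === false) {
        return null;   // the blank submissions the OP sees stop here, JS or no JS
    }
    // $name goes into Subject:, so it must not carry CR/LF either
    // (FILTER_VALIDATE_EMAIL already rejects them for $email).
    if (preg_match('/[\r\n]/', $name)) {
        return null;
    }
    return ['name' => $name, 'email' => $email, 'reason' => $reason, 'message' => $body];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (is_bot_submission($_POST)) {
        // Answer as if it worked, but send nothing: the bot learns nothing.
        echo "Thank You! Your message has been sent successfully!";
        exit;
    }
    $clean = validate_contact($_POST);
    if ($clean === null) {
        http_response_code(400);
        echo "Please fill in every field with a valid value.";
        exit;
    }
    $formcontent = "Web Contact Form Submitted from www.mywebsite.com\n"
        . "Regarding: {$clean['reason']}\nFrom: {$clean['name']}\n"
        . "Email: {$clean['email']}\nMessage: {$clean['message']}";
    $recipient  = "name@gmail.com";            // recipient from the original post
    $subject    = "Contact Form from {$clean['name']}";
    $mailheader = "From: {$clean['email']}\r\n";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    echo "Thank You! Your message has been sent successfully!";
}
```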

  • #6
    Banned
    Join Date
    Mar 2013
    Posts
    139
    Thanks
    0
    Thanked 9 Times in 9 Posts
    Quote Originally Posted by patryk:
    in your processing script if honeypot field isn't empty then you know it's a bot.
    Even if the honeypot field is empty it could still be a bot. Honeypots are not 100% protection.

    If I wanted to attack a site, I would have a look at as much of the code (html, css, javascript) as possible to determine vulnerabilities and attempts at defence.

    Honeypots are then easily identifiable and subsequently side-stepped by people who know what they are doing.

  • #7
    New Coder
    Join Date
    Jan 2013
    Location
    Oregon
    Posts
    34
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by knightCoder:
    Even if the honeypot field is empty it could still be a bot. Honeypots are not 100% protection.

    If I wanted to attack a site, I would have a look at as much of the code (html, css, javascript) as possible to determine vulnerabilities and attempts at defence.

    Honeypots are then easily identifiable and subsequently side-stepped by people who know what they are doing.

    So what's the solution?

  • #8
    Regular Coder patryk's Avatar
    Join Date
    Oct 2012
    Location
    /dev/couch
    Posts
    398
    Thanks
    2
    Thanked 64 Times in 64 Posts
    @knightCoder: ...and if i were to spam a site i would use OCR to read captchas, or better yet i would find kids to spam it for me for a pack of candies. but so what? who writes a bot to target only one specific site? cmon

    @samuelito.mcf: validate your data in server-side script, and use captcha or/and honeypot to give bots a hard time.
    Last edited by patryk; 04-03-2013 at 04:33 PM.


  • #9
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,281
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    Quote Originally Posted by knightCoder:
    If I wanted to attack a site, I would have a look at as much of the code (html, css, javascript) as possible to determine vulnerabilities and attempts at defence.

    Honeypots are then easily identifiable and subsequently side-stepped by people who know what they are doing.
    Yes, but we're not talking about someone maliciously attacking the site, are we? We're talking about bots that probably scan millions of pages' HTML code looking for commonly named form elements in order to add them to their own database ready to send spam to.

    What you've said is fair of any attacker looking at any website they want to attack. If an experienced attacker wants to attack a site then unless the php coder is a pro (and also an IT security expert) they don't stand much chance against an experienced attacker anyway.

    The point is the op wants to reduce the amount of spam being sent to as little as possible. Using a honeypot will probably do this effectively, but using random field names would be better, along with an emailed confirmation link which withholds the form data in a table until the link is clicked.

    Again, even if you're not an attacker you could sit there submitting the form multiple times, so in reality your argument about an attacker looking at the source isn't overly persuasive from my POV.
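The confirmation-link approach suggested in the reply above, as an added example (not code from the thread). It assumes the sender's address was already validated with FILTER_VALIDATE_EMAIL, stores pending messages in a SQLite table via PDO, and uses a hypothetical confirm.php URL; the token is 128 bits from random_bytes and is consumed on first use.

```php
<?php
// Added example, not from the thread: park the submission in a table and
// deliver it only when the sender clicks an emailed confirmation link.
// SQLite via PDO, the table name, token size, 24 h expiry and the confirm
// URL are all assumptions.
function pending_store(): PDO {
    $db = new PDO('sqlite:' . __DIR__ . '/pending.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS pending (token TEXT PRIMARY KEY,
        email TEXT NOT NULL, body TEXT NOT NULL, created INTEGER NOT NULL)');
    return $db;
}

// Step 1: called by the form handler after server-side validation.
function hold_submission(PDO $db, string $email, string $body): string {
    $token = bin2hex(random_bytes(16));      // 128-bit, not guessable
    $db->prepare('INSERT INTO pending (token, email, body, created) VALUES (?, ?, ?, ?)')
       ->execute([$token, $email, $body, time()]);
    $link = 'https://www.mywebsite.com/confirm.php?t=' . $token;   // assumed URL
    mail($email, 'Please confirm your message', "Confirm by opening: $link\r\n");
    return $token;
}

// Step 2: confirm.php. Releases the message for a valid, unused, fresh token.
function confirm_submission(PDO $db, string $token, string $recipient): bool {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;                        // malformed: don't even query
    }
    $sel = $db->prepare('SELECT email, body, created FROM pending WHERE token = ?');
    $sel->execute([$token]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int)$row['created'] > 86400) {
        return false;                        // unknown or older than 24 h
    }
    // Delete before sending; rowCount() makes sure only one of two
    // concurrent clicks on the same link wins.
    $del = $db->prepare('DELETE FROM pending WHERE token = ?');
    $del->execute([$token]);
    if ($del->rowCount() !== 1) {
        return false;
    }
    return mail($recipient, 'Confirmed contact form message', $row['body'],
                "From: {$row['email']}\r\n");
}

// In confirm.php:
// $ok = confirm_submission(pending_store(), (string)($_GET['t'] ?? ''), 'name@gmail.com');
// echo $ok ? 'Thanks, your message has been delivered.' : 'This link is invalid or has expired.';
```

Expired rows are never purged here; a periodic DELETE on created older than the expiry keeps the table small.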

  • #10
    Banned
    Join Date
    Mar 2013
    Posts
    139
    Thanks
    0
    Thanked 9 Times in 9 Posts
    Quote Originally Posted by patryk:
    @knightCoder: ...who writes a bot to target only one specific site? cmon
    Surely you're not suggesting no-one ever has or that it still isn't done to some extent even today? It depends on the type of site and the intent of the attacker.

    But in any case, no CAPTCHA is 100% effective because you can always find a human who will be prepared to sit in front of a computer to bypass any CAPTCHA and send spam or whatever. With labour so cheap in some parts of the world, it is not an expensive exercise.

