  #1  New Coder (Join Date: Jul 2002, Posts: 49)

    web form problem

    I have a comment form on my site. I thought the code was fairly secure but I keep getting spam comments. Is there anything I can do to prevent that?

    PHP Code:
    if (isset($_POST['submit_comment'])) {

        if (empty($_POST['name']) || empty($_POST['email']) || empty($_POST['comment'])) {
            die("You have forgotten to fill in one of the required fields! Please make sure you submit a name, e-mail address and comment.");
        }

        $entry = htmlspecialchars(strip_tags($_POST['entry']));
        $timestamp = htmlspecialchars(strip_tags($_POST['timestamp']));
        $name = htmlspecialchars(strip_tags($_POST['name']));
        $email = htmlspecialchars(strip_tags($_POST['email']));
        $url = htmlspecialchars(strip_tags($_POST['url']));
        $comment = htmlspecialchars(strip_tags($_POST['comment']));
        $comment = nl2br($comment);

        if (!eregi("^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) {
            die("The e-mail address you submitted does not appear to be valid. Please go back and correct it.");
        }

        $result = mysql_query("INSERT INTO table (entry, timestamp, name, email, url, comment) VALUES ('$entry','$timestamp','$name','$email','$url','$comment')");

        header("Location: comment.php?id=" . $entry);
    }
    else {
        die("Error: you cannot access this page directly.");
    }


  #2  New to the CF scene (Join Date: Apr 2006, Posts: 7)
    One way to prevent this is to create a session variable with a random number for the ID of the form, e.g.

    PHP Code:
    session_start();
    $_SESSION['formid'] = mt_rand();
    then to pass that along as a hidden variable in your form:

    PHP Code:
    echo '<input type="hidden" name="form_id" value="' . $_SESSION['formid'] . '">';
    When you validate the form, check if
    PHP Code:
    $_POST['form_id'] == $_SESSION['formid']
    If they're equal, then
    PHP Code:
    unset($_SESSION['formid']);
    That should prevent both multiple posting and spam posts.

  #3  New Coder (Join Date: Jul 2002, Posts: 49)
    Thanks for the suggestion.

    I tried creating the random id and I got this error:

    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/blah/public_html/head.php:3) in /home/blah/public_html/comment.php on line 64

  #4  New to the CF scene (Join Date: Apr 2006, Posts: 7)
    When you do session_start, you can't have any output before it. No HTML, no echoes, nothing. So it's best if you do session_start() as the first line in the PHP file.

  #5  New Coder (Join Date: Jul 2002, Posts: 49)
    excellent! thank you.

  #6  New Coder (Join Date: Jul 2002, Posts: 49)
    I don't know if I've implemented everything correctly - I'm still getting spam comments...
    This is the form:
    PHP Code:
    <?
    session_start();
    $_SESSION['formid'] = mt_rand();

    <form method="post" action="process.php">
    <input type="hidden" name="id" value="<? echo $id ?>">
    <input type="hidden" name="timestamp" value="<? echo $timestamp ?>">
    <input type="hidden" name="form_id" value="<? $_SESSION['formid'] ?>">
    <table>
    <tr><td width="45">name:</td><td width="164"><input type="text" name="name" size="25"></td></tr>
    <tr><td width="45">email:</td><td width="164"><input type="text" name="email" size="25"></td></tr>
    <tr><td width="45">comment:</td><td width="164"><textarea cols="25" rows="5" name="comment"></textarea></td></tr>
    <tr><td colspan="2"><input type="submit" name="submit_comment" value="comment"></td></tr>
    </table>
    </form>
    This is the process script:
    PHP Code:
    <?
    if (isset($_POST['submit_comment'])) {

        if ($_POST['form_id'] == $_SESSION['formid']) {
            unset($_SESSION['formid']);
        }

        if (empty($_POST['name']) || empty($_POST['email']) || empty($_POST['comment'])) {
            die("You have forgotten to fill in one of the required fields!");
        }

        $id = htmlspecialchars(strip_tags($_POST['id']));
        $timestamp = htmlspecialchars(strip_tags($_POST['timestamp']));
        $name = htmlspecialchars(strip_tags($_POST['name']));
        $email = htmlspecialchars(strip_tags($_POST['email']));
        $comment = htmlspecialchars(strip_tags($_POST['comment']));
        $comment = nl2br($comment);

        if (!eregi("^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) {
            die("The e-mail address you submitted does not appear to be valid.");
        }

        $result = mysql_query("INSERT INTO table (id, timestamp, name, email, comment) VALUES ('$id','$timestamp','$name','$email','$comment')");

        header("Location: entry.php?id=" . $id);
    }
    else {
        die("Error: you cannot access this page directly.");
    }
    ?>
    Am I missing something?

  #7  Regular Coder (Join Date: Dec 2005, Posts: 346)
    Quote Originally Posted by angyl
    I don't know if I've implemented everything correctly - I'm still getting spam comments...
    This is the form:
    PHP Code:
    <?
    session_start();
    $_SESSION['formid'] = mt_rand();

    <form method="post" action="process.php">
    <input type="hidden" name="id" value="<? echo $id ?>">
    <input type="hidden" name="timestamp" value="<? echo $timestamp ?>">
    <input type="hidden" name="form_id" value="<? $_SESSION['formid'] ?>">
    <table>
    <tr><td width="45">name:</td><td width="164"><input type="text" name="name" size="25"></td></tr>
    <tr><td width="45">email:</td><td width="164"><input type="text" name="email" size="25"></td></tr>
    <tr><td width="45">comment:</td><td width="164"><textarea cols="25" rows="5" name="comment"></textarea></td></tr>
    <tr><td colspan="2"><input type="submit" name="submit_comment" value="comment"></td></tr>
    </table>
    </form>
    In this you didn't close your PHP tag after setting the session. Try that & see if that helps.

    Quote Originally Posted by angyl
    This is the process script:
    PHP Code:
    <?
    if (isset($_POST['submit_comment'])) {

        if ($_POST['form_id'] == $_SESSION['formid']) {
            unset($_SESSION['formid']);
        }

        if (empty($_POST['name']) || empty($_POST['email']) || empty($_POST['comment'])) {
            die("You have forgotten to fill in one of the required fields!");
        }

        $id = htmlspecialchars(strip_tags($_POST['id']));
        $timestamp = htmlspecialchars(strip_tags($_POST['timestamp']));
        $name = htmlspecialchars(strip_tags($_POST['name']));
        $email = htmlspecialchars(strip_tags($_POST['email']));
        $comment = htmlspecialchars(strip_tags($_POST['comment']));
        $comment = nl2br($comment);

        if (!eregi("^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) {
            die("The e-mail address you submitted does not appear to be valid.");
        }

        $result = mysql_query("INSERT INTO table (id, timestamp, name, email, comment) VALUES ('$id','$timestamp','$name','$email','$comment')");

        header("Location: entry.php?id=" . $id);
    }
    else {
        die("Error: you cannot access this page directly.");
    }
    ?>
    Am I missing something?
    The processing page looks ok...

  #8  New Coder (Join Date: Jul 2002, Posts: 49)
    Thanks for catching that I hadn't closed the PHP tag.

    On the actual page it is closed - I just missed it when I cut out the filler content between the head of the page and the entry form at the bottom.

    Any other suggestions?
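An added, self-contained version of the form-token scheme from post #2 applied to the scripts in post #6. This is example code written for this page, not code from the thread. It folds the form and the processing into one file (assumed name comment.php, assumed table `comments`, placeholder PDO DSN and credentials) so the session cookie and token are handled in one place. It also fixes the defects visible in the posted scripts that the replies did not mention: process.php never calls session_start(), so $_SESSION is empty there and the comparison can never match; a mismatch only skips the unset() instead of rejecting the post; the hidden field uses `<? $_SESSION['formid'] ?>` with no echo, so its value is always empty; mt_rand() is predictable, so the token is guessable; and htmlspecialchars() does not escape single quotes by default before PHP 8.1, so the interpolated INSERT is open to SQL injection. The deprecated eregi() check is replaced by filter_var(), and the timestamp comes from the database rather than the client.

```php
<?php
// Added example, not the thread's code. Renders the comment form on GET and
// validates/stores the submission on POST. Assumed names: comment.php,
// table `comments`, and the placeholder DSN/credentials below.

session_start();   // must run before any output, including a stray blank line before <?php

// Constructed connection; replace DSN and credentials for a real site.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function issue_form_token(): string
{
    // CSPRNG token stored in the session; mt_rand() output is predictable.
    $token = bin2hex(random_bytes(16));
    $_SESSION['formid'] = $token;
    return $token;
}

function check_form_token(?string $submitted): bool
{
    // Single-use: drop the stored token whether or not the check passes,
    // and compare in constant time.
    $expected = $_SESSION['formid'] ?? null;
    unset($_SESSION['formid']);
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit_comment'])) {
    // Reject on a missing or wrong token; the posted script only unset on a
    // match and carried on regardless.
    if (!check_form_token($_POST['form_id'] ?? null)) {
        http_response_code(403);
        die('Invalid or expired form token. Please reload the page and try again.');
    }

    $id      = $_POST['id'] ?? '';
    $name    = trim($_POST['name'] ?? '');
    $email   = trim($_POST['email'] ?? '');
    $comment = trim($_POST['comment'] ?? '');

    if ($name === '' || $email === '' || $comment === '') {
        die('You have forgotten to fill in one of the required fields!');
    }
    // filter_var() replaces the deprecated eregi() pattern from the thread.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        die('The e-mail address you submitted does not appear to be valid.');
    }
    if (!ctype_digit($id)) {
        die('Invalid entry id.');
    }

    // Bound parameters instead of string interpolation: htmlspecialchars()
    // leaves single quotes alone by default before PHP 8.1, so the original
    // INSERT was injectable. Store raw text and escape on output instead.
    $stmt = $db->prepare(
        'INSERT INTO comments (entry_id, created_at, name, email, comment)
         VALUES (:id, NOW(), :name, :email, :comment)'
    );
    $stmt->execute([
        ':id'      => (int) $id,
        ':name'    => $name,
        ':email'   => $email,
        ':comment' => $comment,
    ]);

    header('Location: entry.php?id=' . (int) $id);
    exit;
}

// GET: render the form with a fresh token. Note the echo (<?=) in the hidden
// field; the posted form used "<? $_SESSION['formid'] ?>" without one.
$token = issue_form_token();
$id    = (int) ($_GET['id'] ?? 0);
?>
<form method="post" action="comment.php">
<input type="hidden" name="id" value="<?= $id ?>">
<input type="hidden" name="form_id" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
<table>
<tr><td width="45">name:</td><td width="164"><input type="text" name="name" size="25"></td></tr>
<tr><td width="45">email:</td><td width="164"><input type="text" name="email" size="25"></td></tr>
<tr><td width="45">comment:</td><td width="164"><textarea cols="25" rows="5" name="comment"></textarea></td></tr>
<tr><td colspan="2"><input type="submit" name="submit_comment" value="comment"></td></tr>
</table>
</form>
```

One caveat on what the token buys you: it stops direct POSTs to the processing script and double submissions, which is what post #2 promises, but a bot that loads the form first receives a valid token and a session cookie, so it does not by itself stop comment spam. Rate limiting per session or address, a hidden honeypot field that humans leave empty, or a CAPTCHA address that separately.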
