Check for characters that are not allowed

Masterslave · 02-26-2007, 06:41 PM

Hi all,

I've made a guestbook with PHP.
Some spammers put some text in the field and I get some sex ads in my guestbook that I don't want.
I want to stop this by making a reg.expr. that check for characters that are not allowed.
These are "<" ">" "[" "]".
I've chose these because the spammers uses HTML and BB-code tags.

Can anyone tell me how to make this.
My reg.expr skills aren't that good....

Can I do this with preg_match of ereg ?

PHP part guestbook.php

PHP Code:


			
session_start();
if ($_SERVER["REQUEST_METHOD"] == "GET")
{
    $_SESSION["guestbook"] = true;
}

MySQL:

PHP Code:


			
if (isset($_SESSION["guestbook"]))
    {
        if(isset($_POST['submit']))
        {
            if (trim(empty($_POST['name'])) || trim(empty($_POST['content']))) 
            {
                $error = "<br /><strong>Je dient je naam en bericht op te geven om een bericht te plaatsen.</strong>";
            }
            else
            {
                $commentInsert = " INSERT INTO
                                $guestbooktable
                                (
                                    name,
                                    email,
                                    website,
                                    content,
                                    ip,
                                    host
                                )
                                VALUES
                                (
                                    '" . mysql_real_escape_string($_POST['name']) . "',
                                    '" . mysql_real_escape_string($_POST['email']) . "',
                                    '" . mysql_real_escape_string($_POST['website']) . "',
                                    '" . mysql_real_escape_string($_POST['content']) . "',
                                    '" . mysql_real_escape_string($_POST['ip']) . "',
                                    '" . mysql_real_escape_string($_POST['host']) . "'
                                 )";
                $result = mysql_query($commentInsert) or die (mysql_error());
                header("Location: guestbook.php");
            }
        }
    }
    else
    {
        die();
    }

Thanks for your help.

Fumigator · 02-26-2007, 06:50 PM

Have you tried the strip_tags() function?

The BB Code is something you'd have to put effort into activating, so it should be easy to disable (sounds like you're using a canned script).

Other things you can try is keep track of the IPs of the spammers and blacklist those IPs, and add some sort of captcha to your form.

Masterslave · 02-26-2007, 06:58 PM

Quote:

Originally Posted by Fumigator

Have you tried the strip_tags() function?

The BB Code is something you'd have to put effort into activating, so it should be easy to disable (sounds like you're using a canned script).

Other things you can try is keep track of the IPs of the spammers and blacklist those IPs, and add some sort of captcha to your form.

Thanks for your reply. Maybe I wasn't clear in my startpost put when a user entered a invalid character then the text will NOT insert in the database.
Thus, stript_tags does strip the tags but inserted the rest of the text into the database.

What's a canned script?

Fumigator · 02-26-2007, 08:23 PM

Ah, so you want to disallow the entire message if someone tries to insert a tag. In that case you can compare the results of strip_tags() to the original string and if they are different, don't insert into the table-- print a nasty message instead.

Masterslave · 02-26-2007, 08:27 PM

Ok thats a good one.
So I've to compare the $_POST['content'] with the variable that has already striped the content. If they are equal then insert else die() or something like that.

Am I correct?

Edit:
Does strip_tag also strip the "[" and "]" ?

Masterslave · 03-01-2007, 03:41 PM

Sorry for my late reaction, I was busy the last 3 days.
Anyway, it is working now.
The "[" and "]" are allowed at the moment.
The spammers often uses HTML tags and BB-code together in one message so it won't post.
Thanks for your help Fumigator

apachehtaccess · 03-07-2007, 09:48 AM

Sometimes on my blog I get spammers who first try to access the uri using a random REQUEST_METHOD.. Mostly Options and Head..

You might look into blocking certain Request Methods.