Go Back   CodingForums.com > :: Server side development > PHP
Reload this Page Spam issue

Before you post, read our: Rules & Posting Guidelines

Reply
 
Thread Tools Rate Thread
Enjoy an ad free experience by logging in. Not a member yet? Register.
Old 05-17-2008, 02:44 PM   PM User | #1
nickyfraggle
Regular Coder

 
Join Date: Mar 2006
Posts: 196
Thanks: 27
Thanked 2 Times in 2 Posts
nickyfraggle is an unknown quantity at this point
Spam issue
Hello,

Some of my forms are being spammed.

So, the first thing I did was insert a php page called check.php which checks the values inputted using strpos().

So, anyone who fills in a form gets sent to this page, and if it looks like spam i.e contains dodgy words or href, it stops it being sent.

If not, it goes to a CGI file. The CGI file also has a referrer, and so cannot be accessed directly without going through a page on the website. (it checks the referring url).

But now I have a puzzle. This morning, one came through with a submit button on it (I deleted the submit button from my check.php page and auto submitted it on page load). Also, the submit button had the same name as the submit button on the form the user fills in.

So basically this means they came through the form, didn't go anywhere near the check.php file (When I tried to submit their post as a user, I got stopped when it went to the check.php page).

So my question is this:

Can a spammer change the action of a form? And if so, how do I stop this happening?

I just can't understand otherwise how they would have submitted the form with a submit button with the same name as the one on the initial form page (before it gets to check). Check.php does not send a submit button!

Thanks,

Nicky
nickyfraggle is offline   Reply With Quote
Old 05-17-2008, 03:19 PM   PM User | #2
CFMaBiSmAd
Senior Coder

 
CFMaBiSmAd's Avatar
 
Join Date: Oct 2006
Location: Denver, Colorado USA
Posts: 2,712
Thanks: 2
Thanked 251 Times in 243 Posts
CFMaBiSmAd is a jewel in the roughCFMaBiSmAd is a jewel in the roughCFMaBiSmAd is a jewel in the roughCFMaBiSmAd is a jewel in the rough
A script can submit anything to any page and if someone does not want to go to the trouble of writing a script, they can create a form (or simply grab a copy of your form and modify it) and run it on any web server that has an Internet connection and submit data to any page by just putting the correct URL in their action="..." parameter.

The address of your final form processing page is known from your check.php page and any data can be submitted directly to the final form processing page.

Using the referer for anything other than logging purposes is meaningless. A script can set the referer header to anything it wants (the popular phpproxy script deliberately sets it to the url being requested so that any request looks like it is coming from someone browsing on your site.)

Short answer - to be effective, you need to put any validation into the final form processing code or you need to pass the data from check.php to your final form processing code through session variables and not through $_POST/$_GET variables.
__________________
If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
CFMaBiSmAd is online now   Reply With Quote
Reply

Bookmarks

Jump To Top of Thread


« Previous Thread | Next Thread »
Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +1. The time now is 02:30 PM.
Advertisement
Log in to turn off these ads.