Spam issue

05-17-2008, 03:44 PM

Some of my forms are being spammed.

So, the first thing I did was insert a php page called check.php which checks the values inputted using strpos().

So, anyone who fills in a form gets sent to this page, and if it looks like spam, i.e. contains dodgy words or href, it stops it being sent.

If not, it goes to a CGI file. The CGI file also has a referrer check, and so cannot be accessed directly without going through a page on the website (it checks the referring URL).

But now I have a puzzle. This morning, one came through with a submit button on it (I deleted the submit button from my check.php page and auto submitted it on page load). Also, the submit button had the same name as the submit button on the form the user fills in.

So basically this means they came through the form, didn't go anywhere near the check.php file (When I tried to submit their post as a user, I got stopped when it went to the check.php page).

So my question is this:

Can a spammer change the action of a form? And if so, how do I stop this happening?

I just can't understand otherwise how they would have submitted the form with a submit button with the same name as the one on the initial form page (before it gets to check). Check.php does not send a submit button!



05-17-2008, 04:19 PM
A script can submit anything to any page and if someone does not want to go to the trouble of writing a script, they can create a form (or simply grab a copy of your form and modify it) and run it on any web server that has an Internet connection and submit data to any page by just putting the correct URL in their action="..." parameter.

The address of your final form processing page is known from your check.php page and any data can be submitted directly to the final form processing page.

Using the referer for anything other than logging purposes is meaningless. A script can set the referer header to anything it wants (the popular phpproxy script deliberately sets it to the URL being requested so that any request looks like it is coming from someone browsing on your site).

Short answer: to be effective, you need to put any validation into the final form processing code, or you need to pass the data from check.php to your final form processing code through session variables and not through $_POST/$_GET variables.
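The two points of the reply above, as an added example in Python that is not part of this thread and is not the poster's check.php or CGI code. It simulates a spammer's script forging a POST with a chosen Referer header straight at the final handler, shows that a referer-only check waves it through, and then shows the fix: check.php stores validated data in the session and the final handler reads only the session, so a request that never passed through check.php has nothing to send. The site URL, the spam marker list, the field names and the handler names are all hypothetical stand-ins for the thread's setup.

```python
from urllib.parse import parse_qs, urlencode

# Constructed marker list, standing in for the poster's strpos() test for
# "dodgy words or href". Hypothetical, not the thread's real list.
SPAM_MARKERS = ("href", "[url", "http://")

SITE = "https://example.com"  # hypothetical site the forms live on


def looks_like_spam(fields):
    """Content check run over every submitted field."""
    blob = " ".join(str(v) for v in fields.values()).lower()
    return any(marker in blob for marker in SPAM_MARKERS)


def forge_post(fields, fake_referer):
    """What a spammer's script does: build a POST aimed straight at the final
    handler with whatever Referer header it likes. Returns (headers, body)
    exactly as the server sees them; no browser and no form page involved."""
    headers = {
        "Referer": fake_referer,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(fields)


def decode_body(body):
    """Server-side view of the urlencoded body (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# --- The thread's original design: check.php filters, the CGI trusts Referer ---
def weak_final_handler(headers, post):
    """Stands in for the CGI script: its only defence is the referring URL."""
    if not headers.get("Referer", "").startswith(SITE + "/"):
        return "rejected: bad referer"
    return "sent: " + post.get("message", "")


# --- The reply's fix: validate, pass data via the session, not via POST ---
def check_php(post, session):
    """check.php: validate, then stash the clean data in the session
    instead of re-posting it to the final handler."""
    if looks_like_spam(post):
        return "blocked"
    session["validated_form"] = dict(post)
    return "ok"


def fixed_final_handler(session):
    """Final handler reads only the session, never $_POST/$_GET, so a request
    that skipped check.php finds nothing to send."""
    data = session.pop("validated_form", None)
    if data is None:
        return "rejected: no validated data in session"
    if looks_like_spam(data):  # belt and braces: re-check at the final step
        return "rejected: spam"
    return "sent: " + data.get("message", "")


def run_demo():
    """Returns (weak handler result, bypass attempt on fixed handler,
    legitimate path through the fixed handler)."""
    # Constructed spam submission, complete with the form's own submit button
    # name, which is exactly what the poster saw arrive.
    spam = {"name": "bot", "submit": "Send", "message": "cheap stuff <a href=x>"}
    headers, body = forge_post(spam, SITE + "/contact.html")
    post = decode_body(body)
    weak = weak_final_handler(headers, post)  # forged Referer passes the check
    bypass = fixed_final_handler({})          # fresh session: nothing to send
    session = {}
    check_php({"name": "alice", "message": "hello"}, session)
    legit = fixed_final_handler(session)
    return weak, bypass, legit


if __name__ == "__main__":
    for label, result in zip(("weak", "bypass", "legit"), run_demo()):
        print(label, "->", result)
```

The forged request carries the same submit button name as the real form because the spammer simply copied the form and changed its action; the Referer header is just another field the script fills in. Moving the spam check into the final handler, or handing the data over through the session, removes the gap between check.php and the CGI that the forged request exploits.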