
Filtering Spam in PHP Form

I've created a contact form.  And when they fill it out, it goes to a page called mailprocess.php.   At the beginning of this page, I have the following:

<?php
#######################
//Including ZipCode File
#######################

include("/zipcodes.php");

#######################
//Setting Variables
#######################

$comments=$_POST["comments"];
$zip=$_POST["zip"];

#######################
//Checking Array
#######################

if (in_array($zip, $Huntsville)) {
    $my_email = "mine@email.com";
} elseif (in_array($zip, $Nashville)) {
    $my_email = "yours@email.com, mine@email.com, his@email.com, hers@email.com";
} else {
    $my_email = "love@email.com, mine@email.com, hers@email.com";
}


$continue = "/";
?>



What it is doing is seeing if the zipcode from the Form is found in an array and then it is sending the email to the appropriate people.  

The arrays are found on a file called zipcodes.php..   An array on this page might look like this:

<?php
$Nashville = array (37010, 37027, 37040, 37055, 37067);
?>



So I've created a new array and called it $Spam.   The purpose is to stop the form from processing in the event the "Comments" box has any URLs.  Specifically http.

Saying:

if (in_array($comments, $Spam);

That doesn't work because http://whatever.com is not equal to "http" that is in the array.

So my question is - how can I insert an if statement in the code above that will look for the word "http" in the comments box?   And if it is found - it will reroute to another page and if it is NOT found - then it will continue on to the If statements above and run accordingly.

Any ideas?

Thanks!
Asked by drymetal
 
Dave Baldwin (Fixer of Problems) commented:
Here is a little code that I use to check for active links in text that is passed to forms.  You can change the last 'if' statement to redirect to another page.  I just mark the message as spam.

$errcntr = 0; // set error counter to 0

function remoove(&$arg_1)
{
global $errcntr;
if(preg_match("/href/i",$arg_1)) {
	$errcntr = $errcntr + 1 ;
	}
if(preg_match("/http/i",$arg_1)) {
	$errcntr = $errcntr + 1 ;
	}
}

remoove ($text);  // checks the variable $text

if ($errcntr) $subjectText="SPAM-SPAM Request";


0
 
drymetal (Author) commented:
I don't recognize some of these things.  Can you break this down and explain it please?   Thanks!
0
 
Derek Jensen commented:
if(preg_match("/http/i", $comments)) {
    // redirect
}


will get the job done, but I can't help but recommend not checking just for http.

So, if you wanted to use an array of specific URLs to check for(much better solution), I'd do something like this:
if(preg_match("/http|www|\.com/i", $comments)) {    // can be expanded to check for additional key phrases in a URL
    $OkFlag = false;
    foreach($NotSpam as $url) {
        // preg_quote() escapes the "." and "/" in the URL so it is matched literally, not as regex syntax
        if(preg_match("/".preg_quote($url, "/")."/i", $comments)) {$OkFlag = true; break;}
    }
    if(!$OkFlag) {/*redirect*/}
}


This will allow you to check for *allowed* URLs, which is infinitely easier than trying to check for all spam URLs.

...Or you could just redirect if "http" is in the text at all. :)
0
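As an added example that is not code from the thread, here is the allow-list check described above with its two weak spots fixed: the allowed host goes through preg_quote() so its dots are matched literally, and the redirect sends a real Location header and then exits. extractHosts(), containsDisallowedLink() and $allowedHosts are assumed names (the thread calls its allow-list $NotSpam), and the check is placed before anything is stored, since formmail.php in this thread writes the row to the database before the filter is ever reached.

```php
<?php
// Added example, not code from the thread: allow-list URL check done the way
// the answer above intends, with preg_quote() so dots in an allowed host are
// matched literally, and a real Location header followed by exit.
// extractHosts(), containsDisallowedLink() and $allowedHosts are assumed names;
// the thread calls its allow-list $NotSpam.

function extractHosts(string $text): array
{
    // Pull out anything that looks like a host: "http://x.com", "www.x.com",
    // a bare "x.com", or the domain part of an e-mail address.
    $pattern = '~(?:https?://|www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})~i';
    preg_match_all($pattern, $text, $m);
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

function containsDisallowedLink(string $comments, array $allowedHosts): bool
{
    foreach (extractHosts($comments) as $host) {
        $ok = false;
        foreach ($allowedHosts as $allowed) {
            // preg_quote() is what the "/".$url."/i" pattern in the thread lacks;
            // (^|\.) lets sub.mysite.com pass but not evilmysite.com
            $re = '/(^|\.)' . preg_quote(strtolower($allowed), '/') . '$/';
            if (preg_match($re, $host)) {
                $ok = true;
                break;
            }
        }
        if (!$ok) {
            return true; // a host that is not on the allow-list
        }
    }
    return false;
}

// Run this at the very top of the handler, before the INSERT in formmail.php,
// so a rejected submission is never stored or mailed.
$allowedHosts = ['mysite.com'];            // constructed sample allow-list
$comments     = $_POST['comments'] ?? '';

if (containsDisallowedLink($comments, $allowedHosts)) {
    header('Location: http://mysite.com/'); // header() needs the "Location:" name
    exit;                                   // and nothing may run after it
}
```

An e-mail address in the comments is flagged too, because its domain part is extracted as a host, which matches what the question asks for.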
 
Dave Baldwin (Fixer of Problems) commented:
I set the $errcntr to 0.  Then I have a function remoove () that does a case-insensitive check of the variable $arg_1 for the presence of 'href' and 'http'.  If they are found, it increments the $errcntr.  "remoove ($text);" calls the function and passes the text variable to be checked.  You can use "remoove ($----);" for each of the text variables in your form.  When you're done checking, the last 'if' statement checks to see if any errors were reported.
0
 
Ray Paseur commented:
Consider adding a CAPTCHA test to the form.  This article talks a little about it.  In my experience, CAPTCHA is the best defense you can get against robot-spam.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
0
 
drymetal (Author) commented:
I've tried Bigdogman's suggestion.  I don't think I understand something though.  :(
BTW, sorry about the late response. The electric went out for a couple days and - well, P&J sandwiches are just as good as I remember.  : )

Here's the code I've created off your suggestion:

<?php
#######################
//E-Mail Sorting
#######################
include("zipcodes.php");
$comments = $_POST["comments"];
$zip = $_POST["zip"];
#######################
#######################
#######################
	
if(preg_match("/http|www|\.com/i", $comments))
{    // can be expanded to check for additional key phrases in a URL
    $OkFlag = false;
    foreach($NotSpam as $url)
    {
        if(preg_match("/".$url."/i", $comments))
        {
            $OkFlag = true; break;
        }
    }
    if(!$OkFlag)
    {
        header("http://mysite.com/");
    }
}
if (in_array($zip, $test))
{
    $my_email = "me@mysite.com";
}
elseif (in_array($zip, $Nashville))
{
    $my_email = "nashville@mysite.com";
}
else
{
    $my_email = "somebodyelse@mysite.com";
}
?>



It sorts the email fine based on zip codes.  But it isn't detecting any URL stuff in the contact form and seems oblivious to that part.  Did I not do something?  Thanks!
0
 
Derek Jensen commented:
No, um...everything looks fine. Is it getting inside the first preg_match test? You can do an echo inside each code block to see how far it's getting. And, what are you using for your comments?
0
 
drymetal (Author) commented:
Ok, no matter what, nobody should insert a link in the contact form.  It doesn't fit within the scope of what it is intended to be used for.  I don't know what is wrong.  So here is the process from start to finish:

First the form is located in /includes/form.php and it contains the following:
<?php 
 $ip2=$_SERVER['REMOTE_ADDR'];
 ?> 
 <div class="form"> 
      	  <p>Fill out our contact form and someone will contact you as soon as possible. </p>
      	  <form name="form1" method="post" action="/formmail.php" class="page-form">
      	    <fieldset><p>
      	      <label for="name"></label>
      	      <input name="name" type="text" class="leftfield" id="name" value="Your Name"  onFocus="if(this.value=='Your Name') {  this.value=''; }"
              onblur="if(this.value=='') { this.value='Your Name'; }">
      	      <label for="phone"></label>
      	      <input name="phone" type="text" class="rightfield" id="phone" value="Phone Number"  onFocus="if(this.value=='Phone Number') {  this.value=''; }"
              onblur="if(this.value=='') { this.value='Phone Number'; }">
      	    
      	      <label for="email"></label>
      	      <input name="email" type="text" class="leftfield" id="email" value="E-Mail Address"  onFocus="if(this.value=='E-Mail Address') {  this.value=''; }"
              onblur="if(this.value=='') { this.value='E-Mail Address'; }">
              
      	      <label for="address"></label>
      	      <input name="address" type="text" class="rightfield" id="address" value="Address"  onFocus="if(this.value=='Address') {  this.value=''; }"
              onblur="if(this.value=='') { this.value='Address'; }">

      	      <label for="city"></label>
      	      <input name="city" type="text" class="leftfield" id="city" value="City"  onFocus="if(this.value=='City') {  this.value=''; }"
              onblur="if(this.value=='') { this.value='City'; }">
      	      <label for="state"></label>
      	      <select name="state" class="rightfield" id="state"><option value="" selected="selected">State...</option> 
<option value="AL">Alabama</option> 
<option value="AK">Alaska</option> 
<option value="AZ">Arizona</option> 
<option value="AR">Arkansas</option> 
<option value="CA">California</option> 
<option value="CO">Colorado</option> 
<option value="CT">Connecticut</option> 
<option value="DE">Delaware</option> 
<option value="DC">District Of Columbia</option>
<option value="FL">Florida</option> 
<option value="GA">Georgia</option> 
<option value="HI">Hawaii</option> 
<option value="ID">Idaho</option> 
<option value="IL">Illinois</option> 
<option value="IN">Indiana</option> 
<option value="IA">Iowa</option> 
<option value="KS">Kansas</option> 
<option value="KY">Kentucky</option> 
<option value="LA">Louisiana</option> 
<option value="ME">Maine</option> 
<option value="MD">Maryland</option> 
<option value="MA">Massachusetts</option> 
<option value="MI">Michigan</option> 
<option value="MN">Minnesota</option> 
<option value="MS">Mississippi</option> 
<option value="MO">Missouri</option> 
<option value="MT">Montana</option> 
<option value="NE">Nebraska</option> 
<option value="NV">Nevada</option> 
<option value="NH">New Hampshire</option> 
<option value="NJ">New Jersey</option> 
<option value="NM">New Mexico</option> 
<option value="NY">New York</option> 
<option value="NC">North Carolina</option> 
<option value="ND">North Dakota</option> 
<option value="OH">Ohio</option> 
<option value="OK">Oklahoma</option> 
<option value="OR">Oregon</option> 
<option value="PA">Pennsylvania</option> 
<option value="RI">Rhode Island</option> 
<option value="SC">South Carolina</option> 
<option value="SD">South Dakota</option> 
<option value="TN">Tennessee</option> 
<option value="TX">Texas</option> 
<option value="UT">Utah</option> 
<option value="VT">Vermont</option> 
<option value="VA">Virginia</option> 
<option value="WA">Washington</option> 
<option value="WV">West Virginia</option> 
<option value="WI">Wisconsin</option> 
<option value="WY">Wyoming</option>
   	          </select>
      	      <label for="zip"></label>
      	      <input type="text" name="zip"  class="leftfield" id="zip" value="Zipcode"  onFocus="if(this.value=='Zipcode') {  this.value=''; }"
              onblur="if(this.value=='') { this.value='Zipcode'; }">
      	    <div class="clr"><p>Comments</p></div>
      	      <label for="comments"></label>
      	      <textarea name="comments" id="comments" cols="45" rows="5"></textarea>
               <!--Hidden Fields-->
                <input name="User Contacted Us From Page" type="hidden" value="<?php echo curPageURL();?>" />
                <input name="IP ADDRESS" type="hidden" value="<?php echo $ip2;?>" />

               <!--END OF HIDDEN FIELDS-->
      	      <input type="submit" name="submit" id="submit" value="Contact Us" class="button">
      	    </p>
      	 </fieldset>
  </form>
      	</div>




The form action is /formmail.php which contains the following:

<?php


$con = mysql_connect("localhost","username","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);
$sql="INSERT INTO contact (name, address, city, `state`, zip, phone, email, comments) VALUES ('$_POST[name]','$_POST[address]','$_POST[city]','$_POST[state]','$_POST[zip]','$_POST[phone]','$_POST[email]','$_POST[comments]')";
					   
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}


// Add this
include "/var/www/places/mysite.com/httpdocs/phpmail.php";
?>




Then - as you can see, it includes the phpmail.php file.   This contains a lot of code - all for processing the email but to keep this post from becoming a novel I'll post the first part that is important here:

<?php
#######################
//E-Mail Sorting
#######################
include("zipcodes.php");
$comments = $_POST["comments"];
$zip = $_POST["zip"];
#######################
#######################
#######################
	
if(preg_match("/http|www|\.com/i", $comments))
{    // can be expanded to check for additional key phrases in a URL
    $OkFlag = false;
    foreach($NotSpam as $url)
    {
        if(preg_match("/".$url."/i", $comments))
        {
            $OkFlag = true; break;
        }
    }
    if(!$OkFlag)
    {
        header("http://mysite.com/");
    }
}
if (in_array($zip, $test))
{
    $my_email = "test@mysite.com";
}
elseif (in_array($zip, $Nashville))
{
    $my_email = "nashville@mysite.com";
}
else
{
    $my_email = "everyone@mysite.com";
}
?>





Now, as you can see, it is looking at arrays in the zipcodes.php file.  This file looks like this in part:

<?php
$test = array(12345, 12346);
?>


<?php
$Nashville = array(37010, 37027, 37040, 37055, 37067, 37075, 37088, 37121, 37133, 37152, 37179, 37201, 37209, 37217, 37228, 37238, 37246, 37015, 37034);
?>




The thing that sucks is that I came up with this whole thing on my own.  And of course when I start getting spam, I decided to block anything with a URL in the comments.  <-That is a pain in the butt.  :(   I don't know why I'm having such a hard time wrapping my head around this.

Anyways, when I tested the form, it isn't redirecting when I put a url or email in the comments box.  (Email has .com in it...).  It just processes the form regardless.

This sucks.  :(  lol   Thanks

Oh in regards to Captcha, I've thought of that - but being someone who has to make 50 attempts to get the characters right on other sites - I don't necessarily think that is a good idea.
0
 
Derek Jensen commented:
Okay, so, couple things:
$sql="INSERT INTO contact (name, address, city, `state`, zip, phone, email, comments) VALUES ('$_POST[name]','$_POST[address]','$_POST[city]','$_POST[state]','$_POST[zip]','$_POST[phone]','$_POST[email]','$_POST[comments]')";


Bad bad bad bad bad bad BAD.

I hate to be over-dramatic here(and I'm praying this isn't what your code actually looks like), but this is about the fastest way to blow up your DB. You *cannot* use unfiltered, unvalidated, or otherwise unsanitized $_POST(or GET) variables in your insert query. This needs to be fixed Yesterday. Assuming that's what your code actually looks like.

Okay, moving on...

So, if you are trying to redirect *all* website addresses, then go with what I first posted. Keep in mind you're not going to catch all of them without a massive amount of regex tweaking, but here's a good start.

Replace all pre-existing URL redirect code w/this:
if(preg_match("/http|www/i", $comments)) {    // tweak this line if any URLs slip thru
    header("Location: http://mysite.com/");   // a redirect needs the "Location:" header name
    exit;                                     // stop here so the rest of the script never sends the mail
}



Also keep in mind that no one is going to be able to perfect this for you. You will have to learn regex sooner or later, so it might as well be sooner. ;-)
Also, you'll want to learn how to properly sanitize form data (if you don't know already).
Both of these you can learn all about from google. :-)

Having said that, here's why it wasn't working: You didn't define the $NotSpam array, so it had nothing to check against, so it never even got to the second regex test.
Moot at this point, of course, but just...FYI. :-)
0
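The fix the answer above is asking for, as an added example and not code from the thread: the same INSERT into the contact table, written with a PDO prepared statement so a quote in a form field is stored as data instead of becoming part of the query. saveContact() is an assumed name; the host, database name and credential placeholders are the ones shown in the thread's formmail.php.

```php
<?php
// Added example, not code from the thread: the formmail.php INSERT with a PDO
// prepared statement, so a quote in a form field is stored as data instead of
// changing the query. saveContact() is an assumed name; host, database and
// credential placeholders are the ones shown in the thread.

// The shape being replaced (from the thread), shown for comparison only:
//   $sql = "INSERT INTO contact (...) VALUES ('$_POST[name]', ... )";
// A single quote in any field ends the string literal and the rest of the
// value becomes SQL.

function saveContact(PDO $db, array $post): bool
{
    // Only these columns are accepted; any other key in $_POST is ignored.
    $fields = ['name', 'address', 'city', 'state', 'zip', 'phone', 'email', 'comments'];
    $values = [];
    foreach ($fields as $f) {
        $values[':' . $f] = isset($post[$f]) ? trim((string) $post[$f]) : '';
    }

    // Minimal validation: zipcodes.php compares the zip against integer arrays,
    // so anything but five digits cannot be routed and is rejected here.
    if (!preg_match('/^\d{5}$/', $values[':zip'])) {
        return false;
    }

    // The SQL text is fixed; every user value travels separately as a bound parameter.
    $stmt = $db->prepare(
        'INSERT INTO contact (name, address, city, `state`, zip, phone, email, comments)
         VALUES (:name, :address, :city, :state, :zip, :phone, :email, :comments)'
    );
    return $stmt->execute($values);
}

$db = new PDO(
    'mysql:host=localhost;dbname=database_name;charset=utf8mb4',
    'username',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

if (!saveContact($db, $_POST)) {
    die('Invalid form input');
}
```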
 
drymetal (Author) commented:
Thank you.  I am learning about your suggestions now.  Thanks for your help!
0
 
Derek Jensen commented:
Anytime! Glad I could help. :)
0
