Question

I am trying to create a hidden email field in my contact form that, when filled out, will not send me an email (meaning a spammer filled in the hidden email field) but instead just sends the spammer to a confirmation page saying that the email was sent.

I can't get it to work properly.

Test site - http://www.webexplosive.com/s1/contact.html

Here is my php script for the contact form:

<?php
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $email1 = $_POST ['email1'];
    $phone = $_POST ['phone'];
    $comments = $_POST ['comments'];
    $testBot = $_POST ['email2'];

    $headers = "MIME-Version: 1.0\r\n";
    $headers = "From: $email1";
    $to = 'beefjelly69@yahoo.com';
    $subject = 'Contact Form Submitted - Virginia Subsite';
    $message = "
    First name: $firstname \n
    Last name: $lastname \n
    Email: $email1 \n
    Phone: $phone \n
    Comments: $comments \n";

    mail($to, $subject, $message, $headers);

    header("Location: thankyou.html");

    if($testBot == "") { //If email2 form section is blank then... 
        $firstname = $_POST['firstname'];
        $lastname = $_POST['lastname'];
        $email1 = $_POST ['email1'];
        $phone = $_POST ['phone'];
        $comments = $_POST ['comments'];
        $testBot = $_POST ['email2'];

        $headers = "MIME-Version: 1.0\r\n";
        $headers = "From: $email1";
        $to = 'beefjelly69@yahoo.com';
        $subject = 'Contact Form Submitted - Virginia Subsite';
        $message = "
        First name: $firstname \n
        Last name: $lastname \n
        Email: $email1 \n
        Phone: $phone \n
        Comments: $comments \n";

        mail($to, $subject, $message, $headers);

        header("Location: thankyou.html");
    }
    else {
        header("Location: thankyou.html");

    }
?>

Solution 2

This is because you always call the mail form first. You need to validate it before you call it. Call the mail function after you have checked that the email2 field is empty.

As it is, it will always send the mail, before hitting the if statement.

Suggestion: Look into implementing a captcha or something similar to that.

Other tips

Code Technique

The best way I've seen for weeding out bots and spammers in comment and public forms, without captcha, is to generate a random md5 hash (each refresh should render the previous hash useless), store said hash in a cookie (for POST retrieval), then append the hash string to each input[name=username_d109770c2788b022deb0fac1182c9e19] (I'd also POST the hash on the form, and validate the POST against the cookie).

The benefit of hashing input field names is that it increases the difficulty of bots being able to hard-code to specific inputs (plus passive server validation).

Once you've done this, simply add input validation such as email regular expressions and so forth.

Security Technique

Install the honeypot project on your server; it has 101,130,389 spam servers identified as of 8:48 PM, 19/02/2014 (UTC+12:00).

Project Honey Pot is a web based honeypot network which uses software embedded in web sites to collect information about IP addresses used when harvesting e-mail addresses for spam
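The "Code Technique" above describes per-page-load field names with a random suffix that the server validates on POST. The following is an added example of that idea, not the answerer's code: it stores the token in the PHP session (which is cookie-backed, so the client cannot choose the value the server compares against) instead of a raw cookie, uses random_bytes() instead of md5, and makes each token single-use. The field names, the "soobmeet" submit button, thankyou.html and the single self-posting script are assumptions for illustration; it needs PHP 7.1 or later. As the answer itself notes, this raises the cost for bots that hard-code field names; a bot that fetches the form before posting still gets through, so it belongs beside, not instead of, the other checks.

```php
<?php
// Added example: per-page-load tokenised field names validated against the session.
session_start();

// Create a fresh token for this page load and remember it server-side.
function newFormToken(): string {
    $token = bin2hex(random_bytes(16));   // 32 hex chars, same length as the md5 in the answer
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Tokenised name for a field, e.g. firstname_<token>.
function fieldName(string $base, string $token): string {
    return $base . '_' . $token;
}

// Validate a POST against the session: the posted token must match, must be recent,
// and every expected field must be present under its tokenised name.
// Returns the field values, or null when the submission is rejected.
function readTokenisedPost(array $post, array $session, array $fields, int $maxAge = 1800): ?array {
    if (!isset($post['form_token'], $session['form_token'], $session['form_token_time'])) {
        return null;
    }
    if (!hash_equals($session['form_token'], (string) $post['form_token'])) {
        return null;                       // token mismatch: replayed or hard-coded form
    }
    if (time() - $session['form_token_time'] > $maxAge) {
        return null;                       // stale form
    }
    $out = [];
    foreach ($fields as $f) {
        $key = fieldName($f, $session['form_token']);
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;                   // a bot posting plain "firstname" etc. fails here
        }
        $out[$f] = $post[$key];
    }
    return $out;
}

$fields = ['firstname', 'lastname', 'email1', 'phone', 'comments'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = readTokenisedPost($_POST, $_SESSION, $fields);
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);   // one use per token
    if ($data === null) {
        http_response_code(400);
        exit('Form rejected.');
    }
    // $data now holds the five field values keyed by their plain names;
    // per-field validation and the mail() call go here.
    header('Location: thankyou.html');
    exit;
}

// GET: render the form with a fresh token and tokenised input names.
$token = newFormToken();
echo '<form method="post">';
echo '<input type="hidden" name="form_token" value="' . htmlspecialchars($token) . '">';
foreach ($fields as $f) {
    echo '<label>' . htmlspecialchars($f) . ' <input type="text" name="'
        . htmlspecialchars(fieldName($f, $token)) . '"></label>';
}
echo '<input type="submit" name="soobmeet" value="Send"></form>';
```

hash_equals() is used for the comparison so the check takes the same time whether the token matches or not, and the token is removed from the session before the result is examined so that a rejected or accepted POST can never be replayed with the same value.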

Here's a revised version of your code with basic form validation (but it only checks for empty fields, it doesn't check if the e-mail is valid - you can easily add that though) and more importantly, email header injection protection.

Note: I didn't test this code and it may fail miserably - feel free to downvote if that's the case

<?php
// Form validation, display errors
// in case of empty fields

$fields = ["firstname", "lastname", "email1", "phone", "comments"];

foreach ($fields as $field) {
    if (!isset($_POST[$field]) || empty($_POST[$field])) {
        die("Error, ".$field." can't be empty, please retry."); // if validation fails we stop the script
    }
}

if (isset($_POST["email2"]) && !empty($_POST["email2"])) {
    die(); // hidden field isn't empty, so it's spam, so we stop there
}

// e-mail header injection protection: the sanitize filter strips CR/LF and
// anything else that cannot appear in an address
$email1 = filter_var($_POST["email1"], FILTER_SANITIZE_EMAIL);


$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$phone = $_POST ['phone'];
$comments = $_POST ['comments'];

// append with .= so the MIME header is not overwritten by the From header
$headers = "MIME-Version: 1.0\r\n";
$headers .= "From: $email1";
$to = 'beefjelly69@yahoo.com';
$subject = 'Contact Form Submitted - Virginia Subsite';
$message = "
First name: $firstname \n
Last name: $lastname \n
Email: $email1 \n
Phone: $phone \n
Comments: $comments \n";

mail($to, $subject, $message, $headers);

header("Location: thankyou.html");
exit;
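The answer above points at two things the original script lacks: per-field validation and protection against e-mail header injection (a visitor-supplied address containing a line break would otherwise let extra headers be appended to the From: line). The following is an added example of a complete handler along those lines, written for this page and not taken from the answer: the honeypot is checked first, each field is validated with a return value rather than die(), the visitor's address is validated with FILTER_VALIDATE_EMAIL (which rejects CR/LF outright instead of silently stripping it), and the headers are built with .= so the MIME line survives. The field names, email2 honeypot and thankyou.html come from the question; the sender address, recipient, phone pattern and length limits are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example: validated contact-form handler with header-injection protection.

// Return an error string for a bad field value, or null when the value is acceptable.
function validateField(string $name, string $value): ?string {
    $value = trim($value);
    if ($value === '') {
        return "$name can't be empty";
    }
    switch ($name) {
        case 'email1':
            // FILTER_VALIDATE_EMAIL fails on any address containing CR or LF,
            // so no line break can ever reach the mail headers.
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                return 'email1 is not a valid address';
            }
            break;
        case 'phone':
            if (!preg_match('/^[0-9 +().-]{6,20}$/', $value)) {   // assumed pattern
                return 'phone has an unexpected format';
            }
            break;
        case 'comments':
            if (strlen($value) > 2000) {                           // assumed limit
                return 'comments is too long';
            }
            break;
        default: // firstname, lastname
            if (strlen($value) > 80 || preg_match('/[\r\n]/', $value)) {
                return "$name has an unexpected format";
            }
    }
    return null;
}

// Validate a whole submission. Returns [fields, errors]; fields is empty whenever
// errors is non-empty. A filled honeypot ('email2') yields the single error 'honeypot'.
function validateSubmission(array $post): array {
    if (isset($post['email2']) && $post['email2'] !== '') {
        return [[], ['honeypot']];
    }
    $fields = [];
    $errors = [];
    foreach (['firstname', 'lastname', 'email1', 'phone', 'comments'] as $name) {
        $value = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
        $err = validateField($name, $value);
        if ($err !== null) {
            $errors[] = $err;
        } else {
            $fields[$name] = trim($value);
        }
    }
    return $errors ? [[], $errors] : [$fields, []];
}

// Build the headers with .= so nothing is overwritten. From: is the site's own
// address (placeholder) and the visitor goes in Reply-To:, which keeps the mail
// deliverable under SPF/DMARC and still lets you answer with one click.
function buildHeaders(string $visitorEmail): string {
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";
    $headers .= "From: contact-form@example.com\r\n";
    $headers .= "Reply-To: $visitorEmail";
    return $headers;
}

[$fields, $errors] = validateSubmission($_POST);

if (in_array('honeypot', $errors, true)) {
    header('Location: thankyou.html');   // the bot sees the same page a human would
    exit;
}
if ($errors) {
    http_response_code(400);
    exit('Error: ' . htmlspecialchars(implode('; ', $errors)));
}

$message = "First name: {$fields['firstname']}\n"
         . "Last name: {$fields['lastname']}\n"
         . "Email: {$fields['email1']}\n"
         . "Phone: {$fields['phone']}\n"
         . "Comments: {$fields['comments']}\n";

mail('you@example.com', 'Contact Form Submitted - Virginia Subsite', $message, buildHeaders($fields['email1']));
header('Location: thankyou.html');
exit;
```

Every header() redirect is followed by exit; without it the rest of the script (including mail()) still runs, which is the same class of mistake the question's script makes by calling mail() before its if statement.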

(A late answer, but could prove to be useful down the road).

Generally, SPAMBOTS will look for a form element called email or contact or any visible input they can put their little spammy hands on.

What you could do is to show/mark an input stating "If you're human, DO NOT fill this".

For example:

If you're human, DO NOT fill this: <input type="text" name="email">

then check if the field is not empty. If it is not empty and (most likely) filled in by the SPAMBOT, then make it die(); or redirect.

For example, using an if(isset(...)) check on a named submit button:

<input type="submit" name="soobmeet" value="Send">

Sidenote: I chose "soobmeet" because it's generally not a good idea to name it "submit" etc.

(Something I learned recently from one of the BIG GUNS here on SO)

PHP

<?php
if(isset($_POST['soobmeet'])){

    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $email1 = $_POST ['email1'];
    $phone = $_POST ['phone'];
    $comments = $_POST ['comments'];
    $email = $_POST ['email'];

    if(!empty($_POST['email'])){
        header("Location: get_lost.html");
        exit; // stop here so the mail below is never sent for a bot
    // or make it die();
    }

    else{
        // append with .= so the MIME header is kept
        $headers = "MIME-Version: 1.0\r\n";
        $headers .= "From: $email1";
        $to = 'email@example.com';
        $subject = 'Contact Form Submitted - Virginia Subsite';
        $message = "
        First name: $firstname \n
        Last name: $lastname \n
        Email: $email1 \n
        Phone: $phone \n
        Comments: $comments \n";

        mail($to, $subject, $message, $headers);
        header("Location: thankyou.html");
        exit;
    }
}
?>

First of all, I honestly don't recommend this as a spam/bot deterrent - there are many well tested third party libraries out there for you to use. Having said that, I've edited your code with some minor improvements. Hope this helps somewhat.

<?php

// Note: It is your own responsibility to validate user input!
// (In particular, $strEmail goes into a mail header below and should be
// checked for line breaks before use.)

// the form is POSTed, so read $_POST rather than $_REQUEST (which also accepts GET and cookie values)
if(!isset($_POST['email2']) || $_POST['email2'] == "") {
    // hidden field is empty: a human filled in the form, so send the mail
    $strFirstName = $_POST['firstname'];
    $strLastName = $_POST['lastname'];
    $strEmail = $_POST['email1'];
    $strPhone = $_POST['phone'];
    $strComments = $_POST['comments'];

    $strBody = "First name: ".$strFirstName." \nLast name: ".$strLastName." \nEmail: ".$strEmail." \nPhone: ".$strPhone." \nComments: ".$strComments." \n";
    mail('beefjelly69@yahoo.com', 'Contact Form Submitted - Virginia Subsite', $strBody, 'From: '.$strEmail);

    header("Location: thankyou.html");
    exit;
} else {
    // hidden field was filled in: a bot, so redirect without sending anything
    header("Location: thankyou.html");
    exit;
}

?>

Is this what you're trying to achieve? Also, you should be validating each of the fields e.g. checking whether they're empty, of the right format and length etc. preg_match() is an awesome way of doing this, plus you can add some minor validation at the client side as well.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow