message board help

bvs

Hi there. We are a student group and complete newbies at php and therefore require help and advice to stop ppl dumping spam rubbish on our student message board.

There is a filter installed, but its not working, as you will see if you go to:

http://www.otago.ac.nz/teroopu/html/dynamic/messageboard.php

This is the installed script for checking and filtering:

<?
include ("msg_conf.php");

if (!$homepage) {$homepage = "http://";}

if ($action == add && $fullname == '') { # if action equal to add AND fullname is empty
$msg .= "<p class=\"messageerror\">$lang_missing_name</p>";
$format = BAD;
}

if ($action == add && $email == '') { # if action equal to add AND email is empty
$msg .= "<p class=\"messageerror\">$lang_missing_email</p>";
$format = BAD;
}

if ($action == add && $comment == '') { # if action equal to add AND comment is empty
$msg .= "<p class=\"messageerror\">$lang_missing_comment</p>";
$format = BAD;
}

if (!$email || eregi ("@", $email, $regs)) { # if email is empty OR contains @ sign
} else {
$msg .= "<p class=\"messageerror\">$lang_bad_email</p>";
$format = BAD;
}

echo "
<table class=\"messagetable\" bgcolor=\"F3F9FF\" cellpadding=\"0\" cellspacing=\"5\">
<tr ><td align=left>
<h2>Add a Message</h2>
</td></tr>
";

#========================================

Check and Display Warning Message

#----------------------------------------

If the required fields are missing,

display the warning message in order to

submit the entry.

#========================================
if ($msg) {
echo "
<tr >
<td colspan=2><font size=$fsize face=$fface color=#ff0000 >$msg</td>
</tr>
<tr></tr>
";
}

#========================================

Displaying Sign Form

#----------------------------------------

Display the signning form if format check is equal

to BAD

#========================================

if ($format == BAD || $action != add) { # if format equal to BAD OR action not equal to add

echo "  
  <form action=$PHP_SELF method=post>
  <tr >
    <td><p>$lang_fullname :</p></td>
    <td><input type=text class=\"messageinput\" name=fullname value=\"$fullname\" ></td>
  </tr>
  <tr>
      <td><p>$lang_email :</p></td>
      <td><input type=text class=\"messageinput\" name=email value=\"$email\" ></td>
  </tr>
";

if ($to_display_form_location == '1') {	
	echo "
	<tr >
	<td ><p>$lang_location :</p></td>
	<td><input type=text class=\"messageinput\" name=location value=\"$location\" ></td>
	</tr>
	";
}

echo "
<tr >
<td><p>$lang_comment :</p></td>
<td><textarea class=\"messageinput\" name=comment cols=30 rows=5 wrap=on >$comment</textarea>
</td>
</tr>
<tr></tr><tr></tr>
<tr >
<td colspan=2 align=center>
          <input class=\"messageinput\" type=submit value=\" Submit\" >
<input class=\"messageinput\" type=reset value=\" $lang_reset \" >
<input type=hidden name=action value=add>
</td>
</tr></form>
<tr></tr><tr></tr>
<tr >
<td colspan=2 align=center>
</td>
</tr>
";
} else {

#========================================

Check and Fix $homepage

#----------------------------------------

If homepage is equal to "http://", make it empty.

#========================================

if ($homepage == 'http://') {$homepage = '';}

#========================================

Check and Fix Comment Content

#----------------------------------------

To check for any < and > and change them

to special HTML tag to prevent harm to

the guestbook. And change newline to <BR>

which is to support for multiple lines, also swap any long string.

#========================================

$fullname = ereg_replace("<", "<", $fullname); # replace <
$email = ereg_replace("<", "<", $email); # replace <
$location = ereg_replace("<", "<", $location); # replace <

$array_encoded = explode(" ",$comment);

for ($i = 0; $i < count($array_encoded); $i++) {
$array_encoded[$i] = wordwrap( $array_encoded[$i], $comment_swap, " ", 1);
$final_encoded .= "$array_encoded[$i] ";
}

if ($html_filter == '1') {
$final_encoded = ereg_replace("<", "<", $final_encoded); # replace <
$final_encoded = ereg_replace(">", ">", $final_encoded); # replace >
}

$final_encoded = ereg_replace("\n", "<br>", $final_encoded); # replace newline to <br>

$dis_encoded = ereg_replace("\\'", "'", $dis_encoded);
$dis_encoded = ereg_replace("\\\"", "\"", $dis_encoded);

#========================================

mySQL Connect and Insert

#----------------------------------------

Connecting to mySQL server, open database

and insert data into tables.

#========================================

if ($REMOTE_ADDR == '') {
$remoteip = 'Unknown';
} else {
$remoteip = $REMOTE_ADDR;
}

mysql_connect ("$sqlhost", "$sqlname", "$sqlpw"); # connection mySQL
mysql_select_db("$sqldb"); # select database

$insertString =
"INSERT INTO $sqltable( fullname, email, location, comment, date, ip ) VALUES " .
" ( \"$fullname\", \"$email\", \"$location\" , \"$final_encoded\",\"$date\",\"$remoteip\");";

mysql_query( $insertString); # add the data to table "wdb"

#========================================

Confirm Signned and Preview

#----------------------------------------

If passed all checking, add the entry into

database and display message and preview.

#========================================

echo "
<tr >
<td colspan=2 ><p>$lang_submitted</p></td>
</tr>
<tr></tr><tr></tr>
<tr>
<td colspan=2 class=\"messagecell\" bgcolor=\"#F3F9FF\"><b>$fullname</b>";

if ($email && $to_display_email == '1') {

echo " <a href=\"mailto:$email\"><img src=$gif_email border=0 alt=\"$email\"></a>";
}

if ($location && $to_display_location == '1') { # if location, print it
echo "<br>Location: $location\n";
}

echo "<br><br>$dis_encoded<font size=1><p class=\"messagedate\" align=right>"; # print comment and date

if ($to_display_date == '1') {
echo " [$lang_date: $date]";
}

if ($to_display_ip == '1') {
echo " [$lang_ip: $remoteip]";
}

echo "</p></td></tr>";

}

echo "
<tr ><td colspan=2 align=\"center\">
<h2><a href=messageboard.php class=\"messagelink\">$lang_view_guestbook</a></h2>
</td></tr>
";

#========================================

Print Page Footer

#----------------------------------------

This is the coding for the page footer.

You can change the AD coding to anything you want.

#========================================

echo "
</table>
";

#========================================

End of File

#========================================
?>

Any help or advice would be greatly appreciated.

kkobashi

It is next to impossible to weed out anonymous/guest users based on email address (because they will just give you a fake one), IP address (the address may be shared among many users in a dialup setting or they could even go through a proxy server), first or last name (they'll just fake it). Forget trying to validate a user this way. It won't work.

The best way to avoid people from spamming you is to force people to login with a username and password. That way, if they get disruptive, you get rid of their accounts. This solution requires you to actively monitor messages on your board and then take action of eliminating the disruptive user. You must require a user to supply a email address. You send an email to that email address asking them to respond. By responsing you enable the user account. You should avoid accepting free email accounts like yahoo, hotmail, etc. because they can be easily created.

Another way to stop spamming is to submit all messages to a queue that await your approval before they get publicly posted. This solution requires a lot of attention and administration daily. The messages won't be posted in real time.

bvs

Gosh, thank you greatly for your sound advice. I really like the idea of queueing all msgs before they go live. Our admin team should be able to handle it. Can you suggest anywhere we can look for such a script? We just need a basic student board to exchange announcements etc.

Many thanks

kkobashi

Check out these:

http://www.ikonboard.com
http://www.phpbb.com
http://www.vbulletin.com

I've used phpBB and it works great... would recommend it.

bvs

Thanks so much Kerry.

I will go look at the links. Much appreciated.