[RESOLVED] $_SESSION and rand code to stop spammers from posting to forms question

dmacman1962

Hi All,

I read about using a $_SESSION with a hidden form element containing a string of random character and numbers to ensure the person posting the form is doing so via our site. Here is the quote:

"Adding randomly generated hidden tokens to forms is the best solution to this problem. In every PHP script which generates a form add a hidden variable containing a random value. Save this value temporarily, such as in $SESSION (which cannot be tampered with by the user) and then check the random value submitted in the form against the one contained in $SESSION. Since an attacker is highly unlikely to guess a the random value correctly if this value is sufficiently long, the form submitted is guaranteed to be the one from the client who requested it."

I know I can do this:

$_SESSION["verify"] = "42k342k3j4l2k4j2l3";

Then compare it to veify that the user visited the site and didn't just "Spam" it.

But how do I get the random code?

I checked php.net and there are a ton of different posts, all saying the last one was the not the best way.

I am not a session expert, so I would appreciate any guidance.

Thanks,

Don

dmacman1962

I found this, would this do it?

I found the solution to this awhile back...

do this:
PHP Code:
$symbols = array("*", "=", "/", "\\", "-", "+", "'", "\"");

$_POST = str_replace($symbols, "", $_POST);
$_GET = str_replace($symbols, "", $_GET);
$_COOKIE = str_replace($symbols, "", $_COOKIE);
$_SESSION = str_replace($symbols, "", $_SESSION);
I use this on my header file. Works like a charm. It stops all - numbers, cross-multipliers & = signs (injections require these)

Thanks,

Don

Weedpacket

It has nothing to do with preventing spam, it just takes the listed characters out of people's submissions, replacing them with "" (which is dumb - there are better ways of defending against db injection that don't clobber what people write).

Sorry; I stuffed that paragraph up.

It has nothing to do with preventing spam, it just takes the listed characters out of peoples submissions, replacing them with (which is dumb there are better ways of defending against db injection that dont clobber what people write).

dmacman1962

Thanks Weedpacket, for you feedback.

You said "there are better ways of defending against db injection that dont clobber what people write," what would you suggest?

Obviously, you know that the way the other person suggested is lame and useless.

Thanks,
Don

Roger_Ramjet

look up mysql_real_escape_string() and use the best-practice code you'll find there.

If you search these forums, or Google, you'll find methods for preventing spam attacks via your email forms.

dmacman1962

Hi RR and WP,

I am confused, I am using 'mysql_escape_string' and it doesn't seem like it's doing anything.

Also, my form is not emailing it is adding the users post to our guestbook (really just a blog) directly.

Here is the complete code to add the users post. (minus the bad words, so I don't insult anyone ).

include "admin/x.php";
$s=$_SERVER["REMOTE_ADDR"];
$ipbancheck="SELECT * from gb_banip where IP='$s'";
$ipbancheck2=mysql_query($ipbancheck);
while($ipbancheck3=mysql_fetch_array($ipbancheck2))
{
  $IPBANNED=$ipbancheck3[IP];
}
if ($IPBANNED)
    {
       print "You have been banned from posting";
    }

else
   {

if (!isset($_POST['submit']))
{
 print "<table border='1' cellpadding='6' bgcolor='#e1e1e1'><tr><td>";
 print "<form method='post' action='addentry.php' name='form'>";
 print "<b>Name: (required)</b><br> <input type='text' name='name' size='40'><br>";
 print "<b>(optional) Homepage(include http://):</b><br><input type='text' name='homepage' size='40'><br>";
 print "<b>(optional) E-mail:</b><br><input type='text' name='email' size='40'><br>";
 print "<b>Comment:</b><br>";
 print "<textarea rows='6' name='comment' cols='45'></textarea><br>";

 print "<input type='submit' name='submit' value='submit'>";
 print "</form><br>";

   }




  else if (isset($_POST['submit']))
  {
    $name=$_POST['name'];
    $country=$_POST['country'];
    $email=$_POST['email'];
    $homepage=$_POST['homepage'];
    $aim=$_POST['aim'];
    $icq=$_POST['icq'];
    $yim=$_POST['yim'];
    $msn=$_POST['msn'];
    $comment=addslashes($_POST['comment']);
    if(!$name || !$comment)
    {
      print "<font color='red'>Name or comment not entered, please go back and sign again</font><br>";
    }
   else
    {

// Filter out the bad content
$Keyword = (isset($_POST['comment'])) ? $_POST['comment'] : '';
$trimmedKeyword = trim($Keyword);
$trimmedKeyword = stripslashes($trimmedKeyword);
//filter special characters such as % ^ &
$filter = array("truncate", "alter", "mysql_query(", "base64_encode(", "base64_decode(", "escapeshellarg(", "exec(", "passthru(", "proc_closes(", "proc_get_status(", "proc_nice", "proc_open(", "proc_terminate(", "shell_exec(", "system(", "set", "drop", "where", "insert", "select", "table1", "table2", "table3", "drop", "insert", "update", "delete", "POST", "GET", "'", "`","~", "\"" , "\\" , "!", "@" , "#" , "$" , "%" , "^" , "&" , "*" , "(", ")" , "+" , "{" , "}" , "[" , "]" ,  "<" , ">" , ";" , ":" , "?" , "/" ,"//" , "|" , "=", "http", "://", "www.","[url=http://x", "viagra", "x", ".com", ".org", ".edu", "buy adipex", "adipex", "phen", "x", "x", "x", "x", "web hosting", "pay day loans", "auto", "credit card terminal", "Money Makers", "x", "x", "xCo.", "x", "airline ticket", "spyware windows nt", "x", "spyware scan", "x", "microsoft sql server", "online tarot reading", "phentermine buy online", "prescription drugs", "pharmacy canada", "radiology continuing educ", "dell notebook", "valium tablet", "installing replacement", "installing replacement wi", "ibm notebook battery", "x", "flower silk", "play poker free", "sql server driver", "www", "auto insurance", "united airline fare", "sport betting online", "spyware remover", "viagra alternative", "air plane ticket", "notebook refurbished", "tramadol cheap price", "travel insurance quotes", "epson printer ink", "x", "x", "x", "x", "x", "x", "x", "x", "x", "online cigarettes", "home equity loan", "x", "bad credit", "free casino cash", "air ticket", "[url]", "[/url]", "[url", "[url=", "buy phentermine", "Buy phentermine", "Buy Phentermine", "gbook", "x", "x");
$trimmedKeyword = str_replace($filter, '', $trimmedKeyword);
$trimmedKeyword = preg_replace('#\s+#',' ',$trimmedKeyword);
$trimmed_arrayKeyword = explode(" ",$trimmedKeyword);
$trimmed = mysql_escape_string($trimmedKeyword);

//////////////////


// Insert the data now its cleaned	
     $r=$_SERVER["REMOTE_ADDR"];
     $day=date("D M d, Y H:i:s");
     $timegone=date("U") ; //seconds since Jan 1st, 1970
     $putinguestbook="INSERT INTO gbook(name, country, mail, homepage, comment, realtime, aim, icq, yim, msn, time,IP) VALUES('$name','$country','$email','$homepage','$trimmed','$day','$aim','$icq','$yim','$msn','$timegone','$r')";
     mysql_query($putinguestbook);
     print "Thanks for posting, you will now be redirected <META HTTP-EQUIV = 'Refresh' Content = '2; URL =index.php'> ";
    }
  }
}

As you can see, I mysql_escape_strig the $trimmedwords then set that to $trimmed and insert into the db. Did I somehow, nullify that command in my code???

Thanks,

Don

Weedpacket

I'm not sure what you mean by "it doesn't appear to do anything" - if it works properly you wouldn't see a difference (the poster's comment is being inserted without being altered), and you wouldn't need to filter out all those punctuation marks or PHP function calls (were you planning to run PHP code people submit?). The only things you'd need to filter are the "play poker free" sort of strings. Er, did you really mean to filter out the letter 'x'?

Try inserting something that has an apostrophe in it - like a post from some guy named O'Connell - oh, you don't escape that field (You should: mysql_real_escape_string() every form field that will be used to fill in a database query, because any form field could be used in an attempt to launch an attack. Even some that weren't in your form, which is why register_globals was turned off.) Write a comment that contains an apostrophe, and see what results.

Incidentally, could you use [php] instead of [code] to mark up your PHP? I found some of the variable names were starting to blur together (I should get some sleep one of these days) 🙂 - talking about "keywords" when you're talking about comments is also a bit on the confusing side. Are you using that array for anything?

dmacman1962

Hi Weedpacket, Wow! I have never recieved a response with such good and many questions as that, kudos!

I will answer them 1 at a time.

1) "mysql_string_escape doesn't seem to do anything" If I enter in a [url] or a <a href> command it strips out most of the url, but when I go to the board a few hours later, someone has posted "Hey awesome sight. Link to some site, and another and another and another" ??? Mine are filtererd out, theirs go right thru???

2) As far as the "x" goes, that was words that I didn't want posted for young people to read (not proper to be posted, and I just didn't want to go thru and delete all them).

3) I tried the following post with "mysql_escape_string and mysql_real_escape_string and strip_tags" in place:

(This was the result with the strip_tags i place)

O'Connell
<a href="http://www.intheclassroom.org>Link</a>

and it inserts

OConnell a hrefssroomLinka

which is better than all those links, but not the best. But an hour later, "somone" else has a post with 20 nasty links that got thru?????

4) Thanks for the tip on php instead of code, I just never tried that to see if it worked.

I hope this clarifies all the confusion. For some reason, my attempts to post urls does not get thru, but the spammers do.

One note. I have been altering the code between the escape real_escape and trip_tags and the strip tags did strip out the last persons post, but only one person posted, I don't have enough posts to be sure it is working better than the other two options.

I am not sure what the difference between the 3 are, I've read the php.net explaination and I don't knwo which is best to use, if at all.

Thanks a bunch,

Don

Weedpacket

Had some comments to make, realise I already put them in the code below 🙂. It's just an idea to actually step back and write something to do the job, rather than attempt to throttle what's already present into submission.

[man]mysql_escape_string[/man] is outdated, and [man]mysql_real_escape_string[/man] should be used insted (the former missed certain characters depending on the current character set). [man]strip_tags[/man] has nothing to do with MySQL, and removes everything that looks like an HTML/XML tag.

else if (isset($_POST['submit']))
  {
	// A separate sanitise function would be good...
    $name=mysql_real_escape_string(strip_tags($_POST['name']));
    $country=mysql_real_escape_string(strip_tags($_POST['country']));
    $email=mysql_real_escape_string(strip_tags($_POST['email']));
    $homepage=mysql_real_escape_string(strip_tags($_POST['homepage']));
    $aim=mysql_real_escape_string(strip_tags($_POST['aim']));
    $icq=mysql_real_escape_string(strip_tags($_POST['icq']));
    $yim=mysql_real_escape_string(strip_tags($_POST['yim']));
    $msn=mysql_real_escape_string(strip_tags($_POST['msn']));

// $comment wasn't yet defined at this point!
$comment = mysql_real_escape_string(strip_tags($_POST['comment']));

if(!$name || !$comment)
{
  print "<font color='red'>Name or comment not entered, please go back and sign again</font><br>";
}
   else
    {
		// This isn't a list of keywords, it's a comment. So all the stuff with
		// collapsing spaces and so on is unnecessary.
		//
		// "Special" characters have already been escaped, so we don't need to
		// mess with them. If this _was_ a list of keywords that we were going
		// to be searching for in text, it would make sense to strip
		// them out, because punctuation usually isn't a consideration in such
		// searches. But we're not searching, so that doesn't apply. Using
		// variable names like "$Keyword" is also inappropriate. Sounds like a
		// case of cut-and-paste coding, to me. Cut-and-paste coding never works.
		//
		// We're not planning on running these comments as PHP code, so we don't
		// need to filter out php. SQL keywords are harmless as well, because we
		// never put them into SQL queries outside literal strings. Like - were
		// we really not going to allow people to use the word "where"?!
		//
		// Figure out what you actually want to censor, and put those terms in
		// this list. Tags (including tags with embedded Javascript), and
		// characters that could break the syntax of SQL queries, have already
		// been taken care of.
		$filter = array(
		"http://",
		"viagra",
		"buy adipex",
		"adipex",
		"phen",
		"web hosting",
		"pay day loans",
		"auto",
		"credit card terminal",
		"Money Makers",
		"airline ticket",
		"spyware windows nt",
		"spyware scan",
		"microsoft sql server",
		"online tarot reading",
		"phentermine buy online",
		"prescription drugs",
		"pharmacy canada",
		"radiology continuing educ",
		"dell notebook",
		"valium tablet",
		"installing replacement",
		"installing replacement wi",
		"ibm notebook battery",
		"flower silk",
		"play poker free",
		"sql server driver",
		"auto insurance",
		"united airline fare",
		"sport betting online",
		"spyware remover",
		"viagra alternative",
		"air plane ticket",
		"notebook refurbished",
		"tramadol cheap price",
		"travel insurance quotes",
		"epson printer ink",
		"online cigarettes",
		"home equity loan",
		"bad credit",
		"free casino cash",
		"air ticket",
		"[url",
		"buy phentermine",
		"Buy phentermine",
		"Buy Phentermine",
		"gbook");

	$comment = str_replace($comment, '', $trimmedKeyword);

//////////////////


// Insert the data now its cleaned	
     $r=$_SERVER["REMOTE_ADDR"];
     $day=date("D M d, Y H:i:s");
     $timegone=date("U") ; //seconds since Jan 1st, 1970
$putinguestbook = "INSERT INTO gbook
	( name, country, mail, homepage, comment, realtime,
		aim, icq, yim, msn, time,IP)
	VALUES
	('$name', '$country', '$email', '$homepage', '$comment', '$day',
		'$aim', '$icq', '$yim', '$msn', '$timegone', '$r')";
     mysql_query($putinguestbook);
     print "Thanks for posting, you will now be redirected <META HTTP-EQUIV = 'Refresh' Content = '2; URL =index.php'> ";
    }
  }
}

dmacman1962

Thanks for the explanation and code and help!

I am going thru your code and comments so I can understand all the changes and why your way works and mine (poorly written) does not.

I also had to make one change, I don't know if you new or I did not give you enough of my code, but here is what I had to change to get the comments to actually post.

$comment = str_replace($comment, '', $trimmedKeyword); //(weedpackets version)
$comment = str_replace($filter, '', $comment); //(my version)

Once I did that, they post fine and strip out the url (http) and the bad words.

Thanks for all your help, I will let it run a few days and see if the spam (links) go away.

I will keep you posted, and will mark this thread resolved.

Thanks a bunch, as always,

Don

dmacman1962

Weedpacket,

I marked this thread resolved, but someone just got this url past the code I changed ??? (note, I added spaces to show the url code, otherwise it would encode as a url and you would only see "inkjet cartridges").

[u r l = h t t p://inkjet-cartridge.mlm-business-leader. c o m/]inkjet cartridge[/ u r l]

I don't understand how? If I copy and past that exact same url code in a new comment, it is stripped out???

Also, how do you mark a thread un-resolved?

Thanks,

Don

bpat1434

To stop the automatic URL linking, just uncheck the box in the "advanced" editor settings.
Also, if you're trying not to use the brackets, use the HTML entities: &#91 &#93 (each followed by a ';').
[url=http://inkjet-cartridge.mlm-business-leader.com/]Inkjet Cartridge[/url]

You could also use a regex to strip out any <a href="url_here">link</a> tags. You could also adapt it to look for [url=any_url]link[/url]. Just an idea....

~Brett

dmacman1962

Thanks, bpat.

I did add [url=, to the keywords filter.

I will check into regex, I am not familar with that command.

I will let you know how it works, but I have to look at the posts to see if they are getting by, since my attempts to spam it fail, and theirs do not. 🙁

Don

rincewind456

This may help you with the regex's Regex Library