Hi Thorpe,
I will post the entire page so you can see what I am referring to.
Note: the text file just writes the values (from the form submission) for name, email address and comment, and I added date, time and IP address.
<center>
<body bgcolor='#666666'>
<?
include "admin/connect.php";
$s=$_SERVER["REMOTE_ADDR"];
$ipbancheck="SELECT * from gb_banip where IP='$s'";
$ipbancheck2=mysql_query($ipbancheck);
$IPBANNED = false; // initialise so the check below never tests an undefined variable
while($ipbancheck3=mysql_fetch_array($ipbancheck2))
{
$IPBANNED=$ipbancheck3['IP']; // the key must be quoted; a bare IP is an undefined constant
}
if ($IPBANNED)
{
print "You have been banned from posting";
}
else
{
if (!isset($_POST['submit']))
{
print "<table border='1' cellpadding='6' bgcolor='#e1e1e1'><tr><td>";
print "<form method='post' action='addentry.php' name='form'>";
print "<b>Name: (required)</b><br> <input type='text' name='name' size='40'><br>";
print "<b>(optional) E-mail:</b><br><input type='text' name='email' size='40'><br>";
print "<b>Comment:</b><br>";
print "<textarea rows='6' name='comment' cols='45'></textarea><br>";
print "<input type='submit' name='submit' value='submit'>";
print "</form><br>";
}
else if (isset($_POST['submit']))
{
// A separate sanitise function would be good...
$name=mysql_real_escape_string(strip_tags($_POST['name']));
$country=mysql_real_escape_string(strip_tags($_POST['country']));
$email=mysql_real_escape_string(strip_tags($_POST['email']));
$aim=mysql_real_escape_string(strip_tags($_POST['aim']));
$icq=mysql_real_escape_string(strip_tags($_POST['icq']));
$yim=mysql_real_escape_string(strip_tags($_POST['yim']));
$msn=mysql_real_escape_string(strip_tags($_POST['msn']));
// $comment must be defined before the check below; the filter, the text file
// and the INSERT all use this escaped value.
$comment = mysql_real_escape_string(strip_tags($_POST['comment']));
if(!$name || !$comment)
{
print "<font color='red'>Name or comment not entered, please go back and sign again</font><br>";
}
else
{
// This isn't a list of keywords, it's a comment. So all the stuff with
// collapsing spaces and so on is unnecessary.
//
// "Special" characters have already been escaped, so we don't need to
// mess with them. If this _was_ a list of keywords that we were going
// to be searching for in text, it would make sense to strip
// them out, because punctuation usually isn't a consideration in such
// searches. But we're not searching, so that doesn't apply. Using
// variable names like "$Keyword" is also inappropriate. Sounds like a
// case of cut-and-paste coding, to me. Cut-and-paste coding never works.
//
// We're not planning on running these comments as PHP code, so we don't
// need to filter out php. SQL keywords are harmless as well, because we
// never put them into SQL queries outside literal strings. Like - were
// we really not going to allow people to use the word "where"?!
//
// Figure out what you actually want to censor, and put those terms in
// this list. Tags (including tags with embedded Javascript), and
// characters that could break the syntax of SQL queries, have already
// been taken care of.
$filter = array(
"treklinkinfo",
"majord",
"hitch-cover",
"sho es",
"shoes",
"nike",
"new balance",
"http://",
"viagra",
"buy adipex",
"adipex",
"phen",
"web hosting",
"pay day loans",
"auto",
"credit card terminal",
"Money Makers",
"airline ticket",
"spyware windows nt",
"spyware scan",
"microsoft sql server",
"online tarot reading",
"phentermine buy online",
"prescription drugs",
"pharmacy canada",
"radiology continuing educ",
"dell notebook",
"valium tablet",
"installing replacement",
"installing replacement wi",
"ibm notebook battery",
"flower silk",
"play poker free",
"sql server driver",
"auto insurance",
"united airline fare",
"sport betting online",
"spyware remover",
"viagra alternative",
"air plane ticket",
"notebook refurbished",
"tramadol cheap price",
"travel insurance quotes",
"epson printer ink",
"online cigarettes",
"home equity loan",
"bad credit",
"free casino cash",
"air ticket",
"[url",
"buy phentermine",
"Buy phentermine",
"Buy Phentermine",
"buy adipex",
"adipex",
"phen",
"sex",
"penis",
"breast",
"enlargement",
"web hosting",
"pay day loans",
"credit card terminal",
"Money Makers",
"matto",
"Larry",
"Yasemin Co.",
"Jeffery",
"airline ticket",
"spyware windows nt",
"Ottis",
"spyware scan",
"Mike Tyler",
"microsoft sql server",
"online tarot reading",
"phentermine buy online",
"prescription drugs",
"pharmacy canada",
"radiology continuing educ",
"dell notebook",
"valium tablet",
"installing replacement",
"installing replacement wi",
"ibm notebook battery",
"Abram",
"flower silk",
"play poker free",
"sql server driver",
"www",
"auto insurance",
"united airline fare",
"sport betting online",
"spyware remover",
"viagra alternative",
"air plane ticket",
"notebook refurbished",
"tramadol cheap price",
"travel insurance quotes",
"epson printer ink",
"Jayson",
"Robert",
"Herman",
"George",
"Alton",
"nigger",
"nigga",
"Nigger",
"Nigga",
"Christopher",
"Lori",
"Mark",
"Alena",
"online cigarettes",
"home equity loan",
"Sasha",
"bad credit",
"free casino cash",
"air ticket",
"Mortal Krue",
"Jabo",
"Tino Cereteli",
"Marta Hueva",
"Geny Krina",
"Tonny Blerr",
"preteen lolita",
"little lolitas",
"portable basketball hoops",
"Sanekus",
"Antony Shwarz",
"Tommy Lee",
"Bred Silver",
"Buy Tramadol",
"Frantichek Tenniken",
"Buy tramadol",
"Fransis Mentos",
"John Rendis",
"Jennis Jeckson",
"Jad",
"Buy viagra",
"34000000000 jackpot lotte",
"Kasius Mon",
"Karas Adult Playground",
"Brendon Kleyton",
"xanax",
"Bam",
"Dim",
"Miranda Jenning",
"people health",
"replica rolex watch",
"black girls pimp",
"Funtik Shpuntik",
"buy phentermine",
"Buy phentermine",
"Buy Phentermine",
"gbook",
"inthecla",
"board",
"buy diet pill online",
"phe ntermine",
"phentermine",
"weight loss",
"result",
"cheap online",
"order phentermine",
"cheap phentermine target",
"phentermine buy phentermine",
"hyd rocodone",
"phentermine 37.5",
"mgphentermine weight loss result",
"amb ien",
"cheap online order phentermine",
"cheap phentermine target",
"phentermine buy phentermine",
"phentermine 37.5 mg",
"phe ntermine",
"[url]",
"[/url]",
"[url",
"[url=",
"<?",
"?>",
"<a",
"/a>",
"=",
"script ",
"type=",
"javascript",
"function",
"/script",
"http:",
"url",
"steroids",
"gambling",
"poker",
"casino",
"strip",
".com",
".org",
".tv",
".net",
"anabolic ",
"blackjack",
"avelox ",
"acyclovir",
"aciphex",
"mg",
"http",
"HTTP",
"zyban",
"href",
"]",
"<",
">",
"gbook");
$fixedcomment = str_replace($filter, '', $comment); //(weedpackets version)
// $comment = str_replace($filter, '', $comment); //(my version)
//////////////////
// $name was already escaped with mysql_real_escape_string above; escaping it
// again with addslashes would store doubled backslashes in the database.
//$name = addslashes($_POST['name']);
//$comment = addslashes($_POST['comment']);
$Date = date('Y\-m\-d');
$Time = date('g\:i A', time() + 10800);
$State = "Teachers Forum";
//saving record in a text file
$outputtext = "---------"."\r\n"
. "Date: $Date\r\n"
. "Ip Address is: $s\r\n"
. "Time: $Time\r\n"
. "name: $name\r\n"
. "comment: $comment\r\n\r\n";
$TeachersForum = "TeachersForum";
// Create the text file name from the stat picked
$write_file_txt = $TeachersForum.'.'."txt";
$fp = fopen($write_file_txt, 'a+'); // no "or die" here, otherwise the friendly error below is never reached
// Tell me if it did not write out the text file!
if (!$fp)
{
echo '<p><strong> Your comments could not be saved to the server at this time.</strong></p>';
echo '<p><strong> Please try again later. Thank You</strong></p></body></html>';
exit;
}
// Write out the text data
fwrite($fp, '--'.$outputtext, strlen('--'.$outputtext));
fclose($fp);
// Insert the data now its cleaned
$r=$_SERVER["REMOTE_ADDR"];
$day=date("D M d, Y H:i:s");
$timegone=date("U") ; //seconds since Jan 1st, 1970
$putinguestbook = "INSERT INTO gbook
( name, country, mail, fixedcomment, realtime,
aim, icq, yim, msn, time,IP)
VALUES
('$name', '$country', '$email','$fixedcomment', '$day',
'$aim', '$icq', '$yim', '$msn', '$timegone', '$r')";
mysql_query($putinguestbook);
print "Thanks for posting, you will now be redirected <META HTTP-EQUIV = 'Refresh' Content = '2; URL =index.php'> ";
}
}
}
?>
</td></tr></table>
</center>
Like I said, someone posted to the database without going through the form; otherwise, the text file would have recorded the info I wrote above.
Thanks,
Don
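Added here as an example (not Don's code or the original addentry.php): the submit branch rewritten with server-side validation and a prepared statement, assuming a PDO connection in $pdo and the gbook columns from the INSERT above.

```php
<?php
// Added example, not the original addentry.php: a hardened submit branch.
// Assumes $pdo is an open PDO connection (e.g. from admin/connect.php) and
// that the gbook table and its columns are as in the original INSERT.
function validate_entry(array $post): ?array {
    // The HTML form is not a control: any client can POST to this script,
    // so required fields and lengths are enforced here, server-side.
    $name    = trim($post['name'] ?? '');
    $comment = trim($post['comment'] ?? '');
    $email   = trim($post['email'] ?? '');
    if ($name === '' || $comment === '' || strlen($name) > 100 || strlen($comment) > 2000) {
        return null;
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['name' => $name, 'email' => $email, 'comment' => $comment];
}
function save_entry(PDO $pdo, array $e, string $ip, string $logfile): bool {
    // A prepared statement keeps the values out of the SQL text, so quotes,
    // SQL keywords and a substring blocklist (which would also mangle words
    // such as "image" because it contains "mg") are not needed for safety.
    $stmt = $pdo->prepare(
        'INSERT INTO gbook (name, mail, fixedcomment, realtime, time, IP)
         VALUES (:name, :mail, :comment, :realtime, :time, :ip)'
    );
    $ok = $stmt->execute([
        ':name' => $e['name'], ':mail' => $e['email'], ':comment' => $e['comment'],
        ':realtime' => date('D M d, Y H:i:s'), ':time' => time(), ':ip' => $ip,
    ]);
    // The audit line is appended only after the row exists and carries the same
    // values, so a gbook row with no matching line points outside this script.
    if ($ok) {
        $line = sprintf("---------\r\nDate: %s\r\nIP Address: %s\r\nname: %s\r\ncomment: %s\r\n\r\n",
            date('Y-m-d H:i:s'), $ip, $e['name'], $e['comment']);
        file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
    }
    return $ok;
}
if (isset($_POST['submit'])) {
    $entry = validate_entry($_POST);
    if ($entry === null) {
        print "<font color='red'>Name or comment not entered, please go back and sign again</font><br>";
    } elseif (save_entry($pdo, $entry, $_SERVER['REMOTE_ADDR'], 'TeachersForum.txt')) {
        // When the guestbook is displayed, escape on output:
        // htmlspecialchars($row['fixedcomment'], ENT_QUOTES, 'UTF-8')
        print "Thanks for posting";
    }
}
```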