[RESOLVED] Help!

John881

Hey PHPBuilders!
I'm John, and I'm new to your forums...
I have a BAD spam problem on my site.. I have a comments system which me and my friend made in PHP and SQL... it works great!
There's one huge problem though, people keep "spamming" it.. posting loads of messages like "name: sosioiosojsiojsijosi message: djdjdkkdjjdkjkll" over and over and over, it takes me forever to delete them all. I can ban their IP addresses manually, but there is no actual control to stop them from submitting LOADS and LOADS over and over.

I asked my friend about it, and he gave me this code to work from:

<?php

//VERY IMPORTANT: The folder "antispam" must exist on your server for this to work.

//Right, I would do it like so:
//(php source with comments)

$their_IP=$_SERVER["REMOTE_ADDR"];
//get their IP

if(file_exists("antispam/".$their_IP)){
//check for a file called their IP in an 'antispam' folder (or whatever you want to call it)

if(!$ip_file=file("antispam/".$their_IP)){
//if so, get the contents of that file as a string

echo '<BR>Server error.<BR>';
exit;
}
//if there's an error opening the file, display an error message and exit (note the ! operator in the if statement above)

trim($ip_file[0]);
//strip any carriage returns and white space; the above should now contain just a date

if((date("dmYHis")-$ip_file[0])<10){
//get the current date and subtract the old date from the current date

echo '<BR>You cannot post a comment more than once every ten minutes.<BR>';
exit;
}
//if less than 10 minutes, display an explanation and exit
}
//otherwise it's all good, so just end the if statement

//similarly, if a file with their IP address didn't exist, it can be assumed they didn't post within ten minutes
//because of the next bit we're going to do

if(!$S_file=fopen("antispam/".$their_IP,"w")){
//open a file named the same as their ip; if doesn't exist, it will be created
echo '<BR>Server error.<BR>';
exit;
//if there's an error, print a message about it and exit
}
fputs($S_file, date("dmYHis"));
//put in the date; if the file existed already, it will be overwritten completely
fclose($S_file);
//close the file

//comment posting code would then go here

//note that this doesn't involve error handling for if their IP file contains something other than a date
//which it shouldn't

//mc
?>

You can probably get the idea of it.. it's meant to stop the user from posting, and limit them to one post every ten minutes. The only problem is, it doesn't work, it's very glitchey (yes I did right the folder 777), and I can't put my finger on the problem (I'm still pretty new to PHP).
So If someone could correct my friend's coding, I would be extreamly greatful!
All help is appreciated!
Thanks,
John

bpat1434

And what is glitchy? What doesn't work?

You know a better way to do it is to just use another table in the database if you can. Then it's just a matter of INSERTing a row, or UPDATEing a row already there. Same principle, but much easier.

Using SQL, it would look something like:

<?php

function updateTime($table, $ip)
{
    $query = "UPDATE $table SET lastPost=UNIX_TIMESTAMP(NOW()) WHERE ip='$ip'";

if(false != ($result = mysql_query($query)))
    return TRUE;
else
    return FALSE;
}

function insertTime($table, $ip)
{
    $query = "INSERT INTO $table (ip, lastPost) VALUES ('$ip', UNIX_TIMESTAMP(NOW()))";

if(false != ($result = mysql_query($query)))
    return TRUE;
else
    return FALSE;
}

function findPoster($table, $ip)
{
    $query = "SELECT lastPost FROM $table WHERE ip='$ip' LIMIT 1"

if(false != ($result = mysql_query($query)))
    return mysql_result($result, 0, 'lastPost');
else
    return FALSE;
}

$table = 'spam';
// The table to store everything....

$ip = $_SERVER['REMOTE_HOST'];
// Get their IP

$now = time();
// Get the current timestamp

$threshold = 600; // seconds * minutes: 60 * 10 = 600 seconds (10 Minutes)
// Set the post threshold

if(false != ($time = findPoster($table, $ip)))
{
    if($threshold >= (time()-$time))
        die('You can not post more than once within ' . round($threshold/60) . ' minutes.');
    else
    {
        if(true == updateTime($table, $ip))
            die('Successfully insterted comment(s).');
        else
            die('There was an error inserting your comments.');
    }
}
else
{
    if(true == insertTime($table, $ip))
        die('Successfully inserted your comment(s).');
    else
        die('There was an error inserting your comments.');
}

?>

Just another option for you 😉

John881

Hey, thanks a bomb for this ^... but before the comment is written to the database, it under goes testing (posting as an admin / empty fields).. here's all the coding (PHP & SQL):

<? ob_start(); ?>
<?
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/ca1um/i", $name) ) {
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/&/i", $name) ) { // I CHECK FOR & INCASE A USER TRYS TO INPUT HTML INSTEAD OF A LETTER
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/#/i", $name) ) {// I CHECK FOR # INCASE A USER TRYS TO INPUT HTML INSTEAD OF A LETTER
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/ca1um/i", $name) ) {
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/calum/i", $name) ) {
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/admin/i", $name) ) {
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
$name = addslashes(strip_tags($_POST['name']));
if ( preg_match("/administrator/i", $name) ) {
	header('Location: http://www.ca1um.com/commenterror1.php');
	exit;
}
?>
<?
// If a user has got this far, they are not trying to post as an administrator
$name=addslashes(strip_tags($_POST['name'])); //sets the variables
$comment=addslashes(strip_tags($_POST['comment']));
if ($name == ""){ // checking for blank fields
echo "Fill everything in.";
exit;
}
if ($comment == ""){ // checking for blank fields
echo "Fill everything in.";
exit;
} else { // user is not trying to post as an admin, and everything is filled in...
@mysql_connect('localhost','username','password') OR die('Could not connect to MySQL');
@mysql_select_db('db') OR die('Could not connect to database');
mysql_query("INSERT INTO comments (name,comment,ip_address) VALUES('$name','$comment','{$_SERVER['REMOTE_ADDR']}')");
if(mysql_affected_rows() == 1){
// comment and name written to database, redirecting user for thank you message
header('Location: http://ca1um.com/index.php?action=postedmessage'); 
}else{ // error!
echo 'An error occured, please try again'; // error message
}
}
?>
<? ob_end_flush(); ?>

I'm sorry, but I'm really new to PHP and I get cought with the simple things 😕 .. can you tell me where I need to add your code for it to work?

Thanks a bomb!,
John

bpat1434

well gee.... my code was meant to replace your original code.....

Not sure where you'd want to put it, cuz your original code isn't in there 🙁

John881

Hey bpat1434, any chance we can talk on an instant messanger? You're not on AIM, and you haven't accepted me on MSN...

I understand what you mean about inserting the code where the old one was, but your code exits (dies) if the user is allowed to post... but if the script dies, the rest of the scripting on the page won't process, so the comment won't be written to the database...? Can I just delete the die and replace it with echo"", so that if the user passes the test, their comment will be tested for blank fileds and then written? 😕 😕
I hope you understand...
John

John881

Problem solved 🙂! It turns out that it was checking secounds instead of minutes. Thanks for your help!