[RESOLVED] SPAM Injection in PHP Form

conjurer

I have a website I maintain for a management association.

Recently I have started getting SPAM coming in from a form at the site that I use for conference registrations. Interestingly, it isn't currently linked to any of the other pages so either the SPAM bot is just crawling through every file in the directory or it pulled the url months ago when it was active.

For now I have just removed the files from the website - so hopefully that will solve the problem.

But my question is -- when it comes time to reactivate and put the form back up on the site are there any things I can do to help prevent a SPAM injection via the form?

I have seen many sites using those graphic image codes that require you to enter the code before submitting the form. Is that what I need and if so are there any free source tools available to do that in a php file?

Appreciate any ideas and advice.

rincewind456

It's called CAPTCHA and there's a tutorial here.

conjurer

Thanks so much

hairulazami

But some of CAPTCHA image code, cannot stop a lot of spam, cause my comment form always get spam terror every time. So how about random code, then we register it into a session.

function generateWord($length)
{
	$registerThis="";
    srand ((float) microtime() * 10000000);
    $rand1=rand(1,99); $rand2=rand(100,199); $rand3=rand(200,299); $rand4=rand(300,399); $rand5=rand(400,599);
    $input = array ("V-!-q", "$rand4", "N-s-z", "the-clash", "i-Y-s", "brush", "pattern", "s-G-l", "gradien", "style", "b-f-D", "glossy", "render", "t-i-J", "$rand1", "$rand2", "H-*-R",  "$rand3", "green-day", "danzig", "turtles-jr", "$rand5", "blur", "P-L-l", "motion", "dream", "weaver", "H-r-W", "photo", "w-x-U", "shop", "image", "ready", "flash", "web", "master", "ramones", "sex-pistols", "misfits", "F-t-L", "rancid", "exploited", "bad-religion", "a-O-P", "blink182", "haloween", "R-e-o", "offspring", "sum41", "pennywise", "s-A-Y", "social-distortion", "y-j-K", "sinergy", "last-energ!");
	$rand_keys = array_rand ($input, 55);
	for ($i=0; $i<$length; $i++)
	{
    	$registerThis = $registerThis . $input[$rand_keys[$i]];
    }
    return $registerThis;
}

echo "<form name='test' action='' method='post'>
<input type=text name='randomKey'>
<input type=submit name=submit value=submit>
</form>";
$registerThis = generateWord(2);

then register the result with session_register:

session_register('registerThis')

for form action I use this validation:

if($_POST['randomKey'] == $_SESSION['registerThis']) { echo "Your Key is VALID"; } else { echo "Your Key is Invalid"; }

so the complete code will be like this:

<?
function generateWord($length)
{
    $registerThis="";
    srand ((float) microtime() * 10000000);
    $rand1=rand(1,99); $rand2=rand(100,199); $rand3=rand(200,299); $rand4=rand(300,399); $rand5=rand(400,599);
    $input = array ("V-!-q", "$rand4", "N-s-z", "the-clash", "i-Y-s", "brush", "pattern", "s-G-l", "gradien", "style", "b-f-D", "glossy", "render", "t-i-J", "$rand1", "$rand2", "H-*-R",  "$rand3", "green-day", "danzig", "turtles-jr", "$rand5", "blur", "P-L-l", "motion", "dream", "weaver", "H-r-W", "photo", "w-x-U", "shop", "image", "ready", "flash", "web", "master", "ramones", "sex-pistols", "misfits", "F-t-L", "rancid", "exploited", "bad-religion", "a-O-P", "blink182", "haloween", "R-e-o", "offspring", "sum41", "pennywise", "s-A-Y", "social-distortion", "y-j-K", "sinergy", "last-energ!");
    $rand_keys = array_rand ($input, 55);
    for ($i=0; $i<$length; $i++)
    {
        $registerThis = $registerThis . $input[$rand_keys[$i]];
    }
    return $registerThis;
}

if($_POST['submit'])
{
	if($_POST['randomKey'] == $_SESSION['registerThis'])
	{
		echo "Your Key is VALID";
	}
	else
	{
		echo "Your Key is inVALID";
	}
}
else
{

$registerThis = generateWord(2);
session_register('registerThis');

echo "
<form name='test' action='' method='post'>
ENTER KEY: $registerThis <BR>
<input type=text name='randomKey'>
<input type=submit name=submit value=submit>
</form>";
}
?>

leatherback

hairulazami wrote:
But some of CAPTCHA image code, cannot stop a lot of spam, cause my comment form always get spam terror every time. So how about random code, then we register it into a session.

ehmm.. yes.. the idea is that you place the code in the captcha imiage in a session.. how did you do it when you had high spam volumes??

hairulazami

well, I just try it into a little bit volume of comment. 😃

but in my forum, I got a high spam volumes, the problem is, captcha image cannot handle it, how about you ?

leatherback

If your captcha does not get 95% of the spam, you must be doing something wrong. 😃 I do know that some of the more popular forums have been hacked and people have written code to autopost on those. By just slightly modifying the signup & submit procedures you can massively reduce spam volumes.

hairulazami

hmm... o'right the sound is interest to modifying register form.