A feedback form on my website (http://www.ldbsa.co.uk) has started getting spam. I would therefore like to add some security to the feedback form to prevent this.
What I'd like to do is have a PHP script that I can include in the form page which generates a "captcha" image that the user has to enter the auto generated text characters into a form field before being allowed to submit the form.
I've found various incarnations of this, but have been unable to get it to work with my form. The HTML page is http://www.ldbsa.co.uk/feedback.php, and the sendmail.php code is as follows:
| Code: |
<?php
$contactname = $_REQUEST['contactname'] ;
$email = $_REQUEST['email'] ;
$email2 = 'me@domain.co.uk' ;
$club = $_REQUEST['club'] ;
$query = $_REQUEST['query'] ;
$comments = $_REQUEST['comments'] ;
if (!isset($_REQUEST['email'])) {
header( "Location: http://www.ldbsa.co.uk/feedback.php" );
}
elseif (empty($email) || empty($club) || empty($query) || empty($comments) || empty($contactname)) {
echo '
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=shift_jis" />
<title>Leamington and District Billiards and Snooker Association - Feedback Form Error</title>
<link rel="stylesheet" type="text/css" href="css/css_main.css" />
</head>
<body>
<div id="header">
<?php include "includes/header.php";?>
</div>
<div id="sponsors">
<?php include "sponsors.php";?>
</div>
<div id="wrapper">
<div class="leftMenu">
<?php include "includes/nav.php";?>
</div>
<div class="content">
<h1>ERROR</h1>
<p>Not all fields have been filled in. Please try again.</p>
<p><a href="feedback.php"><< Back to form</a>
</div>
<div class="rightMenu">
<?php include "includes/right.php";?>
</div>
</div>
<div id="footer">
<?php include "includes/footer.php";?>
</div>
</body>
</html>
';
}
else {
mail( "$email, $email2", "Thank you for your feedback/questions",
"Leamington and District Billiards and Snooker Association", "Thank you for your e-mail. We will be in touch soon.\n\nHere are the details of the message you sent:\n\n------------------------------------------------------------\n\nName: $contactname\n\nE-Mail Address: $email\n\nYour club: $club\n\nYour query was regarding: $query\n\nComments/Questions: $comments.\n\n------------------------------------------------------------\n\nMany thanks once again.\n\nKind regards\n\nLDBSA Committee") ;
header( "Location: http://www.ldbsa.co.uk/thanks.php" );
}
?>
|
Is anybody able to help at all? What I would do is the following.
1) Verification images. Display a random image and the user must input it correct for the mail to send.
2) Insert IP into database and only let them send 3 messages in a week or something.
I will soon be adding the verification image tutorial to my website but look at the following.
http://www.php-mysql-tutorial.com/user-authentication/image-verification.php What DanielXP said are great ideas, image verification, and preventing one ip from sending to much mail.
Also, you could add a check for one e-mail being able to send to much mail.
Or make it so the ip address or email has to wait like 10 seconds before each send, usually bots send as much as they can within seconds, so preventing them from sending for another ten seconds will reduce it a lot.
Thanks guys. I'm pretty new to PHP. Do you have an example I can use with my code above? What I'd like to do I think is to stop any IP address from sending more than three e-mails in say 30 seconds. The reason I say three is that with the form, I have it sending to the sender, then to my e-mail address, and to a colleagues e-mail as well. So with every submission, three e-mails need to be sent.
Before two months I am creating one simple SPAM protection with sessions (without image) and I didn't get any spam in this two months. Maybe you can insert SPAM part in your code. Here is full mail script.
http://www.frihost.com/users/sonam/blog/vp-83950.html
Sonam | welshsteve wrote: |
| Thanks guys. I'm pretty new to PHP. Do you have an example I can use with my code above? What I'd like to do I think is to stop any IP address from sending more than three e-mails in say 30 seconds. The reason I say three is that with the form, I have it sending to the sender, then to my e-mail address, and to a colleagues e-mail as well. So with every submission, three e-mails need to be sent. |
Well you could use cookies. I am unaware how you use cookies though, so you may have to do some googling to find out. You can make the cookies store the amount, and if the cookie says that it is 3 or greator then it will display a message. The only problem is that the user is able to delete the cookie. Sessions may work as well. | welshsteve wrote: |
| Thanks guys. I'm pretty new to PHP. Do you have an example I can use with my code above? What I'd like to do I think is to stop any IP address from sending more than three e-mails in say 30 seconds. The reason I say three is that with the form, I have it sending to the sender, then to my e-mail address, and to a colleagues e-mail as well. So with every submission, three e-mails need to be sent. |
Well, I used a similar system for spam protection for one of my scripts.
While you could use Cookies, they can be prevented from being stored, so it's not the best.
What I did, is stored the ip and the time and date into a MySQL table, and checked the current ip and time against that, and it is within whatever time, then you don't allow the page to go through, with three, that will be easy, just store which one it is sending to, and if you can't find it, you allow it to go through.
You could also (although I am not familiar with how to do it) after a minute or so, have the variable just expire, that way you won't be wasting lots of space by continually adding rows to the database that you will never look at after 30 seconds.
I have the code, and can post it, maybe a little later, although it is a bit messy 
from my younger days 
Changing your IP address is too easy, and so is removing cookies. Using a captcha is the only failsafe way to stop automated spam. The captcha doesn't need to be a hard one, perhaps just text (no distortion) will be enough, and it is really easy to make such a captcha. There are also good captcha generation functions available on the web, just use google 
Thanks everyone, I will read over these posts and report back when I've tried stuff.
| Arno v. Lumig wrote: |
| Changing your IP address is too easy, and so is removing cookies. Using a captcha is the only failsafe way to stop automated spam. The captcha doesn't need to be a hard one, perhaps just text (no distortion) will be enough, and it is really easy to make such a captcha. There are also good captcha generation functions available on the web, just use google |
no need to use google
just make a randomnizer and put all the images | mahirharoon wrote: |
| Arno v. Lumig wrote: | | Changing your IP address is too easy, and so is removing cookies. Using a captcha is the only failsafe way to stop automated spam. The captcha doesn't need to be a hard one, perhaps just text (no distortion) will be enough, and it is really easy to make such a captcha. There are also good captcha generation functions available on the web, just use google |
no need to use google
just make a randomnizer and put all the images |
yes I would agree, its very easyly done | flatliner wrote: |
| mahirharoon wrote: | | Arno v. Lumig wrote: | | Changing your IP address is too easy, and so is removing cookies. Using a captcha is the only failsafe way to stop automated spam. The captcha doesn't need to be a hard one, perhaps just text (no distortion) will be enough, and it is really easy to make such a captcha. There are also good captcha generation functions available on the web, just use google |
no need to use google
just make a randomnizer and put all the images |
yes I would agree, its very easyly done |
That it is easy doesn't mean that anyone can do it. If I didn't have any experience with the GD library I probably wouldn't bother creating my own captcha-script.Another way to do this would be to time how long it takes between the page loading and the submission. A spam bot will be almost instantaneous because it's computerised whereas a human will take at least a few seconds to type something. So, if it takes less than a second for the message to be submitted either ignore it or display an error page.
You can do this by adding a hidden field to your forum which PHP will populate with the current time when the form loads. Then the form's target page can compare this to the current time and act appropriately.
This is a simple way make up several images all the same size. Use a randomizing script to pick the image. Record in a database what the image says. If the two match the reader is a human. If they don't match have them try again with a different image.
| JediPad wrote: |
| This is a simple way make up several images all the same size. Use a randomizing script to pick the image. Record in a database what the image says. If the two match the reader is a human. If they don't match have them try again with a different image. |
This sounds interesting. Do you have an example I can use?I can make one today and I will post the code later.
An easy way is to change the names of the input tags. If the email field has the name "name" the spambot will most likely put a name instead of an email address and if you validate you will see that it's not an valid name and no. I have found this very useful against spambots.
| JediPad wrote: |
| I can make one today and I will post the code later. |
Thanks, that would be greatly appreciated. I will award you with 100 Frih$ 
