Mike,
 
I 100% agree with 2 and 4. Before you know it someone is using this to
send spam without you having any clue it's happening.
 
I recently fixed the 'contact/feedback form' for a bunch of sites I
maintain by filtering out all posts containing any kind of http links.
Real users almost never post links (and if they do, they get a nice
message now); those bot posts almost always contain links (except the
kind that I think looks for contact forms exploitable for spamming).
 
This kind of form spamming seems to have got a lot worse over the last 2-3
months, and a lot of it went undetected by the spam filter.
 
Another option you might consider is using a CAPTCHA. But the filtering
method above was 10 minutes' work for me, plus 5 minutes to adapt/check each
site, and it seems to do the job.
 
regards,
 
Piet.

        -----Original Message-----
        From: php-list@yahoogroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Mike Brandonisio
        Sent: Wednesday 2 August 2006 14:29
        To: php-list@yahoogroups.com
        Subject: Re: [php-list] Preventing scripted form posts
        
        

        Hi Phill,
        
        Yes, I see. So a script that POSTs to itself can be made more secure
        than a 2-part script of form and script, since you can use PHP to
        set up the mechanism before the POST to test for. Thanks. I'll tinker
        with that.
        
        Also some comments on what may not be obvious to others in creating a
        secure script:

        1. Only allow the form to send limited data from the form to the
        form-POSTed email address.
        2. Better yet, do not send an email to the form-POSTed email address
        at all.
        3. Scrub all POST data for special characters like \n, \r, \0, and
        commas. You might even use something like htmlspecialchars() to
        convert things like <, >, ", ', and so on.
        4. Do not put the recipient email address as a hidden form input. Put
        it in the script.
        
        Sincerely,
        Mike
        --
        Mike Brandonisio          *    Web Hosting
        Tech One Illustration     *    Internet Marketing
        tel (630) 759-9283        *    e-Commerce
        [EMAIL PROTECTED]    *    http://www.jikometrix.net
        
             JIKOmetrix - Reliable web hosting
        
        
        On Aug 2, 2006, at 2:56 AM, Phill Sparks wrote:
        
        > Hi Mike
        >
        > This is quite an interesting problem that many people face. One issue
        > to be aware of is that often many people share the same public IP.
        > For example I am on NTL (in England) and all of my internet traffic is
        > routed through a local proxy by my ISP. What web servers see is the
        > IP address of the proxy, not the IP address of my house, or even my
        > machine.
        >
        > If you do wish to use this approach perhaps consider storing the
        > user's IP along with the time they visited; your scripts can then
        > easily delete any entries that are more than [some amount of time]
        > old. I would suggest that you might make an allowance for a time of 0
        > and exclude this from the delete query so that you can add a list of
        > IP addresses to block forever.
        >
        > Most scripts do not use cookies, and do not use the form itself (but
        > rather submit directly themselves). You can use this information to
        > your advantage. When the user visits your form generate a random
        > number (or if your site uses sessions use the session id) and add it
        > hidden to your form; at this point record somewhere that the user has
        > visited the form itself and when they visited. When they submit the
        > form check the database for your random number to find out a) if the
        > user visited the form itself and b) if/when the user last submitted
        > the form. This way scripts must use your form to submit data (rather
        > than submitting it directly).
        >
        > Hope this helps,
        >
        > Phill
        >
        > On 02/08/06, Mike Brandonisio <[EMAIL PROTECTED]> wrote:
        >>
        >> Hi,
        >>
        >> Does anyone have a good technique to prevent someone from hijacking
        >> my web form with a script and posting to it a zillion times. It's a
        >> form script that emails the form content. I've been able to prevent
        >> more than one email per post, but would also like to limit the number
        >> of posts per user IP per hour. Maybe I could write to a MySQL table
        >> and count the entries per hour from a given IP. So the table does not
        >> get full I could empty it daily.
        >>
        >>  Ideas?
        >>
        >>  Sincerely,
        >>  Mike
        >>  --
        >>  Mike Brandonisio * Web Hosting
        >>  Tech One Illustration * Internet Marketing
        >>  tel (630) 759-9283 * e-Commerce
        >>  [EMAIL PROTECTED] * http://www.jikometrix.net
        >>
        >>  JIKOmetrix - Reliable web hosting
        >>
        >>
        >
        >
        > Community email addresses:
        >   Post message: php-list@yahoogroups.com
        >   Subscribe:    [EMAIL PROTECTED]
        >   Unsubscribe:  [EMAIL PROTECTED]
        >   List owner:   [EMAIL PROTECTED]
        >
        > Shortcut URL to this page:
        >   http://groups.yahoo.com/group/php-list
        > Yahoo! Groups Links
[Non-text portions of this message have been removed]
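The pieces proposed in this thread fit together in one self-posting PHP contact form. The following is an added example, not code posted by Piet, Mike or Phill: it combines Phill's hidden random token recorded at form-view time (kept in the PHP session here rather than a database, so the session id is what ties view and submit together), Mike's points 3 and 4 (strip \r, \n and \0 from anything that goes into a mail header, and hard-code the recipient in the script), Mike's original per-IP-per-hour limit, and Piet's "reject posts containing links" rule (extended slightly to also catch bare www. addresses). The recipient address, the SQLite file path, the field names and the numeric limits are illustrative assumptions; it needs PHP 7 or later with the PDO SQLite driver.

```php
<?php
// Added example, not code from the php-list thread. Assumes PHP 7+ with
// PDO/SQLite; RECIPIENT, the database path and the limits are illustrative.
declare(strict_types=1);
session_start();

const RECIPIENT    = 'webmaster@example.com'; // hard-coded, never from the form (Mike, point 4)
const MIN_DWELL    = 3;    // seconds a human needs between viewing and submitting
const TOKEN_TTL    = 3600; // a token older than this is stale
const MAX_PER_HOUR = 5;    // submissions per source IP per hour

// Per-IP rate-limit store. As Phill notes, one public IP may be shared by many
// users behind an ISP proxy or NAT, so the limit is generous and the window short.
$db = new PDO('sqlite:' . __DIR__ . '/formlimit.sqlite');
$db->exec('CREATE TABLE IF NOT EXISTS posts (ip TEXT NOT NULL, ts INTEGER NOT NULL)');

function tooManyPosts(PDO $db, string $ip): bool {
    $db->prepare('DELETE FROM posts WHERE ts < ?')->execute([time() - 3600]); // expire old rows
    $q = $db->prepare('SELECT COUNT(*) FROM posts WHERE ip = ?');
    $q->execute([$ip]);
    return (int)$q->fetchColumn() >= MAX_PER_HOUR;
}

function recordPost(PDO $db, string $ip): void {
    $db->prepare('INSERT INTO posts (ip, ts) VALUES (?, ?)')->execute([$ip, time()]);
}

// Header fields: strip CR, LF and NUL so a posted value cannot append extra
// mail headers (Bcc:, a second To:) to the message (Mike, point 3).
function headerSafe(string $s): string {
    return trim(str_replace(["\r", "\n", "\0"], '', $s));
}

// Piet's heuristic: real users almost never post links, bots almost always do.
function containsLink(string $s): bool {
    return (bool)preg_match('~https?://|www\.~i', $s);
}

// Phill's check, part 1: on every view of the form, issue a random token and
// record when it was issued.
function issueToken(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Phill's check, part 2: the poster must have fetched the form (token present),
// not too long ago (TTL) and not instantly (dwell time, a human fills in fields).
function tokenValid(?string $posted): bool {
    $t = $_SESSION['form_token'] ?? null;
    if ($t === null || !is_string($posted)) {
        return false;
    }
    $age = time() - $t['issued'];
    return hash_equals($t['value'], $posted) && $age >= MIN_DWELL && $age <= TOKEN_TTL;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ip   = $_SERVER['REMOTE_ADDR'];
    $name = headerSafe($_POST['name'] ?? '');
    $from = headerSafe($_POST['email'] ?? '');
    $body = (string)($_POST['message'] ?? '');

    if (!tokenValid($_POST['token'] ?? null)) {
        $errors[] = 'Please load the form and try again.';
    } elseif (tooManyPosts($db, $ip)) {
        $errors[] = 'Too many messages from your address; please try later.';
    } elseif (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Please give a valid e-mail address.';
    } elseif (containsLink($body) || containsLink($name)) {
        $errors[] = 'Links are not accepted in this form.';
    }

    if (!$errors) {
        unset($_SESSION['form_token']); // one submission per token
        recordPost($db, $ip);
        // The mail goes only to the hard-coded recipient; the poster's address
        // appears in Reply-To, never as the destination (Mike, points 1 and 2).
        $headers = 'From: ' . RECIPIENT . "\r\nReply-To: $from\r\nContent-Type: text/plain; charset=UTF-8";
        $text    = "Name: $name\nE-mail: $from\nIP: $ip\n\n" . wordwrap($body, 70);
        mail(RECIPIENT, 'Contact form: ' . substr($name, 0, 60), $text, $headers);
        echo '<p>Thanks, your message was sent.</p>';
        exit;
    }
}
$token = issueToken();
?>
<form method="post" action="">
<?php foreach ($errors as $e) { echo '<p class="error">' . htmlspecialchars($e) . '</p>'; } ?>
  <input type="hidden" name="token" value="<?= $token ?>">
  <label>Name <input name="name" value="<?= htmlspecialchars($_POST['name'] ?? '') ?>"></label>
  <label>E-mail <input name="email" value="<?= htmlspecialchars($_POST['email'] ?? '') ?>"></label>
  <label>Message <textarea name="message"><?= htmlspecialchars($_POST['message'] ?? '') ?></textarea></label>
  <button type="submit">Send</button>
</form>
```

A script that POSTs directly without first fetching the form has no session token and is rejected before anything is counted or sent; a script that does fetch the form still has to wait MIN_DWELL seconds and is then throttled per IP. The dwell-time and link checks are heuristics, so the error messages tell a genuine user what to change rather than silently dropping the post, which is the behaviour Piet describes.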