  1. #1
    Regular Coder Masterslave's Avatar
    Join Date
    Dec 2005
    Posts
    287
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Check for characters that are not allowed

    Hi all,

    I've made a guestbook with PHP.
    Some spammers put some text in the field and I get some sex ads in my guestbook that I don't want.
    I want to stop this by making a reg.expr. that checks for characters that are not allowed.
    These are "<" ">" "[" "]".
    I've chosen these because the spammers use HTML and BB-code tags.

    Can anyone tell me how to make this?
    My reg.expr skills aren't that good....

    Can I do this with preg_match or ereg?

    PHP part guestbook.php
    PHP Code:
    session_start();
    if ($_SERVER["REQUEST_METHOD"] == "GET")
    {
        // Remember that the form was served in this session; the POST handler
        // below refuses submissions that did not start from the form.
        $_SESSION["guestbook"] = true;
    }

    MySQL:
    PHP Code:
    if (isset($_SESSION["guestbook"]))
    {
        if (isset($_POST['submit']))
        {
            // Reject an empty name or message. trim() first, then test for an
            // empty string (the original trim(empty(...)) tested a boolean).
            if (trim($_POST['name']) == '' || trim($_POST['content']) == '')
            {
                $error = "<br /><strong>Je dient je naam en bericht op te geven om een bericht te plaatsen.</strong>";
            }
            else
            {
                // Build the INSERT; every value is escaped before it is put into the SQL string.
                $commentInsert = "INSERT INTO $guestbooktable
                                      (name, email, website, content, ip, host)
                                  VALUES
                                      ('" . mysql_real_escape_string($_POST['name']) . "',
                                       '" . mysql_real_escape_string($_POST['email']) . "',
                                       '" . mysql_real_escape_string($_POST['website']) . "',
                                       '" . mysql_real_escape_string($_POST['content']) . "',
                                       '" . mysql_real_escape_string($_POST['ip']) . "',
                                       '" . mysql_real_escape_string($_POST['host']) . "')";
                $result = mysql_query($commentInsert) or die(mysql_error());
                header("Location: guestbook.php");
            }
        }
    }
    else
    {
        die();
    }
    Thanks for your help.

  • #2
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    Have you tried the strip_tags() function?

    The BB Code is something you'd have to put effort into activating, so it should be easy to disable (sounds like you're using a canned script).

    Other things you can try are keeping track of the IPs of the spammers and blacklisting those IPs, and adding some sort of captcha to your form.

  • #3
    Regular Coder Masterslave's Avatar
    Join Date
    Dec 2005
    Posts
    287
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Fumigator View Post
    Have you tried the strip_tags() function?

    The BB Code is something you'd have to put effort into activating, so it should be easy to disable (sounds like you're using a canned script).

    Other things you can try are keeping track of the IPs of the spammers and blacklisting those IPs, and adding some sort of captcha to your form.
    Thanks for your reply. Maybe I wasn't clear in my start post, but when a user enters an invalid character the text should NOT be inserted in the database.
    Thus, strip_tags does strip the tags but inserts the rest of the text into the database.

    What's a canned script?
    Last edited by Masterslave; 02-26-2007 at 08:05 PM.

  • #4
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    Ah, so you want to disallow the entire message if someone tries to insert a tag. In that case you can compare the result of strip_tags() to the original string and, if they are different, don't insert into the table; print a nasty message instead.

  • #5
    Regular Coder Masterslave's Avatar
    Join Date
    Dec 2005
    Posts
    287
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Ok, that's a good one.
    So I have to compare $_POST['content'] with the variable that holds the already stripped content. If they are equal then insert, else die() or something like that.

    Am I correct?

    Edit:
    Does strip_tags also strip the "[" and "]"?
    Last edited by Masterslave; 02-26-2007 at 10:11 PM.
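    The check discussed in this thread, written out as an added example (not the original poster's code and not a reply from the thread). It combines the strip_tags() comparison from post #4 with the preg_match() character check asked for in post #1, and it answers the question in post #5: strip_tags() only removes HTML-style tags, it leaves "[" and "]" untouched, so BB-code has to be caught by the regular expression. It assumes PHP 7 or later, the same $_POST fields as guestbook.php, the $guestbooktable name from the thread, and a PDO connection in $pdo (an assumption; the thread's own code uses the old mysql_* functions, which later PHP versions no longer have).

```php
<?php
// Added example; not the original poster's code. Assumes PHP 7 or later,
// the $_POST fields of guestbook.php, the $guestbooktable name from the
// thread, and a PDO connection in $pdo (assumption: the thread uses mysql_*).

// True when $text contains neither HTML tags nor the bracket characters
// used by BB-code. The strip_tags() comparison is the check post #4
// describes; the character class adds "[" and "]", which strip_tags()
// leaves alone, and makes the rejected set explicit.
function isMarkupFree(string $text): bool
{
    // If stripping changes the string, something in it looked like a tag.
    if (strip_tags($text) !== $text) {
        return false;
    }
    // Any of < > [ ] is disallowed. preg_match() returns 1 for a match,
    // 0 for no match and false on a pattern error, so compare strictly to 0.
    return preg_match('/[<>\[\]]/', $text) === 0;
}

// Validates a submission and returns the list of problems (empty array = OK).
function validateGuestbookPost(array $post): array
{
    $errors = [];
    // Same required-field rule as the thread's code, with trim() applied first.
    if (trim($post['name'] ?? '') === '' || trim($post['content'] ?? '') === '') {
        $errors[] = 'Name and message are required.';
    }
    foreach (['name', 'email', 'website', 'content'] as $field) {
        if (!isMarkupFree($post[$field] ?? '')) {
            $errors[] = "The $field field contains characters that are not allowed.";
        }
    }
    return $errors;
}

// Usage inside the POST handler of guestbook.php.
$errors = validateGuestbookPost($_POST);
if ($errors !== []) {
    // Reject the whole message, as the thread wants, instead of storing a cleaned copy.
    http_response_code(400);
    echo htmlspecialchars(implode(' ', $errors), ENT_QUOTES, 'UTF-8');
    exit;
}

// Prepared statement instead of a string-built INSERT: the values travel
// separately from the SQL text, so they no longer need escaping by hand.
// ip and host are taken from the server, not from form fields the client fills in.
$ip = $_SERVER['REMOTE_ADDR'];
$stmt = $pdo->prepare(
    "INSERT INTO $guestbooktable (name, email, website, content, ip, host)
     VALUES (?, ?, ?, ?, ?, ?)"
);
$stmt->execute([
    $_POST['name'], $_POST['email'], $_POST['website'], $_POST['content'],
    $ip, gethostbyaddr($ip),
]);
header('Location: guestbook.php');
exit;
```

    The input check decides whether a message is stored at all; it does not replace escaping on the way out. When the guestbook prints stored entries, run them through htmlspecialchars() as well, so that older rows or entries that reached the table by another path cannot inject markup into the page.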

  • #6
    Regular Coder Masterslave's Avatar
    Join Date
    Dec 2005
    Posts
    287
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Sorry for my late reaction, I was busy the last 3 days.
    Anyway, it is working now.
    The "[" and "]" are allowed at the moment.
    The spammers often use HTML tags and BB-code together in one message, so it won't post.
    Thanks for your help, Fumigator.

  • #7
    New to the CF scene
    Join Date
    Jan 2007
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    list of Apache Request Methods

    Sometimes on my blog I get spammers who first try to access the URI using a random REQUEST_METHOD, mostly OPTIONS and HEAD.

    You might look into blocking certain request methods.
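    An added example of the method check post #7 suggests, done in PHP at the top of guestbook.php (this is not code from the thread). The allowed set {GET, POST} is an assumption: it is what the guestbook form itself needs. The rejected request is logged with its source address, which ties in with the IP blacklisting idea from post #2.

```php
<?php
// Added example; not from the thread. Assumes it runs at the top of
// guestbook.php before session_start(). The allowed set is an assumption.

// True when $method is one of the methods the guestbook actually serves.
function isAllowedMethod(string $method, array $allowed = ['GET', 'POST']): bool
{
    return in_array(strtoupper($method), $allowed, true);
}

$method = $_SERVER['REQUEST_METHOD'] ?? '';
if (!isAllowedMethod($method)) {
    // 405 tells the client which methods are accepted. Logging the probe
    // makes repeat sources visible so they can be blacklisted later.
    header('Allow: GET, POST');
    http_response_code(405);
    error_log(sprintf(
        'guestbook: rejected method %s from %s',
        $method === '' ? '?' : $method,
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));
    exit;
}
```

    Two caveats before copying this: HEAD is used by legitimate clients (link checkers, caches), so rejecting it can cause real breakage, and the web server is the more robust place for this rule, since it then applies before any script runs; in Apache the same restriction is expressed with a <LimitExcept GET POST> block in the site or directory configuration.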

