  1. #1
    New to the CF scene
    Join Date
    May 2014
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Pass parameter to PHP then use if statement

    Hi

    I am running a community organisation website and we get hit with heaps of spam from one or two particular IP addresses.

    The spam seems to come through a form that creates membership renewals and I'd like to prevent those IP addresses from submitting forms.

    The PHP that I have runs a form in HTML - gets the data - checks some validation rules, then sends an email and writes to a MySQL table.

    I tried to code the PHP so that I could prevent certain IP addresses from being processed in the mail object with:

    if($ip !='188.143.232.230' && $ip !='188.143.232.111')

    {

    mail($email_to, $email_subject, $email_content);
    }

    To me this should prevent those IP addresses from accessing the mail function, but it doesn't work. I'm not very good at PHP - the code I have used is a mixture of things that I pieced together from the web.

    Can I ask:
    1. is there a good way to prevent an IP address, or is it better to say something like "if($ip !contain '188.143')"?
    2. where should I put the statement that prevents the IP from sending the mail, and also if I want to prevent it from accessing the MySQL files?

    Thanks so much

    doug



    here's the code that I use:

    <?php

    // Set email variables
    $email_to = 'myemail.com.au';

    $email_subject = 'Membership renewal request website';

    // capture IP variable
    $ip=$_SERVER['REMOTE_ADDR'];

    // Set required fields
    $required_fields = array('fullname','member_type','email');

    // set error messages
    $error_messages = array(
    'fullname' => 'Please enter your name to proceed.',
    'member_type' => 'Please choose a membership type.',
    'email' => 'Please enter your email address to continue.',
    );

    // Set form status
    $form_complete = FALSE;

    // configure validation array
    $validation = array();

    // check form submittal
    if(!empty($_POST)) {
    // Sanitise POST array
    foreach($_POST as $key => $value) $_POST[$key] = remove_email_injection(trim($value));

    // Loop into required fields and make sure they match our needs
    foreach($required_fields as $field) {
    // has the field been submitted? if not, record it and skip the remaining checks
    if(!array_key_exists($field, $_POST)) { array_push($validation, $field); continue; }

    // check there is information in the field
    if($_POST[$field] == '') array_push($validation, $field);

    // validate the email address supplied
    if($field == 'email' && !validate_email_address($_POST[$field])) array_push($validation, $field);
    }

    // basic validation result
    if(count($validation) == 0) {
    // Prepare our content string
    $email_content = 'Membership renewal request: ' . "\n\n";

    // simple email content
    foreach($_POST as $key => $value) {
    if($key != 'submit') $email_content .= $key . ': ' . $value . "\n";
    }

    // if validation passed ok then send the email

    // prevent renewals from ip "188.143.232.230"
    if($ip !='188.143.232.230' && $ip !='188.143.232.111')

    {

    mail($email_to, $email_subject, $email_content);
    }


    ///////////////////////////////////////////////////////////////////////////////////////////////
    // maybe put the database code here too //
    ///////////////////////////////////////////////////////////////////////////////////////////////

    $con = mysql_connect("localhost","login","password");
    if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("membership", $con);

    $sql="INSERT INTO members (ID, Name, Email, Type, Date, IP)
    VALUES
    (' ','$_POST[fullname]', '$_POST[email]','$_POST[member_type]',CURDATE(),'$ip')";

    if (!mysql_query($sql,$con))
    {
    die('Error: ' . mysql_error());
    }
    // echo "1 record added";

    mysql_close($con);

    ///////////////////////////////////////////////////////////////////////////////////////////////
    // end database code //
    ///////////////////////////////////////////////////////////////////////////////////////////////

    // Update form switch
    $form_complete = TRUE;
    }
    }

    function validate_email_address($email = FALSE) {
    return (preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $email))? TRUE : FALSE;
    }

    function remove_email_injection($field = FALSE) {
    return (str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:"), '', $field));
    }

    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>The Association</title>
    <link href="contact/css/contactForm.css" rel="stylesheet" type="text/css" />
    <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/mootools/1.3.0/mootools-yui-compressed.js"></script>
    <script type="text/javascript" src="contact/validation/evalidation.js"></script>

    <!-- changed the javascript file to evalidation for this form -->


    <script type="text/javascript">
    var nameError = '<?php echo $error_messages['fullname']; ?>';
    var member_typeError = '<?php echo $error_messages['member_type']; ?>';
    var emailError = '<?php echo $error_messages['email']; ?>';

    function MM_preloadImages() { //v3.0
    var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
    }
    </script>

    <link href="styles/styles.css" rel="stylesheet" type="text/css" />
    <link href="SpryAssets/SpryMenuBarHorizontal.css" rel="stylesheet" type="text/css" />
    </head>
    <body>

    <div id ="outerWrapper">
    <div id="contentWrapper">
    <div id ="content">
    <div id="formWrap">
    <pre class="thanks">
    Membership Renewal System</pre>
    <div id="form">
    <?php if($form_complete === FALSE): ?>

    <!-- change the line below to reflect the name of this php file -->

    <form action="renew_membership.php" method="post" id="events_form">

    <!-- ------------------------this part has the input for the person's name --------------------------- -->

    <div class="row">
    <div class="label">Your name</div> <!-- end .label -->
    <div class="input">
    <input type="text" id="fullname" class="detail" name="fullname"
    value="<?php echo isset($_POST['fullname']) ? htmlspecialchars($_POST['fullname']) : ''; ?>" />
    <?php if(in_array('fullname', $validation)): ?><span class="error"><?php echo $error_messages['fullname']; ?></span><?php endif; ?>
    </div> <!-- end .input -->
    <div class="context">e.g. John Doe or Jane Smith </div> <!-- end .context -->
    </div> <!-- end .row -->

    <!-- ----------------------------------end of input for name ---------------------------------------- -->

    <!-- ---------------------------This part contains the input for email address ----------------------- -->

    <div class="row">
    <div class="label">Your email address</div> <!-- end .label -->
    <div class="input">
    <input type="text" id="email" class="detail" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''; ?>" />
    <?php if(in_array('email', $validation)): ?><span class="error"><?php echo $error_messages['email']; ?></span><?php endif; ?>
    </div> <!-- end .input -->
    <div class="context">We will not share your email address or send you unwanted messages. </div> <!-- end .context -->
    </div> <!-- end .row -->

    <!-- --------------------------------end of input for email ---------------------------------------------- -->

    <!-- ---------------------------This part has the drop down for type ----------------------------------------- -->

    <div class="row">
    <div class="label">Type of membership</div> <!-- end .label -->
    <div class="input">
    <select name="member_type" style="width:276px;" id="member_type" class="detail">
    <option value="">Select membership type...</option>
    <option value="Family">Family membership ($15)</option>
    <option value="Single">Single membership ($10)</option>
    </select>
    <?php if(in_array('member_type', $validation)): ?><span class="error">
    <?php echo $error_messages['member_type']; ?></span><?php endif; ?>
    </div> <!-- end .input -->
    <div class="context">Please choose from the list.</div> <!-- end .context -->
    </div> <!-- end .row -->

    <!-- ---------------------------end of drop down for type ------------------------------------------------------- -->

    <!-- this part has the hidden ip capture -->

    <input type="hidden" name="ip" value="<?php echo htmlspecialchars($_SERVER['REMOTE_ADDR']); ?>" />

    <!-- end of ip capture -->


    <!-- --------------------------This part has the submit button ------------------------------------------------ -->

    <div class="submit">
    <input type="submit" id="submit" name="submit" value="Submit" />
    </div>
    <!-- end of class and .submit -->

    <!-- ------------------------------end of submit button ----------------------------------------------------- -->


    </form>
    <?php else: ?>
    <p class="thanks">Thank you for your renewal request.</p>
    <h2>We will contact you by email to provide further details about payment.</h2>
    <script type="text/javascript">
    setTimeout(ourRedirect, 5000);
    function ourRedirect() {
    location.href = 'index.html';
    }
    </script>

    <?php endif; ?>

    </div> <!-- end form div -->



    </div><!-- end formWrap div --> </div>
    </div>
    </div>
    </body>
    </html>

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,512
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    The last question in your form, ask a question like "What animal says 'moo' ?"
    Then have 3 options, where 'cow' is the 2nd choice. When you process the form, if 'cow' is not selected, cancel the email.

    This will answer the question of whether or not the spamming is from humans or robots. I have a hunch your spam will stop because robots won't pick the 2nd option. Only humans will pick 'cow'.
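
    Added example, not code from either poster: a server-side gate that combines the two checks discussed so far, the IP block list from post #1 (including the "188.143" prefix match the original question asked about) and the "what animal says moo" question from post #2. The addresses, the form field name `animal` and the function names are assumptions made for illustration.

    ```php
    <?php
    // Block list: exact addresses and CIDR ranges. "188.143.0.0/16" covers the whole
    // 188.143.* range; the two exact entries are the ones from the original post.
    $blocked = array('188.143.232.230', '188.143.232.111', '188.143.0.0/16');

    // True when $ip is listed exactly or is an IPv4 address inside a listed CIDR range.
    // Non-IPv4 addresses (e.g. IPv6) are only matched exactly, so they are not blocked by accident.
    function ip_is_blocked($ip, array $blocked) {
        $addr = ip2long($ip);
        foreach ($blocked as $entry) {
            if (strpos($entry, '/') === false) {
                if ($ip === $entry) return true;
                continue;
            }
            if ($addr === false) continue;
            list($net, $bits) = explode('/', $entry, 2);
            $bits = (int)$bits;
            $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
            if ((ip2long($net) & $mask) === ($addr & $mask)) return true;
        }
        return false;
    }

    // The quiz from post #2: the form offers three <option>s and only 'cow' is accepted.
    // Assumed form field: <select name="animal"> with options "dog", "cow", "cat".
    function human_check_passed(array $post) {
        return isset($post['animal']) && $post['animal'] === 'cow';
    }

    // Run both checks before mail() and before the database insert. Use the server-side
    // REMOTE_ADDR, not the hidden "ip" form field: a sender can set that field to anything.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (ip_is_blocked($ip, $blocked) || !human_check_passed($_POST)) {
        // Log and drop quietly, so the sender cannot tell which check rejected the submission.
        error_log("renewal form rejected from $ip");
        exit;
    }
    // ... mail() and the INSERT go here, inside the existing count($validation) == 0 branch ...
    ```

    In the original script the place for this is just before the `mail()` call, so that a rejected submission neither sends the email nor reaches the database code that follows it.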

  • #3
    New to the CF scene
    Join Date
    May 2014
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hi

    Thanks for your response. I am not good enough at PhP to know how and where to do that in a form.

    Can you please give me an example and location in the form and I will try it.

    Thanks again

    Doug

  • #5
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,364
    Thanks
    61
    Thanked 530 Times in 517 Posts
    You urgently need to look into protecting your database insert query from injection. You're currently using $_POST values in your query string. This allows an attacker to directly input SQL commands from the form. You MUST change this urgently.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #6
    New to the CF scene
    Join Date
    May 2014
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks Tangoforce,

    Could you please give me an example of how to do this?

    Doug

  • #7
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,364
    Thanks
    61
    Thanked 530 Times in 517 Posts
    This:


    $sql="INSERT INTO members (ID, Name, Email, Type, Date, IP)
    VALUES
    (' ','$_POST[fullname]', '$_POST[email]','$_POST[member_type]',CURDATE(),'$ip')";

    You should do something like this instead:
    PHP Code:

    $Fullname = mysql_real_escape_string($_POST['fullname']);
    $Email = mysql_real_escape_string($_POST['email']);
    $MemType = mysql_real_escape_string($_POST['member_type']);
    $Ip = mysql_real_escape_string($ip);

    $sql="INSERT INTO members (ID, Name, Email, Type, Date, IP)
    VALUES
    (' ','$Fullname', '$Email','$MemType',CURDATE(),'$Ip')";

    mysql_real_escape_string() escapes any dangerous characters in a user's input. It isn't 100% hacker proof, but it's much better than providing data to the SQL directly from the user's input.

    You should look into using mysqli instead (note the i) as it is safer and you bind variables to placeholders in the SQL instead of putting the data in the SQL. The normal mysql is also being discontinued in PHP, so that's another reason to look into it; however, all the tutorials online still refer to it.
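
    Added example, not the replier's code: the thread's INSERT rewritten with mysqli and a prepared statement, the bound-placeholder approach post #7 recommends. The host, credentials and column names are taken from the original query; the `ID` column is assumed to be auto-increment and is left out, and the function name is an assumption.

    ```php
    <?php
    // Placeholder credentials copied from the original script; replace with real ones.
    $db = new mysqli('localhost', 'login', 'password', 'membership');
    if ($db->connect_error) {
        die('Could not connect: ' . $db->connect_error);
    }
    $db->set_charset('utf8mb4');

    // Inserts one renewal row and returns the new row id, or false if the insert fails.
    function insert_member(mysqli $db, $fullname, $email, $member_type, $ip) {
        // The SQL text contains only placeholders; CURDATE() stays in the SQL as before.
        $stmt = $db->prepare(
            'INSERT INTO members (Name, Email, Type, Date, IP) VALUES (?, ?, ?, CURDATE(), ?)'
        );
        if ($stmt === false) {
            return false;
        }
        // Values are sent separately from the query as strings: a quote, comment marker
        // or "OR 1=1" inside $fullname is stored as text and never parsed as SQL.
        $stmt->bind_param('ssss', $fullname, $email, $member_type, $ip);
        $ok = $stmt->execute();
        $id = $ok ? $stmt->insert_id : false;
        $stmt->close();
        return $id;
    }

    // Accept only the two membership types the form actually offers, not arbitrary text.
    $allowed_types = array('Family', 'Single');
    $member_type = isset($_POST['member_type']) && in_array($_POST['member_type'], $allowed_types, true)
        ? $_POST['member_type'] : null;
    if ($member_type === null) {
        die('Please choose a membership type.');
    }

    // Use the server-side address, as the original $ip variable already did.
    $id = insert_member($db, $_POST['fullname'], $_POST['email'], $member_type, $_SERVER['REMOTE_ADDR']);
    if ($id === false) {
        // Log the driver error for the site owner; do not echo it to the visitor.
        error_log('Insert failed: ' . $db->error);
    }
    $db->close();
    ```

    This replaces the block between the "maybe put the database code here too" and "end database code" comments in the original script; the escaping shown in post #7 is no longer needed once the values are bound.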

