Forum Moderators: coopster
I built a site for a client with a PHP-driven guestbook. Some unknown party (or parties) is pouring very strange URL strings (real long ones!) into this guestbook, which the site owner is having to take out. I built a CMS system for the site owner as well, so it's easy to extract, but it's a pain to be a constant watchdog guarding against such activities.
So, yes, I do have to revisit the code and do something to prevent this type of content being submitted into my client's guestbook, but the real reason for my question is: why would someone do this? These URLs point to stuff like cheap cigarettes, Viagra, MBA diplomas and other strange stuff.
By doing this, is the perpetrator somehow benefiting by driving traffic to the sites these URLs point to?
Would be interested in any enlightenment on the "why's" of this kind of activity.
Thanks to all in advance,
Neophyte
Nowadays it's a bit more complicated but links to a site still count in the equation somewhere.
The submissions are usually automated and once your site is on their list you can expect the submissions to increase.
Large sites try to combat this by showing you a random word when submitting data and asking you to enter it. That is something the automated systems have trouble doing (but it's not foolproof). This method would probably work on your site but may be a bit of overkill.
You could check any submissions for anything that looks like a link (http:// or www., etc.) and stop them from showing.
You could ask for an email address when somebody is posting and get them to confirm the address by sending them a link to a page that confirms their existence before letting any comment go live.
You could couple this with an email to the site owner showing the comment and letting them decide whether to show it on the site or just to ignore it.
In the end though, anywhere that you allow people to interact with your site is subject to these problems. Forums, guestbooks, reviews etc all are prone to this type of stuff.
Good luck.
They are attempting to break the guestbook, and use it as a mail forwarder for spamming.
There are several drop-in PHP guestbooks which fail when a long enough string is passed to unchecked fields, and thereafter can be used as a relay for spam.
My suggestion is that you validate the strings in JavaScript, then in PHP prior to passing them to your mail system.
What's scary is if this is being done "automatically".
If I write a validation script that checks for "http://" or "www" and, when caught, disallows entries that contain these strings, would that be my best defense against this type of attack?
I want to fix this vulnerability but I don't want to go overboard.
Neophyte
The procedure I use is this:
1: user enters comments.
2: comments enter into database with a "show_field" set to 0
3: email is sent to site owner showing the full comment
4: owner can click on link in email to set the DB "show_field" to 1
5: comment is shown on the site.
If the record's "show_field" is not '1' then the comment will not show on the site.
If you want to check for somebody trying to use your form to send spam emails then you could check for "MIME-Version" that should be present before actioning the comment.
Collect all your variables together and check like:
// eregi() was removed in PHP 7; preg_match() with the /i flag does the same case-insensitive test
if (preg_match('/MIME-Version:/i', $_POST['guestbook_name'] . $_POST['guestbook_comment'] . $_POST['anything_else']))
{
    die('<p>Error - There seems to have been a problem with your entry</p>');
}
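The moderation queue and the mail-header check described above, as an added example rather than code from the thread. It keeps every entry hidden (show_field = 0) until the owner approves it, and it rejects input that carries injected mail headers before anything reaches mail(). The approval link carries a random token rather than a bare row id, because a spammer who can guess ids could otherwise approve their own post. The table name, column names, owner address, approve URL and database DSN are all assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table/column names, the owner
// address, the approve URL and the DSN are assumptions for illustration.

const OWNER_EMAIL = 'owner@example.com';                // assumed
const APPROVE_URL = 'https://example.com/approve.php';  // assumed
const SITE_SENDER = 'guestbook@example.com';            // fixed From:, never user input

// A mail-header injection has to start a new header line, so a CR or LF in any
// single-line field (name, email, subject) is the real tell. The comment body
// may legitimately contain newlines, so there we look for lines that begin like
// a header instead of rejecting every line break.
function has_header_injection(array $singleLineFields, string $body): bool
{
    foreach ($singleLineFields as $value) {
        if (preg_match('/[\r\n]/', $value) || preg_match('/%0[ad]/i', $value)) {
            return true;
        }
    }
    return (bool) preg_match(
        '/^\s*(MIME-Version|Content-Type|Content-Transfer-Encoding|Bcc|Cc|To|From)\s*:/im',
        $body
    );
}

// Store the entry hidden and attach an unguessable approval token.
function queue_comment(PDO $db, string $name, string $comment): string
{
    $token = bin2hex(random_bytes(16));
    $stmt  = $db->prepare(
        'INSERT INTO guestbook (name, comment, show_field, approve_token) VALUES (?, ?, 0, ?)'
    );
    $stmt->execute([$name, $comment, $token]);
    return $token;
}

// Notify the owner. User data goes only into the body; every header is fixed.
function notify_owner(string $name, string $comment, string $token): bool
{
    $link = APPROVE_URL . '?token=' . urlencode($token);
    $body = "New guestbook entry awaiting approval.\n\n"
          . "Name: " . $name . "\n"
          . "Comment:\n" . $comment . "\n\n"
          . "Approve: " . $link . "\n";
    $headers = 'From: ' . SITE_SENDER . "\r\nContent-Type: text/plain; charset=UTF-8";
    return mail(OWNER_EMAIL, 'Guestbook entry awaiting approval', $body, $headers);
}

// approve.php would call this with $_GET['token']: show_field is flipped only
// for a still-hidden row whose token matches exactly, and the token is burned.
function approve_comment(PDO $db, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE guestbook SET show_field = 1, approve_token = NULL
          WHERE approve_token = ? AND show_field = 0'
    );
    $stmt->execute([$token]);
    return $stmt->rowCount() === 1;
}

// add.php flow: length limits first, then the header check, then the queue.
$db      = new PDO('sqlite:guestbook.sqlite');   // assumed DSN; table must already exist
$name    = trim($_POST['guestbook_name'] ?? '');
$comment = trim($_POST['guestbook_comment'] ?? '');

if ($name === '' || $comment === '' || strlen($name) > 80 || strlen($comment) > 2000) {
    die('<p>Error - please fill in a name and a comment of reasonable length.</p>');
}
if (has_header_injection([$name], $comment)) {
    die('<p>Error - There seems to have been a problem with your entry.</p>');
}
$token = queue_comment($db, $name, $comment);
notify_owner($name, $comment, $token);
echo '<p>Thanks - your entry will appear once the site owner has approved it.</p>';
```

The public listing page then selects only rows with show_field = 1, so nothing a bot submits is ever rendered without a human click. Because the comment text is placed in the mail body rather than in any header, a "MIME-Version:" line inside it is harmless there; the check exists to keep such input out of the database and to stop abuse of any other script that might pass the same fields to mail() headers.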
First, in your form, create a random value and store it in a session variable $_SESSION['random']. On the form, make the end user put that random value into a text form field <input type="text" name="random">
Then, in your "add" file, see if the posted form value matches the session variable:
session_start();
$matchvalue = isset($_SESSION['random']) ? $_SESSION['random'] : '';
$_SESSION['random'] = '';   // one-time use: clear it so the same value cannot be replayed
$random = isset($_POST['random']) ? $_POST['random'] : '';
// strict comparison, and an empty session value must never match an empty post
if ($matchvalue !== '' && $matchvalue === $random)
{
    //...add to guestbook
}
This worked like a charm for me!
(code was cut-n-paste! please validate it)
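The same session-held random value, written out as an added example (not the poster's code) with the details that make it hold up: the value comes from random_bytes(), it is minted fresh on every form render, it expires after a short window, the session copy is cleared before the comparison so a second POST with the same value fails, and the comparison uses hash_equals(). Note that a script which loads the form before posting can simply read the displayed value back, so this defeats submitters that POST straight at the add script with a missing, stale or guessed value rather than every bot. The single-file layout (guestbook.php handling both GET and POST) is an assumption.

```php
<?php
// Added example, not the poster's code. One script serves the form on GET and
// handles the submission on POST; the file name is an assumption.

session_start();

// GET side: mint a fresh value for every form render and show it to the user.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(4));        // 8 hex chars: short enough to retype
    $_SESSION['random']        = $token;
    $_SESSION['random_issued'] = time();
    return $token;
}

// POST side: the submitted value must exist, match the session value exactly,
// and be used within $maxAgeSeconds. The session copy is removed before the
// comparison so a replay with the same value cannot succeed.
function consume_form_token(string $submitted, int $maxAgeSeconds = 900): bool
{
    $expected = $_SESSION['random']        ?? '';
    $issued   = (int) ($_SESSION['random_issued'] ?? 0);
    unset($_SESSION['random'], $_SESSION['random_issued']);

    if ($expected === '' || $submitted === '') {
        return false;                         // '' == '' must never count as a match
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false;                         // stale token: form sat open too long
    }
    return hash_equals($expected, trim($submitted));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['random'] ?? '')) {
        die('<p>Error - the verification value was missing or did not match.</p>');
    }
    // ...add to guestbook
    echo '<p>Thanks for your entry.</p>';
} else {
    $token = issue_form_token();
    echo '<form method="post">';
    echo '<p>Please type this value to post: <strong>' . htmlspecialchars($token) . '</strong></p>';
    echo '<input type="text" name="random" autocomplete="off">';
    echo '<textarea name="guestbook_comment"></textarea>';
    echo '<button type="submit">Post</button>';
    echo '</form>';
}
```

Because the check runs before any database or mail code, a failed token costs the server one session lookup and nothing else, which is the property you want when the submissions start arriving in volume.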
I'm wondering, though, wouldn't it just be easier if I did an ereg trap for "http://" and "url=" and "www"? If, after the submit button was pressed, the trap returned true, the entire post would be vaporized (not added to the DB)?
In the spirit of (real vs. automated) user understanding, I suppose I should indicate on the form that URLs of any kind would not be accepted in any post.
But wouldn't the above idea be a path of least resistance?
Neophyte
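A server-side "link trap" covering the checks suggested in the thread (http://, www., url=), added here as an example and not code from any poster. Only the PHP side is a defence: client-side JavaScript validation is skipped by any script that posts straight to the add script. Beyond the literal substrings, the patterns catch the variants spammers use to slip past a plain substring match (spaces around the scheme or dots, BBCode and HTML anchors, hxxp and [dot] obfuscation, and bare domains). The TLD list, the sample entries and the rejection policy are assumptions; the last sample is constructed to show where the bare-domain rule over-triggers.

```php
<?php
// Added example, not from the thread. The TLD list is a deliberately short
// assumption; extend it for your audience.

function link_patterns(): array
{
    return [
        'scheme' => '~\b(?:https?|ftp)\s*:\s*/{0,2}~i',            // http://, "http : //", https:/
        'www'    => '~(?<![\w.])www\s*\.\s*[\w-]+~i',               // www.example, "www . example"
        'markup' => '~\[\s*url\b|<\s*a\b[^>]*href|\burl\s*=~i',     // [url=...], <a href=...>, url=
        'domain' => '~\b[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|info|biz|ru|cn|io)\b(?:/[^\s]*)?~i',
        'obfusc' => '~\bh\s*x{2}\s*p\s*s?\s*:|\[\s*dot\s*\]|\(\s*dot\s*\)~i',  // hxxp://, example[dot]com
    ];
}

// Returns the names of the patterns that matched; an empty array means clean.
function find_links(string $text): array
{
    $hits = [];
    foreach (link_patterns() as $name => $re) {
        if (preg_match($re, $text)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function contains_link(string $text): bool
{
    return find_links($text) !== [];
}

// Constructed sample entries for a local run. The spam lines imitate the shape
// of the submissions described in the question; none of these are real URLs.
$samples = [
    'Great site, thanks for the photos!',
    'cheap cigarettes at http://example.com/cigs?ref=123 buy now',
    'MBA diploma www . example . biz fast',
    '[url=http://example.ru/v]viagra[/url]',
    'Visit example[dot]com for details',
    'I read about this on my 486.com machine',   // bare-domain rule fires: a false positive
];

foreach ($samples as $s) {
    $hits = find_links($s);
    printf("%-7s %s%s\n", $hits ? 'REJECT' : 'ok', $hits ? '[' . implode(',', $hits) . '] ' : '', $s);
}
```

The bare-domain rule is the one that bites legitimate visitors, so rather than vaporizing on any hit, a practical policy is to drop entries that match the scheme, markup or obfuscation rules outright and route domain-only hits into the moderation queue for the owner to decide.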