PHP Form Handling Problem & SPAM

No check being performed to validate access to the handler


IcarusGraphics

12:03 am on Apr 12, 2006 (gmt 0)


I'm rather new at coding & debugging PHP files, so bear with me. My question is regarding webpage form processing using a .PHP file on a website. I'll try to explain the problem in as much detail as possible. Keep in mind that the existing php file (form_contact.php) is now disabled to prevent spamming.

A viewer on the website is prompted to enter info into a form contact.html. Once data is entered and the <SUBMIT> button is pressed, the code looks like it validates some of the fields of the form and if successful, it begins sending the data to the PHP file to be processed.

However, other data external to the webform data has been getting processed by this PHP file. It was getting sent through as spam until the PHP file was disabled by setting the file permission to 400.

My question is...

Is it possible to add code (perhaps a function) to the form_contact.php file so that it verifies the post is coming from the website (from the webform)? Conversely, if the data does not originate from the form on the website as a valid form post, I would like the process request to simply be "killed" so that the data coming through is not processed.

This is how the problem was explained to me, and what the person who explained it to me thought may be a solution. If I'm looking at the problem the wrong way and there is another solution, I would be delighted to have someone provide some assistance. I am hesitant to post the actual code online because it contains the organization's domain name, etc. Although having been a programmer since the late 80's and now a new web developer, I am rather new at coding PHP. But I'm sure I can muddle through editing, saving, & testing any new code, if someone can provide some assistance.

If you need to see the actual code itself, I would be happy to provide it but offline. Thank you...

- IcarusGraphics -

eelixduppy

1:29 am on Apr 12, 2006 (gmt 0)



Hello!

If you are using Apache, I would use its global variables... it should look like this:

<?php

// Quote the array key: a bare HTTP_REFERER is treated as an undefined constant.
// The header is optional, so default to an empty string when the browser sends none.
if (($_SERVER['HTTP_REFERER'] ?? '') != "http://yoursite/yourform.html") {
    // code to dismiss form info
} else {
    // ...your form processing code...
}

?>

IcarusGraphics

2:09 am on Apr 12, 2006 (gmt 0)


Yes it is Apache. I will make the changes with the code that you've suggested and let you know whether that works. I appreciate your assistance greatly.

Ron
[ IcarusGraphics ]

BarryStCyr

2:22 am on Apr 12, 2006 (gmt 0)


Some browsers do not return referrer.

You might try hidden fields in the form.

The values of two hidden fields should be some value that you encode and can decode by two different methods or with two different keys.

While the fields are visible to the user the encoded values should be something you can verify come only from you and are disposable in that they can't be reused by someone faking the form.

Hope this helps.
Barry
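One way to build the disposable hidden-field pair Barry describes, as an added example that is not code from this thread. It assumes a server-side secret (FORM_SECRET, a placeholder you would replace) and uses the PHP session to remember which tokens have already been spent; the field names ftoken and fsig and the 15-minute lifetime are choices made here, not anything from the original posts.

```php
<?php
// Added example, not code from this thread. Two hidden fields: a base64 payload (issue time + nonce)
// and an HMAC of that payload under a server-side secret. Tokens expire, and each nonce is accepted once.

const FORM_SECRET = 'replace-with-a-long-random-secret';  // placeholder: generate and keep this server-side
const TOKEN_TTL   = 900;                                    // seconds a form may sit open before its token expires

// Issue a fresh token pair when rendering the form.
function form_token_issue(?int $now = null): array {
    $now ??= time();
    $payload = base64_encode($now . ':' . bin2hex(random_bytes(16)));
    $sig = hash_hmac('sha256', $payload, FORM_SECRET);
    return ['ftoken' => $payload, 'fsig' => $sig];
}

// Verify the pair that came back with the POST. $spent maps nonce => time it was used.
// Returns 'ok' or a short reason string suitable for logging.
function form_token_verify(array $post, array &$spent, ?int $now = null): string {
    $now ??= time();
    $payload = (string)($post['ftoken'] ?? '');
    $sig     = (string)($post['fsig'] ?? '');
    if ($payload === '' || $sig === '') {
        return 'missing';
    }
    // Signature first, with a constant-time comparison; nothing else is trusted until this passes.
    if (!hash_equals(hash_hmac('sha256', $payload, FORM_SECRET), $sig)) {
        return 'bad-signature';
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false || !preg_match('/^(\d{1,12}):([0-9a-f]{32})$/', $decoded, $m)) {
        return 'malformed';
    }
    $issued = (int)$m[1];
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return 'expired';
    }
    if (isset($spent[$m[2]])) {
        return 'replayed';
    }
    $spent[$m[2]] = $now;   // burn the nonce so the same submission cannot be sent twice
    return 'ok';
}

// HTML for the two hidden fields, to place inside the <form> (the form page then has to be served by PHP).
function form_token_fields(): string {
    $t = form_token_issue();
    return '<input type="hidden" name="ftoken" value="' . htmlspecialchars($t['ftoken'], ENT_QUOTES, 'UTF-8') . '">' . "\n"
         . '<input type="hidden" name="fsig" value="' . htmlspecialchars($t['fsig'], ENT_QUOTES, 'UTF-8') . '">' . "\n";
}

// In form_contact.php, before any processing:
//   session_start();
//   $_SESSION['spent_tokens'] = $_SESSION['spent_tokens'] ?? [];
//   $verdict = form_token_verify($_POST, $_SESSION['spent_tokens']);
//   if ($verdict !== 'ok') { http_response_code(403); exit('Invalid request'); }

// Constructed self-check: a freshly issued pair verifies once, is then refused as a replay,
// and is refused again once its signature has been tampered with.
$spent = [];
$pair  = form_token_issue();
echo form_token_verify($pair, $spent), "\n";
echo form_token_verify($pair, $spent), "\n";
$pair['fsig'] = strrev($pair['fsig']);
echo form_token_verify($pair, $spent), "\n";
```

Keeping the spent list in the session stops reuse from the same browser; to stop a token captured in one session from being replayed from another, either include session_id() in the signed payload or keep the spent list in shared server-side storage. Like the referer check, this only turns away submitters that never loaded the form: anything that fetches the form first will hold a valid pair, so the field checks still matter.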

BarryStCyr

2:26 am on Apr 12, 2006 (gmt 0)


You might also want to check any text fields that the user enters for conformity items, like length of text, no HTML and so on, so that you don't get any surprises like viruses and the like.

Barry
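An added example of the field checks Barry recommends; this is not code from the thread. The field names Contact_NAME, Contact_EMAIL and Contact_MSG and the length caps are assumed. The e-mail check is stricter than the others because the handler interpolates that value into From: and Reply-To: headers, where an embedded line break would let a sender append headers of their own.

```php
<?php
// Added example, not code from this thread: validate the contact-form fields before anything
// reaches mail(). Field names Contact_NAME, Contact_EMAIL and Contact_MSG are assumed.

const MAX_NAME_LEN    = 80;
const MAX_MESSAGE_LEN = 4000;

function validate_contact_post(array $post): array {
    $errors = [];
    $name  = trim((string)($post['Contact_NAME']  ?? ''));
    $email = trim((string)($post['Contact_EMAIL'] ?? ''));
    $msg   = trim((string)($post['Contact_MSG']   ?? ''));

    // Length: a contact form has no business carrying a paragraph as a name or a megabyte as a message.
    if ($name === '' || strlen($name) > MAX_NAME_LEN) {
        $errors[] = 'name length';
    }
    if ($msg === '' || strlen($msg) > MAX_MESSAGE_LEN) {
        $errors[] = 'message length';
    }
    // No HTML: reject rather than clean, so nothing half-stripped gets through.
    if ($name !== strip_tags($name) || $msg !== strip_tags($msg)) {
        $errors[] = 'html not allowed';
    }
    // The address is interpolated into From:/Reply-To: headers. A CR or LF inside it would let the
    // sender append headers, so require one syntactically valid address with no line breaks.
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'name' => $name, 'email' => $email, 'message' => $msg];
}

// Build the mail headers only from a validated result; return null otherwise so the caller cannot forget.
function contact_mail_headers(array $validated): ?string {
    if (!$validated['ok']) {
        return null;
    }
    return "From: {$validated['email']}\r\n"
         . "Reply-To: {$validated['email']}\r\n"
         . "X-Priority: 1\r\n";
}

// Constructed sample submissions: one clean, one with markup, an empty message and a multi-line address.
$clean = ['Contact_NAME' => 'Ron', 'Contact_EMAIL' => 'ron@example.com', 'Contact_MSG' => 'Hello from the form.'];
$junk  = ['Contact_NAME'  => '<b>Ron</b>',
          'Contact_EMAIL' => "ron@example.com\r\nBcc: someone@example.net",
          'Contact_MSG'   => ''];

print_r(validate_contact_post($clean)['errors']);              // no failed checks
print_r(validate_contact_post($junk)['errors']);               // lists each failed check for the junk submission
var_dump(contact_mail_headers(validate_contact_post($junk)));  // null, so no headers are built from it
```

Returning the trimmed, validated values from the same function means the handler only ever works with data that has passed every check, rather than re-reading $_POST later and silently skipping one.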

IcarusGraphics

2:54 am on Apr 12, 2006 (gmt 0)


Barry,

Still a bit confused...As I said previously, I'm new at coding & debugging PHP files...like brand new (as of yesterday & today).

Using the code supplied above in the previous posting (and listed below), would I nest my existing site code (also listed further down below) under the else condition? And if so, what is the coding to dismiss the form info? I previously received code from another source for killing the request if the request does not originate from the site.

if (!is_string($url)) die("with some error message");

--------------------

Here is what the other poster suggested I use and nest my code within.

<?php

// Key quoted and the missing-header case handled, as in the suggestion above.
if (($_SERVER['HTTP_REFERER'] ?? '') != "http://yoursite/yourform.html")
{ /* code to dismiss form info */ }
else
{ /* my form processing code below */ }

This is part of the existing code in the PHP file (actually the first part)...

------------------

if (isset($_POST) && $_POST !== []) {          // $HTTP_POST_VARS is long deprecated; $_POST is the superglobal
    $http_web = "www.mysitename.com";
    $SETUP['siteurl'] = $http_web;             // key must be quoted outside a double-quoted string
    // strpos() returns 0 for a match at the start and false for no match, so compare with === false
    if (strpos($_SERVER['HTTP_REFERER'] ?? '', $_SERVER['HTTP_HOST']) === false) {
        header("Location: $SETUP[siteurl]");
        exit();
    }
    // $Contact_EMAIL only existed because of register_globals; read the posted field explicitly.
    // This value goes straight into mail headers, so it must be validated as a single address first.
    $from = trim($_POST['Contact_EMAIL'] ?? '');
    $headers  = "From: $from\r\n";
    $headers .= "Reply-To: $from\r\n";
    $headers .= "X-Priority: 1\n";
    // ... the rest of the processing continues here ...
}

--------------------------

I would be happy to supply all of the PHP code if needed.

Thx

Ron
[ icarusgraphics ]

[edited by: coopster at 11:19 am (utc) on April 12, 2006]
[edit reason] removed email per TOS [webmasterworld.com] [/edit]

eelixduppy

2:09 pm on Apr 12, 2006 (gmt 0)



Anything within the else condition will be executed if the referer is valid, but will not show up if it's not. The code that you want to be seen all the time should be placed after the whole if/else statements.

IcarusGraphics

2:23 pm on Apr 12, 2006 (gmt 0)


This is basically what I added to the PHP file. Please confirm that this is correct and I will stop bothering everyone (lol). Nevertheless, I am very appreciative of all the help I received from everyone, especially considering I'm now a two-day old PHP programmer.

<?php

// Some browsers send no referer at all, so default to an empty string rather than an undefined index.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer != "http://www.mysite.com/contact.htm") {
    // The header is caller-controlled input; escape it before echoing it back in an error page.
    die("Invalid request from: " . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8'));
} else {

    if (isset($_POST) && $_POST !== []) {      // $HTTP_POST_VARS is deprecated; use $_POST

        $http_web = "www.mysite.com";
        $SETUP['siteurl'] = $http_web;         // quote the key outside a string
        // strpos() returns false for no match (and 0 for a match at offset 0), so test === false
        if (strpos($referer, $_SERVER['HTTP_HOST']) === false) {
            header("Location: $SETUP[siteurl]");
            exit();
        }

        // ... form processing continues here as in the existing file ...
    }
}

The coding continues until the else condition is completed, followed by the end } for the else condition for checking the HTTP_REFERER.

Thank you...

- IcarusGraphics -