What are these few functions in my php for email form.

Simone100

2:38 am on Oct 5, 2006 (gmt 0)

Hi, I have a form that sends to my email, and there are a couple of values in the php form that are supposed to help with spam, but they don't seem to be working, because when I change them to just anything the form still sends to my email. I am hoping someone can tell me what these do so that I can fix them to actually work and protect my form. Here they are; I have no idea what they do. Thank you!

$http_referrer = getenv( "HTTP_REFERER" ); // reads the Referer header the browser sent; the value is only stored here, not compared with anything
if (!isset($_POST['email'])) { header( "Location: $formurl" ); exit ; } // if the email field is missing, redirect back to the form page ($formurl) and stop
This one is at the end of my mail() string and I am supposed to list in it the name of the page with the php in it. But when I change it to anything it doesn't seem to matter. It all still sends.
"X-Mailer: chemailphp.php 2.07"

eelixduppy

2:45 am on Oct 5, 2006 (gmt 0)



The code you have doesn't protect from 'spamming' at all. Here's a related thread: [webmasterworld.com...]

I personally like Dreamcatcher's Solution:


Another easy solution and less server intense than the Captcha is to create a random simple sum and have people enter the total in a text box. I've found this to be very effective indeed.

;)

Good luck!

Simone100

7:12 pm on Oct 5, 2006 (gmt 0)

Thanks, man, they don't let you reply to that thread.

Anyone have the code for if it isn't sent from the form page?

Also, any idea what this does? I don't understand it.

if ($_POST['token'] != $_SESSION['token'])
If the mail script was called remotely i.e. NOT from the website the form was residing on, the $_POST['token'] would be an empty string, as well as $_SESSION['token']... so the IF statement would evaluate as true and would be allowed.

You should therefore add at the beginning:

if ($_POST['token'] == "") exit; // who sent you here without a token?!?!

coopster

7:05 pm on Oct 9, 2006 (gmt 0)

Looks like a token was being set by the site that initiated the session in the first place. That way, if the page was hit from somewhere else and didn't have the correct matching token the form process is halted.
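The two ideas in this thread fit together: the session token check from the other thread (`$_POST['token'] != $_SESSION['token']`, with the "who sent you here without a token" exit added first) and Dreamcatcher's random-sum question quoted by eelixduppy. The listing below is an added example, not code from any poster; the file names `contact.php` and `sendmail.php`, the field names `token` and `sum`, and the assumption of PHP 7 or later (for `random_bytes()` and `random_int()`) are mine.

```php
<?php
// ---- contact.php (assumed file name): the page that shows the form ----
session_start();

// One fresh secret per form load, kept only in the server-side session.
// random_bytes() / random_int() need PHP 7 or later.
$_SESSION['token'] = bin2hex(random_bytes(16));

// Dreamcatcher's idea: a small random sum whose answer lives only in the session.
$a = random_int(1, 9);
$b = random_int(1, 9);
$_SESSION['sum_answer'] = $a + $b;
?>
<form method="post" action="sendmail.php">
  <!-- your usual fields (name, email, message) go here -->
  <input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['token']); ?>">
  <label>What is <?php echo $a; ?> + <?php echo $b; ?>?
    <input type="text" name="sum" size="3"></label>
  <input type="submit" value="Send">
</form>

<?php
// ---- sendmail.php (assumed file name): the script the form posts to ----
session_start();

// "Who sent you here without a token?!" A POST made from somewhere else has no
// session, so $_SESSION['token'] is unset; refuse before comparing anything.
if (empty($_POST['token']) || empty($_SESSION['token'])) {
    exit('Missing form token.');
}

// hash_equals() takes the same time whether the first or the last character
// differs, so the comparison leaks nothing about the stored token.
if (!hash_equals($_SESSION['token'], (string) $_POST['token'])) {
    exit('Form token does not match.');
}

// The arithmetic answer must be present and correct.
if (!isset($_SESSION['sum_answer'], $_POST['sum'])
    || (int) $_POST['sum'] !== $_SESSION['sum_answer']) {
    exit('Wrong answer to the arithmetic question.');
}

// Single use: clear both so a re-submitted copy of the same POST is refused.
unset($_SESSION['token'], $_SESSION['sum_answer']);

// All checks passed: build and send the message here, e.g.
// mail($to, $subject, $message, $headers);
```

Because the token and the answer live in `$_SESSION` rather than in a cookie the client can read back, a request that arrives without the matching session cannot reproduce either value; the cookie-only variant later in this thread has no such server-side copy.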

Simone100

5:32 am on Oct 16, 2006 (gmt 0)

Coopster, do you have any idea how I would add a token like that?

herculese

6:14 pm on Oct 16, 2006 (gmt 0)

You should be able to add some amount of protection with a cookie. (May not be the best, but it can make simple bots fail.) Here's how:

1. Generate a random string and send it as a cookie to the user when he arrives at the contact page.
2. Include the cookie value as a hidden field in the post form.
3. In the processing part, check for the existence of the post variable and the cookie and that they match. Send the mail only if they do.

Have a nice day!

herculese

6:21 pm on Oct 16, 2006 (gmt 0)

Here's an outline of the code, if you need it.

Page with the form:


<?php
// Token for this visit: an md5 of the current time (predictable, but enough to trip generic bots).
$code = md5(microtime());
// setcookie() must run before any HTML output, or the header cannot be sent.
setcookie("botcheck", $code);
?>

<form method="post" action="sendmail.php">

<!-- Your form elements here -->

<input type="hidden" name="botcheck" value="<?php echo $code;?>">

</form>

sendmail.php


<?php
// Send only if the cookie and the hidden field both exist and match.
// isset() avoids an "undefined index" notice when a bot sends neither,
// and === avoids PHP's loose string comparison.
if (isset($_COOKIE['botcheck'], $_POST['botcheck'])
    && $_COOKIE['botcheck'] === $_POST['botcheck'])
{
// Send mail here
}
?>

Simone100

8:12 am on Oct 19, 2006 (gmt 0)

Oh gosh, looks like that might be a good one, but how do I know it's not just a cookie from the bot and a real user?

Please let me know, Thank you!

herculese

1:43 pm on Oct 19, 2006 (gmt 0)

Well... I am definitely not the best "bot buster" out here :) But as far as I know, bots don't usually target a specific website and most of the time are more generic in nature. And the chances of bots sending a cookie along with a request are quite low. So when the form is actually POSTed by a bot, it won't usually have the cookie with it and the script won't be sending the mail.

As I said, it is not the best spam protection method, but it can definitely provide some amount of security. Maybe you can give it a try and see how the results are?

Simone100

12:34 am on Oct 20, 2006 (gmt 0)

OK I'll see how it goes. Thank you.

Anyone know how to add code to the php form so that if the form isn't sent from the same http: address as the form is on, then the form won't send?

Thanks.
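For this last question, here is a same-host check on the Referer header, written as an added example rather than code from this thread. It uses `$_SERVER['HTTP_REFERER']`, the same value the first post reads with `getenv("HTTP_REFERER")`, and assumes PHP 7 or later for the `??` operator. The caveat is the important part: many browsers, privacy extensions and proxies strip Referer, and any script can set it to whatever it likes, so a mismatch is a reason to refuse but a match proves nothing; keep the session token (or cookie) check as the real gate and use this only to shed generic bots.

```php
<?php
// Added example: true only when the Referer header names the same host the
// form lives on. False when the header is missing or points elsewhere.
// A sender can still forge the correct host, so this filters generic bots
// rather than authenticating the request.
function referer_matches_host(string $referer, string $host): bool
{
    if ($referer === '' || $host === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Drop any :port from HTTP_HOST so "example.com:8080" still matches.
    $expected = strtolower(preg_replace('/:\d+$/', '', $host));
    return strtolower($parts['host']) === $expected;
}

// Both headers are request data under the sender's control; default to ''.
$referer = (string) ($_SERVER['HTTP_REFERER'] ?? '');
$host    = (string) ($_SERVER['HTTP_HOST'] ?? '');

if (!referer_matches_host($referer, $host)) {
    // Legitimate visitors whose browser strips Referer land here too;
    // log it so you can see how often that happens before relying on it.
    error_log('Contact form refused: referer=' . $referer);
    header('HTTP/1.1 403 Forbidden');
    exit('The form must be submitted from this site.');
}

// Referer looked right; now run the token check, and only then call mail().
```

With a referer of `http://example.com/contact.php` and `HTTP_HOST` of `example.com`, the function returns true; with an empty referer, a referer on another host, or a referer that is not a URL at all, it returns false.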