The script fails to fight the spammers

what did I do wrong?


adder

8:58 am on Jul 10, 2008 (gmt 0)

Hi,

I am running a simple enquiry form on my website. Yesterday I received 245 "enquiries" from spammers, which almost killed my e-mail.

So my mailer script looks like this:


<?php
// $to, $name and $email are set elsewhere in the script (not shown in the post).
$entry = $_POST['entry1'];
$subject = "My Subject";
$message = "$entry";
// Intended as a length check; this is the comparison under discussion.
if ($entry > 4) {
    header( "location: veryRudeURL/" );
} else {
    mail($to, $subject, $message, "From: $name <$email>\nX-Mailer: PHP/" . phpversion());
    header( "location: thankyou.html" );
}
?>

When I test this script in my browser and enter a string that is longer than 4 characters, I get transferred to the veryRudeURL - it is a certain URL where a spambot would just crash because... well, just because :D

When a spambot uses this script, it doesn't work to my benefit, and even when it enters a string longer than 4 characters, it gets through :(

What did I do wrong? Why does it work in my browser and fail to work with a spambot?

dreamcatcher

11:41 am on Jul 10, 2008 (gmt 0)

if (strlen($entry) > 4)   (see strlen in the php.net manual)

The injection probably came from your headers. You should sanitize the header data better.

dc
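Why the posted comparison and the suggested strlen() check behave differently, as an added example that is not code from either post. PHP compares a string against the integer 4 by converting one operand, not by measuring the string: on PHP 5 and 7 a non-numeric string becomes 0, so a typical bot message fails the "> 4" test however long it is, while a numeric test value typed into a browser (such as 12345) really is greater than 4. On PHP 8 the integer is turned into a string and the two are compared as strings, so the result depends on the first character instead. The function names and sample inputs below are assumptions for the illustration; nothing is mailed.

```php
<?php
// Added example, not code from the thread. Contrasts the posted check
// ($entry > 4) with the suggested strlen() check on the same inputs.
// No mail is sent; each function just returns the decision.

// The posted comparison. Because 4 is an integer, PHP does not measure
// the string at all:
//  - PHP 5 and 7: a non-numeric string is converted to 0, so 0 > 4 is
//    false and a text message of any length slips through; a numeric
//    test value such as "12345" is really compared as 12345 > 4.
//  - PHP 8: an integer and a non-numeric string are compared as two
//    strings, so the result depends on the first character, not length.
function exceedsFourByNumericCompare(string $entry): bool
{
    return $entry > 4;
}

// What the reply recommends: compare the length in bytes.
function exceedsFourByLength(string $entry): bool
{
    return strlen($entry) > 4;
}

// Constructed sample submissions (assumed, not taken from the thread).
$samples = [
    '12345',             // numeric test value typed in a browser
    'Buy cheap pills',   // typical bot text, non-numeric
    'abc',               // genuinely short
    '',                  // empty field
];

printf("%-20s %-18s %s\n", 'entry', '$entry > 4', 'strlen($entry) > 4');
foreach ($samples as $entry) {
    printf("%-20s %-18s %s\n",
        var_export($entry, true),
        var_export(exceedsFourByNumericCompare($entry), true),
        var_export(exceedsFourByLength($entry), true));
}
```

Run it with `php` on the command line and compare the two columns. Two further points worth noting about the posted script: strlen() counts bytes, not characters, which is fine for a threshold like this; and the redirect branch stops delivery only because mail() is never reached, not because the bot follows the Location header.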

adder

9:06 am on Jul 11, 2008 (gmt 0)

Thank you.
How can I sanitize my headers? I don't think it is an injection - it doesn't even use SQL - it's just a plain HTML output with a simple web-form.

dreamcatcher

10:16 am on Jul 11, 2008 (gmt 0)

Doesn't have to be MySQL to run a header injection on a form. Header injections are common ways for spammers to turn your form into spam central.

Try a search on Google for some more information:
[google.co.uk...]

dc
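The header injection both replies refer to, as an added example that is not code from the thread. The posted script builds mail()'s extra-headers argument as "From: $name <$email>\n...", so a form field containing a line break lets the sender append headers of its own (Bcc: recipients, for instance). The block below shows the header string that input produces and a builder that refuses such input. The function names and the bot submission are assumptions for the illustration; nothing is mailed.

```php
<?php
// Added example, not code from the thread. Shows how the From: header the
// original script builds from form fields lets a bot add headers of its own,
// and a builder that rejects such input. Nothing is mailed: both functions
// only return the string that would be passed as mail()'s extra headers.

// Vulnerable: $name and $email are interpolated straight into the headers,
// exactly as in the posted script.
function buildHeadersUnsafe(string $name, string $email): string
{
    return "From: $name <$email>\nX-Mailer: PHP/" . phpversion();
}

// Hardened: any CR or LF in a form field means the sender is trying to
// start a new header line, so the whole submission is refused (null).
// The address must also validate, and the display name is reduced to
// printable ASCII and quoted so it cannot carry header syntax either.
function buildHeadersSafe(string $name, string $email): ?string
{
    if (preg_match('/[\r\n]/', $name . $email) === 1) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $name = preg_replace('/[^\x20-\x7e]/', '', $name);
    $name = '"' . str_replace(['\\', '"'], '', $name) . '"';
    // PHP's manual asks for CRLF between extra headers.
    return "From: $name <$email>\r\nX-Mailer: PHP/" . phpversion();
}

// Constructed bot submission (an assumption, not data from the thread):
// the name field ends its own line and appends Bcc: recipients; the final
// dummy header soaks up the "<address>" the script appends after the name.
$botName  = "Bot\nBcc: victim1@example.com, victim2@example.com\nX-Ignore:";
$botEmail = 'bot@example.com';

echo "Headers the posted script would send:\n";
echo buildHeadersUnsafe($botName, $botEmail), "\n\n";

foreach ([[$botName, $botEmail], ['Alice', 'alice@example.com']] as [$n, $e]) {
    $headers = buildHeadersSafe($n, $e);
    echo $headers === null
        ? "rejected: " . json_encode($n) . "\n"
        : "accepted:\n" . $headers . "\n";
}
```

The check is deliberately a rejection rather than a clean-up: stripping the newlines and sending anyway still delivers a message a human never wrote. Apply the same CR/LF rule to every field that ends up in a header, including $subject, and treat the $entry body separately, since newlines there are legitimate.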