
Problem with code

PHP code within form to prevent spamming


Jade_Turtle

6:23 pm on May 3, 2012 (gmt 0)


A form was compromised on my website. Because writing code is not my forte, this code was given to me to prevent users from using the form more than once and overloading the database and server.

The problem is, it doesn't seem to work. Instead it seems to generate two emails to the admin and two entries to the table on the database.

What do I need to change to make it work?


mysql_connect($mysql_server, $mysql_username, $mysql_password) or die('Failed to connect to database server!<br>'.mysql_error());
mysql_select_db($mysql_database) or die('Failed to select database<br>'.mysql_error());
$result = mysql_query("SELECT * FROM $mysql_table WHERE IP = $_SERVER[REMOTE_ADDR]");
if ($data = mysql_fetch_array($result))
{
    if ($data['IP'] == $_SERVER[REMOTE_ADDR])
    {
        header('Location: '.$error_url);
        exit;
    }
}
mysql_close();

rocknbil

12:24 am on May 4, 2012 (gmt 0)


There is a piece missing. What this does is look up the current IP address and, if it's in the database, redirect to $error_url. What's missing is how that gets into the database.

This has several flaws anyway.

1. This is stored permanently. If it were working and a legitimate user comes back to re-submit the form, they'd get rejected.
2. If an IP is assigned dynamically, as in many ISP nets, that user would be able to submit each time.
3. Spammers usually work from a network of compromised servers, all with different IPs, and bounce between them. So they hit you from this IP, then that IP, then another, then another . . . . doesn't slow them down much.

If you really want to try and get it working, it has another problem - there's no error trap to let you know about it either. The IP address is very likely stored in a varchar field, so it needs to be quoted in the select statement. Secondly, you can't dereference an associative array variable in that way; it needs to be concatenated (or the other way). Carefully look at the difference, right there around $_SERVER[REMOTE_ADDR]:

$query = "SELECT * FROM $mysql_table WHERE IP = '" . $_SERVER['REMOTE_ADDR'] . "'";

That would make it output this:
SELECT * FROM the_table WHERE IP = '123.343.455.255'

All together, it will look like this:

$query = "SELECT * FROM $mysql_table WHERE IP = '" . $_SERVER['REMOTE_ADDR'] . "'";
$result = mysql_query($query) or die('Query failed<br>'.mysql_error());

That might get it to work but it's not a "fix" it's a "patch."
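A reworked version of the same per-IP check, added here as an example rather than code from the thread. It assumes $dsn, $mysql_username, $mysql_password and $error_url are already defined, and a table form_hits constructed for this example; it goes beyond the posted snippet by recording each submission with a timestamp so the block expires instead of being permanent (rocknbil's first flaw), by supplying the missing write back to the table, and by binding the address as a query parameter so the quoting problem cannot come back.

```php
<?php
// Added example, not code from the original thread.
// Assumed table (constructed for this example):
//   CREATE TABLE form_hits (ip VARCHAR(45) NOT NULL, hit_at INT UNSIGNED NOT NULL, KEY (ip, hit_at));
// $dsn, $mysql_username, $mysql_password and $error_url are assumed to be defined, as in the thread.

const MAX_SUBMISSIONS = 3;    // submissions allowed per IP ...
const WINDOW_SECONDS  = 600;  // ... within this many seconds; older rows no longer block anyone

function count_recent_submissions(PDO $db, string $ip, int $now): int
{
    // The IP is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT COUNT(*) FROM form_hits WHERE ip = :ip AND hit_at > :cutoff');
    $stmt->execute([':ip' => $ip, ':cutoff' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function record_submission(PDO $db, string $ip, int $now): void
{
    // This is the piece the posted code was missing: writing the IP back to the table.
    $stmt = $db->prepare('INSERT INTO form_hits (ip, hit_at) VALUES (:ip, :now)');
    $stmt->execute([':ip' => $ip, ':now' => $now]);
    // Opportunistic cleanup so the table does not grow without bound.
    $db->prepare('DELETE FROM form_hits WHERE hit_at < :old')
       ->execute([':old' => $now - WINDOW_SECONDS]);
}

// ERRMODE_EXCEPTION gives the "error trap" the original code lacked: a failing query stops the script.
$db = new PDO($dsn, $mysql_username, $mysql_password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's address, and any
// X-Forwarded-For header is client-supplied, so do not trust that without proxy configuration.
$ip  = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
$now = time();

if ($ip === false || count_recent_submissions($db, $ip, $now) >= MAX_SUBMISSIONS) {
    header('Location: ' . $error_url);
    exit;
}
record_submission($db, $ip, $now);
// ... continue with the normal form handling (one table insert, one admin email) here.
```

As rocknbil notes, an IP-based check only slows down a single source; it does nothing against a submitter rotating through many addresses, so treat it as one layer rather than the fix.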