How do you stop form spamming?

  • matrixxxxxx1
    Captain

    • Apr 2006
    • 221

    #16
    Re: How do you stop form spamming?

    [quote=Andy128;165391]Well-it is definitely coming from the comments section. Most likely- your form has been targeted by a bot. However- it is also possible that someone is manually doing the injection (but less likely).

    So- if it were me, I would do something simple to start out. Change the name of the comments area on the form to something else like- tell_me
    Then change it in the appropriate areas in the php script (see areas below in blue).[/quote]




    Hey Andy

    For the record, this simple technique worked very effectively. It must have been bots. I received zero spam since I changed the comments area to something else.

    Great suggestion

    Thnx again
    http://www.atexflooring.ca
    http://www.newfloor.ca


    • navaldesign
      General & Forum Moderator

      • Oct 2005
      • 12080

      #17
      Re: How do you stop form spamming?

      No, it has only been a coincidence. Your text area was NEVER "comments" and it never became "tell_me".

      In fact, the text area in your form was called "smsInput" as coded by the html code, and not "comments" which was checked by the script for max length. However, now I have text length, text content, referer and session authentication installed on your form/script, so there should be no problem any more.
      Navaldesign
      Logger Lite: Low Cost, Customizable, multifeatured Login script
      Instant Download Cart: a Powerful, Customized, in site, DB driven, e-products Cart
      DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Login Systems and more....
      Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!


      • Andy128
        Major General

        • Dec 2005
        • 2317

        #18
        Re: How do you stop form spamming?

        I don't understand. The smsInput was from the javascript that counted the amount of text entered in the form as specified by "form name".

        So- are you saying that adding a javascript such as this now makes the text area smsInput and then overrides the php handling?

        Andy
        PHP- is a blast!


        • navaldesign
          General & Forum Moderator

          • Oct 2005
          • 12080

          #19
          Re: How do you stop form spamming?

          Hi Andy,

          Mike did NOT have a real (I mean one he created) textarea in his form. He had this script to count the characters and show them in an editbox called "count". If you take a look at the code in his post above, the comments area was called "smsInput" as it was defined by this code:

          <form NAME="xxxxxx">
          <input type="text" name="count" value="500" size="3" onFocus="this.blur()" readonly>
          <br>
          <!-- This field is posted to the PHP script under the name "smsInput" -->
          <textarea rows="7" cols="36" name="smsInput" wrap
          onKeyUp="
          var val = this.value;
          if (val.length > 500) {
          alert('Sorry, you are over the limit of 500 characters');
          this.value = val.substring(0,500);
          this.focus();
          }
          this.form.count.value = 500 - this.value.length;
          "></textarea>
          </form>

          </body>

          So, the textarea field name was "smsInput" and that is what was passed over to the php script. As you understand, the php script never validated the field (there was no validation for a field named "smsInput").

          So it could also have been a submission directly from the form.

          I had not paid attention at the beginning, but I discovered this when I made a test submission after installing ABVFP on Mike's site and the field that got back to me was titled "smsInput". I did change it after that.

          What I also would like to state is that a BOT submission does not necessarily go directly to the processing script. MANY times it submits through the form. There are bots capable of filling in the form fields and submitting. And that is where captchas are useful (though even a captcha image can be "read" by a specialized bot).

          Some good ideas (but not 100% efficient) for protection would be:

          1. Establish an authentication session.
          2. Use a captcha (in that case step 1 is not needed anymore, as the captcha value is sent from the form to the script through both POST and SESSION. Then the two are compared to see if that is a legal submission)
          3. Strip tags in the script
          4. Check the user input for @, http://, www. and ANY other character combination useful to spammers, and deny processing if more than 0 or 1 or 2 or whatever you decide are found in the input.
          5. Set length limits to avoid also simple harvesting with long text (manually) by simply idiots that want to "play".
          6. Set, if you have a specific problem, an IP or email address blocker.

          or, use a combination of some or all of the above.
          Navaldesign
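
          The measures listed in the post above (session token, tag stripping, spam-marker count, length limit, IP blocker) combined into one server-side check, as an added example that is not part of the original post and not the script installed on the site. Only the field name smsInput comes from the thread; form_token, check_submission, clean_text and the two limits are hypothetical, and the captcha step is left out.

```php
<?php
// Added example. Only "smsInput" comes from the form above; every other name is hypothetical.
const MAX_LEN   = 500; // same limit the form's JavaScript applies in the browser
const MAX_MARKS = 1;   // tolerated number of spam markers (assumed policy)

// Returns the reasons for rejecting a submission; an empty array means it passes.
function check_submission(array $post, array $session, string $ip, array $blockedIps): array
{
    $errors = [];
    // Measure 6: IP blocker.
    if (in_array($ip, $blockedIps, true)) {
        $errors[] = 'blocked-ip';
    }
    // Measure 1: the token stored in the session when the form page was
    // rendered must come back with the POST.
    $sent = $post['form_token'] ?? '';
    $want = $session['form_token'] ?? '';
    if (!is_string($sent) || !is_string($want) || $want === '' || !hash_equals($want, $sent)) {
        $errors[] = 'bad-token';
    }
    // Accept only the names the form really posts, so a handler written for
    // "comments" cannot silently skip the field that actually arrives.
    if (array_diff(array_keys($post), ['smsInput', 'form_token'])) {
        $errors[] = 'unexpected-field';
    }
    $text = $post['smsInput'] ?? null;
    if (!is_string($text) || trim($text) === '') {
        $errors[] = 'missing-smsInput';
        return $errors;
    }
    // Measure 5: enforce the length on the server (strlen counts bytes).
    if (strlen($text) > MAX_LEN) {
        $errors[] = 'too-long';
    }
    // Measure 4: count @, http(s):// and www. occurrences.
    if (preg_match_all('~@|https?://|www\.~i', $text) > MAX_MARKS) {
        $errors[] = 'spam-markers';
    }
    return $errors;
}
// Measure 3: strip tags before the text is mailed or displayed.
function clean_text(string $text): string
{
    return trim(strip_tags($text));
}

// Constructed sample: a POST aimed at a "comments" field the form never had.
$post = ['comments' => 'cheap pills http://spam.example', 'form_token' => 'abc123'];
print_r(check_submission($post, ['form_token' => 'abc123'], '203.0.113.7', []));
```

          In a live handler the arguments would be $_POST, $_SESSION (after session_start()) and $_SERVER['REMOTE_ADDR'], and clean_text() would be applied to smsInput only after check_submission() returns an empty array.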

          • Andy128
            Major General

            • Dec 2005
            • 2317

            #20
            Re: How do you stop form spamming?

            Makes sense now. I thought it was simply a javascript that you add after the form is made regularly that simply counts the text in a specific field and displays it realtime as they type. Something like e-bay's comment field where it counts down the characters as you type.

            I did not notice that it had defined it as smsInput. Thanks for the heads up. Still lots and lots to learn...

            Andy
            PHP- is a blast!


            • navaldesign
              General & Forum Moderator

              • Oct 2005
              • 12080

              #21
              Re: How do you stop form spamming?

              The visual effect is that of a normal textarea field. In the page code view it also appears as if the textarea was done directly in the page.

              I have seen the problem when Mike sent me the .bvp file, as well as when I received the test submission. It was not important to me, as I created a custom script that took care of it, but I thought I should let you know, just because you were worried on how the script was not able to validate the input.
              Navaldesign

              • matrixxxxxx1
                Captain

                • Apr 2006
                • 221

                #22
                Re: How do you stop form spamming?

                Originally posted by navaldesign
                No, it has only been a coincidence. Your text area was NEVER "comments" and it never became "tell_me".

                In fact, the text area in your form was called "smsInput" as coded by the html code, and not "comments" which was checked by the script for max length. However, now I have text length, text content, referer and session authentication installed on your form/script, so there should be no problem any more.


                navaldesign

                Thank you for the incredible & secure script you made me. Also Thnx for the added touch on the enhancements you made such as the count in BV. Very very cool.
                http://www.atexflooring.ca
                http://www.newfloor.ca


                • Andy128
                  Major General

                  • Dec 2005
                  • 2317

                  #23
                  Re: How do you stop form spamming?

                  He is the GrandMaster!

                  Andy
                  PHP- is a blast!
