mailer.php /Antispam/SEO

gilitrawangan
New php-forum User
Posts: 2
Joined: Tue Apr 22, 2014 8:29 pm

mailer.php /Antispam/SEO

Postby gilitrawangan » Tue Apr 22, 2014 8:49 pm

Hi everyone,

New to the forum, I want to share a script I use for enquiries on my website and would love to have some input on how to improve it and make it more bulletproof to spam.

A few ideas behind it: I use a simple contact form per page on my websites. This helps me get around the Google Analytics "not provided". I then know which page has been used, thus which keywords work for me (since normally you know which page you rank for what, right?).

There is an antispam feature with $bad_words. So basically every time there is a bad word from the list you can define, no email lands in your mailbox and a thanks page appears as if the email went through, but it didn't.

Anyway, here is the script for mailer.php

<?php
// Read the form fields; a missing field becomes an empty string instead of a PHP notice.
$from     = isset($_POST['From'])     ? $_POST['From']     : '';
$name     = isset($_POST['Name'])     ? $_POST['Name']     : '';
$email    = isset($_POST['Email'])    ? $_POST['Email']    : '';
$comments = isset($_POST['Comments']) ? $_POST['Comments'] : '';

// Anything that ends up in a mail header must not contain CR or LF, otherwise a
// visitor can append headers of their own (extra recipients, Bcc, ...) to the message.
$from = str_replace(array("\r", "\n"), '', $from);
$name = str_replace(array("\r", "\n"), '', $name);

$formcontent = " De: $name \n Email: $email \n Demande: $comments \n";
$recipient   = "EMAIL ADRESSES1,EMAIL ADRESSES2";
$subject     = "From: $from";          // the subject is a single line: no CRLF at the end
$mailheader  = "From: $name \r\n";     // note: most mail servers expect an address here, not a name

$bad_words = array('http', 'www', 'url', '<a href');
$found_bad_word = false;
foreach ($bad_words as $word) {
    if (stripos($formcontent, $word) !== false) {   // case-insensitive, so "HTTP" is caught too
        $found_bad_word = true;
        break;
    }
}

if ($found_bad_word) {
    // Spam: drop it silently but show the same thanks page.
    header("Location: URL FOR THANKS PAGE");
    exit;
}

mail($recipient, $subject, $formcontent, $mailheader)
    or die("MESSAGE IN CASE there is a problem with PHP SERVERS. PERSO I PUT A DIRECT CONTACT EMAIL ADDRESS HERE AND EXPLAIN THERE IS A PROBLEM");
header("Location: URL FOR THANKS PAGE");
exit;   // stop here: nothing should run after the redirect
?>


What I'd like to add, and I don't know how since I am no PHP tech:

- Force all fields in the HTML form (name, email and comments in that case) to be completed. Currently I still receive completely empty emails using that script.

- Check language as an antispam measure. For instance on a French website I would require French in the comments field only. Every time the language is not French on a French website, this is spam. Same goes for Italian etc. Is there a PHP function for such a thing? I assume there is...

Anyway, hope this helps some people around, and thanks for feedback. If anybody needs the HTML contact form I can share it too... :)

Cheers

seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: mailer.php /Antispam/SEO

Postby seandisanti » Tue Apr 22, 2014 9:29 pm

Ok, you've asked a few questions, I'll try to address each:
would love to have some input on how to improve it and make it more bullet proof to spam

1) use code tags when posting on the forum, just the word 'code' between square brackets to start and /code to stop. It will make your code stand out better, and you can even use code=php if you really want it to look fancy.

2) Validate input and source. urldecode and then strip_tags on your values, and assume every user input is also an attack on your code, server, and data. Sounds extreme, but it's the only way to avoid the ones that actually are attacks.

- Force all fields in html form (name, emails and comments in that case) to be completed. Now I still received full empty emails using that script.


Code:

// start with an array of fields you want populated:
$required = array('field1', 'field2', 'field3');
foreach ($required as $r) {
    // note: empty() is also true for the string "0"; trim and compare to '' if "0" is a valid value
    if (empty($_POST) || empty($_POST[$r])) {
        // code to fail out with error would go here
    }
}
// if execution reaches this point then all required fields were passed values
// but those values must still be sanitized and verified

Check language as an antispam measure. For instance on a French website I would request French language in the comments field only...Everytime if the language is not french for a french website, this is spam. Same goes for Italian etc.....Is there a php function for such thing? I assume there is...

you could presumably use google translate or another web based translation service API with curl, but I think it's a lot more trouble than it's worth, and doesn't account for typos or misspellings, and you'll have plenty of bad matches based on those, or on words that are present in multiple languages.

Also, don't ever assume. It will bite you as badly in programming as it will in any other portion of your life and can lead to lost hours trying to track down logic errors.

There is a great book published by oreilly, Programming Collective Intelligence by Toby Segaran. It's just a couple of years old, but it's still a great book. The concepts are mostly covered in the python language, but it has sample code, logic and explanations on teaching your computer to understand datasets, and even implementation of machine learning for spam identification etc. I recommend it to anyone trying to adventure into programming.
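A hardened version of mailer.php, added here as an example; it is not the poster's script and not the reply's code. It keeps the form field names and the $bad_words list from the first post and folds in the required-field check and the "validate every input" advice from the reply, plus the one check a contact form needs most: stripping CR/LF from anything that goes into a mail header. The recipient list, the thanks-page URL and the site sender address ($site_from) are placeholders and assumptions, not values from the thread.

```php
<?php
// Added example, not the original poster's code: a hardened mailer.php that
// keeps the same form fields (From, Name, Email, Comments) and the same
// bad-word filter, and adds the checks discussed in the thread.
$recipients  = 'EMAIL ADRESSES1,EMAIL ADRESSES2';   // assumption: real addresses go here
$thanks_page = 'URL FOR THANKS PAGE';               // assumption: absolute URL of the thanks page
$site_from   = 'contact@example.com';               // assumption: an address on your own domain
$bad_words   = array('http', 'www', 'url', '<a href');

// Remove CR, LF and NUL so that no form value can add headers of its own
// (the classic "Bcc: ..." trick that turns a contact form into an open relay).
function header_safe($s) {
    return str_replace(array("\r", "\n", "\0"), '', $s);
}

// Only a POST can be a real submission; anything else just goes to the thanks page.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: ' . $thanks_page);
    exit;
}

// All four fields are required. trim() rejects whitespace-only values, which is
// how completely empty messages got through the original script.
$fields = array();
foreach (array('From', 'Name', 'Email', 'Comments') as $f) {
    $value = (isset($_POST[$f]) && is_string($_POST[$f])) ? trim($_POST[$f]) : '';
    if ($value === '') {
        header('Location: ' . $thanks_page . '?missing=' . urlencode($f));
        exit;
    }
    $fields[$f] = $value;
}

// The e-mail address must actually parse as one (this also rejects any CR/LF in it).
if (filter_var($fields['Email'], FILTER_VALIDATE_EMAIL) === false) {
    header('Location: ' . $thanks_page . '?missing=Email');
    exit;
}

// Body of the message. strip_tags() keeps a spammer from mailing you raw HTML;
// the bad-word check is case-insensitive so "HTTP" and "Www" are caught too.
$body = "De: " . strip_tags($fields['Name']) . "\n"
      . "Email: " . $fields['Email'] . "\n"
      . "Demande: " . strip_tags($fields['Comments']) . "\n";

foreach ($bad_words as $word) {
    if (stripos($body, $word) !== false) {
        // Spam: drop it silently but show the same thanks page.
        header('Location: ' . $thanks_page);
        exit;
    }
}

// The subject still carries the page identifier so you can see which page converted.
// Every header value goes through header_safe(); the visitor's address goes in
// Reply-To rather than From, so your own server stays the sender of the message.
$subject = header_safe('From: ' . substr($fields['From'], 0, 100));
$headers = 'From: ' . $site_from . "\r\n"
         . 'Reply-To: ' . header_safe($fields['Name']) . ' <' . $fields['Email'] . ">\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

if (!mail($recipients, $subject, $body, $headers)) {
    die('MESSAGE IN CASE there is a problem with the mail server');
}
header('Location: ' . $thanks_page);
exit;
```

The `exit` after each `header('Location: ...')` matters: without it PHP keeps running, so in the original flow a redirect for a bad-word hit would not actually stop the script from continuing.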

gilitrawangan
New php-forum User
Posts: 2
Joined: Tue Apr 22, 2014 8:29 pm

Re: mailer.php /Antispam/SEO

Postby gilitrawangan » Wed Apr 23, 2014 10:41 pm

Hi,

First of all, big thanks for the super fast answer and the introduction to Segaran's book. Just found it and reading it now.

Fully get your input on the language thing. Guess I will try to identify classic words used in spam and add them to the bad words list step by step. This would be good enough in fact.

Code to require all fields works perfectly. Thanks for that.

Checking what you mean in your 2) about validate input and source. Not sure I understand exactly, but googling now to find out more, so I should get it.

Thanks again.

seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: mailer.php /Antispam/SEO

Postby seandisanti » Wed Apr 23, 2014 10:49 pm

The functions listed, urldecode and strip_tags, are standard functions in PHP that can help avoid a lot of attacks based on input, such as parameter pollution, HTML and SQL injection, etc. Those attacks all depend on being able to get your server to execute code entered by an attacker. urldecode makes sure that printable characters are evaluated as the actual character rather than their URL-encoded values, and strip_tags removes HTML and PHP tags from a string. You should still do additional checking with preg_match whenever possible to make sure you're getting only the data and type that you're expecting, but urldecode and strip_tags should be run at the very minimum on any user input prior to using the input.
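To see what each of the functions mentioned above does against the attack that matters most for a mail() script, here is an added example (not from either poster). It feeds two constructed Name values through urldecode, strip_tags and a plain CR/LF strip, then counts how many header lines each result would produce once dropped into "From: $name\r\n" the way the original mailer.php builds its header. The payloads and the header_safe() helper are assumptions made for the demonstration.

```php
<?php
// Added example, not from the thread: feeds constructed header-injection
// payloads through the filters mentioned above (urldecode, strip_tags) and
// through a CR/LF strip, and reports how many header lines each result would
// produce if used as "From: $name\r\n" like the original mailer.php does.

function build_from_header($name) {
    return "From: $name\r\n";
}

// Removes the characters that separate mail headers.
function header_safe($s) {
    return str_replace(array("\r", "\n", "\0"), '', $s);
}

// Number of header lines the value would produce; 1 means no injection.
function header_line_count($name) {
    return substr_count(build_from_header($name), "\r\n");
}

// Constructed payloads, as they would already sit in $_POST (PHP URL-decodes
// form data once before the script sees it):
//   - a Name ending in a real CR LF followed by a Bcc: line;
//   - a Name where the visitor typed the text "%0d%0a" literally; the browser
//     sent it as %250d%250a and PHP decoded it back to harmless text.
$payloads = array(
    'real CRLF'      => "Jean\r\nBcc: target1@example.com, target2@example.com",
    'literal %0d%0a' => "Jean%0d%0aBcc: target1@example.com",
);

$filters = array(
    'as received' => function ($s) { return $s; },
    'urldecode'   => function ($s) { return urldecode($s); },
    'strip_tags'  => function ($s) { return strip_tags($s); },
    'header_safe' => function ($s) { return header_safe($s); },
);

foreach ($payloads as $pname => $payload) {
    foreach ($filters as $fname => $filter) {
        $lines = header_line_count($filter($payload));
        printf("%-16s %-12s -> %d header line(s)%s\n",
            $pname, $fname, $lines, $lines > 1 ? '  INJECTED' : '');
    }
}
```

Run from the command line, the table shows that strip_tags() leaves a real CR/LF untouched (it only removes tags), that urldecode() turns the literal "%0d%0a" text, which was harmless as received, into a second header line, and that only the CR/LF strip brings every payload back to a single header line. The takeaway for a mail form is to strip CR/LF from every value that goes into a header, and to decode form data only once (PHP has already done it by the time $_POST is filled).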

