mailer.php /Antispam/SEO

This is where you share YOUR scripts with others

Moderators: egami, macek, gesf

Post Reply
seandisanti
php-forum Fan User
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Tue Apr 22, 2014 9:29 pm

Ok, you've asked a few questions, Ill try to address each:
would love to have some input on how to improve it and make it more bullet proof to spam
1) use code tags when posting on forum, just the word 'code' between square braces to start and /code to stop. it will make your code stand out better, and you can even use code=php if you really want it to look fancy.

2) Validate input and source. url_decode and then strip_tags on your values, and assume every user input is also an attack on your code, server, and data. Sounds extreme, but it's the only way to avoid the ones that actually are attacks.
- Force all fields in html form (name, emails and comments in that case) to be completed. Now I still received full empty emails using that script.

Code: Select all

// start with an array of fields you want populated:
$required = array('field1','field2','field3');
foreach ($required as $r){
if (empty($_POST) || empty($_POST[$r])){
// code to fail out with error would go here
}
}
// if execution reaches this  point then all required fields were passed values 
// but those values must still be sanitized and verified
 
Check language as an antispam measure. For instance on a French website I would request French language in the comments field only...Everytime if the language is not french for a french website, this is spam. Same goes for Italian etc.....Is there a php function for such thing? I assume there is...
you could presumably use google translate or another web based translation service API with curl, but I think it's a lot more trouble than it's worth, and doesn't account for typos or misspellings, and you'll have plenty of bad matches based on those, or on words that are present in multiple languages.

Also, don't ever assume. It will bite you as badly in programming as it will in any other portion of your life and can lead to lost hours trying to track down logic errors.

There is a great book published by oreilly, Programming Collective Intelligence by Toby Segaran. It's just a couple of years old, but it's still a great book. The concepts are mostly covered in the python language, but it has sample code, logic and explanations on teaching your computer to understand datasets, and even implementation of machine learning for spam identification etc. I recommend it to anyone trying to adventure into programming.

seandisanti
php-forum Fan User
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Wed Apr 23, 2014 10:49 pm

The functions listed, url_decode and strip_tags are standard functions in php that can help avoid a lot of attacks based on input; such as parameter pollution, html and sql injection, etc. Those attacks all depend on being able to get your server to execute code entered by an attacker. url_decode makes sure that printable characters are evaluated as the actual character rather than their url encoded values, and strip_tags removes html and php tags from a string. You should still do additional checking with preg_match whenever possible to make sure you're getting only the data and type that you're expecting, but url_decode and strip_tags should be run at the very minimum on any user input prior to using the input

Post Reply
  • Information
  • Who is online

    Users browsing this forum: No registered users and 0 guests