(See my edit below)
Hey guys,
I started Googling some stuff about it because I've never heard of it before. I'm not a great (or even good, by some standards) programmer. This is new to me.
I'm reading http://www.w3schools.com/PHP/php_filter.asp
and http://us.php.net/manual/en/function.filter-var.php.
I think I'm going to implement this stuff on the forms I have on all my sites...
It's surprising to me, but someone has found a site that I maintain for a friend of mine already (that is only 1 month old) and I'm getting spam out the wazoo. I implemented a security trick a couple days ago that seems to work for my other sites, but isn't working. I just deleted another 15 or 20 spam comments.
It's a Guest Book that I wrote from scratch that basically works like blog comments. 5 comments show up per page, and there's a form to fill out. I don't have a CAPTCHA (which is probably 1/2 my problem), which I CAN implement.
But beyond this, I'm doing an escape_string call on everything that I insert into the MySQL database. I would have thought this would do it. Guess not. So now I'm looking into this filtering stuff.
Here's what I have currently:
Should I add something like this, before inserting it into the database:?
I don't intend to be a full-time professional programmer... but if I am going to do it as a hobby, and if I'm going to do web hosting, and if I'm going to maintain websites and do stuff like that, the more I learn, the better it is.
Edit
After doing some more research, I decided to just do a strip_tags for the time being (something else I forgot about until Google's search results told me about it and reminded me about it).
That's all I want to do anyway. Prevent the spammer from getting his link in the comments section. Why is it important for me to do more than that?
- David
Hey guys,
I started Googling some stuff about it because I've never heard of it before. I'm not a great (or even good, by some standards) programmer. This is new to me.
I'm reading http://www.w3schools.com/PHP/php_filter.asp
and http://us.php.net/manual/en/function.filter-var.php.
I think I'm going to implement this stuff on the forms I have on all my sites...
It's surprising to me, but someone has found a site that I maintain for a friend of mine already (that is only 1 month old) and I'm getting spam out the wazoo. I implemented a security trick a couple days ago that seems to work for my other sites, but isn't working. I just deleted another 15 or 20 spam comments.
It's a Guest Book that I wrote from scratch that basically works like blog comments. 5 comments show up per page, and there's a form to fill out. I don't have a CAPTCHA (which is probably 1/2 my problem), which I CAN implement.
But beyond this, I'm doing an escape_string call on everything that I insert into the MySQL database. I would have thought this would do it. Guess not. So now I'm looking into this filtering stuff.
Here's what I have currently:
Code:
if ($_POST['name'] != "" && $_POST['email'] != "" && $_POST['comments'] != "") {
// insert data into database
if ($_POST['website']) {
if (substr($_POST['website'], 0, 7) == "http://") {
$website = $_POST['website'];
}
else {
$website = 'http://'.$_POST['website'];
}
}
$insert = "INSERT INTO guestbook (name, email, website, comments)
VALUES
( '".escape_string($_POST['name'])."'
, '".escape_string($_POST['email'])."'
, '".mysql_real_escape_string($website)."'
, '".escape_string($_POST['comments'])."')";
mysql_query($insert) or die(mysql_error());
echo "<center><p><b>Thanks for signing my guestbook!</b></p></center>";
echo "<br><br>";
}Should I add something like this, before inserting it into the database:?
Code:
filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
filter_var($_POST['website'], FILTER_VALIDATE_URL);
// And then Preg Replaces for the rest? (I don't know how to do Preg Replaces, btw... I need to learn though)Edit
After doing some more research, I decided to just do a strip_tags for the time being (something else I forgot about until Google's search results told me about it and reminded me about it).
That's all I want to do anyway. Prevent the spammer from getting his link in the comments section. Why is it important for me to do more than that?
- David
Last edited:
