PHP Filtering

[Rudy]

(See my edit below)

Hey guys,

I started Googling some stuff about it because I've never heard of it before. I'm not a great (or even good, by some standards) programmer. This is new to me.

I'm reading http://www.w3schools.com/PHP/php_filter.asp
and http://us.php.net/manual/en/function.filter-var.php.

I think I'm going to implement this stuff on the forms I have on all my sites...

It's surprising to me, but someone has found a site that I maintain for a friend of mine already (that is only 1 month old) and I'm getting spam out the wazoo. I implemented a security trick a couple days ago that seems to work for my other sites, but isn't working. I just deleted another 15 or 20 spam comments.

It's a Guest Book that I wrote from scratch that basically works like blog comments. 5 comments show up per page, and there's a form to fill out. I don't have a CAPTCHA (which is probably 1/2 my problem), which I CAN implement.

But beyond this, I'm doing an escape_string call on everything that I insert into the MySQL database. I would have thought this would do it. Guess not. So now I'm looking into this filtering stuff.

Here's what I have currently:

		if ($_POST['name'] != "" && $_POST['email'] != "" && $_POST['comments'] != "") {
		// insert data into database
 			if ($_POST['website']) {
				if (substr($_POST['website'], 0, 7) == "http://") {
					$website = $_POST['website'];
				}
				else {
					$website = 'http://'.$_POST['website'];
				}
			}
			$insert = "INSERT INTO guestbook (name, email, website, comments)
			VALUES
				( '".escape_string($_POST['name'])."'
				, '".escape_string($_POST['email'])."'
				, '".mysql_real_escape_string($website)."'
				, '".escape_string($_POST['comments'])."')";

			mysql_query($insert) or die(mysql_error());


	  		echo "<center><p><b>Thanks for signing my guestbook!</b></p></center>";
  			echo "<br><br>";
		}

Should I add something like this, before inserting it into the database:?

filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
filter_var($_POST['website'], FILTER_VALIDATE_URL);
// And then Preg Replaces for the rest? (I don't know how to do Preg Replaces, btw... I need to learn though)

I don't intend to be a full-time professional programmer... but if I am going to do it as a hobby, and if I'm going to do web hosting, and if I'm going to maintain websites and do stuff like that, the more I learn, the better it is.

Edit
After doing some more research, I decided to just do a strip_tags for the time being (something else I forgot about until Google's search results told me about it and reminded me about it).

That's all I want to do anyway. Prevent the spammer from getting his link in the comments section. Why is it important for me to do more than that?

- David

 

[nasaboy007]

You should use both strip_tags and escape_string just to prevent not only spammers, but also to prevent any SQL injection. If you don't sanitize inputs, people can inject into your forms and harm the data.

Example would be if the malicious user puts a field as:
"')-- DROP TABLE `users`"

(not exact syntax, but you get the idea). Since the php code would see the entire "query" as something liek:
INSERT INTO guestbook (name, email, website, comments)
VALUES
( '') -- DROP TABLE `users`


the sql has chances of executing the drop table command as well. (again, it's not exactly like that syntax. i'm not a hacker, but i know what security vulnerabilities exist.)


that's why you should do both escape string and strip_tags, because w/ escape string the things such as quotes will be escaped to be \' rather than ' and therefore cannot be misinterpreted by the SQL parser.

 

[galoop]

You gotta get captcha, sooner than later. Try http://recaptcha.net/

 

[Rudy]

Thanks guys.
Yeah Nasaboy, I kept the escape_strings in, because I know that SQL Injunctions can happen. I guess I should have said that I "added" strip_tags() and nothing else (like a filtering mechanism or a preg_replace sort of deal.

I already have captchas working on other websites, and that's the next security measure I'm going to implement if the two that I have in place now don't curb the spam. It's a small script I wrote myself actually and has been working GREAT.

So if I implement it, I won't delete the other 2 - I'll just add the captcha, making 3 different security measures. Looks like the one I added yesterday is working so far (or the spammers haven't been back yet).

I've got a nice little trick that I don't think many people use (which only tricks the bots - it does nothing against human spammers) that I implemented first. I think it's helping a bit...

 

[Mattias]

I've got a nice little trick that I don't think many people use (which only tricks the bots - it does nothing against human spammers) that I implemented first. I think it's helping a bit...

Would you care to share?

 

[ruchi]

To filter a variable, one of the following filter functions can be used.

* filter_var() - Filters a single variable with a specified filter
* filter_var_array() - Filter several variables with the same or different filters
* filter_input - Get one input variable and filter it
* filter_input_array - Get several input variables and filter them with the same or different filters
___________________________________________
high speed internet providers
Salt Lake City Web Design