I'm implementing a contact form for a website, and I'd like to avoid using a captcha because I believe it has a negative effect on user experience.

Instead, I've decided to trial detecting the number of URLs that have been submitted with the message.

I am retrieving the message as a string from the $_POST submission. I know inbuilt PHP functions such as stristr() can give me confirmation that a substring exists within the message, but what I'd like is the count.

Also, in terms of spam detection, would a match on something like "</a>" be appropriate?

Cheers.

+3  A: 

substr_count($text, "http") (see http://www.php.net/manual/en/function.substr-count.php)

Note that this isn't sufficient, but neither is allowing users to enter unfiltered data into your form fields that gets rendered as HTML.

I shouldn't be able to put JavaScript in there either, due to Cross-Site Scripting: http://www.owasp.org/index.php/Top%5F10%5F2007-Cross%5FSite%5FScripting

I'd recommend using http://htmlpurifier.org/ to remove any malicious code.

Finally for spam filtering I'd recommend http://akismet.com/

Good luck.

Stephen lacy
HTML, JavaScript and SQL injection handling is fine. I'm not even rendering anything on the page; I just want to automatically disallow as much spam as possible. Everyone always assumes that because I didn't specifically mention HTML injection handling I must have neglected to do it, even though it has nothing to do with my original question.
Evernoob
Sorry, however it's still worth risking annoying you if there is a chance it hasn't occurred to you. Have a look at Akismet; that handles spam much better than URL counting. It's what is used in practically every WordPress site.
Stephen lacy
Also in case you missed it I directly answered your question with the first part of my post. Allowing you to ignore the rest.
Stephen lacy
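The accepted answer's substr_count($text, "http") gives a count, but it is case-sensitive and misses "www." links, "<a href=...>" tags and BBCode "[url=...]" markup, all of which the question mentions or which turn up in form spam. The following is an added example, not code from the original post or its authors: it contrasts the naive count with a case-insensitive pattern-based count and wraps it in a threshold check. The function names, the threshold of two links and the sample messages are constructed for the demonstration; it assumes PHP 7 or later with the standard PCRE functions.

```php
<?php
// Added example (not from the original post): count URL-like tokens in a
// contact-form message and flag likely link spam. Assumes PHP 7+ with PCRE.

declare(strict_types=1);

/**
 * The count from the accepted answer. substr_count() is case-sensitive, so
 * "HTTP://" is missed, as are "www." links and anchor/BBCode markup.
 */
function countUrlsNaive(string $text): int
{
    return substr_count($text, 'http');
}

/**
 * Case-insensitive count that also catches scheme-less "www." links and the
 * HTML / BBCode anchors that form-spam bots typically paste. Returns the
 * number of matches rather than a boolean, which is what the question asks for.
 */
function countUrls(string $text): int
{
    $patterns = [
        '~\bhttps?://[^\s<>"\']+~i',     // http:// and https:// links
        '~(?<![\w/])www\.[^\s<>"\']+~i', // www.example.com without a scheme
        '~<a\s[^>]*href=~i',             // HTML anchor tags
        '~\[url[=\]]~i',                 // BBCode [url=...] and [url]
    ];
    $count = 0;
    foreach ($patterns as $re) {
        // preg_match_all() returns the number of matches (false on a bad pattern)
        $count += (int) preg_match_all($re, $text);
    }
    return $count;
}

/**
 * Threshold check. A genuine contact message rarely contains more than one
 * or two links; the threshold is an assumption for this demo, not a rule.
 */
function looksLikeLinkSpam(string $message, int $maxUrls = 2): bool
{
    return countUrls($message) > $maxUrls;
}

// Constructed sample messages, not real submissions.
$samples = [
    'legit' => "Hi, I saw your talk at https://example.org/talks and wanted to ask about it.",
    'spam'  => "Cheap meds WWW.example-pills.test <a href=\"http://example.test\">buy</a> "
             . "[url=http://example.test/x]click[/url] HTTP://EXAMPLE.TEST/y",
];

foreach ($samples as $label => $msg) {
    printf("%-5s naive=%d full=%d spam=%s\n",
        $label, countUrlsNaive($msg), countUrls($msg),
        looksLikeLinkSpam($msg) ? 'yes' : 'no');
}
```

The naive count under-reports the spam sample because two of its links use an upper-case scheme or no scheme at all, while the pattern-based count also credits the anchor tag and the BBCode wrapper. Whatever you count, treat it as one signal among several: link density alone will pass a bot that sends a single link, and will reject a legitimate user who pastes a few references.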
A: 

If this is a contact form, there is no need to accept HTML. Just encode the whole content and limit the number of posts from the same IP, or limit the time between messages.

Yes, you could restrict the number of URLs, but I don't think this is effective.

w35l3y
It will be effective in reducing the spam I already get through the contact form, all of which is infested with URLs. Most of the bots, though clearly the same, are able to switch IP addresses, but the time-between-messages idea is good.
Evernoob
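The second answer suggests limiting posts per IP and the time between messages, and the comment notes that the bots rotate IPs. The following is an added example, not code from the original post or its authors, of a small throttle that enforces both a minimum gap between submissions and a cap per hour for whatever key identifies the sender (the remote IP, or a session id, which survives an IP change as long as the bot keeps its cookie). It assumes PHP 8.0 or later with the pdo_sqlite extension; the class name, limits, client key and timestamps are constructed for the demonstration, and the in-memory database is only for running it stand-alone.

```php
<?php
// Added example (not from the original post): throttle contact-form
// submissions per sender, as the answer suggests, with a minimum gap between
// messages and a cap per hour. Assumes PHP 8+ with PDO and pdo_sqlite;
// 'sqlite::memory:' is for the demo, a file path would persist across requests.

declare(strict_types=1);

final class SubmissionThrottle
{
    public function __construct(
        private PDO $db,
        private int $minGapSeconds = 60,
        private int $maxPerHour = 5,
    ) {
        $db->exec('CREATE TABLE IF NOT EXISTS submissions (
                       client TEXT NOT NULL,
                       ts     INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS submissions_client
                       ON submissions(client, ts)');
    }

    /**
     * Returns null if the submission may proceed, otherwise a short reason.
     * $client is whatever identifies the sender: the remote IP, or better a
     * session id, since bots rotate IPs but rarely drop their cookies.
     */
    public function check(string $client, int $now): ?string
    {
        $stmt = $this->db->prepare(
            'SELECT MAX(ts) AS last, COUNT(*) AS n FROM submissions
              WHERE client = :c AND ts > :since');
        $stmt->execute([':c' => $client, ':since' => $now - 3600]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // MAX(ts) is NULL when this client has no submissions in the window
        if ($row['last'] !== null && $now - (int) $row['last'] < $this->minGapSeconds) {
            return 'too soon after your last message';
        }
        if ((int) $row['n'] >= $this->maxPerHour) {
            return 'too many messages this hour';
        }
        return null;
    }

    public function record(string $client, int $now): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO submissions (client, ts) VALUES (:c, :ts)');
        $stmt->execute([':c' => $client, ':ts' => $now]);
    }
}

// Demo with constructed timestamps and a documentation-range IP as the key.
// In a request handler you would pass time() and $_SERVER['REMOTE_ADDR']
// or session_id() instead.
$throttle = new SubmissionThrottle(new PDO('sqlite::memory:'), 60, 3);
$t0 = 1_700_000_000;
foreach ([0, 10, 120, 200, 300, 5000] as $offset) {
    $reason = $throttle->check('203.0.113.7', $t0 + $offset);
    if ($reason === null) {
        $throttle->record('203.0.113.7', $t0 + $offset);
        echo "t+{$offset}s: accepted\n";
    } else {
        echo "t+{$offset}s: rejected ({$reason})\n";
    }
}
```

Run through the demo, the second attempt is rejected for arriving inside the 60-second gap, the fifth for exceeding three messages in the hour, and the last is accepted again once the hour has rolled over. Keying on the session rather than the IP addresses the comment's point about IP-hopping bots, but a bot that discards cookies gets a fresh session each time, so this is again one layer, and should sit alongside the content checks and an external filter such as Akismet rather than replace them.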