I have a form that sends info into a database table. I have it checked with a Javascript but what is the best way to stop spammers entering http and such into the database with PHP when Javascript is turned off?
You could implement a CAPTCHA on the form:
http://en.wikipedia.org/wiki/CAPTCHA
Edit: Also definitely verify form data on the server side and check for html tags etc as usual, but the CAPTCHA should help against automated spam attacks.
There are two things to consider which should be implemented in parallel (maybe there's more).
- Captcha (as mentioned before)
- Verify your data on server side! You wrote you do this by javascript. This is good, but the very same verification proccess should be written in PHP.
Well, for CAPTCHA you'll have to make it's verification on server side anyway. But even if you decide not to implement captcha, you should make data verification on server side.
Never trust the client. Always validate all data on server side. JavaScript for form validation can just be an additional feature. You could start with basic PHP functions to check if the content contains certain strings you don't like, eg. "http://".
if (strpos('http://', $_POST['message']) !== false) { /* refuse */ }
You can use CSRF protection to prevent spammers, I have found it quite effective.
Another sneaky method is to include a "honeypot" field - a hidden field that should never be submitted with content. If it's filled, you know it's spam. Neither of these methods require an annoying CAPTCHA.
I suggest using the htmlentities()
function before doing your insert.
Obviously your insert should be done using parametrized queries to interact with the database as well. Capatcha is certainly an option, but it more serves to limit how often someone can post, not what they can post. Use hmtl escaping (again, the htmlentities()
function) to prevent the user from inputting things you don't want.