views: 135

answers: 5
I have a form that sends info into a database table. I have it checked with JavaScript, but what is the best way to stop spammers entering http and such into the database with PHP when JavaScript is turned off?

+6  A: 

You could implement a CAPTCHA on the form:

http://en.wikipedia.org/wiki/CAPTCHA

Edit: Also definitely verify form data on the server side and check for html tags etc as usual, but the CAPTCHA should help against automated spam attacks.

Neal Donnan
Captchas work against simple bots, but they can be overcome if someone really wants to. Recently it was discovered that a popular site that sells tickets to concerts was selling out in seconds because a bunch of bots were picking up all the best seats for the resale market, despite having a captcha required for each purchase.
tloach
That's bad news. Is there any simple php code to add in order to stop this?
francesco
Everything can be 'forged', one way or another. But there's no simple method to avoid this. You should just apply security measures adequate to danger. In most cases, good captcha is more than enough (along with server verification ofc).
Tomasz Struczyński
@tloach: then it was either poorly implemented or using an (outdated) 3rd party captcha API which was known to be hacked.
BalusC
@BalusC nope, but it was a large and complex attack http://www.wired.com/threatlevel/tag/ticket-master/
Andy
@Andy: interesting, thanks for the link.
BalusC
+2  A: 

There are two things to consider which should be implemented in parallel (maybe there's more).

  1. Captcha (as mentioned before)
  2. Verify your data on the server side! You wrote you do this by JavaScript. This is good, but the very same verification process should be written in PHP.

Well, for CAPTCHA you'll have to make its verification on the server side anyway. But even if you decide not to implement a captcha, you should make data verification on the server side.

Tomasz Struczyński
+3  A: 

Never trust the client. Always validate all data on the server side. JavaScript for form validation can just be an additional feature. You could start with basic PHP functions to check if the content contains certain strings you don't like, e.g. "http://".

// strpos() takes the haystack first and the needle second
if (strpos($_POST['message'], 'http://') !== false) { /* refuse */ }
Nic
+2  A: 

You can use CSRF protection to prevent spammers, I have found it quite effective.

What it is and how it works

Another sneaky method is to include a "honeypot" field - a hidden field that should never be submitted with content. If it's filled, you know it's spam. Neither of these methods require an annoying CAPTCHA.

Andy
Actually, a CAPTCHA is a kind of CSRF protection.
BalusC
CSRF is used for all kinds of bad stuff; spamming forms is, however, usually not one of them. CSRF is about using somebody else's clearance/authorization to perform unauthorized actions.
Jacco
@BalusC very true
Andy
@Jacco you're right, however if you look at it simply it's intended to prevent unauthorised submissions - in this context that's the bots (except the cleverer ones!)
Andy
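The server-side checks from the two answers above (the "http://" content check, a per-session form token and a honeypot field) put together in one PHP handler. This is an added example, not code from any of the answers; the field names csrf_token, website and message, and the 2000-character limit, are assumptions.

```php
<?php
// Added example: server-side form checks. Field names "csrf_token", "website"
// and "message" and the length limit are assumed, not taken from the answers.
session_start();

// One random token per session, embedded in the form and checked on submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns the reasons to refuse the post; an empty array means accept.
function validate_post(array $post, string $sessionToken): array
{
    $errors = [];

    // Form token: session must have one, the post must carry the same one,
    // compared in constant time so the check does not leak by timing.
    $sent = isset($post['csrf_token']) ? (string) $post['csrf_token'] : '';
    if ($sessionToken === '' || $sent === '' || !hash_equals($sessionToken, $sent)) {
        $errors[] = 'missing or invalid form token';
    }

    // Honeypot: humans never see the hidden "website" field, so it must stay
    // empty; naive bots fill every input they find.
    if (!empty($post['website'])) {
        $errors[] = 'honeypot field was filled';
    }

    // Content check done in PHP rather than trusting the JavaScript: refuse
    // empty or oversized messages and anything carrying a link.
    $message = trim((string) ($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'message empty or too long';
    }
    if (preg_match('~https?://~i', $message)) {
        $errors[] = 'message contains a link';
    }

    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_post($_POST, $_SESSION['csrf_token'] ?? '');
    if ($errors !== []) {
        http_response_code(400);
        exit('Rejected: ' . implode('; ', $errors));
    }
    // Safe to store $_POST['message'] here, with a prepared statement.
    exit('Thanks');
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <!-- Honeypot: hidden with CSS; a real visitor leaves it empty. -->
  <div style="display:none"><label>Website <input type="text" name="website" autocomplete="off"></label></div>
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

The token check stops a bot that posts straight to the handler without ever loading the form, the honeypot catches bots that fill in every field, and the content check runs whether or not the browser ran the JavaScript. A determined attacker can still fetch the form first and leave the honeypot empty, which is why these are layered rather than relied on alone.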
A: 

I suggest using the htmlentities() function before doing your insert.

Obviously your insert should be done using parametrized queries to interact with the database as well. CAPTCHA is certainly an option, but it serves more to limit how often someone can post, not what they can post. Use HTML escaping (again, the htmlentities() function) to prevent the user from inputting things you don't want.

C. Ross
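An added example (not the answer's own code) of the two points above: the insert goes through a PDO prepared statement, and htmlentities() keeps submitted HTML inert in the page. The DSN, credentials and the messages table are assumptions. One deliberate difference from the answer: the text is stored raw and escaped at output time, so the same stored value can be escaped differently for other outputs such as e-mail or JSON.

```php
<?php
// Added example: parametrized insert plus HTML escaping on output.
// DSN, credentials and the "messages" table are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Query text and data travel separately, so a message such as
// "'; DROP TABLE messages; --" is stored as plain text, never run as SQL.
function store_message(PDO $pdo, string $name, string $message): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO messages (name, message, created_at) VALUES (:name, :message, NOW())'
    );
    $stmt->execute([':name' => $name, ':message' => $message]);
    return (int) $pdo->lastInsertId();
}

// Escape at the HTML boundary: "<script>" becomes "&lt;script&gt;" and is
// shown as text instead of being interpreted by the browser.
function render_message(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name    = (string) ($_POST['name'] ?? 'anonymous');
$message = (string) ($_POST['message'] ?? '');

$id = store_message($pdo, $name, $message);
echo '<p>Saved #' . $id . ': ' . render_message($message) . '</p>';
```

Disabling emulated prepares makes the database server itself bind the parameters; leaving emulation on still escapes correctly, but a real prepare is the simpler property to reason about.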