I have a form that sends info into a database table. I have it checked with a Javascript but what is the best way to stop spammers entering http and such into the database with PHP when Javascript is turned off?
+6
A:
You could implement a CAPTCHA on the form:
http://en.wikipedia.org/wiki/CAPTCHA
Edit: Also definitely verify form data on the server side and check for html tags etc as usual, but the CAPTCHA should help against automated spam attacks.
Neal Donnan
2010-03-18 13:19:23
Captcha's work against simple bots, but they can be overcome if someone really wants to. Recently it was discovered that a popular site that sells tickets to concerts was selling out in seconds because a bunch of bots were picking up all the best seats for the resale market, despite having a captcha required for each purchase.
tloach
2010-03-18 13:22:42
That's bad news. Is there any simple php code to add in order to stop this?
francesco
2010-03-18 13:24:43
Everything can be 'forged', one way or another. But there's no simple method to avoid this. You should just apply security measures adequate to danger. In most cases, good captcha is more than enough (along with server verification ofc).
Tomasz Struczyński
2010-03-18 13:43:42
@tloach: then it was either poorly implemented or using an (outdated) 3rd party captcha API which was known to be hacked.
BalusC
2010-03-18 13:55:57
@BalusC nope, but it was a large and complex attack http://www.wired.com/threatlevel/tag/ticket-master/
Andy
2010-03-18 14:03:46
@Andy: interesting, thanks for the link.
BalusC
2010-03-18 14:11:17
+2
A:
There are two things to consider which should be implemented in parallel (maybe there's more).
- Captcha (as mentioned before)
- Verify your data on server side! You wrote you do this by javascript. This is good, but the very same verification proccess should be written in PHP.
Well, for CAPTCHA you'll have to make it's verification on server side anyway. But even if you decide not to implement captcha, you should make data verification on server side.
Tomasz Struczyński
2010-03-18 13:23:00
+3
A:
Never trust the client. Always validate all data on server side. JavaScript for form validation can just be an additional feature. You could start with basic PHP functions to check if the content contains certain strings you don't like, eg. "http://".
if (strpos('http://', $_POST['message']) !== false) { /* refuse */ }
Nic
2010-03-18 13:23:25
+2
A:
You can use CSRF protection to prevent spammers, I have found it quite effective.
Another sneaky method is to include a "honeypot" field - a hidden field that should never be submitted with content. If it's filled, you know it's spam. Neither of these methods require an annoying CAPTCHA.
Andy
2010-03-18 13:39:45
CSRF is used for all kind of bad stuff, spamming forms is, however, usually not one of them. CSRF is about using somebody else's clearance/authorization to perform unauthorized actions.
Jacco
2010-03-18 14:11:35
@Jacco you're right, however if you look at it simply it's intended to prevent unauthorised submissions - in this context that's the bots (except the cleverer ones!)
Andy
2010-03-18 15:03:58
A:
I suggest using the htmlentities() function before doing your insert.
Obviously your insert should be done using parametrized queries to interact with the database as well. Capatcha is certainly an option, but it more serves to limit how often someone can post, not what they can post. Use hmtl escaping (again, the htmlentities() function) to prevent the user from inputting things you don't want.
C. Ross
2010-03-18 13:46:22