Re: Newbie php problem



Tim Greer wrote:

> Beauregard T. Shagnasty wrote:
>> Tim Greer wrote:
>>> You probably want to evolve that script, but for the immediate
>>> problem, why not have a form field that's a hidden HTML tag, which
>>> is a specific value, and the script only executes the mail function
>>> if (for example) the field name "mailed" is "wassubmitted" or any
>>> combination you wish to use, and only then is it submitted.
>>
>> What would prevent the bot people from copying your contact form
>> (View Source, of course), complete with "hidden" field, and
>> submitting it to your action script from their own server?
>
> Nothing would and that wasn't the intent of the reply. I said that
> it would stop a lot of bots and (probably) the search engine spiders.

Search engine spiders don't "submit" the form, so there is no worry
there.

> All of the bots out there use specific preset fields to exploit
> common mail forms,

Spam bots? Not in my experience. There is a persistent spammer who
keeps trying to exploit one of my contact forms. I have non-standard
field names, and he will submit to my action script using compromised
Windows zombies from around the planet. He will try a few times a month.
So then I will change the name of the file, change the name of a field
or two, and a week later he is back testing/trying again. Since the link
changed, he has to be coming back manually to find my 'new' contact
page.

> so that would stop most (probably all), but if they copied the
> field and value, then it would allow them to exploit it, of course.
> Unlikely if your site isn't too popular and you use a unique field,
> though. Of course, this is why I said that they'd want to use a more
> advanced script, since there are better ways (and you can stop
> automated bots completely, if you do it right). My suggestion was
> simply to solve their immediate problem (and also to suggest a more
> advanced script, which I also had done).

My spammer isn't automated .. but if he found that he could exploit my
form, you betcha he would automate it soon enough.

>> IMO, a hidden field is next to useless for the purpose you described.
>
> Not really. They wanted their script to be protected from search
> engines and misguided posts, and if you require a specific field to be
> posted, along with non-empty fields you should require, it'll suit the
> purpose perfectly fine. If they want to make it so spam bots can't
> take the source (or read the source) and use the fields to protect from
> blank or spamful posts (they've only complained about blank posts),
> then they'd certainly need to do more/different things, which I
> suggested.

Yes, the OP was only complaining about blank fields, and I guess I took
it further than that. The simple answer is to test all fields prior to
calling the mail() function. The OP's code fragment shows no testing at
all. (Yes, I know it's only a fragment.)

But an additional hidden field won't help there.

--
-bts
-Friends don't let friends drive Windows
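As an added illustration of the point both posters end up agreeing on (check every field before calling mail(), and treat the hidden "mailed"/"wassubmitted" field only as a filter for blank or accidental posts, not as a defense against someone who copies the form), here is a small PHP action script. This is example code written for this thread, not the OP's script or either poster's code; the field names, the recipient address and the hidden value are assumptions.

```php
<?php
// Added example, not from the thread. Field names, the hidden token and the
// recipient address are assumptions chosen for illustration.

// Hidden form field from the thread: <input type="hidden" name="mailed" value="wassubmitted">
// Anyone who views the source can copy it, so it only screens out blank or
// misdirected submissions, never a spammer who has read the form.
const HIDDEN_NAME  = 'mailed';
const HIDDEN_VALUE = 'wassubmitted';

// Every field the form must supply, with a validator for each.
// trim() first so a field containing only whitespace counts as empty.
const REQUIRED_FIELDS = ['name', 'email', 'message'];

/**
 * Return a list of validation errors for a submitted form; an empty list
 * means the submission is acceptable and mail() may be called.
 */
function validate_contact(array $post): array
{
    $errors = [];

    // The hidden field must be present with exactly the expected value.
    if (!isset($post[HIDDEN_NAME]) || $post[HIDDEN_NAME] !== HIDDEN_VALUE) {
        $errors[] = 'submission did not come from the contact form';
    }

    // No required field may be missing or blank.
    foreach (REQUIRED_FIELDS as $field) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $errors[] = "field '$field' is required";
        }
    }

    // The address is placed in a mail header, so it must be a single valid
    // address; FILTER_VALIDATE_EMAIL rejects embedded CR/LF, which keeps
    // user input from adding extra headers to the message.
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "field 'email' is not a valid address";
    }

    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);

    if ($errors !== []) {
        // Reject before mail() is ever reached; report the reasons to the user.
        http_response_code(400);
        foreach ($errors as $error) {
            echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }

    // All checks passed: build the message and send it. Only the validated
    // address goes into the headers; free-text fields stay in the body.
    $name    = trim($_POST['name']);
    $email   = trim($_POST['email']);
    $message = trim($_POST['message']);

    $body = "Name: $name\nEmail: $email\n\n$message\n";
    $sent = mail('webmaster@example.com', 'Contact form message', $body, "Reply-To: $email");

    echo $sent ? 'Thank you, your message was sent.' : 'Sorry, the message could not be sent.';
}
```

The validation runs on every POST and mail() is only reached when it returns no errors, which is the "test all fields prior to calling mail()" step the OP's fragment lacked. The hidden-field check sits in the same function so that a blank or misdirected post fails in the same place as a post with an empty name; as the thread notes, a spammer who copies the form will pass that check, so anything stronger has to be layered on separately.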