tenpastmidnight blog

Making hay while the sun shines

PHP contact form spam checking

I've written up the code I'm now using to block spammers who try to hijack the contact forms on my PHP sites. It seems to be catching them all: one of the sites mails me the sender's IP address each time, and it's catching everything consistently.

Contact form spam blocking. The function at the bottom of that page is more elegant than mine, but having put it all together I wrote mine up anyway.
Comments:
Surely all you have to do to stop injection is ensure the From: address the person has entered consists of a single valid email address? As long as extra headers can't be inserted then you're safe and there's no need to check for suspicious data.

(Even so, I've been anxiously checking my own forms!)
 
Before I put the protection in, I saw spam coming through four times in each attack: they were shoving the same data into each form field and submitting it, and the spam was going through. When my first batch of checking only checked one form field (by mistake), it blocked one but not the others.

So, whatever injection technique they're using is overriding something in my mail sending, and it works even if they've only put one address in the 'from' bit of the form (or if I hard-code the from).

If I knew more about injection I think I'd be able to block some of this with better mail-sending code, but I haven't got time to look at it properly at the moment.
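The point raised in the comment thread, that the contact form is safe once the entered address is exactly one valid email address and nothing can append extra headers, as an added PHP example. This is not the blog's own code, nor the code linked from the post; the function names, the fixed `site-owner@example.com` / `contact-form@example.com` addresses and the sample submissions are all constructed for the illustration. It checks every field that ends up in a mail header, not just the address, which is the case the author describes where one address in the 'from' field was not enough.

```php
<?php
// Added example, not the blog's own code: blocking e-mail header injection in a
// PHP contact form. Every value that ends up in a mail header (sender name,
// address, subject) is refused if it carries a line break or a header name,
// and the sender address must be exactly one syntactically valid address.

declare(strict_types=1);

// Fixed recipient and From address (assumed placeholders for the example).
const CONTACT_RECIPIENT = 'site-owner@example.com';
const CONTACT_FROM      = 'contact-form@example.com';

// True when $value contains a raw CR/LF, or a URL-encoded %0A/%0D that a later
// decoding step could turn into one.
function containsLineBreak(string $value): bool
{
    return (bool) preg_match('/[\r\n]|%0[aAdD]/', $value);
}

// True when $value carries a header name a spammer would try to add, at the
// start of the value or right after whitespace.
function containsHeaderName(string $value): bool
{
    return (bool) preg_match('/(?:^|\s)(?:to|cc|bcc|from|content-type|mime-version):/i', $value);
}

// True only when $email is one well-formed address: no display name, angle
// brackets, separators or whitespace that could hide a second recipient.
function isSingleValidEmail(string $email): bool
{
    if ($email === '' || strlen($email) > 254 || preg_match('/[\s,;<>]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Validates a submission and returns either ['ok' => true, ...mail parts] or
// ['ok' => false, 'error' => reason]. The body may contain newlines; header
// fields may not, and none of the fields may carry a header name.
function prepareContactMail(array $post): array
{
    $email   = trim((string) ($post['email']   ?? ''));
    $name    = trim((string) ($post['name']    ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');

    if (!isSingleValidEmail($email)) {
        return ['ok' => false, 'error' => 'email must be a single valid address'];
    }
    foreach (['name' => $name, 'subject' => $subject] as $field => $value) {
        if ($value === '' || containsLineBreak($value) || containsHeaderName($value)) {
            return ['ok' => false, 'error' => "suspicious or empty $field"];
        }
    }
    if (trim($body) === '' || containsHeaderName($body)) {
        return ['ok' => false, 'error' => 'suspicious or empty message'];
    }

    // Display name: keep letters, digits, spaces and a few punctuation marks, then quote it.
    $safeName = preg_replace('/[^\p{L}\p{N} .\'-]/u', '', $name);
    $headers  = 'From: "' . $safeName . '" <' . CONTACT_FROM . ">\r\n"
              . 'Reply-To: ' . $email . "\r\n"
              . 'X-Mailer: PHP/' . PHP_VERSION;

    return [
        'ok'      => true,
        'to'      => CONTACT_RECIPIENT,          // recipient is never taken from the form
        'subject' => mb_substr($subject, 0, 200), // length cap; mbstring assumed available
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Sends only if validation passed; logs the reason and the client IP otherwise.
function sendContactMail(array $post): bool
{
    $m = prepareContactMail($post);
    if (!$m['ok']) {
        error_log('contact form rejected: ' . $m['error'] . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return false;
    }
    return mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

// Constructed sample submissions (not real traffic) to exercise the checks.
$samples = [
    'legitimate'      => ['name' => 'Jane Doe', 'email' => 'jane@example.com',
                          'subject' => 'Hello', 'message' => "Hi,\nnice site."],
    'crlf in address' => ['name' => 'x', 'email' => "jane@example.com\r\nBcc: a@example.net",
                          'subject' => 'x', 'message' => 'x'],
    'header in name'  => ['name' => "x\nContent-Type: text/html", 'email' => 'jane@example.com',
                          'subject' => 'x', 'message' => 'x'],
    'encoded newline' => ['name' => 'x', 'email' => 'jane@example.com',
                          'subject' => 'x%0ABcc: a@example.net', 'message' => 'x'],
];
foreach ($samples as $label => $post) {
    $m = prepareContactMail($post);
    echo str_pad($label, 16), ': ', $m['ok'] ? 'accepted' : 'rejected (' . $m['error'] . ')', PHP_EOL;
}
```

The design choice is to reject rather than clean: a submission carrying a line break or a `Bcc:` in a name, address or subject field is never a legitimate enquiry, so there is nothing worth salvaging, and logging the rejection with the client IP gives the same per-attack visibility the post describes. The visitor's address goes into Reply-To while From is a fixed site address; that differs from putting the entered address straight into From, as discussed in the comments, and also keeps the site's mail from failing SPF checks on the visitor's domain.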
 