Our Mr Osgood kindly provided some code which I have added to my contact page but spam keeps arriving, usually one or two emails each day. It attempts to defeat the spammer by requiring an answer to the calculation: 3 x 4 to be entered. Could he or one of his esteemed colleagues take a look at the code please? The page is at http://ancestry.higgsy.co.uk/contact5.php
As Osgood's code is probably in PHP we will be unable to view it, as PHP code is applied on the server, not in the browser.
Osgood may look in on the forum, so patience is necessary.
Part of the problem is that you're using client-side (Javascript) validation that requires jQuery, but you're loading jQuery AFTER the validation.js file.
I sincerely hope you're also using server-side PHP validation. Using JS alone is a very bad idea.
HTH,
^ _ ^
WolfShade wrote
Part of the problem is that you're using client-side (Javascript) validation that requires jQuery, but you're loading jQuery AFTER the validation.js file.
I sincerely hope you're also using server-side PHP validation. Using JS alone is a very bad idea.
HTH,
^ _ ^
I would assume whatever it is that I supplied is in the PHP file because I don't see any client-side validation for the spam form field.
I clicked the link to his site, did a View Source, and noticed that there is a "validation.js" file loading before jQuery. I looked at the .js file source, and the client-side form validation is in there, using jQuery selectors for the form elements.
It may not be the only thing that's not properly working, but moving the jQuery load before the .js file should be a huge improvement.
V/r,
^ _ ^
WolfShade wrote
I clicked the link to his site, did a View Source, and noticed that there is a "validation.js" file loading before jQuery. I looked at the .js file source, and the client-side form validation is in there, using jQuery selectors for the form elements.
Yes, but there's nothing in that validation file that addresses the spam field that I could see, so it must only be being checked in the PHP file.
OK, here's the code:
<?php
error_log( "DH0010 *************** HIGGS *********************************", 0 );
error_log( "DH0020 - from contact5", 0 );

// Set email variables
$email_to = 'billy@higgsy.com';
$email_subject = 'Form submission';
$required_fields = array( 'fullname', 'email', 'comment' );

// set error messages
$error_messages = array(
    'fullname' => 'Please enter a Name to proceed.',
    'email'    => 'Please enter a valid Email Address to continue.',
    'comment'  => 'Please enter your Message to continue.'
);
error_log( "DH0030 - array error messages created", 0 );

// Set form status
$form_complete = FALSE;
// configure validation array (names of the required fields that failed)
$validation = array();
// security-question errors (previously left undefined on a plain GET request)
$error = array();
$alien_attack = '';
error_log( "DH0035 - two vars set", 0 );

// check form submittal
if ( !empty( $_POST ) ) {
    error_log( "DH0035a - printing the POST contents...", 0 );
    // print_r($_POST); prints the data across top of web page
    error_log( "DH0040 - POST array found NOT empty, so checking value of security question field, alien_attack", 0 );

    // Security check: read the answer box without raising an undefined-index notice
    $alien_attack = isset( $_POST['alien_attack'] ) ? trim( $_POST['alien_attack'] ) : '';
    if ( $alien_attack === '' ) {
        $error['alien_attack'] = "Please provide the correct answer";
        error_log( "DH0050 - security question (alien_attack) is empty", 0 );
    } elseif ( $alien_attack !== "12" ) {
        $error['alien_attack'] = "Please provide the correct answer";
        error_log( "DH0060 - security question (alien_attack) not = 12", 0 );
    }

    // Honeypot: the hidden "alien" field is never filled in by a browser user
    $alien = isset( $_POST['alien'] ) ? $_POST['alien'] : '';
    if ( !empty( $alien ) ) {
        error_log( "DH0070 - alien attack detected, exiting process", 0 );
        exit;
    }

    // Sanitise POST array (strip characters that could add extra mail headers)
    error_log( "DH0080 - sanitising post array", 0 );
    foreach ( $_POST as $key => $value ) {
        $_POST[$key] = remove_email_injection( trim( (string) $value ) );
    }
    error_log( "DH0090 - First foreach completed", 0 );

    // Loop into required fields and make sure they match our needs
    foreach ( $required_fields as $field ) {
        // the field has been submitted?
        if ( !array_key_exists( $field, $_POST ) ) {
            array_push( $validation, $field );
            continue; // nothing more to check for a missing field
        }
        // check there is information in the field?
        if ( $_POST[$field] == '' ) {
            array_push( $validation, $field );
        }
        // validate the email address supplied
        if ( $field == 'email' && !validate_email_address( $_POST[$field] ) ) {
            array_push( $validation, $field );
        }
    }
    error_log( "DH0100 - Second foreach completed", 0 );

    // basic validation result: all required fields present AND security question answered correctly
    if ( count( $validation ) == 0 && !isset( $error['alien_attack'] ) ) {
        error_log( "DH0110 - Preparing our content string (sets email_content var)", 0 );
        // Prepare our content string
        $email_content = 'from my ancestry website v38 ' . "\n\n";
        error_log( "DH0120 - Now entering foreach loop to build the email body", 0 );
        foreach ( $_POST as $key => $value ) {
            if ( $key != 'submit' ) $email_content .= $key . ': ' . $value . "\n";
        }
        // if validation passed ok then send the email
        error_log( "DH0130 - validation passed, sending email", 0 );
        mail( $email_to, $email_subject, $email_content );
        // Update form switch
        $form_complete = TRUE;
    }
}
error_log( "DH5000 - post array was empty OR post array processed and mail sent ok", 0 );

// Returns TRUE only for a plausible user@domain.tld address
function validate_email_address( $email = FALSE ) {
    error_log( "DH0130 - function validate_email_address entered", 0 );
    return preg_match( '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', (string) $email ) === 1;
}

// Removes line breaks and header keywords so a field value cannot inject additional mail headers
function remove_email_injection( $field = FALSE ) {
    error_log( "DH0140 - function remove_email_injection entered", 0 );
    return str_ireplace( array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:" ), '', (string) $field );
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<?php include("includes/ANC_head_tag.php"); ?>
HERE's THE ANC_HEAD_TAG.PHP:
<!-- *** START include meta, javascript and css links *** -->
<meta charset="UTF-8">
<meta name="description" content="A site for recording the family tree of the higgs family from Holborn London UK">
<!-- older requirement -->
<meta name="keywords" content="ancestry, binning, higgs, peterson, rockliffe, frederick higgs, rosina higgs, elizabeth higgs, richard higgs, robert higgs, harry higgs, david higgs, family, ancestry, holborn, london, family tree, amber"/>
<meta name="author" content="David Charles Higgs">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!--<script src="js/jquery.js"></script>-->
<script src="js/jquery-3.3.1.min.js"></script>
<script src="js/myscripts.js"></script>
<!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
<!-- <script src="js/jquery-3.2.1.min.js"></script>-->
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="js/popper.min.js"></script>
<script src="js/bootstrap-4.0.0.js"></script>
<link href="https://fonts.googleapis.com/css?family=Istok+Web" rel="stylesheet"/>
<link href="css/bootstrap-4.0.0.css" rel="stylesheet"/>
<link href="css/main.css" rel="stylesheet"/>
<link href="css/ancestry.css" rel="stylesheet"/>
<link href="css/common.css" rel="stylesheet"/>
<link href="css/mybootstrap-overrides.css" rel="stylesheet"/>
<!-- *** END include meta, javascript and css links *** -->
<title>Ancestry of the Higgs family, Contact Form</title>
<!-- Contact Form Designed by James Brand @ dreamweavertutorial.co.uk -->
<!-- Covered under creative commons license - http://dreamweavertutorial.co.uk/permissions/contact-form-permissions.htm -->
<link href="contact/css/contactform.css" rel="stylesheet" type="text/css"/>
<script src="https://ajax.googleapis.com/ajax/libs/mootools/1.3.0/mootools-yui-compressed.js"></script>
<script src="contact/validation/validation.js"></script>
<script>
    var nameError = '<?php echo $error_messages['fullname']; ?>';
    var emailError = '<?php echo $error_messages['email']; ?>';
    var commentError = '<?php echo $error_messages['comment']; ?>';
</script>
</head>
<body>
<div class="container">
<img class="banner_image" id="top" src="archive/multiphoto_logo2.jpg" alt="banner image showing some nice pictures"/>
<?php include("includes/ANC_main_menu1_with_banner_image.php"); ?>
<!-- superfish menu removed from here -->
<div class="content">
<div id="formWrap">
<h2 class="centered_text">Contact.</h2>
<div id="form">
<?php if($form_complete === FALSE): ?>
<form action="contact5.php" method="post" id="comments_form">
<!--Each form element is in a row, so there are 4 rows below-->
<div class="row">
<div class="label">Your Name</div>
<!--end .label -->
<div class="input">
<input type="text" id="fullname" class="detail" name="fullname" value="<?php echo isset($_POST['fullname']) ? htmlspecialchars($_POST['fullname'], ENT_QUOTES, 'UTF-8') : ''; ?>"/>
<?php if(in_array('fullname', $validation)): ?>
<span class="error">
<?php echo $error_messages['fullname']; ?>
</span>
<?php endif; ?>
</div>
<!-- end .input -->
<div class="context">e.g. John Smith or Jane Doe</div>
<!-- end .context -->
</div>
<!--end .row -->
<div class="row">
<div class="label">Your Email Address</div>
<!--end .label -->
<div class="input">
<input type="text" id="email" class="detail" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8') : ''; ?>"/>
<?php if(in_array('email', $validation)): ?>
<span class="error">
<?php echo $error_messages['email']; ?>
</span>
<?php endif; ?>
</div>
<!-- end .input -->
<div class="context">I will never share your details</div>
<!-- end .context -->
</div>
<!--end .row -->
<div class="row">
<div class="label">Your Message</div>
<!--end .label -->
<div class="input">
<textarea id="comment" name="comment" class="mess"><?php echo isset($_POST['comment']) ? htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8') : ''; ?></textarea>
<?php if(in_array('comment', $validation)): ?>
<span class="error">
<?php echo $error_messages['comment']; ?>
</span>
<?php endif; ?>
</div>
<!-- end .input -->
</div>
<!--end .row -->
<div class="row">
<div class="label">Security Question: 3 x 4 = ?</div>
<!--end .label -->
<input type="text" name="alien_attack" class="alien_attack" value="<?php if(!isset($error['alien_attack']) && isset($alien_attack)) { echo htmlspecialchars($alien_attack, ENT_QUOTES, 'UTF-8'); } ?>"/>
<?php if(isset($error['alien_attack'])) {echo $error['alien_attack'];} ?>
</div>
<!-- end .input -->
<!--end .row -->
<!-- class names are case sensitive!
-->
<div class="Submit">
<input type="submit" id="submit" name="submit" value="Send Message"/>
</div>
<!-- end .submit -->
<input type="hidden" name="alien"/>
</form>
<?php else: ?>
<p style="font-size:18px; font-family:Verdana, Geneva, sans-serif; font-weight:bold; color:#000; margin-left:25px;">Thank you for your Message!</p>
<?php endif; ?>
</div>
<!--end of form -->
</div>
<!-- end of .formWrap -->
</div>
<br>
<!-- end .content -->
<div class="footer">
<?php include("includes/footer.htm"); ?>
</div>
<!-- end .footer -->
</div>
<!-- end .container -->
</body>
</html>
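The check in the code above compares the answer box against a fixed value that is also printed in the page itself (3 x 4 = 12), so a submission that simply always sends alien_attack=12 passes it. The following is an added example, not code from the thread or from Osgood, showing the same idea hardened: the question is generated fresh on every page view, only the answer is kept server-side in the session, the comparison is constant-time, the hidden "alien" honeypot is kept, only the known fields are copied into the mail body, and every value echoed back into the form is escaped. It assumes PHP 7 or later with sessions enabled; the field names follow the thread's form, the recipient address is a placeholder, and the helper names (new_security_question, security_answer_ok, honeypot_tripped, validate_contact, build_body, h) are the example's own.

```php
<?php
// Added example (not the thread's code): per-request arithmetic question with
// server-side verification, honeypot check and header-safe mail body.
session_start();

// Build a random question and remember only its answer on the server.
function new_security_question(): string {
    $a = random_int(2, 9);
    $b = random_int(2, 9);
    $_SESSION['security_answer'] = (string)($a * $b);
    return "Security Question: {$a} x {$b} = ?";
}

// Compare the submitted answer with the stored one in constant time, then
// discard the stored answer so a correct submission cannot be replayed.
function security_answer_ok(array $post): bool {
    $expected = $_SESSION['security_answer'] ?? null;
    unset($_SESSION['security_answer']);
    if ($expected === null || !isset($post['alien_attack'])) {
        return false;
    }
    $given = trim((string)$post['alien_attack']);
    return hash_equals($expected, $given);
}

// Honeypot: a browser leaves the hidden "alien" field empty; form-fillers often do not.
function honeypot_tripped(array $post): bool {
    return isset($post['alien']) && $post['alien'] !== '';
}

// Remove the characters that would let a field value add mail headers.
function strip_header_chars(string $value): string {
    return str_replace(["\r", "\n", "\0"], '', $value);
}

// Returns an array of field => error; empty means the submission is acceptable.
function validate_contact(array $post): array {
    $errors = [];
    foreach (['fullname', 'email', 'comment'] as $field) {
        if (!isset($post[$field]) || trim((string)$post[$field]) === '') {
            $errors[$field] = 'required';
        }
    }
    if (!isset($errors['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }
    if (honeypot_tripped($post) || !security_answer_ok($post)) {
        $errors['alien_attack'] = 'Please provide the correct answer';
    }
    return $errors;
}

// Copy only the known fields into the mail body, so extra POST keys are ignored.
function build_body(array $post): string {
    $body = "from the contact form\n\n";
    foreach (['fullname', 'email', 'comment'] as $field) {
        $body .= $field . ': ' . strip_header_chars((string)$post[$field]) . "\n";
    }
    return $body;
}

// Escape a value before echoing it back into the HTML form.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
$sent = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if ($errors === []) {
        // Placeholder recipient; replace with the real address when deploying.
        $sent = mail('SITE_OWNER@example.invalid', 'Form submission', build_body($_POST));
    }
}
// A fresh question for the next render, whether or not this one succeeded.
$question = new_security_question();
?>
<?php if ($sent): ?>
<p>Thank you for your Message!</p>
<?php else: ?>
<form action="" method="post">
    <input type="text" name="fullname" value="<?php echo h($_POST['fullname'] ?? ''); ?>"/>
    <input type="text" name="email" value="<?php echo h($_POST['email'] ?? ''); ?>"/>
    <textarea name="comment"><?php echo h($_POST['comment'] ?? ''); ?></textarea>
    <label><?php echo h($question); ?></label>
    <input type="text" name="alien_attack" value=""/>
    <?php if (isset($errors['alien_attack'])) echo '<span class="error">' . h($errors['alien_attack']) . '</span>'; ?>
    <!-- honeypot: hidden from people, left in the markup for bots -->
    <input type="text" name="alien" value="" style="display:none" tabindex="-1" autocomplete="off"/>
    <input type="submit" name="submit" value="Send Message"/>
</form>
<?php endif; ?>
```

Because the expected answer changes on every render and is consumed on use, a submitter cannot learn one value and resend it, and a stale copy of the form fails the check. Restricting the mail body to the three named fields also means that anything else posted to the script never reaches the inbox.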
I can't be sure as the form looks overly complex to me, BUT you could try the direct approach and wrap the mail function in an 'if' statement to test that $error['alien_attack'] is NOT set, i.e. that 12 has been sent as the answer, so no error is set. I know it looks like you have done exactly that earlier on in the validation process, but it's a bit knee deep in { } so complex to visualise.
If you set it again as below its definitely functioning and should not affect anything else.
if(!isset($error['alien_attack'])) {
    mail( $email_to, $email_subject, $email_content );
}
We would need to see the PHP code. Maybe there's nothing wrong with your code. Math problems will only defeat spambots. It won't stop human spammers. Unless you block their IP address at the server level, nothing will stop human spam.
Thanks everybody. I think WolfShade's comment about putting my jQuery call in the wrong place needs to be corrected before any further debugging need take place. So I have moved the jQuery call to appear before the validation.js and I'll wait a few days and see if that fixes it. BTW Nancy, are you suggesting some poor soul is sitting each day filling in my contact form manually? I find it hard to believe but, hey, what do I know? 🙂 Thanks again.
https://forums.adobe.com/people/Nancy+OShea wrote
nothing will stop human spam.
Apart from a shotgun