Got Spammed from a contact form
#31

[eluser]Référencement Google[/eluser]
Does that mean we can have an issue doing:
Code:
if($this->input->post('firstname'))
{
    // Do something sensible here
}
instead of:
Code:
if($this->input->post('firstname') === TRUE)
{
    // Do something sensible here
}

?
#32

[eluser]cahva[/eluser]
The best way to stop spam is to ask a question that a human knows the answer to but a bot doesn't. It's easy to implement and doesn't annoy humans (that much), but it is almost impossible for bots (well, it depends on what questions you use).

What color is a red firetruck?
What color is this word?
You have two dollars in your pocket and you spend one. How much do you have left?

Of course spambots are getting more clever. This technique works best on non-English sites.
#33

[eluser]Colin Williams[/eluser]
Quote: The problem with this is if some smart ass goes and puts 'FALSE' into a form field that you are using an if() statement on, e.g. if ($this->input->post('firstname')) {do something}. A person could set the value of the form field 'firstname' to be 'FALSE', which would completely screw up your if statement.

Huh? Are you saying 'FALSE' == FALSE would return TRUE? I think not. Non-empty strings always equate to a boolean TRUE.
#34

[eluser]Blazeme[/eluser]
In my opinion, CAPTCHA is the only secure way to avoid bot spamming.
Although, questions are also hard for bots (like: is 10 > 2? etc., as cahva said).

I made a bot in C# .NET once (it was for Windows).
Just wanted to try a few things.
It worked this way:
I set the method (POST or GET), entered how many times the page would be visited (or the form submitted), entered the arguments (like: name=Me&subject=Spammm&text=Something goes here), and pressed a button.
Of course, this wasn't a bot that would go and search the net and so on, but it worked well if there was no captcha/questions.
As far as JavaScript is concerned, I could just type &js_field=something and that's it.

And yeah, CAPTCHA is only annoying when you post something many times (for example in a chat of some kind).
But for an email form, it's simply a must.
After all, a guest won't contact you like 43424 times in a row, and typing a few letters in a box isn't so hard...
(And yeah, just don't make the CAPTCHA too hard to read, if you decide to use it.)
#35

[eluser]rogierb[/eluser]
I use a number of methods that keep most spambots away:

1: a hidden field containing a unique value. The value is stored in the user's session and checked against the posted field. This prevents most playback bots from posting.

2: a common field that is not displayed (CSS), like 'country'. If it gets posted with a value, then it is a bot. This fools some of the form-filling bots.

3: a hidden timestamp field, usually something like date('Y-m-d').time().somestring.
If the form returns within 5-xx seconds (depending on the complexity of the form) it is most likely a bot.

4: Captcha. I don't like them, but I have a bigger dislike for spam.

5: if an email address or a website is required, check that they are valid and exist (through DNS).

6: a few JS tricks, same as mentioned earlier.

I hope this ignites some new ideas ;-)
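As an added example (not rogierb's own code), here is a plain-PHP version of points 1 to 3 above: a per-session token, a CSS-hidden honeypot field, and a minimum fill time. The field names 'form_token' and 'country', the 5-second minimum and an already-started session are assumptions; the timestamp is kept in the session rather than in a hidden field so that a bot cannot post its own value.

```php
<?php
// Added example, not from the thread. Requires PHP 7+ (random_bytes,
// hash_equals) and session_start() having been called before use.

// Minimum seconds a human plausibly needs for this form (assumed value).
define('MIN_FILL_SECONDS', 5);

// Call when rendering the form. Returns the hidden-field values to embed;
// 'country' is the honeypot and must be hidden with CSS, not type=hidden.
function form_guard_render() {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;      // point 1: stored server-side
    $_SESSION['form_ts']    = time();      // point 3: issue time
    return array('form_token' => $token, 'country' => '');
}

// Call on submit with the posted array. Returns the list of checks that
// failed; an empty array means the post looked human.
function form_guard_check(array $post) {
    $reasons = array();

    // 1: the token must match the one issued to this session (stops replay
    //    bots that re-post a captured request).
    $issued = isset($_SESSION['form_token']) ? $_SESSION['form_token'] : '';
    $sent   = isset($post['form_token']) ? (string) $post['form_token'] : '';
    if ($issued === '' || !hash_equals($issued, $sent)) {
        $reasons[] = 'token mismatch';
    }

    // 2: the invisible honeypot must come back empty.
    if (isset($post['country']) && trim($post['country']) !== '') {
        $reasons[] = 'honeypot filled';
    }

    // 3: the form must not return faster than a person could fill it in.
    $issuedAt = isset($_SESSION['form_ts']) ? (int) $_SESSION['form_ts'] : 0;
    if ($issuedAt === 0 || time() - $issuedAt < MIN_FILL_SECONDS) {
        $reasons[] = 'submitted too fast';
    }

    // A token is good for one submission only, whatever the outcome.
    unset($_SESSION['form_token'], $_SESSION['form_ts']);
    return $reasons;
}
```

Log the returned reasons rather than telling the submitter which check failed, so a bot author gets no hint about what to adjust.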
#36

[eluser]Référencement Google[/eluser]
Point number 2 didn't protect me when I tried it earlier (read the post from the start).

Point number 5 is not a reliable solution either; using checkdns() through PHP is not reliable because many servers are protected against that.

Your other points are good.

Also, has nobody answered the logic question about what PHP returns when using FALSE == FALSE?
#37

[eluser]m4rw3r[/eluser]
Code:
FALSE ==  FALSE    -> true
FALSE ==  0        -> true
FALSE ==  ''       -> true
FALSE ==  array()  -> true
FALSE === FALSE    -> true
FALSE === 0        -> false
FALSE === ''       -> false
FALSE === array()  -> false

and finally:
TRUE == ''         -> false
TRUE == 'somestr'  -> true  (?!?!?!)
(used PHP 5.2.5)
#38

[eluser]rogierb[/eluser]
Indeed, point 2 is rather outdated, but it still seems to stop some older bots, so I still include the check.

As for point 5, I use a series of checks:
- checkdnsrr()
- checkmxrr()
- fsockopen on port 25 and 587

So far I haven't had any complaints ;-)

As for FALSE === FALSE, it should return TRUE: both are of the same type and have the same value.
#39

[eluser]sl3dg3hamm3r[/eluser]
Another variation: PHP sends a mathematical task (e.g. adding two numbers), which is solved by JavaScript and sent back with the form. It assumes JavaScript as well, though, but spares the user from solving additional tasks...
#40

[eluser]Scott - Beyond Coding[/eluser]
[quote author="Too Pixel" date="1226255654"]Does that mean we can have an issue doing:
Code:
if($this->input->post('firstname'))
{
    // Do something sensible here
}
instead of:
Code:
if($this->input->post('firstname') === TRUE)
{
    // Do something sensible here
}

?[/quote]

Just did some quick tests and I was never able to get if($this->input->post('firstname')) to evaluate to false with anything other than an empty string.

It seems that even when you look at what comes in through the raw $_POST array, everything is sent as strings (at least for the text boxes I was testing with). Checked it with var_dump($_POST).

[quote author="Colin Williams" date="1226288837"]
Quote: The problem with this is if some smart ass goes and puts 'FALSE' into a form field that you are using an if() statement on, e.g. if ($this->input->post('firstname')) {do something}. A person could set the value of the form field 'firstname' to be 'FALSE', which would completely screw up your if statement.

Huh? Are you saying 'FALSE' == FALSE would return TRUE? I think not. Non-empty strings always equate to a boolean TRUE.[/quote]

Colin is spot-on here. So we don't have to use === after all (at least where known string types are concerned).
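As an added example (not code from the thread), the following PHP prints how the plain if($v) test from post #31, the === TRUE form, and a trim-based check treat the values a text field can deliver, extending m4rw3r's table in #37 to the string cases discussed in #40. It assumes CodeIgniter's $this->input->post() returns FALSE for an absent field; everything else comes straight from $_POST, where present fields are always strings.

```php
<?php
// Added example, not from the thread. Constructed sample values stand in
// for what a text field can send; FALSE models an absent field as
// returned by $this->input->post() (assumed CodeIgniter 1.x behaviour).
$samples = array(
    'absent field' => FALSE,
    'empty string' => '',
    'string "0"'   => '0',
    'string FALSE' => 'FALSE',
    'only spaces'  => '   ',
    'normal name'  => 'Alice',
);

// What if($value) actually evaluates.
function truthy($value) {
    return (bool) $value;
}

// What the === TRUE alternative from post #31 evaluates; a string is
// never identical to the boolean TRUE.
function strictly_true($value) {
    return $value === TRUE;
}

// A "field is filled" check that accepts "0" and rejects whitespace.
function is_filled($value) {
    return is_string($value) && trim($value) !== '';
}

printf("%-14s %-8s %-9s %-9s\n", 'value', 'if($v)', '=== TRUE', 'is_filled');
foreach ($samples as $label => $value) {
    printf("%-14s %-8s %-9s %-9s\n",
        $label,
        truthy($value)        ? 'true' : 'false',
        strictly_true($value) ? 'true' : 'false',
        is_filled($value)     ? 'true' : 'false');
}
```

The table confirms Colin's point that the string 'FALSE' is truthy, but also shows that a field containing just "0" is not, so if($v) silently rejects a legitimate "0" while is_filled() accepts it.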
