[PHP] Halting a form to email script on finding certain words

Associate | Joined 29 May 2003 | Posts 2,038 | Location Cambridge
The script I'm using for taking a user-submitted form and building an email from it works well for preventing header injection via its use of a pair of regular expressions, but I've come up against another abuse that I'd like to stamp out and I'm unsure what would be the best way to go about it. I have a theory of my own - outlined below - but would welcome any other suggestions.

Some little toerag - Russian, if the email address that appears with the submission is in any way genuine - is inserting text and hyperlinks to various porn sites into the comments field of my form and then submitting it.

As a short term measure, I've run the strip_tags() function on the string stored in the $_POST array which at least means that there are no clickable links in what's sent to the recipient. In addition, I've created an array called $badwords and then, via:

Code:
// str_replace() returns the cleaned copy, so the result has to be assigned back
$_POST['comments'] = str_replace($badwords, "", $_POST['comments']);

have deleted most of the offensive words from the string.

What I'd like to do is just not send the mail if one of the offensive words is found in the comments field. I'm guessing the way to do this would be to have the part of the script that builds and submits the mail inside an if..then conditional - in pseudocode terms something like this:

Code:
$found = false;
foreach ($badwords as $word) {
    if (stripos($_POST['comments'], $word) !== false) { $found = true; break; }
}
if (!$found) {
    // build and submit mail in the normal way
}
// else: do nothing

As regards the first stage, what's the best way of comparing the contents of $_POST['comments'] to my $badwords array? I looked through the php.net string functions documentation and one of my PHP reference books and couldn't find anything obvious that appeared built specifically for that purpose, although that's not to say it doesn't!

As regards the ((do nothing)) bit, could I omit the 'else' bit altogether or would it be better to return the sender to the page with the form on it? Presumably that wouldn't cause problems with infinite loops etc. if he was using some sort of bot to abuse my form as I've heard some of these people do? Ideally I wouldn't want to do anything that would give this little oik any clues that his junk has been filtered out and hence not encourage him to experiment with other porn-related terms.

Apologies for all the rambling or stating of the obvious above - if there's a better solution to the one I've outlined then I'd welcome any suggestions. Just in case it's relevant, the site is currently on a server running PHP4, but is soon to be moved to a server running PHP5.
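One way to do both things asked above, the comparison against $badwords and the "do nothing" branch, as an added example that is not the poster's script. It assumes the field is $_POST['comments'], that $badwords is a plain array of words, that the existing mail-building code can be wrapped in a function (here a hypothetical send_form_mail() with a made-up recipient address), and it is written for PHP 5. The word list and the sample inputs in the command-line self-check are constructed for the example.

```php
<?php
// Added example, not the original poster's script. Assumes $_POST['comments'],
// a plain $badwords array, and a hypothetical send_form_mail() standing in for
// the poster's existing mail code. Written for PHP 5.

// Constructed word list for the example; the real list is whatever you maintain.
$badwords = array('viagra', 'casino', 'porn');

/**
 * Return the first banned word found in $text, or null if none is present.
 *
 * $whole_words = true matches on word boundaries (\b), so a short list entry
 * does not fire inside a longer innocent word (the classic "Scunthorpe"
 * problem); false matches plain substrings, which also catches run-together
 * spam such as "buyviagranow" at the cost of more false positives.
 * preg_quote() escapes regex metacharacters so a list entry such as "a.b" or
 * "c++" cannot corrupt the pattern; /i makes the match case-insensitive.
 */
function find_banned_word($text, array $badwords, $whole_words = true)
{
    foreach ($badwords as $word) {
        $quoted  = preg_quote($word, '/');
        $pattern = $whole_words ? '/\b' . $quoted . '\b/i' : '/' . $quoted . '/i';
        if (preg_match($pattern, $text) === 1) {
            return $word;
        }
    }
    return null;
}

/**
 * Count URL-like fragments. Link spam survives strip_tags() as bare
 * "http://..." or "www." text, so counting them is a second, independent signal.
 */
function count_links($text)
{
    return preg_match_all('~https?://|www\.~i', $text, $matches);
}

/**
 * Decide whether a submission should be dropped. Returns true for spam.
 */
function looks_like_spam($comments, array $badwords, $max_links = 1)
{
    if (find_banned_word($comments, $badwords) !== null) {
        return true;
    }
    return count_links($comments) > $max_links;
}

// Hypothetical stand-in for the poster's existing mail-building code.
function send_form_mail($comments)
{
    $body = strip_tags($comments);
    return mail('you@example.com', 'Form submission', $body);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs so the file can be run from the command line.
    $samples = array(
        'Hello, I enjoyed your site, thanks.'                       => false,
        'Best PORN here http://a.example/ and http://b.example/ now' => true,
        'Check www.example.net and www.example.org'                 => true,
        'Thanks for the Scunthorpe directions.'                     => false,
    );
    foreach ($samples as $text => $expected) {
        $verdict = looks_like_spam($text, $badwords);
        printf("%s  %s\n", $verdict === $expected ? 'ok  ' : 'FAIL', $text);
    }
} else {
    $comments = isset($_POST['comments']) ? (string) $_POST['comments'] : '';
    if (!looks_like_spam($comments, $badwords)) {
        send_form_mail($comments);
    }
    // Deliberately no else branch: spam and legitimate posts both get the same
    // "thanks" page, so a bot (or its operator) learns nothing about the filter
    // and there is nothing for it to loop back into.
    header('Location: thanks.html');
    exit;
}
```

Run it with `php filename.php` to see the self-check; under a web server the same file handles the form. Two practical caveats: silently dropping a submission means a false positive loses a genuine message, so it is worth appending rejected submissions to a log the sender cannot see and reviewing it now and then to tune the list; and the word list alone is a weak signal, which is why the link count is checked as well, since porn spam that survives strip_tags() still carries bare URLs.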
 
That depends how you define "best". If you define "best" as "least user-friendly" then you're right, CAPTCHA is best, but if you define "best" as something that's relatively easy to set up, requires minimal headache from your user and is universal (unless you don't have an email address, in which case you won't get far anyway) then I'd recommend email validation with a cron to clean out all unverified posts.
 