Preventing Spam

An email consists of two parts: a header and a body. The header includes information such as the To and From addresses, the subject, and the date. Each item in the header is on its own line, in the format name: value. The body of the email is the message text itself.

A spammer sends spam by entering the spam message into the comments section of the form.

The presence of any of the character strings listed in the sample textarea below (content-type:, mime-version:, multipart-mixed:, content-transfer-encoding:, bcc:, cc:, to:, and the four newline forms) in a form submission is a likely indicator that someone is trying to send spam through your site. The last four are all different ways of writing a newline.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="EN" lang="EN">
<head>
<title>Preventing Spam</title>
<meta name="author" content="Hann So" />
</head>
<body>
<p>
<?php

if (isset($_POST['submit'])) {
	process_form();
}
else {
	display_form(); // display form for the first time
}

function display_form() {
	echo <<<HTML
	<h2>Feedback Form</h2>
	<form action = "$_SERVER[SCRIPT_NAME]" method="post">
	Name:
	<input type="text" name="name" size="40" maxlength="60" value="Hann" />
	<br />
	Email:
	<input type="text" name="email" size="40" maxlength="80" value="hso@voyager.fhda.edu" />
	<br />
	Comments:
	<textarea name="comments" rows="5" cols="40">testing
	content-type:
	mime-version:
	multipart-mixed:
	content-transfer-encoding:
	bcc:
	cc:
	to:
	\r
	\n
	%0a
	%0d
	end
	</textarea>
	<br />
	<input type="submit" name="submit" value="Submit" />
	</form>
HTML;
}

// Returns a clean version of the string: an empty string if any header name
// was found, otherwise the value with all newline characters removed.
// Defined at file scope (not inside process_form()) so that it is declared only once.
function spam_scrubber($value) {
	// list of very bad values: email header names that have no business in a form field
	$very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:', 'multipart-mixed:', 'content-transfer-encoding:');
	// if any of the very bad strings are in the submitted value, return an empty string.
	// stripos() is used so that "Bcc:" or "BCC:" are caught as well as "bcc:".
	foreach ($very_bad as $bad) {
		if (stripos($value, $bad) !== false)
			return "";
	}
	// remove any newline characters, literal (\r, \n) or URL-encoded (%0a, %0d):
	$value = str_replace(array("\r", "\n", "%0a", "%0d"), '', $value);
	// return the value
	return trim($value);
}

function process_form() {

	// display to see what we got from the form for the comments (escaped so raw input is not rendered as HTML)
	echo htmlspecialchars($_POST['comments']) . "<br />";

	// clean the form data by using array_map which has 2 arguments.
	// the first is the name of the function to call
	// the second is an array
	// array_map() calls the named function once for each array element
	$scrubbed = array_map("spam_scrubber", $_POST);

	// display to see the results from the spam_scrubber() (escaped before output)
	foreach ($scrubbed as $key => $val) {
		echo htmlspecialchars($key) . " => " . htmlspecialchars($val) . "<br />";
	}

	// minimal form validation
	if (!empty($scrubbed['name']) && !empty($scrubbed['email']) && !empty($scrubbed['comments'])) {
		// create the body
		$body = "Name: {$scrubbed['name']}\n\nComments: {$scrubbed['comments']}";
		$body = wordwrap($body, 70);
		// send the email
		mail('hso@voyager.deanza.edu', 'Contact Form Submission', $body, "From: {$scrubbed['email']}");
		//print a message
		echo "<p>Thank you for your feedback</p>";
		// clear $_POST
		$_POST = array();
	}
	else {
		echo "<p>Please fill out the form completely.</p>";
	}

	echo "<p><a href=\"$_SERVER[SCRIPT_NAME]\">Try again?</a></p>";

}
?>
</p>
</body>
</html>
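As an added example (not part of the original page), here is a hardened version of the same scrubbing idea, using the hypothetical names scrub_field() and valid_from_address(): it matches header names case-insensitively, decodes URL-encoded newlines before checking, and validates the address that will end up in the From: header as a single address. The three submissions at the bottom are constructed test inputs.

```php
<?php
// Added example, not the page's own code. Hardened variant of spam_scrubber():
//  - header names are matched case-insensitively (stripos), so "Bcc:" and "BCC:"
//    are caught as well as "bcc:";
//  - URL-encoded newlines (%0a, %0d) are decoded first, so a later decoding step
//    cannot turn them back into real header separators;
//  - the From: address is validated with filter_var(), which rejects newlines.
declare(strict_types=1);

// Returns '' when the value looks like a header-injection attempt,
// otherwise the value with all newline characters turned into spaces.
function scrub_field(string $value): string
{
    $decoded = rawurldecode($value);          // %0a / %0d become real newlines
    $header_names = ['to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:',
                     'multipart-mixed:', 'content-transfer-encoding:'];
    foreach ($header_names as $name) {
        if (stripos($decoded, $name) !== false) {   // case-insensitive match
            return '';
        }
    }
    return trim(str_replace(["\r", "\n"], ' ', $decoded));
}

// The email field is placed inside mail()'s $headers argument ("From: ..."),
// so it must be exactly one syntactically valid address and nothing else.
function valid_from_address(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample submissions for a quick self-check (run with: php this_file.php).
$samples = [
    'normal'      => ['email' => 'user@example.com', 'comments' => "Hello\nworld"],
    'mixed case'  => ['email' => 'user@example.com', 'comments' => "x\r\nBCC: other@example.com"],
    'url-encoded' => ['email' => 'user@example.com%0aCc: other@example.com', 'comments' => 'hi'],
];
foreach ($samples as $label => $fields) {
    $scrubbed = array_map('scrub_field', $fields);
    $ok = $scrubbed['comments'] !== '' && valid_from_address($scrubbed['email']);
    printf("%-12s -> %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first sample is accepted; the other two are rejected because a header name appears after a (decoded) newline. Note that substring matching on "to:" also rejects benign text such as "reply to: me", so a stricter check would look for header names only at the start of a line.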



© 2008: Hann So
email: hso@voyager.deanza.edu