php-general Digest 21 Oct 2009 14:25:37 -0000 Issue 6402
Topics (messages 299150 through 299156):
Re: Spam opinions please
299150 by: Peter van der Does
299154 by: Ashley Sheridan
Re: Sanitizing potential MySQL strings with no database connection
299151 by: Dotan Cohen
299153 by: John Black
299155 by: Andrea Giammarchi
299156 by: Jim Lucas
Re: How to pronounce PHP code over the phone?
299152 by: Dotan Cohen
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On Tue, 20 Oct 2009 14:31:53 -0400
"Gary" <[email protected]> wrote:
> I have several sites that are getting hit with form spam. I have the
> script set up to capture the IP address so I know from where they
> come. I found a short script that is supposed to stop these IP
> addresses from accessing the form page, it redirects the spammer to
> another page (I was going to redirect to a page that has lots of
> pop-ups, scantily clad men and offers of joy beyond imagination), but
> someone suggested I redirect to the Federal Trade Commission or
> perhaps the FBI.
>
> Any thoughts on the script and its effectiveness?
>
> <?php
> // in_array() needs an exact match against the full client address, so
> // each entry must be a complete IP; three-octet values like the
> // placeholders below never equal $_SERVER['REMOTE_ADDR'].
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
>     header("Location: http://www.google.com/");
>     exit();
> }
> ?>
>
> Gary
>
>
There are several options to stop spammers, although none of them will
completely eliminate all spam. For a forum I prefer the .htaccess
method.
There is a website dedicated to keeping track of forum spammers,
http://stopforumspam.com and depending on your forum you could add an
anti-spam mod that will query their database. On the site they have
mods for phpbb, vBulletin and SMF.
I wrote a Python script that uses a Python library that's also posted
on their site. The Python program basically uses an Apache log file for
the IPs, checks them at Stop Forum Spam and adds the spam IPs to
the .htaccess file. I have it set up in cron to run daily.
For a little bit more detailed description and the program itself:
http://blog.avirtualhome.com/2009/10/08/stop-spammers-in-your-htaccess/
--
Peter van der Does
GPG key: E77E8E98
IRC: Ganseki on irc.freenode.net
Twitter: @petervanderdoes
WordPress Plugin Developer
Blog: http://blog.avirtualhome.com
Forums: http://forums.avirtualhome.com
Twitter: @avhsoftware
--- End Message ---
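The log-to-.htaccess pipeline Peter describes, as an added Python example that is not his script and does not call the Stop Forum Spam API: the reputation lookup is passed in as a callable (backed here by a constructed set), the log lines are constructed, and the deny directives use the Apache 2.2 `Order`/`Deny from` syntax of the time (Apache 2.4 would use `Require not ip`). Beyond the description it adds the checks a practitioner would want: addresses are validated before they are written, an allow list keeps your own addresses out, and the generated block sits between marker comments so a daily cron run replaces it instead of appending duplicates.

```python
# Added example, not Peter's script: log file -> unique client IPs ->
# reputation lookup -> generated deny block in .htaccess. The lookup is an
# injected callable; FAKE_SPAM_DB and SAMPLE_LOG are constructed stand-ins,
# not the StopForumSpam API or real traffic.
import re
from ipaddress import ip_address
from typing import Callable, Container, Iterable, List, Set

# Apache "combined" log format; the client address is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

BEGIN = "# BEGIN spam-deny (generated)"
END = "# END spam-deny (generated)"

SAMPLE_LOG = [  # constructed sample input (RFC 5737 documentation addresses)
    '203.0.113.7 - - [20/Oct/2009:14:31:53 -0400] "POST /contact.php HTTP/1.1" 200 512',
    '198.51.100.23 - - [20/Oct/2009:14:32:01 -0400] "GET /contact.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [20/Oct/2009:14:32:10 -0400] "POST /contact.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [20/Oct/2009:14:33:00 -0400] "POST /contact.php HTTP/1.1" 200 512',
    "garbage line that is not a log entry",
]
FAKE_SPAM_DB = {"203.0.113.7", "192.0.2.44"}  # constructed stand-in for the lookup


def client_ips(lines: Iterable[str]) -> Set[str]:
    """Unique client addresses from log lines. Anything that does not parse
    as an IP address is dropped, so it can never be written into .htaccess."""
    ips: Set[str] = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ips.add(str(ip_address(m.group("ip"))))
        except ValueError:
            continue
    return ips


def spam_ips(ips: Iterable[str], is_spammer: Callable[[str], bool],
             allow: Container[str] = frozenset()) -> List[str]:
    """Addresses the lookup flags, minus an allow list (your own address,
    your office, monitoring), sorted so the output is stable between runs."""
    return sorted(ip for ip in ips if ip not in allow and is_spammer(ip))


def render_htaccess(existing: str, deny: List[str]) -> str:
    """Rewrite only the generated block between the markers, so a daily cron
    run replaces yesterday's list instead of appending to it, and leave the
    rest of .htaccess untouched."""
    lines = [BEGIN, "Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in deny]
    lines.append(END)
    block = "\n".join(lines)
    marker = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)
    if marker.search(existing):
        return marker.sub(lambda _m: block, existing, count=1)
    sep = "\n\n" if existing.strip() else ""
    return existing.rstrip("\n") + sep + block + "\n"


def update(existing: str, log_lines: Iterable[str],
           is_spammer: Callable[[str], bool],
           allow: Container[str] = frozenset()) -> str:
    """One cron run: parse, look up, render."""
    return render_htaccess(existing, spam_ips(client_ips(log_lines), is_spammer, allow))


if __name__ == "__main__":
    print(update("RewriteEngine On\n", SAMPLE_LOG, FAKE_SPAM_DB.__contains__,
                 allow={"192.0.2.44"}))
```

In production the `is_spammer` callable would wrap the real Stop Forum Spam query and the caller would read and write the actual .htaccess file; the marker block is what keeps that file from growing without bound.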
--- Begin Message ---
On Tue, 2009-10-20 at 23:41 +0200, Kim Madsen wrote:
> Gary wrote on 2009-10-20 22:55:
> > I like that idea,so in other words they have to get to the form from
> > another
> > page on the site, and you set a time limit for a minimum amount of time
> > they
> > spend on the page(5-10 seconds)?
>
> I don't set any time, just the session to prevent direct hits from a
> spam script. But if you wanna improve the solution using a time check
> you could save a microtime() value in the session and the test it
> against current time on the form page and the have a min. threshold that
> is accepted.
>
> --
> Kind regards
> Kim Emax - masterminds.dk
>
Almost all of the suggestions so far have been to prevent bots, which is
great, but the OP has mentioned a few times that it's human spammers
that are the problem.
Have you considered using some sort of language analysis algorithm on
the text to determine if it is spam or not, in a way similar to email
spam detection? Do a search for 'php spam filters' and there are quite a
few different possible options.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
> So, actually taking a minute to read up on addcslashes(), it is a rather handy
> little function.
>
> Taking the list of characters that mysql_real_escape_string() says it escapes:
>
> http://us3.php.net/mysql_real_escape_string
>
> Which it lists: \x00, \n, \r, \, ', " and \x1a
>
> \0 = \x0
> \10 = \n
> \13 = \r
> \92 = \
> \44 = '
> \34 = "
> \26 = \x1a
>
> You could do something like this.
>
> function cleaner($input) {
>     // PHP reads "\NNN" inside double quotes as octal, so the decimal codes
>     // above do not select the intended characters; spell them out instead.
>     // (addcslashes() still emits NUL and 0x1a as "\000" and "\032".)
>     return addcslashes($input, "\0\n\r\\'\"\x1a");
> }
>
> Maybe this will help...
>
> Jim
>
So far as I understand mysql_real_escape_string() was invented because
addslashes() is not adequate.
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--- End Message ---
--- Begin Message ---
Dotan Cohen wrote:
> So far as I understand mysql_real_escape_string() was invented because
> addslashes() is not adequate.

Correct, addslashes() works fine for latin1 (single byte encoding) but
does not work properly when used with a multibyte encoded string.
That is most likely the reason why mysql_real_escape_string() checks the
encoding before escaping so it can do the right thing for the used encoding.
Here is a quote from the description of a forum SQL injection exploit:

"Addslashes simply adds a backslash (0x5c) before single quote ('),
double quote ("), backslash (\) and NUL (the NULL byte), without
checking if the added backslash creates another char.

Bytes in Input              0xa327
Addslashes(Bytes in Input)  0xa35c27

In big5, but also in other multibyte charsets, 0xa35c is a valid char:
0x27 (') is left alone."
--
John
No Victim, No Crime
--- End Message ---
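The bypass John quotes, reproduced as an added Python example (not code from the thread; the codec names are Python's and the payloads are constructed). `addslashes_bytes` models PHP's addslashes() byte by byte; decoding its output as big5 shows the inserted 0x5c absorbed into the character 0xa35c and the quote left standing. The same probe is run against GBK, since the quoted text says other multibyte charsets behave alike. `escape_charset_aware` shows the property the thread attributes to mysql_real_escape_string(), knowing the charset before escaping, and takes the strictest form of it: decode in the connection charset first, so a truncated lead byte is refused outright instead of being completed by the escape byte.

```python
# Added example, not code from the thread: the byte-wise addslashes() bypass
# (big5 0xa3 0x27 -> 0xa3 0x5c 0x27) next to a charset-aware escape.
# Codec names ("big5", "gbk") are Python's; payloads are constructed.


def addslashes_bytes(data: bytes) -> bytes:
    """Model of PHP's addslashes(): a backslash before ', " and \\, and NUL
    rewritten as the two characters \\0. It never asks what charset the
    bytes are in, so the inserted 0x5c can be swallowed as the trail byte
    of a multibyte character."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """How a server that tokenizes the literal in `charset` sees the bytes."""
    return escaped.decode(charset)


def probe(charset: str, payload: bytes) -> dict:
    """Escape a payload byte-wise and report whether the quote survives as a
    free-standing character once the server decodes the result."""
    escaped = addslashes_bytes(payload)
    seen = server_view(escaped, charset)
    return {
        "escaped": escaped,
        "server_sees": seen,
        "quote_unescaped": seen.endswith("'") and not seen.endswith("\\'"),
    }


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode strictly first, so a lone lead byte such as 0xa3 followed by
    0x27 is rejected instead of being 'completed' by the escape byte; then
    escape on code points and re-encode. The escape list is kept to the
    addslashes() set so the two functions differ only in charset handling."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    out = []
    for ch in text:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out).encode(charset)


if __name__ == "__main__":
    for cs, payload in (("big5", b"\xa3\x27"), ("gbk", b"\xbf\x27")):
        r = probe(cs, payload)
        print(cs, r["escaped"].hex(), repr(r["server_sees"]), r["quote_unescaped"])
```

The decisive line is the strict `decode`: the escaper and the server must agree on the charset, and input that is not valid in that charset is refused before any quoting decision is made.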
--- Begin Message ---
I so much avoid the silent char that sometimes I even forget this exists.
I guess it is worth it for this case.
Regards
> Date: Tue, 20 Oct 2009 21:28:06 +0200
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
> Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
> connection
>
> > if(@mysql_real_escape_string($variable) === false)
> >
>
> Perfect! The @ symbol suppresses the error and I can structure the
> code according to whether or not there is a connection.
>
> Thank you!
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
Dotan Cohen wrote:
> > So, actually taking a minute to read up on addcslashes(), it is a rather handy
> > little function.
> >
> > Taking the list of characters that mysql_real_escape_string() says it escapes:
> >
> > http://us3.php.net/mysql_real_escape_string
> >
> > Which it lists: \x00, \n, \r, \, ', " and \x1a
> >
> > \0 = \x0
> > \10 = \n
> > \13 = \r
> > \92 = \
> > \44 = '
> > \34 = "
> > \26 = \x1a
> >
> > You could do something like this.
> >
> > function cleaner($input) {
> >     // PHP reads "\NNN" inside double quotes as octal, so the decimal codes
> >     // above do not select the intended characters; spell them out instead.
> >     // (addcslashes() still emits NUL and 0x1a as "\000" and "\032".)
> >     return addcslashes($input, "\0\n\r\\'\"\x1a");
> > }
> >
> > Maybe this will help...
> >
> > Jim
>
> So far as I understand mysql_real_escape_string() was invented because
> addslashes() is not adequate.

If you look a little closer, you will see that I am not using addslashes(). Rather, I am using
addcslashes(). This allows me to specify the characters that I want escaped, instead of the default
assumed characters from addslashes().
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--- End Message ---
--- Begin Message ---
> Open paren. Dollar-sign "item" de-ref getServiceID method. Question mark.
> Dollar-sign "item" de-ref getServiceID method again. Colon.
> Dollar-sign "item" de-ref getID method. Close up matching parenthesis.
>
> http://en.wikipedia.org/wiki/Reference_%28computer_science%29
>
Thanks. The word Reference was what was missing, as was the term "de-ref".
> I would also suggest s/he and I use a tool such as:
>
> http://snipt.org/oGg
> http://pastebin.com/m5b1d82b2
> http://pastie.org/662703
> http://gist.github.com/214652
>
> For more real-time collaboration and sharing of code fragments.
>
Widely used, but sometimes unavailable due to technological limitations.
> Daevid.
Is your name related to "David"? I have never seen this spelling, and
my interest in etymology is overwhelming. What is the origin of this
name or spelling? Thanks!
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--- End Message ---