frapet

Reputation: 229

How to stop spammers entering http into a form to database

I have a form that sends info into a database table. I have it checked with a Javascript but what is the best way to stop spammers entering http and such into the database with PHP when Javascript is turned off?

Upvotes: 7

Views: 1966

Answers (5)

C. Ross

Reputation: 31878

I suggest using the htmlentities() function before doing your insert.

Obviously your insert should be done using parametrized queries to interact with the database as well. Captcha is certainly an option, but it more serves to limit how often someone can post, not what they can post. Use HTML escaping (again, the htmlentities() function) to prevent the user from inputting things you don't want.

Upvotes: 0

Neal Donnan

Reputation: 1733

You could implement a CAPTCHA on the form:

http://en.wikipedia.org/wiki/CAPTCHA

Edit: Also definitely verify form data on the server side and check for html tags etc as usual, but the CAPTCHA should help against automated spam attacks.

Upvotes: 6

Andy

Reputation: 17791

You can use CSRF protection to prevent spammers, I have found it quite effective.

What it is and how it works

Another sneaky method is to include a "honeypot" field - a hidden field that should never be submitted with content. If it's filled, you know it's spam. Neither of these methods requires an annoying CAPTCHA.

Upvotes: 3

Nick

Reputation: 2744

Never trust the client. Always validate all data on server side. JavaScript for form validation can just be an additional feature. You could start with basic PHP functions to check if the content contains certain strings you don't like, e.g. "http://".

// strpos() takes the haystack first, then the needle
if (strpos($_POST['message'], 'http://') !== false) { /* refuse */ }

Upvotes: 3

Tomasz Struczyński

Reputation: 3303

There are two things to consider which should be implemented in parallel (maybe there's more).

  1. Captcha (as mentioned before)
  2. Verify your data on server side! You wrote you do this by javascript. This is good, but the very same verification process should be written in PHP.

Well, for CAPTCHA you'll have to make its verification on server side anyway. But even if you decide not to implement captcha, you should make data verification on server side.

Upvotes: 2
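
A server-side handler combining the checks suggested in the answers above (honeypot field, link filter, parameterized insert, HTML escaping), as an added example that is not code from any of the posters. The `website` honeypot field, the `messages` table, the 2000-byte limit and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example: field names, table name and limits are hypothetical.
/** Return a list of reasons to refuse the submission (empty list = accept). */
function check_submission(array $post): array
{
    $errors = [];
    $message = is_string($post['message'] ?? null) ? trim($post['message']) : '';
    // Honeypot: hidden with CSS in the form, so a human leaves it empty.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot filled';
    }
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'message empty or too long';
    }
    // Links in any letter case, with or without a scheme.
    if (preg_match('~(?:https?://|www\.)~i', $message)) {
        $errors[] = 'message contains a link';
    }
    return $errors;
}

/** Store the text with a parameterized query; no string concatenation. */
function store_message(PDO $db, string $message): void
{
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
}

// Constructed sample submissions, standing in for $_POST.
$samples = [
    ['message' => 'Great article, thanks!', 'website' => ''],
    ['message' => 'Cheap pills at HTTP://spam.example', 'website' => ''],
    ['message' => 'Hello', 'website' => 'http://bot.example'],
    ['message' => "Robert'); DROP TABLE messages;--", 'website' => ''],
];
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
foreach ($samples as $post) {
    if ($errors = check_submission($post)) {
        echo 'refused: ', implode(', ', $errors), "\n";
    } else {
        store_message($db, trim($post['message']));
    }
}
// HTML-escape when the stored text is written into a page.
foreach ($db->query('SELECT body FROM messages') as $row) {
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The second sample is refused even though its scheme is upper case, which a plain `strpos()` check for "http://" would miss; the fourth is stored as literal text because the value is bound as a parameter.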
