5 Ways To Catch And Prevent Website Form Spam - Part 1 5种方法渔获物和防止垃圾邮件的网站形式-第1部分

I used to get so much spam in my mailbox everyday that I was spending more time deleting it then I was adding new content, maintaining sites, or starting new sites combined (typical story right).我曾经获得这么多的垃圾邮件在我的信箱每天，我是花更多的时间删除然后我增加了新的内容，维护网站，或开始新的网站合并（典型故事右） 。 Some of your website spam is not preventable, or, it is preventable, but at the cost of usability and/or good information getting caught in the “bad stuff” as well.一些网站的垃圾邮件是不能预防的，或者，它是可以预防的，但代价是可用性和/或良好的信息困住的“坏东西” ，以及。

No doubt, if you’re serious about web development you’re going to be creating and interacting with forms on a regular basis.毫无疑问，如果你认真对待网络开发你要创造和互动的形式定期通报。 Especially with this new web 2.0 attitude every has…gee wiz, what’s that?尤其是在这个新的Web 2.0的态度都已经wiz ...哎呀，那是什么？

CAPTCHA CAPTCHA
CAPTCHA is the number one method most people are using to prevent spam today. CAPTCHA是最重要的方法大多数人正在使用，以防止垃圾邮件的今天。 What is it?它是什么？

“A CAPTCHA is a challenge response test used on computers to check if the user is human. “一个CAPTCHA是一个挑战的反应测试使用的电脑上检查，如果用户是人类。 A common kind of CAPTCHA that is used on websites requires that the visitor type the letters and numbers of a distorted image.一个共同的CAPTCHA ，用来在网站上要求访问者输入的字母和数字的扭曲的形象。 This method is based on the fact that is difficult for computers to extract the text from the image while it is very easy for humans.” - captchacreator.com这种方法是基于这一事实是困难的电脑中提取文字的形象，而这是很容易的人。 “ -c aptchacreator.com

Here’sa few resources to scripts so you’ll be able to implement that functionality into your own forms:以下几个资源，以文字，以便使您可以执行该功能集成到自己的形式：

• captchacreator.com captchacreator.com
• white-hat-web-design.co.uk 白色的帽子，网上design.co.uk
• puremango.co.uk puremango.co.uk

Escape Data - Prevent SQL Injections 逃亡数据-防止S QL注入
Capcha is usless if you’re leaving your form unprotected from attack. Capcha是usless如果您离开您的形式未受保护免受攻击。 Remember to filter post strings with addslashes() or mysql_real_escape_string() .请记住，筛选后与字符串和addslashes （ ）或mysql_real_escape_string （ ） 。

Also take a look at these functions for other similar kind of checks that might be useful:也来看看这些职能为其他类似的检查，可能是有用的：

• htmlspecialchars() - Escapes the following characters: &,’,”,>,< ...that is the ampersand, single quote, double quote, less than, and greater than symbols. htmlspecialchars （ ） -逍遥游以下字符： & ,',",>,<. ..这是符号，单引号，双引号，小于和大于符号。
• strip_tags() - Strips out all HTML and PHP code from the given string. strip_tags （ ） -剔除所有的H TML和P HP代码从特定的字串。
• htmlentities() - Converts ALL characters to their HTML entities equivalent (this is a more catch all version of htmlspecialchars). htmlentities （ ） -转换所有字符的H TML实体当量（这是一个更赶上所有版本的h tmlspecialchars） 。
• urlencode() - Encodes the URL to pass strings on a GET method. urlencode （ ） -编码的U RL字符串通过对G ET方法。 As I mentioned, don’t use GET with forms.正如我前面提到，不使用的GET与形式。 This is useful when you’re passing user input variables for other reasons.这是非常有用当你通过用户输入的变量的其他原因。

Remember, once you convert data like this using one of the above functions, you can undo it for readability and output by using its reverse function. urlencode() for example has urldecode() to undo its actions so you can begin using the string as you would have before the encode.请记住，一旦你的数据转换这样一个使用上述职责时，您可以撤消它的可读性和输出利用其反向功能。 urlencode （ ）举例来说urldecode （ ）撤消其行动，因此您可以开始使用字符串您将收到的编码。

Check Request Method 检查请求方法
Throw an if statement around your existing form processor that checks to see if data is coming from the globals post variable.抛出一个声明，如果在你现有的形式处理器，检查是否数据是来自后的全局变量。 If not, then the user is not accessing your form the way you designed it to be used.如果没有，那么用户不使用您形式的方式来设计的使用。

1. <?php
2. if ( $_SERVER [ ‘REQUEST_METHOD’ ] == ‘POST’ ) {
3. //typical form processes
4. } else {
5. echo "The form can not be used like that" ;
6. }
7. ?>
8. Download this code: 0305spamrequestmethod.txt 下载此代码： 0305spamrequestmethod.txt

Change this to GET if you’re using that instead.改变这种获取如果您使用的不是。 However, I would high recommend you never use that method as it is more insecure.不过，我想你高度建议从来没有使用这种方法，因为它是更不安全。

Check Request Source 检查请求源
You should also check to see if the request is originating from your own server.您也应该检查，看看是否要求是来自您自己的服务器。 This is a very common method of form abuse which doesn’t necessarily mean you’ll be receiving spam.这是一种非常常见的方法，形式虐待并不一定意味着您将收到垃圾邮件。 If you’re server is getting a lot of bounced emails to its default email you may have someone abusing your site in this manner.如果您的服务器正在大量的反弹，电子邮件，其默认的电子邮件您可能有人滥用您的网站以这种方式。

1. <?php
2. $source = $_SERVER [ ‘HTTP_HOST’ ] ;
3. //or if you want to detect just the domain you can use a regular expression to filter it.
4. $source = ereg_replace ( "^(www.)?([^.] ).[^.] $" , " \\ 2" , $_SERVER [ ‘HTTP_HOST’ ] ) ;
5. if ( $source !== "robmalon.com" ) {
6. echo "you are illegally accessing this script" ;
7. } else {
8. //typical form processes
9. }
11. //The referrer should also be from your own domain…Likewise, if there is no referral then the user obviously isnt using your form correctly (so we dont have to check for that).
12. //Note: stristr() searches for the first occurrence of a string inside another string.
13. if ( stristr ( getenv ( "HTTP_REFERER" ) , $source ) ) {
14. //typical form processes
15. } else {
16. echo "you are illegally accessing this script" ;
17. }
18. ?>
19. Download this code: 0305spamhostsource.txt 下载此代码： 0305spamhostsource.txt

Using Regular Expressions For Data Validation 使用正则表达式的数据验证
I like to check data using preg_match (or any of the regular expression functions).我喜欢来检查数据的使用preg_match （或任何正则表达式函数） 。 This method kills a lot of birds with one stone.这种方法杀死了很多鸟一石。 Why write separate functions to check if a string is empty, then another if it allows numbers, and another if it allows alpha characters, and another to specific field length, and another…you get the point.为什么写各自的职责，以检查是否一个字符串是空的，然后又如果它允许数字，如果它再允许字母字符，另一个领域的具体长度，还有...你这一点。

if (!preg_match(”/^[A-z0-9]{5,15}$/”, $name)) $error .= “<li class=\”errors\”>The Name field can only contain letters and numbers (no spaces) and can only be up to 15 characters long.</li>”;如果（ ！ preg_match ("/^[一个z0 - 9 ] （ 5,15 }$/", $名称） ） $错误.= “ <li class=\"errors\">的名称字段只能包含字母和人数（不含空格） ，只能为15字符长。 “ /丽” “ ;

In the preg_match I am checking that the name field only contains alphanumeric values (case insensitive) and needs to be at least 5 to 15 characters in length.在preg_match我检查外地的名称只包含字母数字值（区分大小写） ，并需要至少5至15个字符的长度。 If you don’t meet that specification appropriate text is added to $error.如果你没有满足这一规格适当的文字加元的错误。

Using “[variable] [dot][equals] [text]” in this fashion allows me to keep an ongoing variable that I’m adding to.用“ [变数] [斑点] [等于] [文] ”这种方式让我继续不断变，我加入。 I can then check to see if $error contains any data before my script does any significant queries.我可以然后检查，看看是否$错误包含任何数据之前，我的脚本任何重大查询。 If there are errors you can spit them out by echoing $error and ask the user to correct them.如果有错误，您可以吐痰他们的呼应$错误，并要求用户予以纠正。 I then use CSS to style my errors which you can see with class=\”errors\”.然后我使用CSS来样式我的错误，您可以看到阶级= \ “错误\ ” 。

Regular expressions defiantly have a learning curve on them but they are one of the best tools that can help simplify your life in a variety of situations.正则表达式目空一切有一个学习曲线对他们但他们的最佳工具，可以帮助简化您的生活中的各种情况。 I’ll go into more detail about them down the road but for now you may want to buy a book or do some Googling.我去到更多的详细介绍他们的道路，但现在你可能想购买一本书或做一些在Google上搜寻。

The Non-Technical Recap 非技术回顾
-Implement a CAPTCHA script. ，实现一个CAPTCHA脚本。
-Escape slashes (and other bad characters). -逃逸斜线（和其他坏字符） 。
-Check to see if data is coming to your form using the correct method.检查，看看是否是未来的数据给您的使用正确的方法。
-Check to see if the request is originating from your own server.检查，看看是否要求是来自您自己的服务器。
-Check data using a regular expression.检查数据使用正则表达式。

This is just the tip of the iceberg for what I can tell you about spam.这仅仅是冰山的一角为我可以告诉你如何处理垃圾邮件。 Thats why I’ve decided to make a mini series of it.多数民众赞成，为什么我已经决定，使一个小型的一系列它。 Over the next couple weeks I will be bringing you more detailed ways I deal with spam.在接下来的几个星期我将会为您带来更详细的方式我处理垃圾邮件。 Comment below or email me about your own spam preventative methods.评论低于或电子邮件谈谈您自己的垃圾邮件的预防方法。 If it is a new or unique technique I will post it in a future blog along with a link back to your blog.如果它是一个新的或独特的技术后我将在未来的博客连同一个链接回到您的博客。 Just write in the comments below and include your URL in the website field.只写在下面的意见，包括您的网址在外地的网站。

Posted by: Rob 发布者：罗布
Category: Coding , Web Design 类别： 编码， 网页设计
Tags: CSS , Design , MySQL , PHP , Spam 标签： 的CSS ，设计， MySQL和PHP中， 垃圾邮件
Respond: Leave A Comment | Trackback URL 回应： 发表评论 | 引用网址