[PHP] Spam protection, but how?

Actros

Hello,

I have the problem that spam is being sent via my signup page. Now I want to secure it, and preg_match caught my eye. My question: I pass the variables via POST. Is it enough if I check the variables that I need in the signup mail (username, password, email address), or should I also check the data I write to the database, such as street, town etc.? Normally it should be enough to check the variables that are used in the mail() function???

What is sufficient as spam protection so that no spam mails are sent via my server?

Regards
 
Do you run a mail server? I don't quite understand how a signup form can be abused for sending spam?
 
No, my site has a member area that you can only enter once you have signed up. The registered user receives a signup confirmation, and spam was sent via the signup page, probably by a bot, because the user is called $mangos$@$mangos
 
And how can spam be sent via your script? Post it, then we can help you better

PHP:
<?php
if ( !defined( 'SMARTY_DIR' ) ) {
	include_once( 'init.php' );
}


$_SESSION['firstname'] = $firstname = trim($_POST[ 'txtfirstname' ]);

$_SESSION['lastname'] = $lastname = trim($_POST[ 'txtlastname' ]);

$_SESSION['username'] = $username = trim($_POST[ 'txtusername' ]);

$password = trim($_POST[ 'txtpassword' ]);

$password2 = trim($_POST[ 'txtpassword2' ]);

$_SESSION['password'] = $password;

$_SESSION['password2'] = $password2;

$_SESSION['email'] = $email = trim($_POST[ 'txtemail' ]);

$_SESSION['gender'] = $gender = trim($_POST[ 'txtgender' ]);

$birthmonth = trim($_POST[ 'txtbirthMonth' ]);

$birthday = trim($_POST[ 'txtbirthDay' ]);

$birthyear = trim($_POST[ 'txtbirthYear' ]);

$birthdate = $birthyear.'-'.$birthmonth.'-'.$birthday;

$_SESSION['selectedtime'] = @strtotime($birthdate);

$_SESSION['timezone'] = $timezone = trim($_POST[ 'txttimezone' ]);

$_SESSION['lookgender'] = $lookgender = trim($_POST[ 'txtlookgender' ]);

// note: this is named txtlook.. to avoid conflict with the lookagestart and lookageend from init.php

$_SESSION['txtlookagestart'] = $lookagestart = trim($_POST[ 'txtlookagestart' ]);
$_SESSION['txtlookageend'] = $lookageend = trim($_POST[ 'txtlookageend' ]);

$_SESSION['from'] = $from = trim($_POST[ 'txtfrom' ]);

$_SESSION['address1'] = $address1 = trim($_POST['txtaddress1' ]);

$_SESSION['address2'] = $address2 = trim($_POST['txtaddress2' ]);

$_SESSION['stateprovince'] = $stateprovince = (trim($_POST[ 'txtstateprovince' ])=='-1')?'AA':trim($_POST[ 'txtstateprovince' ]);

$_SESSION['countycode'] = $county = (trim($_POST[ 'txtcounty' ])=='-1')?'AA':trim($_POST[ 'txtcounty' ]);

$_SESSION['citycode'] = $city = (trim($_POST[ 'txtcity' ])=='-1')?'AA':trim($_POST[ 'txtcity' ]);

$_SESSION['zip'] = $zip = trim($_POST[ 'txtzip' ]);

$_SESSION['lookfrom'] = $lookfrom = trim($_POST[ 'txtlookfrom' ]);

$_SESSION['lookstateprovince'] = $lookstateprovince = (trim($_POST[ 'txtlookstateprovince' ])=='-1')?'AA':trim($_POST[ 'txtlookstateprovince' ]);

$_SESSION['lookcounty'] = $lookcounty = (trim($_POST[ 'txtlookcounty' ])=='-1')?'AA':trim($_POST[ 'txtlookcounty' ]);

$_SESSION['lookcity'] = $lookcity = (trim($_POST[ 'txtlookcity' ])=='-1')?'AA':trim($_POST[ 'txtlookcity' ]);

$_SESSION['lookzip'] = $lookzip = trim($_POST[ 'txtlookzip' ]);

$_SESSION['lookradius'] = $lookradius = trim($_POST[ 'lookradius' ]);

$_SESSION['radiustype'] = $radiustype = trim($_POST[ 'radiustype' ]);

$_SESSION['viewonline'] = $viewonline = trim($_POST[ 'txtviewonline' ]);

/*
if (  $_POST['chgcntry'] == '1'   ) {
	header ( "location: signup.php" );
	exit();
}
*/

//Check for duplicate user
$sqlc = 'SELECT count(*) as aacount from ! where username = ?';

$rowc = $db->getRow( $sqlc, array( USER_TABLE, $username ) );

$rowd = $db->getRow( $sqlc, array( ADMIN_TABLE, $username )  );

$rowf = $db->getRow( $sqlc, array( 'phpbb_users', $username )  );

//Check for duplicate email
$sqle = "SELECT count(*) as aacount from ! where email = ?";


$rowe = $db->getRow( $sqle, array( USER_TABLE, $email ) );

$err =0;


if ( $rowc['aacount'] > 0  or $rowd['aacount'] > 0 or $rowf['aacount'] > 0 ) {

	$err = USERNAME_EXISTS;

} elseif ( $rowe['aacount'] > 0 ) {

	$err = EMAIL_EXISTS;

// nickpage START
} elseif ( !preg_match('/^[a-zA-Z0-9\-_]+$/', $_SESSION['username']) ) {
	$err = NICKPAGE_USERNAME;
// nickpage END

} elseif ( ! checkdate( $birthmonth, $birthday, $birthyear ) ) {

	$err = INVALID_BIRTHDATE;

} elseif ( $firstname == '' ) {

	$err = FIRSTNAME_REQUIRED;

} elseif ( $lastname == '' ) {

	$err = LASTNAME_REQUIRED;

} elseif ( $email == '' ) {

	$err = EMAIL_REQUIRED;

} elseif ( $stateprovince == '' && $config['state_mandatory'] == 'Y') {

	$err = STATEPROVINCE_NEEDED;

} elseif ( $county == ''  && $config['county_mandatory'] == 'Y') {

	$err = COUNTY_REQUIRED;

} elseif ( $city == ''  && $config['city_mandatory'] == 'Y') {

	$err = CITY_REQUIRED;

} elseif ( $zip == ''  && $config['zipcode_mandatory'] == 'Y') {

	$err = ZIP_REQUIRED;

} elseif ( strlen( $firstname ) > 50 ) {

	$err = FIRSTNAME_LENGTH;

} elseif ( strlen( $lastname ) > 50 ) {

	$err = LASTNAME_LENGTH;

} elseif ( strlen( $email ) > 255 ) {

	$err = EMAIL_LENGTH;

} elseif ( strlen( $city ) > 255 ) {

	$err = CITY_LENGTH;

} elseif ( $lookageend < $lookagestart ) {

	$err = BIGGER_STARTAGE;

} elseif ($timezone == '-25' ) {

	$err = INVALID_TIMEZONE;
}

if (  $err > 0 ) {

	header ( "location: signup.php?errid=$err" );
	exit();
}

$active =  0;

$lastvisit = $regdate = time();

$level = ($config['default_user_level']!='')? $config['default_user_level']:4;

$activedays = $db->getOne('select activedays from ! where roleid = ?', array( MEMBERSHIP_TABLE, $level ) );

// $levelend = strtotime("+$activedays day",time());
/* Modified to rectify the issue of active days getting added twice  */

$levelend = 0;

$rank = 1;

$actkey = md5( $email . time() );

$status =  get_lang('status_enum','approval') ;

$pwd = md5( $password );

$sqlins = "INSERT INTO !
				(
				active,
				username,
				password,
				lastvisit,
				regdate,
				level,
				timezone,
				allow_viewonline,
				rank,
				email,
				country,
				actkey,
				firstname,
				lastname,
				gender,
				lookgender,
				lookagestart,
				lookageend,
				lookcountry,
				address_line1,
				address_line2,
				state_province,
				county,
				city,
				zip,
				lookstate_province,
				lookcounty,
				lookcity,
				lookzip,
				lookradius,
				radiustype,
				birth_date,
				status,
				levelend)
		 VALUES (  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

//Insert record
//Bernd > removed the date function in SQL statement.
$result = $db->query ( $sqlins, array( USER_TABLE, $active, $username, $pwd, $lastvisit, $regdate, $level, $timezone, $viewonline, $rank, $email, $from, $actkey, $firstname, $lastname, $gender, $lookgender, $lookagestart, $lookageend, $lookfrom, $address1, $address2, $stateprovince, $county, $city, $zip, $lookstateprovince, $lookcounty, $lookcity, $lookzip, $lookradius, $radiustype, $birthdate, $status,  $levelend ) );

$lastid = getLastId( USER_TABLE );

//Store the id in session
$_SESSION['TempUserId'] = $lastid;

/* $user_ip = ( !empty($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : ( ( !empty($_ENV['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
*/

//Create user in phpbb
if ( $config['phpbb_installed'] == 'Y' ) {

	$userid = $db->getOne('select max(user_id)+1 from !', array( 'phpbb_users' ) );

	$sql = "INSERT INTO ! ( user_id, username, user_password, user_email, user_regdate ) VALUES ( ?, ?, ?, ?,? )";

	$db->query( $sql, array( 'phpbb_users', $userid, $username, $pwd, $email, time() ) );
}

//update referals
if ( $_SESSION['ReferalId'] ) {

	$sql = "INSERT INTO ! (  affid, userid ) VALUES (  ?, ? )";

	$db->query( $sql, array( AFFILIATE_REFERALS_TABLE, $_SESSION['ReferalId'], $lastid ));

}


$body = get_lang('profile_confirmation_email', MAIL_FORMAT);

$Subject = get_lang('profile_confirmation_email_sub'). ' ' . $config['site_name'];

$From = $config['admin_email'];

$To = $firstname.' '.$lastname.'<'.$email.'>';

$body = str_replace( '#FirstName#',  $firstname , $body );

$body = str_replace( '#SiteName#',  SITENAME , $body );

$body = str_replace( '#AdminName#',  $config['admin_name'] , $body );

$body = str_replace( '#ConfCode#',  $actkey , $body );

$link = 'https://' . $_SERVER['SERVER_NAME'] . DOC_ROOT . 'completereg.php?confcode';

$siteurl = 'https://' . $_SERVER['SERVER_NAME'] . DOC_ROOT ;

$body = str_replace( '#SiteUrl#',  $siteurl , $body );

$body = str_replace( '#ConfirmationLink#',  $link , $body );

$body = str_replace( '#StrID#',  $username , $body );

$body = str_replace( '#Email#',  $email , $body );

$body = str_replace( '#Password#',  $password , $body );

mailSender($From, $To, $email, $Subject, $body);

header( 'location: confirmreg.php' );

?>
 
Well, as I see it, the person signing up can choose $email themselves. What is that good for? If you define that in the script itself, the spam ends very quickly, because it no longer achieves anything. If the spammer cannot determine the content of the mail, it is of no use to them anymore.

Otherwise I also recommend a captcha (a number code to type in)
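As an added example that is not part of this thread or the poster's script: a hardened version of the header-bound part of the signup handler, combining the reply's two points (do not let the submitter control what goes into the mail headers, and require a captcha). It assumes the session is already started by init.php and that a separate, hypothetical captcha image script stored the expected code in $_SESSION['captcha'] when the form was rendered.

```php
<?php
// Added example, not the poster's code. Reject anything that could break
// out of a mail header line (CR/LF/NUL); header injection is how a signup
// form becomes a spam relay when names or addresses land in To:/From:.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate only the fields that reach mail(); database-only fields are
// the parameterised query's concern. Returns a list of error keys.
function validate_signup(array $post, ?string $expectedCaptcha): array
{
    $errors    = [];
    $username  = trim($post['txtusername'] ?? '');
    $firstname = trim($post['txtfirstname'] ?? '');
    $lastname  = trim($post['txtlastname'] ?? '');
    $email     = trim($post['txtemail'] ?? '');

    // Same rule as the nickpage check in the posted script; a name such as
    // $mangos$@$mangos is rejected here before anything else runs.
    if (!preg_match('/^[a-zA-Z0-9\-_]+$/', $username)) {
        $errors[] = 'username';
    }
    // filter_var rejects addresses containing spaces, several @ or line breaks.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Name fields end up in the To: header, so CR/LF must never pass.
    foreach ([$firstname, $lastname] as $name) {
        if ($name === '' || strlen($name) > 50 || has_header_injection($name)) {
            $errors[] = 'name';
            break;
        }
    }
    // Captcha: constant-time compare against the value stored server-side.
    $given = (string) ($post['captcha'] ?? '');
    if ($expectedCaptcha === null || !hash_equals($expectedCaptcha, $given)) {
        $errors[] = 'captcha';
    }
    return $errors;
}

// Build the recipient with a quoted display name so that characters that are
// special in RFC 5322 (quotes, backslashes, <>) cannot alter the address.
function build_recipient(string $firstname, string $lastname, string $email): string
{
    $name = addcslashes($firstname . ' ' . $lastname, '"\\');
    return '"' . $name . '" <' . $email . '>';
}
```

In the handler, call validate_signup($_POST, $_SESSION['captcha'] ?? null), unset $_SESSION['captcha'] so each rendered form allows one attempt, redirect to signup.php on any error, and only then build $To with build_recipient(); the mail body itself comes from the server-side template, as the reply recommends.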