Re: Spam cleanup - Deleted Users with 0 posts
Posted: Tue Feb 08, 2011 4:22 am
I guess I am one of those who haven't posted before. Never found the need to since I generally find what questions I would ask with the search button. 

Cage wrote: I guess I am one of those who haven't posted before.
Dang! I had my itchy trigger finger on the Report Button...
greyhoundcode wrote: Another forum I frequent, also powered by phpBB, has applied a modification that requires users with < 10 posts to complete a CAPTCHA validation. Seems to have had quite some success in reducing automated spam.
That will work for a while, since the bots can already get past the CAPTCHA in most forums, they just have to add CAPTCHA handling to the message posting code.
flaith wrote: Wow at least 800 (iirc) members less, that's what I call "a cleaning"
I was surprised too when we deleted our zero post accounts, there were over 300 of them.
GWarner wrote: That will work for a while, since the bots can already get past the CAPTCHA in most forums, they just have to add CAPTCHA handling to the message posting code.
In practice all we can do is reduce, not eliminate. A free service like ReCAPTCHA is easily used in place of some of the weaker GD lib generated CAPTCHAs out there - I find it pretty effective. A hard target is never hit as many times as a soft one.
Code:
<?php
function protectform(){
    //phpinfo();die();
    // Only non-GET requests (e.g. form POSTs) are checked
    if($_SERVER["REQUEST_METHOD"]!='GET'){
        $servername=$_SERVER["SERVER_NAME"];
        $noterror=true;
        // HTTP_REFERER is a request header supplied by the client
        if (isset($_SERVER["HTTP_REFERER"]))
            $gethost=parse_url($_SERVER["HTTP_REFERER"]);
        else
            $noterror=false;
        $pimp=false;
        // No Referer header at all: reject
        if (!$noterror )
            $pimp=true;
        // Referer host differs from this server's name: reject
        if(isset($gethost))
            if ($gethost['host']!==$servername)
                $pimp=true;
        if ($pimp){
            //print_r($gethost);
            die('ciao!');
        }
    }
}
protectform();
?>
PHP Manual wrote:
HTTP_REFERER:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Code:
if ($gethost['host']!==$servername)
    $pimp=true;
Code:
<?php
function protectform(){
    //phpinfo();die();
    if($_SERVER["REQUEST_METHOD"]!='GET'){
        $servername=$_SERVER["SERVER_NAME"];
        $noterror=true;
        if (isset($_SERVER["HTTP_REFERER"]))
            $gethost=parse_url($_SERVER["HTTP_REFERER"]);
        else
            $noterror=false;
        $pimp=false;
        if (!$noterror )
            $pimp=true;
        if(isset($gethost))
            if ($gethost['host']!==$servername)
                $pimp=true;
        if ($pimp){
            //print_r($gethost);
            die('ciao!');
        }
    }
}
protectform();
phpinfo();
?>
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title></title>
<style></style>
</head>
<body>
<form method=post action="http://www.yourhost.com/post.php" name="">
<input type="text" name="sdasdasds"><input type="submit" value="asdsad" name="asdsadsads">
</form>
</body></html>
freepurebasic wrote: Are you reading carefully?
I don't generally have any problems in terms of my reading ability, but thanks for asking all the same.
freepurebasic wrote: Well, you're wrong.
If I use a php browser on another server and I try to post headers from that server I will be pimp.
Try to set up a php browser to post data to this script with any referer value you want,
and show us a screen about what you got.

My point was that you can't trust the HTTP_REFERER field, hence my previous quote from the PHP manual. Let's look at your code.
Code:
// First you are checking if the referrer header has been sent
if (isset($_SERVER["HTTP_REFERER"]))
    // Then you are parsing it for further testing later in the code
    $gethost=parse_url($_SERVER["HTTP_REFERER"]);
freepurebasic wrote: try to read this
All I need to do (if post.php is located on yourhost.com) is set my CURL options appropriately, in fact most of my referrer string can be complete gibberish because you are only testing against one part of it (the host name).
Code:
if ($gethost['host']!==$servername) $pimp=true;
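
The host-only comparison discussed in the last post, as an added example that is not part of the thread: it runs the same test over constructed Referer values, next to a session-bound form token, which is a different technique that relies on a server-issued value rather than a client-supplied header. Function names and sample values are assumptions; `www.yourhost.com` is the placeholder host used in the thread.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// The thread's test as a pure function: only the host part of the
// client-supplied Referer value is compared with the server name.
function referer_host_matches(?string $referer, string $serverName): bool
{
    if ($referer === null) {
        return false;
    }
    $parts = parse_url($referer);
    return is_array($parts) && isset($parts['host']) && $parts['host'] === $serverName;
}

// Different technique (assumption, not from the thread): a random value kept
// in the session and embedded in the served form as a hidden field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function form_token_valid(array &$session, ?string $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']); // single use: a replayed value fails
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Constructed sample values; www.yourhost.com is the placeholder host from the thread.
$server = 'www.yourhost.com';
$samples = [
    'http://www.yourhost.com/form.html',
    'http://www.yourhost.com/zz/any?gibberish=1',
    'http://other.example/form.html',
    null,
];
foreach ($samples as $referer) {
    printf("%-46s referer check: %s\n", var_export($referer, true),
        referer_host_matches($referer, $server) ? 'accepted' : 'rejected');
}

$session = []; // stands in for $_SESSION
$token = issue_form_token($session);
foreach (['issued' => $token, 'replayed' => $token, 'missing' => null] as $label => $value) {
    printf("%-8s token: %s\n", $label, form_token_valid($session, $value) ? 'accepted' : 'rejected');
}
```

The token only shows that the request followed a form served in the same session; a client that loads the form first still obtains a valid value, so it complements a CAPTCHA rather than replacing one.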