Ultimate Guestbook Tutorial: How to build a Guestbook with a honeypot, error checking, IP banning, pagination, e-mail notification and smilies with PHP and mySQL
April 26, 2008
47,482 views
Let's get going on making our honeypot. Before I start with the programming, let me introduce what a honeypot is. You probably know about spam e-mails; well, spam is on websites too. These devils scrape across the internet looking for our web forms and post their advertisements on just about anything and everything. This is all automated for the spammers: they just hit a button and let their spam dog loose on the internet, which is where we win!
A honeypot is like a trap. We add a text field to our form that is hidden so that we humans can't see it in the browser. What good is this, you ask? Well, the spam bots see everything! They treat it as just another spot to enter their advertisements and, thinking so, fill out the field even though it is visually hidden. All we then need to do is check whether that field was filled in and, if so, handle the request as if it came from a spam bot.
What I could do here is make a new table in our database and call it spam. Then insert every IP address that gets trapped in this honeypot. Using this method we could then hide the guestbook form from the spammer so that they can never again see the guestbook from that IP address. And now that I think of it, I will do this!
But first let's set up our honeypot. Open up form.php.
Find:
<input type="submit" name="submit" value="Sign Guestbook" />
Before it add:
<input type="text" name="message2" style="display:none" autocomplete="off" />
This is our honeypot! Looks tasty; pity we can't see it in the browser, because the inline style hides it. Oh well, the spambots will enjoy their feast. Next open up index.php and:
Find:
if(isset($_POST['submit'])){
Replace with:
if(isset($_POST['submit']) && strlen($_POST['message2']) == 0){
This checks whether the honeypot is empty. If it is, there is no spambot; but if there is text in the honeypot, the proper code won't execute. So what does it execute? Nothing at all. Now let's get going on our IP banning solution. We need a new table in our database to store the naughty IP addresses:
CREATE TABLE `spam` (
  `id` int(8) NOT NULL auto_increment,
  `ip` varchar(15) collate latin1_general_ci NOT NULL,
  PRIMARY KEY (`id`),
  KEY `ip` (`ip`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
Execute that SQL in your database, like you did before. So we have two columns: an ip column, which stores the banned IP addresses (derrrrrr), and a unique identifier column, which would be useful if we wanted to extend the code later. Note that varchar(15) only fits IPv4 addresses; an IPv6 address needs up to 45 characters.
Before we can ban the spammers we need to store their details, so let's get going on inserting their IP into the new table.
Open up index.php and find the last curly bracket:
}
After it add:
else if(isset($_POST['submit']) && strlen($_POST['message2']) > 0){
    // Honeypot was filled in: record the address, post nothing
    $postentry = @mysql_query("INSERT INTO `spam` (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')");
}
So if a spammer comes along and fills in the field we made, aka the honeypot, their IP gets listed in the database. Now let's use this list of IPs to block any previous spammers!
Keep index.php open. Below:
include('includes/config.php');
Add:
$query = mysql_query("SELECT * FROM `spam` WHERE `ip`='".$_SERVER['REMOTE_ADDR']."' LIMIT 1");
$spamip = mysql_num_rows($query);
if($spamip == 0){
Again find the last curly bracket in index.php:
Find:
}
And after it add:
} else {
    $error['spam'] = 'Your IP: '.$_SERVER['REMOTE_ADDR'].' is banned!';
}
So that your index.php looks like:
<?php
include('includes/config.php');

// Is this visitor's address on the ban list?
$query = mysql_query("SELECT * FROM `spam` WHERE `ip`='".$_SERVER['REMOTE_ADDR']."' LIMIT 1");
$spamip = mysql_num_rows($query);

if($spamip == 0){
    // Normal submission: the honeypot field must be empty
    if(isset($_POST['submit']) && strlen($_POST['message2']) == 0){
        if(strlen($_POST['name']) == 0){
            $error['name'] = 'Please enter your name';
        }
        if(strlen($_POST['email']) == 0){
            $error['email'] = 'Please enter an e-mail address';
        } else {
            if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $_POST['email'])){
                $error['email'] = 'Please enter a correct e-mail address';
            }
        }
        if(strlen($_POST['message']) < 2){
            $error['message'] = 'Please enter a message';
        }
        if(!isset($error)){
            // Escape user input with mysql_real_escape_string, which knows the
            // connection's character set; addslashes does not
            $postentry = @mysql_query("INSERT INTO `entries` (name, email, website, message, date, ip) VALUES ('".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['email'])."', '".mysql_real_escape_string($_POST['website'])."', '".mysql_real_escape_string($_POST['message'])."', now(), '".$_SERVER['REMOTE_ADDR']."')");
            if($postentry == true){
                unset($_POST);
            }
        }
    // Honeypot was filled in: record the address and do nothing else
    } else if(isset($_POST['submit']) && strlen($_POST['message2']) > 0){
        $spamentry = @mysql_query("INSERT INTO `spam` (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')");
    }
} else {
    $error['spam'] = 'Your IP: '.$_SERVER['REMOTE_ADDR'].' is banned!';
}
include('templates/skin.php');
?>
If you read the code you will see that for a banned address the form is dead: PHP will not handle the request at all, neither the error checking nor the insert into the database. Exactly what we wanted! We added the error text to our $error array, which is displayed automatically. Simple.
Alright, that's our honeypot and IP banning completed. Let's get going on showing the guestbook entries! Finally!
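The same honeypot check and IP ban, as an added example that is not the tutorial's own code. It keeps the tutorial's behaviour (a filled-in honeypot silently bans the address, a banned address gets a dead form and an $error['spam'] message) but builds every query with PDO prepared statements so that no request data is ever concatenated into SQL, and it hides the field with CSS so it still reaches the browser as a real text input. It assumes the tutorial's `spam` and `entries` tables and a PDO connection in $pdo created by includes/config.php, which is an assumption, since the tutorial itself uses the mysql_* functions.

```php
<?php
// Added example, not the tutorial's own code: honeypot check plus IP ban using
// PDO prepared statements. Assumes the tutorial's `spam` and `entries` tables
// and a PDO connection $pdo from includes/config.php (assumed, not the
// tutorial's mysql_* connection).
declare(strict_types=1);

// Name of the honeypot field (the tutorial calls it message2).
const HONEYPOT_FIELD = 'message2';

// Renders the honeypot. It is pushed off-screen with CSS instead of using
// type="hidden" so that a bot filling in every text input still trips it;
// tabindex="-1" keeps keyboard users from landing in it by accident.
function honeypotField(): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<input type="text" name="' . HONEYPOT_FIELD . '" tabindex="-1" autocomplete="off" />'
         . '</div>';
}

// True when the submitted form carries text in the honeypot.
function honeypotTripped(array $post): bool
{
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Is this address on the ban list?
function isBanned(PDO $pdo, string $ip): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM `spam` WHERE `ip` = ? LIMIT 1');
    $stmt->execute([$ip]);
    return $stmt->fetchColumn() !== false;
}

// Records the address once; a second hit on the honeypot adds no new row.
function banIp(PDO $pdo, string $ip): void
{
    if (!isBanned($pdo, $ip)) {
        $stmt = $pdo->prepare('INSERT INTO `spam` (`ip`) VALUES (?)');
        $stmt->execute([$ip]);
    }
}

// The tutorial's field checks, returning the $error array its template expects.
function validateEntry(array $post): array
{
    $error = [];
    if (trim((string) ($post['name'] ?? '')) === '') {
        $error['name'] = 'Please enter your name';
    }
    $email = trim((string) ($post['email'] ?? ''));
    if ($email === '') {
        $error['email'] = 'Please enter an e-mail address';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error['email'] = 'Please enter a correct e-mail address';
    }
    if (strlen(trim((string) ($post['message'] ?? ''))) < 2) {
        $error['message'] = 'Please enter a message';
    }
    return $error;
}

// Handles one request for index.php and returns the $error array
// (empty when the entry was stored or there was nothing to do).
function handleRequest(PDO $pdo, array $post, string $ip): array
{
    if (isBanned($pdo, $ip)) {
        // The form is dead for this visitor, exactly as in the tutorial.
        return ['spam' => 'Your IP: ' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . ' is banned!'];
    }
    if (!isset($post['submit'])) {
        return [];
    }
    if (honeypotTripped($post)) {
        // Ban silently: the bot gets no error message and no entry.
        banIp($pdo, $ip);
        return [];
    }
    $error = validateEntry($post);
    if ($error !== []) {
        return $error;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO `entries` (`name`, `email`, `website`, `message`, `date`, `ip`)'
        . ' VALUES (?, ?, ?, ?, NOW(), ?)'
    );
    $stmt->execute([
        trim((string) $post['name']),
        trim((string) $post['email']),
        trim((string) ($post['website'] ?? '')),
        trim((string) $post['message']),
        $ip,
    ]);
    return [];
}

// Wiring for index.php, with $pdo coming from includes/config.php (assumed):
// $error = handleRequest($pdo, $_POST, $_SERVER['REMOTE_ADDR']);
```

Two caveats a deployment should keep in mind: $_SERVER['REMOTE_ADDR'] is the address of whatever connected to the web server, so behind a reverse proxy or CDN every visitor shares the proxy's address and one trapped bot would ban everyone; and the tutorial's `ip` column is varchar(15), which only fits IPv4, so widen it to 45 characters if the server accepts IPv6 connections.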
60 Comments
Hello VOIDET
I spent last night going through this tutorial and it was great and informative.
One question I have is that I see your guestbook example has had some spambot action. Is this because there are new techniques that your tutorial doesn’t cover? I’d like to keep this kind of crap off my guest book if possible.
Thanks for your great tutorial and your feedback.
Best,
CGar
Hey Cgar,
This is both true and unfortunate.
I only taught one spam catching technique.
However, more can be applied if need be: generating a captcha form, or having an IP ban with a 30-day cool-off period, or running known-IP blocking from blacklists.
The honeypot technique is just one! Surprisingly, it rejects quite a lot!
Let me know if i can help you out further!
VoiDeT
Hi there,
A great tut! I'm trying to put it on my site.
But there is one little problem. The honeypot... when I add this link:
a new text field appears on my guestbook, while you were saying that it was hidden?
How is that possible?
Dennis
Hi there. Thanks for the great tut. Sorry... forgot to read the last side, as I didn't use all of the tut for my guestbook at the moment. So I implemented the guestbook in my website without asking you first. And... I'm not completely ready, still working on some things like the honeypot and the pagination.
Hello VOIDET,
This is the best tutorial on the internet so far!
I'm stuck at stages 7 to 10;
it looked fine until stage 7, then the success message never showed up.
The IP thing didn't work for me :/ so I skipped that part, and now I'm trying to get the entries to work out, but it shows me this message:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\guestbook\templates\entries.php on line 6
Do you have an idea of what's wrong?
I would be happy for any help, just contact my email!
Regards Zime
@Zime:
Thanks a lot for the kind words.
That's a shame that you can't get the guestbook working. It looks as though your data isn't being inserted correctly. What you can do, however, is check your database for any records. If they aren't in there, then check what's going on with the data you're inserting and the insert commands.
If you do see the data in there, then check what’s happening when you try and retrieve the records.
I'm thinking I might rewrite this tutorial to use OOP with PHP5.
Or maybe save that for a whole new tutorial.
Hi
First great thanks to the author of this tutorial/workshop
It's working great. But there is only a single problem: the website links in the db entries aren't working.
The link includes the whole file path, i.e. (http://htdocs/mywebsite/www.pcsh.it). What's wrong?
Thx in advance and best regards
Oli
THX a lot
love this tut
hey, where can I find the tutorial?
greetings
Dude, many thanks for this nice and clean tutorial. Took me about an hour to read it all and add my own commands.