Ultimate Guestbook Tutorial: How to build a Guestbook with a honeypot, error checking, IP banning, pagination, e-mail notification and smilies with PHP and mySQL

April 26th, 2008 by | Posted in PHP | With 0 views | Word Count: 545 |

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13

Lets get going on making our honeypot. Before i start with the programming let me introduce to you what a honeypot is. You probably know about spam e-mails; well spam is on websites too. These devils scrape across the internet looking for our webforms and post up their advertisements on just about anything and everything. This is all automated for the spammers, they just hit a button and let their spam dog loose on the internet; which is where we win!

A honeypot is like a trap. We make a hidden text field in our form so that us humans can't see it in the browser. What good is this you ask? Well the spam bots see everything! They see it as just another spot for them to enter in their advertisements and in thinking so, fill out the field, even though it is graphically hidden. All we then need to do is check if that field was filled in and then handle the request as if it was a spam bot!

What i could do here is make a new table in our database and call it spam bots. Then insert every ip address that gets trapped in this honey pot. Using this method we could then hide the guestbook form from the spammer so that they can never again see the guestbook with their ip address. And when i think of it, i will do this!

But first lets set up our honey pot. Open up form.php.

Find:

  1. <input type="submit" name="submit" value="Sign Guestbook" />

Before it add:

  1. <input type="text" name="message2" />

This is our honeypot! Looks tasty, pity we can't see it in the browser. Oh well, the spambots will enjoy their feast. Next open up index.php and:

Find:

  1. if(isset($_POST['submit'])){

Replace with:

  1. if(isset($_POST['submit']) && strlen($_POST['message2']) == 0){

This basically checks to see if the honeypot is empty. If it is then there is no spambot, but if there is text in the honeypot then it won't execute the proper code. So what does it execute? Well nothing. So lets get going on our IP banning solution. We need to make a new table in our database to store the naughty IP addresses:

  1. CREATE TABLE `spam` (
  2.   `id` int(8) NOT NULL AUTO_INCREMENT,
  3.   `ip` varchar(15) collate latin1_general_ci NOT NULL,
  4.   PRIMARY KEY  (`id`),
  5.   KEY `ip` (`ip`)
  6. ) ENGINE=MyISAM  DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;

Execute that sql in your database, like you did before. So we have two columns, an ip address column (which will store the banned ip addresses (derrrrrr)) and a unique identifier column, which would be useful if we wanted to extend the functions of the code.

So before we can ban the spammers, we need to store their details. So lets get going on inserting their IP into the new table in our database.

Open up index.php and find the last curly bracket:

  1. }

After it add:

  1. else if(isset($_POST['submit']) && strlen($_POST['message2']) > 0){
  2.     $postentry = @mysql_query("INSERT INTO `spam` (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')");
  3.   }

So if a spammer comes along and fills in that field we made, aka honeypot, then their ip gets listed into the database. So lets now use this list of IP's and block any previous spammers!

Keep index.php open and do:

Below:

  1. include('includes/config.php');

Add:

  1. $query = mysql_query("SELECT * FROM `spam` WHERE `ip`='".$_SERVER['REMOTE_ADDR']."' LIMIT 1");
  2.   $spamip = mysql_num_rows($query);
  3.  
  4.   if($spamip == 0){

Again find the last curly bracket in index.php:

Find:

  1. }

And after it add:

  1. } else {
  2.     $error['spam'] = 'Your IP: '.$_SERVER['REMOTE_ADDR'].' is banned!';
  3.   }

So that your index.php looks like:

  1. <?php
  2.  
  3.   include('includes/config.php');
  4.  
  5.   $query = mysql_query("SELECT * FROM `spam` WHERE `ip`='".$_SERVER['REMOTE_ADDR']."' LIMIT 1");
  6.   $spamip = mysql_num_rows($query);
  7.  
  8.   if($spamip == 0){
  9.     if(isset($_POST['submit']) && strlen($_POST['message2']) > 0){
  10.      
  11.       if(strlen($_POST['name']) == 0){
  12.         $error['name'] = 'Please enter your name';
  13.       }
  14.      
  15.       if(strlen($_POST['email']) == 0){
  16.         $error['email'] = 'Please enter an e-mail address';
  17.       } else {
  18.         if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_POST['email'])){
  19.           $error['email'] = 'Please enter a correct e-mail address';
  20.         }
  21.       }
  22.      
  23.       if(strlen($_POST['message']) < 2){
  24.         $error['message'] = 'Please enter a message';
  25.       } 
  26.      
  27.       if(!isset($error)){
  28.         $postentry = @mysql_query("INSERT INTO `entries` (name, email, website, message, date, ip) VALUES ('".addslashes($_POST['name'])."', '".addslashes($_POST['email'])."', '".addslashes($_POST['website'])."', '".addslashes($_POST['message'])."', now(), '".$_SERVER['REMOTE_ADDR']."')");
  29.         if($postentry == true){
  30.           unset($_POST);
  31.         }
  32.       }
  33.      
  34.     } else if(isset($_POST['submit']) && strlen($_POST['message2']) == 0){
  35.       $spamentry = @mysql_query("INSERT INTO `spam` (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')");
  36.     }
  37.   } else {
  38.     $error['spam'] = 'Your IP: '.$_SERVER['REMOTE_ADDR'].' is banned!';
  39.   }
  40.    
  41.   include('templates/skin.php');
  42. ?>

If you read the code you would understand that the form is dead, php will not handle any of the requests in terms of error checking or inserting the entry into the database. Exactly what we wanted! We added the error text into our $error array, which will be automatically displayed! Simple.

Alright that's our honeypot and ipbanning completed. Let's get going on showing the guestbook entries! finally!

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13

Tags
, , , , , , , ,

Post a Comment