Are you getting a lot of spam, or junk messages sent via your Joomla site?
I know certain components of Joomla let you put banned words but I know of even more that don't. If you find all your forms need extra plugins and captchas (such as JezRecaptcha), then the website security isn't amazing. I used to have Captcha on my K2 by Joomlaworks but if you did the sound version, it didn't work properly. I found that sometimes the captcha wouldn't even match what you typed and what it displayed!!!
I have written this article to be another one of those programmer's tweaks. This is quite a simple fix and I will hopefully be able to keep it simple for non-programmers. The tweak below will stop any of your pages submitting content containing your banned words.
We're going to modify a file containing 2 lines of code by default. The file is index2.php in your Joomla root folder. Make a copy of it, back it up or do whatever you usually do when you modify a server-side file... ahem...
The code by to look for (joomla default) should be as follows:
$_REQUEST['tmpl'] = 'component';
include('index.php');
- $_REQUEST['tmpl'] = 'component';
- include('index.php');
There is some more text but it's in /* lines */ which means these are comments.
The quick solution is:
$_REQUEST['tmpl'] = 'component';
$offensive_words=array("viagra","cialis","[url=","porn","pfizer");
if (is_array($_GET)) $GotVars.=implode(",", $_GET).",";
if (is_array($_POST)) $GotVars.=implode(",", $_POST).",";
for($i=0;$i<count($offensive_words);$i++) { if (stripos($GotVars, $offensive_words[$i])) $offense=true; }
if (!$offense) include('index.php');
- $_REQUEST['tmpl'] = 'component';
- $offensive_words=array("viagra","cialis","[url=","porn","pfizer");
- if (is_array($_GET)) $GotVars.=implode(",", $_GET).",";
- if (is_array($_POST)) $GotVars.=implode(",", $_POST).",";
- for($i=0;$i<count($offensive_words);$i++) { if (stripos($GotVars, $offensive_words[$i])) $offense=true; }
- if (!$offense) include('index.php');
The reporting solution (which tells your visitor what word caused an offense) is:
# CREATE AN ARRAY OF BANNED WORDS
$offensive_words=array();
$offensive_words[]="viagra";
$offensive_words[]="cialis";
$offensive_words[]="[url=";
$errors="";
# CONVERT THE SUBMITTED DATA INTO STRING(S)
$GotVars="";
if (is_array($_GET)) $GotVars.=strtolower(implode(",", $_GET).",");
if (is_array($_POST)) $GotVars.=strtolower(implode(",", $_POST).",");
# NOW CHECK EACH BANNED WORD DOES NOT EXIST IN THE STRING
for ($i=0; $i<count($offensive_words); $i++) {
$offensive_string.=(stripos($GotVars, $offensive_words[$i])!==false)?"- ".$offensive_words[$i].", ":"";
}
# IF THE OFFENSIVE STRING WAS POPULATED (=FOUND BANNED WORDS) THEN CREATE A MESSAGE
$errors.=(trim($offensive_string)!="")?"You have submitted word(s) that the website administrator has banned:".$offensive_string.". Please try again without the banned words.":"";
# IF THE ERRORS STRING IS EMPTY PROCEED AS NORMAL, IF NOT THEN DISPLAY MESSAGE
if (trim($offensive_string)=="") {
include('index.php');
} else {
echo $errors;
}
- # CREATE AN ARRAY OF BANNED WORDS
- $offensive_words=array();
- $offensive_words[]="viagra";
- $offensive_words[]="cialis";
- $offensive_words[]="[url=";
- $errors="";
- # CONVERT THE SUBMITTED DATA INTO STRING(S)
- $GotVars="";
- if (is_array($_GET)) $GotVars.=strtolower(implode(",", $_GET).",");
- if (is_array($_POST)) $GotVars.=strtolower(implode(",", $_POST).",");
- # NOW CHECK EACH BANNED WORD DOES NOT EXIST IN THE STRING
- for ($i=0; $i<count($offensive_words); $i++) {
- $offensive_string.=(stripos($GotVars, $offensive_words[$i])!==false)?"- ".$offensive_words[$i].", ":"";
- }
- # if THE OFFENSIVE STRING WAS POPULATED (=FOUND BANNED WORDS) THEN CREATE A MESSAGE
- $errors.=(trim($offensive_string)!="")?"You have submitted word(s) that the website administrator has banned:".$offensive_string.". Please try again without the banned words.":"";
- # if THE ERRORS STRING IS EMPTY PROCEED as NORMAL, if NOT THEN DISPLAY MESSAGE
- if (trim($offensive_string)=="") {
- include('index.php');
- } else {
- echo $errors;
- }
My comments in the code above are prefixed with #. As you can see I actually tell the user what word they've used that's been banned. You could easily not do this by replacing echo $errors="" with the word Return in the second to last line.
To sum up: my code does the following:
- Add words to the "offensive_words" array
- Joins any submitted data into 1 long string
- Tries to find each "offensive word" (case-insensitive) in the submitted data
- Creates a message if there was a banned word found
- If no message created, it proceeds as per usual; if not, it does not submit the form
To add more banned words, simply keep adding lines using the following syntax
# CREATE AN ARRAY OF BANNED WORDS $offensive_words=array(); $offensive_words[]="viagra"; $offensive_words[]="cialis"; $offensive_words[]="[url="; $offensive_words[]="porn"; $offensive_words[]="a banned phrase"; #...
- # CREATE AN ARRAY OF BANNED WORDS
- $offensive_words=array();
- $offensive_words[]="viagra";
- $offensive_words[]="cialis";
- $offensive_words[]="[url=";
- $offensive_words[]="porn";
- $offensive_words[]="a banned phrase";
- #...
or
# CREATE AN ARRAY OF BANNED WORDS
$offensive_words=array("viagra","cialis","[url=","porn","a banned phrase");
#...
- # CREATE AN ARRAY OF BANNED WORDS
- $offensive_words=array("viagra","cialis","[url=","porn","a banned phrase");
- #...
Additional Information: The Open Web Application Security Project (OWASP)
Add comment