Are you getting a lot of spam, or junk messages sent via your Joomla site?
I know certain components of Joomla let you put in banned words, but I know of even more that don't. If you find all your forms need extra plugins and captchas (such as JezRecaptcha), then the website's security isn't amazing. I used to have Captcha on my K2 by Joomlaworks, but if you did the sound version, it didn't work properly. I found that sometimes the captcha wouldn't even match what you typed and what it displayed!
I have written this article to be another one of those programmer's tweaks. It is quite a simple fix, and I will hopefully be able to keep it simple for non-programmers. The tweak below stops your pages from submitting content that contains your banned words.
We're going to modify a file that contains just 2 lines of code by default: index2.php in your Joomla root folder. Because the check lives in that file, it only runs for requests that go through index2.php. Make a copy of it, back it up, or do whatever you usually do when you modify a server-side file... ahem...
The code to look for (Joomla default) should be as follows:
```php
$_REQUEST['tmpl'] = 'component';
include('index.php');
```
There is some more text in the file, but it sits between /* and */ markers, which means it is a comment.
The quick solution is:
```php
$_REQUEST['tmpl'] = 'component';
$offensive_words = array("viagra", "cialis", "[url=", "porn", "pfizer");
// Join every submitted GET and POST value into one string to search.
$GotVars = "";
if (is_array($_GET))  $GotVars .= implode(",", $_GET) . ",";
if (is_array($_POST)) $GotVars .= implode(",", $_POST) . ",";
// stripos() returns 0 for a match at the very start of the string, so compare against false.
$offense = false;
for ($i = 0; $i < count($offensive_words); $i++) {
    if (stripos($GotVars, $offensive_words[$i]) !== false) $offense = true;
}
if (!$offense) include('index.php');
```
The reporting solution (which tells your visitor which word caused the offense) is:
```php
# KEEP JOOMLA'S OWN FIRST LINE
$_REQUEST['tmpl'] = 'component';
# CREATE AN ARRAY OF BANNED WORDS
$offensive_words = array();
$offensive_words[] = "viagra";
$offensive_words[] = "cialis";
$offensive_words[] = "[url=";
$errors = "";
$offensive_string = "";
# CONVERT THE SUBMITTED DATA INTO STRING(S)
$GotVars = "";
if (is_array($_GET))  $GotVars .= strtolower(implode(",", $_GET) . ",");
if (is_array($_POST)) $GotVars .= strtolower(implode(",", $_POST) . ",");
# NOW CHECK EACH BANNED WORD DOES NOT EXIST IN THE STRING (!== false CATCHES A MATCH AT POSITION 0)
for ($i = 0; $i < count($offensive_words); $i++) {
    $offensive_string .= (stripos($GotVars, $offensive_words[$i]) !== false) ? "- " . $offensive_words[$i] . ", " : "";
}
# IF THE OFFENSIVE STRING WAS POPULATED (=FOUND BANNED WORDS) THEN CREATE A MESSAGE
$errors .= (trim($offensive_string) != "") ? "You have submitted word(s) that the website administrator has banned: " . $offensive_string . ". Please try again without the banned words." : "";
# IF THE ERRORS STRING IS EMPTY PROCEED AS NORMAL, IF NOT THEN DISPLAY MESSAGE
if (trim($offensive_string) == "") {
    include('index.php');
} else {
    echo $errors;
}
```
My comments in the code above are prefixed with #. As you can see, I actually tell the user which word they've used that has been banned. If you would rather not, replace echo $errors; in the else branch with return; so the script simply stops without a message.
To sum up, my code does the following:
- Takes the words you put in the "offensive_words" array
- Joins all submitted data into one long string
- Looks for each "offensive word" (case-insensitively) in that string
- Creates a message if a banned word was found
- If no message was created it proceeds as usual; otherwise it does not submit the form
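The same check written to walk the request the way Joomla actually sends it, as an added example and not code from the article: Joomla posts form fields as nested arrays (e.g. $_POST['jform']['text']), which implode() flattens to the literal string "Array" and so never inspects. The function name, field names and sample values below are my own; the constructed request also shows the main false positive of substring matching.

```php
<?php
// Added example, not the article's code: the same banned-word check, but walking the
// request recursively so nested form arrays are inspected rather than flattened to
// "Array" by implode(). The function and field names below are my own.

// Returns the banned words found in $data, keyed by the field path they appeared in,
// e.g. array('jform.text' => array('[url=')). Matching is case-insensitive.
function find_banned_words(array $data, array $banned, $prefix = '')
{
    $hits = array();
    foreach ($data as $key => $value) {
        $path = ($prefix === '') ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            // Recurse instead of letting implode() flatten the sub-array away.
            $hits = array_merge($hits, find_banned_words($value, $banned, $path));
            continue;
        }
        $haystack = strtolower((string) $value);
        foreach ($banned as $word) {
            // Compare against false explicitly: a match at offset 0 is still a match.
            if (strpos($haystack, strtolower($word)) !== false) {
                $hits[$path][] = $word;
            }
        }
    }
    return $hits;
}

// Constructed sample request, shaped like a Joomla form post.
$sample_post = array(
    'option' => 'com_contact',
    'jform'  => array(
        'name'    => 'Viagra Sales',      // banned word at offset 0
        'subject' => 'Ask a specialist',  // "specialist" contains "cialis": a false positive
        'text'    => 'Visit [url=http://example.invalid] today',
    ),
);
$banned = array('viagra', 'cialis', '[url=', 'porn');

$hits = find_banned_words($sample_post, $banned);
if ($hits) {
    // Log field and word so false positives like the one above are visible to the admin.
    foreach ($hits as $field => $words) {
        error_log('Blocked submission: ' . $field . ' matched ' . implode(', ', $words));
    }
    echo "Your submission contained banned words and was not sent.";
} else {
    include('index.php');
}
```

Logging the field and word per blocked request is what lets you spot legitimate submissions (like "specialist") being caught by a too-broad word list.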
To add more banned words, simply keep adding lines using the following syntax:
```php
# CREATE AN ARRAY OF BANNED WORDS
$offensive_words = array();
$offensive_words[] = "viagra";
$offensive_words[] = "cialis";
$offensive_words[] = "[url=";
$offensive_words[] = "porn";
$offensive_words[] = "a banned phrase";
# ...
```
or
```php
# CREATE AN ARRAY OF BANNED WORDS
$offensive_words = array("viagra", "cialis", "[url=", "porn", "a banned phrase");
# ...
```
Additional Information: The Open Web Application Security Project (OWASP)