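/**
 * Check the Spam Hurdles data for a posted form.
 *
 * When a form is posted, then this function has to be called to
 * check the data that was posted.
 *
 * The checks run in order and stop at the first failure: the form data
 * must be present, the form id embedded in it must match the expected
 * one, its TTL must not have passed, and finally the individual hurdles
 * are asked to check the data through spamhurdles_hurdle_call().
 * Every rejection is written to the log through spamhurdles_log(); the
 * message that is returned to the caller is always the generic
 * "PostingRejected" language string, so no check details leak to the
 * client.
 *
 * @param string $form_id
 *     An identifier for the current form. This must be the same form id
 *     as the one that was used when calling {@link spamhurdles_api_init()}.
 *
 * @return array
 *     An array, containing two elements.
 *     The first element is the result status of the spam hurdle check.
 *     This is one of SPAMHURDLES_OK, SPAMHURDLES_WARNING or SPAMHURDLES_FATAL.
 *     The second element is the error message or NULL if there was no error.
 */
function spamhurdles_api_check_form($form_id)
{
    global $PHORUM;

    // The generic rejection message for the user; the reason for a
    // rejection only goes to the log.
    $error = $PHORUM['DATA']['LANG']['mod_spamhurdles']['PostingRejected'];
    $status = SPAMHURDLES_FATAL;
    $logtitle = "Spam Hurdles blocked post, form id \"{$form_id}\"";

    // Retrieve the spam hurdles data from the form.
    $data = spamhurdles_api_get_formdata($form_id);

    // Without (valid) spam hurdles data there is nothing to check: reject.
    if ($data === NULL) {
        spamhurdles_log($logtitle, "The posting form was posted without or with invalid " . "Spam Hurdles data.");
        return array($status, $error);
    }

    // The form id embedded in the data must be the one that we expect.
    // Compare as strings with !== instead of the loose != operator: loose
    // comparison applies PHP's numeric-string juggling (e.g. "1e1" == "10"),
    // which would let the data of one form pass the check of another.
    $posted_id = isset($data['id']) && is_scalar($data['id']) ? (string) $data['id'] : NULL;
    if ($posted_id === NULL || $posted_id !== (string) $form_id) {
        spamhurdles_log($logtitle, "The posting form was posted with an invalid Spam Hurdles " . "form id.<br/>" . "<br/>" . "Posted form id = " . ($posted_id === NULL ? 'n/a' : $posted_id) . "<br/>" . "Expected form id =  {$form_id}");
        return array($status, $error);
    }

    // The data carries an expiry timestamp (unix time); data without a
    // TTL or with a TTL in the past is rejected.
    $ttl = isset($data['ttl']) ? $data['ttl'] : NULL;
    if ($ttl === NULL || $ttl < time()) {
        // Only for 5.2. In 5.3 this was moved to formatting API functions.
        if (file_exists('./include/format_functions.php')) {
            require_once './include/format_functions.php';
        }
        spamhurdles_log($logtitle, "The posting form was posted with valid Spam Hurdles data, " . "but the data expired at " . phorum_date($PHORUM["short_date_time"], $ttl));
        return array($status, $error);
    }

    // Let the spam hurdles check the data. If one sees a problem, then
    // it can set the $data['error'] and $data['status'] elements. It can
    // also add log messages to the $data['log'] array.
    $data['error'] = NULL;
    $data['status'] = SPAMHURDLES_OK;
    $data['log'] = array();
    $data = spamhurdles_hurdle_call('check_form', $data, $data['hurdles']);

    // Anything but SPAMHURDLES_OK is logged, together with the extra
    // information that the hurdles collected in $data['log'].
    $status = $data['status'];
    if ($status !== SPAMHURDLES_OK) {
        $blocktype = $status === SPAMHURDLES_FATAL ? 'fatal' : 'warning';
        $info = empty($data['log']) ? '' : "\n\nInfo: " . implode(' ', $data['log']);
        spamhurdles_log($logtitle, "Block type: " . $blocktype . "\n" . "Block error: \"" . $data['error'] . "\"" . $info);
    }

    return array($data['status'], $data['error']);
}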
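/**
 * Run the Spam Hurdles checks for a submitted form.
 *
 * The checks run in order; once one of them decides to block
 * ($do_block), the remaining ones are skipped. Tampering cases (a key
 * that belongs to a different form type) do not return but hand over to
 * spamhurdles_blockerror(). A failed CAPTCHA returns the CAPTCHA's own
 * error message directly.
 *
 * @param string $type
 *     The type of the form that was submitted (e.g. "posting"). It is
 *     compared with the form type that is linked to the posting key.
 *
 * @return string|null
 *     An error message to show to the user, or NULL when the post is
 *     okay.
 */
function phorum_mod_spamhurdles_run_submitcheck($type)
{
    $PHORUM = $GLOBALS["PHORUM"];
    $spamhurdles = isset($PHORUM["SPAMHURDLES"]) ? $PHORUM["SPAMHURDLES"] : NULL;
    $conf = $PHORUM["mod_spamhurdles"];
    $logtitle = "Spam Hurdles blocked \"{$type}\" post";
    $do_block = FALSE;

    // We should have spamhurdles information at all time. If not, then
    // this probably means, somebody is trying to post data directly to
    // the form or is trying to repost using an already expired/used key.
    if (!isset($PHORUM["SPAMHURDLES"]["key"])) {
        // If we did not enable multipost blocking, then initialize
        // spamhurdles data and let the other checks do their work.
        // They will automatically fail if they are enabled.
        if ((empty($spamhurdles) || !empty($spamhurdles["prev_key_expired"])) && do_spamhurdle("blockmultipost")) {
            spamhurdles_log($logtitle, "The posting form was posted without or with an expired " . "Spam Hurdles key.");
            $do_block = TRUE;
        } else {
            // initialize spamhurdles information for all other cases.
            // if other checks are enabled, they will take over.
            // NOTE(review): only the local copy is re-initialized here;
            // $PHORUM["SPAMHURDLES"] (read by the form type check below)
            // is left as it was — confirm that this is intended.
            $spamhurdles = phorum_mod_spamhurdles_init($type);
        }
    }

    // if the type of form in the spamhurdles data does not match the
    // real form type, then the key that was used for form type 1 is used
    // in form type 2. this is definitely data tampering. no friendly
    // warning messages here.
    $linked_type = isset($PHORUM["SPAMHURDLES"]["form_type"]) ? $PHORUM["SPAMHURDLES"]["form_type"] : NULL;
    if (!$do_block && $linked_type !== $type) {
        spamhurdles_log($logtitle, "The Spam Hurdles form type that is linked to the posting key " . "is \"{$linked_type}\", but the real " . "form type is \"{$type}\".");
        spamhurdles_blockerror();
    }

    // Check if the minimum TTL is honoured for the message posting form.
    if (!$do_block && $type === "posting" && do_spamhurdle("blockquickpost")) {
        // Seconds that the poster still would have to wait.
        $delay = $conf["key_min_ttl"] - (time() - $spamhurdles["create_time"]);
        if ($delay > 0) {
            spamhurdles_log($logtitle, "The TTL for the Spam Hurdles key expired.");
            $do_block = TRUE;
        }
    }

    // Check if a HTML commented form field was submitted.
    if (!$do_block && do_spamhurdle("commentfieldcheck")) {
        if (array_key_exists("commentname", $_POST)) {
            spamhurdles_log($logtitle, "An HTML commented form field was submitted. This most " . "probably is a badly programmed posting bot.");
            $do_block = TRUE;
        }
    }

    // Check if javascript signing was done for the message posting form.
    if (!$do_block && $type === "posting" && do_spamhurdle("jsmd5check")) {
        $sig = md5($spamhurdles["key"] . $spamhurdles["signkey"]);

        // Only a string can be a valid signature; anything else (e.g. a
        // "spamhurdles_signature[]" array field) counts as not signed.
        $received = isset($_POST["spamhurdles_signature"]) && is_string($_POST["spamhurdles_signature"]) ? $_POST["spamhurdles_signature"] : NULL;

        // Compare the digests strictly and in constant time. The loose !=
        // operator applies numeric-string juggling, so two hex digests of
        // the form "0e<digits>" compare equal under == even when they
        // differ. hash_equals() is preferred; on PHP versions without it
        // a strict === comparison at least removes the juggling problem.
        if ($received === NULL) {
            $signed_ok = FALSE;
        } elseif (function_exists('hash_equals')) {
            $signed_ok = hash_equals($sig, $received);
        } else {
            $signed_ok = ($received === $sig);
        }

        if (!$signed_ok) {
            spamhurdles_log($logtitle, "Javascript signing is enabled, but the client either " . "did not sign the provided data or did sign it wrongly.\n\n" . "Expected signature: {$sig}\n" . "Received signature: " . ($received === NULL ? 'n/a' : $received));
            $do_block = TRUE;
        }
    }

    // Check if the captcha is filled in right.
    if (!$do_block && isset($spamhurdles["captcha"])) {
        $class = $spamhurdles["captcha_class"];
        // The class name is used both in a require path and in "new".
        // Defense in depth: only accept a plain PHP identifier, whatever
        // the stored value turns out to be.
        if (!is_string($class) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
            spamhurdles_log($logtitle, "The stored CAPTCHA class name is not a valid class name.");
            spamhurdles_blockerror();
        }
        require_once "./mods/spamhurdles/captcha/class.{$class}.php";
        $captcha = new $class();
        $error = $captcha->check_answer($spamhurdles["captcha"]);
        if ($error) {
            spamhurdles_log($logtitle, "The CAPTCHA check failed: {$error}");
            return $error;
        }
    }

    // Handle default blocking case. Which method of blocking to use for
    // message posting, can be configured from the module settings page.
    if ($do_block) {
        if ($type === "posting" && $conf["blockaction"] === "unapprove") {
            phorum_mod_spamhurdles_init($type, array("unapprove" => 1));
            return $PHORUM["DATA"]["LANG"]["mod_spamhurdles"]["PostingUnapproveError"];
        }
        spamhurdles_blockerror();
    }

    // All is okay!
    return NULL;
}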