Part 2: Neat Little Snippets of Code That Are Useful for WordPress

Ahhhhh…. ye olde “Send to a Friend”. One of my recent clients really wanted this sucker for every single post on their site - all you needed to do was put in your email address, your friend’s email address, maybe write a little personal note and send it on its merry way.

The problem with “Send to a Friend” scripts is the abuse factor. Basically, you’re leaving your server wide open for some POS to come along and use your server as a mass spam machine. They can send to as many people as they want, and when the crap hits the fan, you are the one that gets blamed for it all, and you are the one who pays the price.

God, I hate spammers.


Well, the way around this issue is to check the end user’s input. So what I did was convert my own simple form into a send-to-friend script. It was surprisingly easy. I’d never made a form that used only one single file before, though - so that part was hard for me - but once I had it down, I found all kinds of other uses for this easy idea.

But anyway, so here we go. You need a form with five fields - the names, the to and from addresses, and a personal message. You need to check the end user’s input. Frankly, because the form is only meant to send a link to the post in question, there’s no need to allow anything but text and numbers in the “message” field. The script handles the rest. Being this strict is a bit safer for you, because people can only enter well-formed information. There is a chance that some spammer could use the form to send out spam, but with the heavy restrictions, the most they can do is send your post to a single user as a spam attempt. Not very user-friendly for the spammer!

A side note: although I only made the script for use in WordPress, I can’t imagine you wouldn’t be able to use it in something else. So if you want to take it to Joomla, Movable Type - whatever - it shouldn’t be too hard to convert it.

In the code, you may note a small input box there, right before the “send” button, called “surprise”. Now, I detest captchas. They’re JavaScript-based (usually) and easy to get around, and on top of that (whether JavaScript-based or not) they are pretty inaccessible to users. Plus, they’re just downright annoying. I can’t stand them. They’re seriously a pet peeve of mine, like “no right click” scripts, and background music that you can’t shut off. Just thinking about them irritates me - like chewing aluminum foil, or running your fingernails down a chalkboard. Ugh.

So the “surprise” is this: it prevents automated spambots from filling in your form, while a real person gets through just fine. How? Although it’s a regular text field that can accept input, you render it invisible with CSS. (For those that have CSS disabled or are using a screen reader, there’s a label notification that, if you are a real person, you should NEVER fill in this field.) An automated spammer wouldn’t notice (or care about) this notification, and will try to fill it with input. The script detects this, and if any input is placed in that field, the form will not send. Simple, but brilliant (and I have the WDG List to thank for that little nugget of code!).

So, now on to the script itself. What you need to do is check the input - just like any other form you would use. I’m a little more strict on this than I am anywhere else I’d use a form, simply because of the massive abuse factor (and we do want to keep this in check), so I get down and dirty with specifics.

The name field will accept only English characters (sorry guys - I haven’t figured out the whole Spanish/Japanese/Russian/Swedish/etc. character thing for the regex yet. If I knew how to do that, I’d be adding that capability as well, but you’re stuck with plain ol’ English for now. But if anyone would like to assist me with that type of translation, I’d love to hear from you!) - that’s my only limitation. It’ll allow capital and lowercase letters, apostrophes, hyphens and spaces. So you can enter “Shelly”, but if you’re Irish, “Shelly O’Brien” will work too. If you hung onto your maiden name when you got married *and* you’re Irish, “Shelly Smith-O’Brien” will also be accepted.

Email is your regular “check for proper email formatting” check (and yes, “co.uk” will work as well as “.com” at the end). Then the message is checked for any scripting attempts. For the record, if anyone does try to insert a script, my script will recognize the attempt. It will still allow the message to go through, but all actual script running is disabled. It’ll just pass it through as straight text. I haven’t quite gotten it to the point where, if it detects an XSS attempt, it just returns an error, but at least it cleans the message up so it’s text-only and no harm is done (and if you’re the recipient, you’ll see what was attempted, so hopefully the recipient will send it back to you so you can see what they tried to do with the script - it may help a little bit to see what they were attempting - but I do know that’s a bit annoying in the end). That’s another thing I need to work on with this.
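To make the “surprise” honeypot and the input checks described above concrete, here is an added example of the server-side half in plain PHP. It is not the post’s own script: the field names, the allowed punctuation in the message, and the sample addresses are my assumptions, and unlike the post’s script it rejects a message containing markup outright instead of passing it through as text.

```php
<?php
// Added example, not the post's own script. Server-side checks for a
// "Send to a Friend" form: the CSS-hidden "surprise" honeypot, a strict name
// pattern, email validation, and a plain-text-only message.

// Letters, apostrophes, hyphens and spaces only (so "Shelly Smith-O'Brien" passes).
const NAME_PATTERN = '/\A[A-Za-z\' -]{1,60}\z/';
// Letters, digits, basic punctuation and line breaks (assumed set); no < > " &
// means no markup or script can get into the message at all.
const MESSAGE_PATTERN = '/\A[A-Za-z0-9 .,!?\'\r\n-]{0,500}\z/';

function validate_send_to_friend(array $input): array
{
    // Honeypot: the field is hidden with CSS and its label tells humans to
    // leave it empty, so any content means a bot. Reject without explanation.
    if (trim($input['surprise'] ?? '') !== '') {
        return ['ok' => false, 'errors' => ['bot']];
    }
    $errors = [];
    foreach (['from_name', 'to_name'] as $field) {
        if (!preg_match(NAME_PATTERN, $input[$field] ?? '')) {
            $errors[] = $field;
        }
    }
    // A single well-formed address only; this also rules out the CR/LF that a
    // mail-header injection through the From/To line would need.
    foreach (['from_email', 'to_email'] as $field) {
        if (filter_var($input[$field] ?? '', FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = $field;
        }
    }
    // Anything outside the plain-text set is treated as a scripting attempt.
    if (!preg_match(MESSAGE_PATTERN, $input['message'] ?? '')) {
        $errors[] = 'message';
    }
    return $errors ? ['ok' => false, 'errors' => $errors] : ['ok' => true];
}

// The link comes from the server (in WordPress, get_permalink()), never from
// the form, so the only thing a spammer could ever send is this one post.
function build_mail_body(array $input, string $post_url): string
{
    return "{$input['from_name']} thought you might like this post:\n"
         . "$post_url\n\n{$input['message']}\n";
}

// Constructed sample submissions (hypothetical names and addresses).
$human = ['from_name' => "Shelly Smith-O'Brien", 'from_email' => 'shelly@example.com',
          'to_name' => 'Pat', 'to_email' => 'pat@example.co.uk',
          'message' => "Thought you'd like this!", 'surprise' => ''];
$bot = array_merge($human, ['surprise' => 'buy now', 'message' => '<script>alert(1)</script>']);
var_dump(validate_send_to_friend($human)); // passes every check
var_dump(validate_send_to_friend($bot));   // stopped by the honeypot alone
```

On a pass, hand `build_mail_body()` and the validated addresses to your mailer (`wp_mail()` in WordPress); on a failure, say nothing specific to the bot case so it cannot learn which check it tripped.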

Anyway. So that’s pretty much it. Although I’d normally plunk all the code here within my post, for such a small thing it *is* a lot of code, so I thought I’d be nice and make it easier to read for you. Instead, I’m providing a link for you to use: you can go straight to the code and copy/paste it into a text editor (no, I haven’t turned it into a plugin yet - I’m not THAT good) and be sure you follow the instructions at the top so you know where to put it.

Up Next: “Content Scraper”
