
HoneyPot Captcha


Jack_mcs


50 minutes ago, dfr717 said:

I believe the previous fix just resolved the 'Parse error' but the function itself doesn't actually work. I set the time to 60 seconds and I was able to make two accounts in less than 30 seconds, the second account shouldn't have been able to be created since the form was submitted twice from the same ip, correct?

No, that's not correct. There are two settings regarding the time.

The "Create Account Period" controls how many minutes between create accounts are possible. So if you have it set to 30, it means that a second account cannot be created until 30 minutes after the first one was created.

The "Verify Time to Submit" setting looks at the number of seconds between account creations. So if it is set to 4 and you create a second account in 3 seconds, it will block you. When spammers create accounts, they may use a script to do so. And if the script is set to create multiple accounts, it will just take a few seconds for them to do that. A person, on the other hand, cannot create a second account in a matter of seconds so this setting won't affect them. If a spammer is filling out the form manually, then this option won't affect him either. It would only catch scripts that can quickly create accounts.

With that said, the code for that option will not work. To fix it, find the following in the includes/functions/honeypot.php file

        } else { //an entry for this IP doesn't exist so add one
            WriteToLog(sprintf(TEXT_CREATE_ACCOUNT_NEW_ACCOUNT, $cust)); 

and change it to

        } else { //an entry for this IP doesn't exist so add one
            if (defined('MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT') && tep_not_null(MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT)) {
                if (! tep_session_is_registered('time_check')) {
                    $time_check = time(); 
                    tep_session_register('time_check');   
                }    
            }
            
            WriteToLog(sprintf(TEXT_CREATE_ACCOUNT_NEW_ACCOUNT, $cust)); 

Then replace this

function CheckTimeToSubmit() {
    if (! empty(MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT)) {
        $diff = ((time() - $_SESSION['time_check']) / 3660) * 1000;               
        
        if ($diff < MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT) {
            return true;
        }  
        unset($_SESSION['time_check']);        
    }
    
    return false;    
}

with this

function CheckTimeToSubmit() {
    //time_check is registered as a session variable, which osCommerce
    //exposes as a global, so it has to be imported into this function
    global $time_check;

    if (defined('MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT') && tep_not_null(MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT)) {
        if (tep_session_is_registered('time_check')) {
            $diff = time() - $time_check; //seconds since the last recorded attempt

            if ($diff < MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT) {
                $time_check = time(); //keep active in case script continues
                return true; //submitted too soon
            } else {
                tep_session_unregister('time_check');
            }
        }
    }

    return false;
}

 

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons
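
An added example, not part of the original post or the HoneyPot add-on: a stand-alone PHP sketch of the session-based time-to-submit check described above, run over a constructed timeline. It compares the `/ 3660 * 1000` scaling from the CheckTimeToSubmit() being replaced with a comparison in plain seconds; the function names, the `$session` array standing in for `$_SESSION`, and the threshold of 4 are assumptions.

```php
<?php
// Added example, not the add-on's code. Function and key names are hypothetical.

// The scaling used in the CheckTimeToSubmit() being replaced: seconds / 3660 * 1000.
function scaledElapsed(int $seconds): float
{
    return ($seconds / 3660) * 1000;
}

// Session-backed check: true means "submitted too soon, block it".
// $session stands in for $_SESSION so the sketch runs from the command line.
function submittedTooSoon(array &$session, int $now, int $minSeconds, bool $useScaling = false): bool
{
    if ($minSeconds <= 0) {
        return false;                      // setting empty or zero: check disabled
    }
    if (!isset($session['time_check'])) {
        $session['time_check'] = $now;     // first submission: start the clock
        return false;
    }
    $seconds = $now - $session['time_check'];
    $elapsed = $useScaling ? scaledElapsed($seconds) : $seconds;

    if ($elapsed < $minSeconds) {
        $session['time_check'] = $now;     // restart the window while attempts keep coming
        return true;
    }
    unset($session['time_check']);         // slow enough: clear the marker
    return false;
}

// Constructed timeline: gaps (in seconds) between two consecutive submissions.
$gaps = [3, 10, 14, 15, 90];
$threshold = 4;                            // assumed "Verify Time to Submit" value

printf("%-6s %-14s %-14s\n", 'gap', 'plain seconds', 'scaled');
foreach ($gaps as $gap) {
    $row = [];
    foreach ([false, true] as $useScaling) {
        $session = ['time_check' => 1000]; // constructed start time
        $blocked = submittedTooSoon($session, 1000 + $gap, $threshold, $useScaling);
        $row[] = $blocked ? 'blocked' : 'allowed';
    }
    printf("%-6d %-14s %-14s\n", $gap, $row[0], $row[1]);
}
```

With the threshold at 4, the scaled comparison keeps blocking until about 14.6 seconds have passed (4 × 3660 / 1000), while the plain comparison stops blocking at 4 seconds.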


Hello @Jack_mcs

I have Honeypot set up to disallow URLs in the Contact Us form, and it seems to work on my end.  If I try to send one, I get this:

[Attached image: email.JPG]

However, I am still getting emails thru Contact Us with urls inserted.  The last one was just moments ago, lots of text in another language (Russian?) and it ends with this:

Всю статью читайте здесь: http://www.xxxx.blo.com/2019/11/force.html

I've edited the URL, so...not valid, but you get the idea.

How is that possible? 

- Andrea

 


2 hours ago, puggybelle said:

How is that possible? 

Assuming you had HP installed previously, please verify the code near the top of the contact us page that calls the verify file is calling verify_general and not verify_contact_us.


2 hours ago, Jack_mcs said:

Assuming you had HP installed previously, please verify the code near the top of the contact us page that calls the verify file is calling verify_general and not verify_contact_us.

Yep.  I had not changed the call from verify_contact_us to verify_general in contact_us.php

So excited to try the new HP I must have raced past that part.  Sorry!

- Andrea


13 hours ago, puggybelle said:

Yep.  I had not changed the call from verify_contact_us to verify_general in contact_us.php

I was just notified that I failed to change the install instructions and they still mention the wrong module. So everyone should check their contact_us.php file and make sure they have honeypot_verify_general.php, not honeypot_contact_us.php. My apologies to anyone affected.


  • 4 weeks later...

Hi Jack:

Thanks for the information. I had hoped that would fix the problem I am having. With Create Account Check set to false all is good. As soon as create account check is set to true the website gives a 500 error. As noted I have made the above correction, which I found when comparing files in distribution to my server and noticed that the verify create accounts file was missing; which brought me here to check. I am running Phoenix 1.0.4.0 with HP 1.9.

Ron


44 minutes ago, RonCain said:

As soon as create account check is set to true the website gives a 500 error.

If this is the case, meaning you cannot even load the home page of the shop, then the problem is with the honeypot module. Most likely one of the files it needs is missing. If you mean the site won't load on just the create account page, then it is most likely a change that was made to that file. You can compare your file to the included one, or just use the included one for a quick test.

If the above doesn't help, you will need to find out what the actual error is. See if there is an error_log file in your shop's root, or check your host's error log in your control panel if there isn't, or ask your host to determine the error (some will, some won't).


Hi Jack:

Besides a bunch of undefined constant warnings, here is the only different error I get when account check is set to true:

PHP Fatal error:  Cannot redeclare AddIpEntry() (previously declared in .../includes/functions/honeypot.php:5) in .../includes/functions/honeypot.php on line 13

Hope this helps; it is the only error in the log.

Ron


1 hour ago, RonCain said:

Besides a bunch of undefined constant warnings, here is the only different error I get when account check is set to true:

Please provide one of the undefined constant warnings. I have HP installed in the latest Phoenix running 7.3 with full error reporting and no warnings appear.

For the create account page, did you make the changes manually or did you use the included file? If you used the included file, it may not be compatible with your shop, though it should work to test with. Have you tried doing that?

1 hour ago, RonCain said:

PHP Fatal error:  Cannot redeclare AddIpEntry() (previously declared in

Is it possible you have some other addon installed that does something with IP's? That is the only thing I can think of that would cause this.


Something that would cause both undefined constant warnings and a redeclaring error would be copying the wrong file.  For example, if a file that is supposed to include another file is saved where a language file should be.  So the function gets defined twice and the language defines are missing. 

Always back up before making changes.


Here are 4 errors I pulled; the first is very frequent, the other three are only occasional, although it is not related to honeypot:

PHP Warning:  Use of undefined constant MODULE_BOXES_MANUFACTURERS_MAX_LIST - assumed 'MODULE_BOXES_MANUFACTURERS_MAX_LIST' (this will throw an Error in a future version of PHP) in .../includes/modules/boxes/bm_manufacturers.php on line 40

PHP Warning:  Use of undefined constant MODULE_BOXES_PRODUCT_NOTIFICATIONS_VIEW - assumed 'MODULE_BOXES_PRODUCT_NOTIFICATIONS_VIEW' (this will throw an Error in a future version of PHP) in .../includes/modules/boxes/templates/tpl_bm_product_notifications.php on line 6

PHP Warning:  Use of undefined constant MODULE_HEADER_TAGS_HONEYPOT_TITLE - assumed 'MODULE_HEADER_TAGS_HONEYPOT_TITLE' (this will throw an Error in a future version of PHP) in .../includes/modules/header_tags/ht_honeypot.php on line 22

PHP Warning:  Use of undefined constant MODULE_HEADER_TAGS_HONEYPOT_DESCRIPTION - assumed 'MODULE_HEADER_TAGS_HONEYPOT_DESCRIPTION' (this will throw an Error in a future version of PHP) in .../includes/modules/header_tags/ht_honeypot.php on line 23

Also I do not have any other addons currently. The only alterations since installation are Phoenix version updates.

Ron


The two HP definitions are in the language file for this addon. So the file is not being loaded for some reason. The first one is a database entry so my guess is that a mistake was made in the update to the version of oscommerce you did. Try installing a clean version of the latest Phoenix with its own database and verify there are not any warnings (there shouldn't be). Then install HP in that shop and check again. Once you verify it is all working correctly, you can compare the files to your main shop using a compare program like Winmerge.

I know that is a lot of unwanted work but if you have problems in the shop, which you do, you need to fix them now or they will cause you problems later on.


The problem from the HP warnings is due to the language file not being seen for some reason. The non-HP warning, at least the first one, is a database problem. Most, if not all, of the Phoenix updates make changes to the database. You may have missed some. You should ask in the update thread for Phoenix as to why that warning is showing.


Jack

I hate to bother you but I have a small issue that I am certain is a setting.

As you are aware (from our private messages) I recently moved over to a newly updated store. In the OLD store Honeypot was sending emails to the store owner (me).  Since I switched over those emails have stopped.

The Honeypot log is being updated as shown in this excerpt

176.114.153.23 01-02-2020: URL's are not allowed in the message.This IP has 2 violations.
185.220.100.252 01-02-2020: URL's are not allowed in the message.This IP has 1 violations.
173.249.33.205 01-02-2020: Denied due to a country - state mismatch.This IP has 1 violations.
173.249.33.205 01-02-2020: URL's are not allowed in the message.This IP has 2 violations.

The settings from the header tag (setup file settings) are

Log Tracker: Both

Emails from the store are working and being sent. 

There is nothing showing up in the php_errors.log nor is anything showing in the domain error logs either

Can you point me in the right direction?  Or at least give me a starting place?  

BJ


The code uses the error_log command to record or email the error. Since the file option is working, that means that error logging is enabled. The only difference between the two commands is that one uses the email address. The address it uses is the shop's, so maybe you forgot to enter an email address in that setting?

If that isn't it, it might be the formatting of the message is causing the email code to fail. To test that, change this line in the functions file

error_log($text, 1, STORE_OWNER_EMAIL_ADDRESS);

to

error_log('hello', 1, STORE_OWNER_EMAIL_ADDRESS);

Then cause an error and see if you get the email. If not, you could also try changing the STORE_OWNER_EMAIL_ADDRESS to '[email protected]', where that is a known working email address not on your server.


Jack as per your instructions I have tried the various combinations to no avail.

            error_log($text, 1, STORE_OWNER_EMAIL_ADDRESS);
//            error_log('hello', 1, STORE_OWNER_EMAIL_ADDRESS);
//            error_log($text, 1, '[email protected]');
//            error_log($text, 1, '[email protected]');


WWW.XXX.YY.ZZZ  01-02-2020: Denied due to numbers in a nameThis IP has 2 violations.
WWW.XXX.YY.ZZZ  01-02-2020: Denied due to letters in phone or fax fields.This IP has 3 violations.
WWW.XXX.YY.ZZZ  01-02-2020: Denied due to numbers in a nameThis IP has 4 violations.
WWW.XXX.YY.ZZZ  01-02-2020: Denied due to being too soon by testing testing.This IP has 5 violations.

The interesting part is that the View Counter email works (see post here https://www.oscommerce.com/forums/topic/392949-view-counter/?page=21)  
With that working - it is obvious that the store's email is correctly configured.  

This is off the wall BUT it is possible that the code inserted in the create_account.php for View Counter could be conflicting somehow?  I ask since the only difference between the OLD version store and the NEW version store - View Counter was NOT installed into the create_account.php file.

I will attempt to restore the create_account.php WITHOUT the View Counter code and check.


32 minutes ago, Chadduck said:

Jack as per your instructions I have tried the various combinations to no avail.

Try replacing that line with this one

tep_mail('to me', STORE_OWNER_EMAIL_ADDRESS, 'honey pot failure', $text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

33 minutes ago, Chadduck said:

This is off the wall BUT it is possible that the code inserted in the create_account.php for View Counter could be conflicting somehow?

No, there shouldn't be any conflict. I use both on my site without any problems.


6 minutes ago, Jack_mcs said:

Try replacing that line with this one


tep_mail('to me', STORE_OWNER_EMAIL_ADDRESS, 'honey pot failure', $text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

THAT WORKED... Email arrived

Subj: honey pot failure

WWW.XXX.YY.ZZZ 01-03-2020: Denied due to numbers in a nameThis IP has 2 violations.

 


Jack

Thank you for the assist.  A follow on question

Since that solved the NO EMAIL issue what do I need to do to STOP emails that are for valid accounts?  Since I have emails working now I have received two separate ones like this for VALID accounts

WWW.XXX.YYY.Z 01-03-2020: A new account was created by by Jane Doe.This IP has 1 violations.
WWW.XXX.YYY.Z 01-03-2020: A new account was created by Frank Smith.This IP has 1 violations

I know they are valid accounts since orders were placed by the individuals creating the accounts.

Also, can this code

tep_mail('to me', STORE_OWNER_EMAIL_ADDRESS, 'honey pot failure', $text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

be changed in any manner to indicate what the violations were?  Just asking because right now I am ecstatic to be getting the emails.

THANKS AGAIN!?!?!

BJ
