Testing Version 1.6 on my PHP 7.2 XAMPP test site and get this error when attempting to create a legitimate account.

1048 - Column 'ip_number' cannot be null

insert into honeypot_track set count = '1', ip_number = INET_ATON( '::1' ), last_date = now()

[TEP STOP]

Edited by mhsuffolk

OsC 2.3.4.1 CE Frozen   PHP 7.2   MySQL 10.1.36-MariaDB-cll-lve


It's failing because you have the option to use the IPv6 format enabled. I may put a check in for what type of IP it is but I don't know that I will be changing the code to accept them. IPv6 IPs are still not used much so I don't find it worthwhile, time-wise, to code for them.


I was not aware of that. Is that in PHP 7.2 or is it in the XAMPP set up? I cannot see a setting for it.


OsC 2.3.4.1 CE Frozen   PHP 7.2   MySQL 10.1.36-MariaDB-cll-lve


All of the WAMP packages come with IPv6 set to on, at least the newer ones do. As far as I know, no host enables that as the default (we don't, at least). To turn it off, open the http.conf file and search for Listen. The lines should look like this to turn IPv6 off:

Listen 0.0.0.0:80
#Listen [::0]:80
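
MySQL's INET_ATON() only parses dotted-quad IPv4 and returns NULL for anything else, which is why '::1' produces error 1048 in the first post. The following is an added example, not the add-on's code: it validates and packs the client address in PHP so both IPv4 and IPv6 visitors can be tracked. The function names and the VARBINARY(16) column type are assumptions.

```php
<?php
// Added example: helper names are hypothetical, not from the Honeypot add-on.
// Assumes honeypot_track.ip_number has been changed to VARBINARY(16).

/** Return the packed (4- or 16-byte) form of $ip, or null if it is not an IP. */
function hp_pack_ip(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;                       // not an address at all
    }
    $packed = inet_pton($ip);              // 4 bytes for IPv4, 16 for IPv6
    // Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so one client
    // is not tracked under two different keys.
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mappedPrefix) {
        $packed = substr($packed, 12);
    }
    return $packed;
}

/** Build the tracking INSERT, or return null when the address is unusable. */
function hp_track_insert_sql(string $ip): ?string
{
    $packed = hp_pack_ip($ip);
    if ($packed === null) {
        return null;                       // caller skips tracking instead of hitting error 1048
    }
    // bin2hex() yields only [0-9a-f], so the literal is safe to embed.
    return "insert into honeypot_track set count = '1', ip_number = UNHEX('"
         . bin2hex($packed) . "'), last_date = now()";
}

// Constructed sample addresses.
foreach (['203.0.113.7', '::1', '::ffff:203.0.113.7', 'not-an-ip'] as $sample) {
    $sql = hp_track_insert_sql($sample);
    echo str_pad($sample, 20), ' => ', $sql ?? '(skipped: not an IP address)', PHP_EOL;
}
```

Nullable return types need PHP 7.1 or later.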

 


You might want to read this article on CAPTCHAs: https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence . It states that AI is expected to improve to the point that it will solve any CAPTCHA puzzle much better than humans can. It's just about there, already. The emphasis will have to shift from how perfectly the "user" can solve a problem to watching how very human imperfections and randomness in the interaction betray who is human. Also, rather than relying on a one-time hard-shell defense against bots, we will have to watch users in their interactions with a site and see if they're doing bot-like things. Big Brother, anyone? The article points out that Third World CAPTCHA farms use people to sign up for forums and blogs, etc., which then can be handed over to bots to do the spamming. This would require monitoring of the user interactions beyond just the signup, such as an occasional CAPTCHA challenge from time to time. If most spammers crap on your forum just once (or use your tell-a-friend function for one mass mailing) and then never come back, that may be more annoying than useful.

The comments are rather interesting too. Several people pointed out that the reCAPTCHA emphasis on traffic lights and street signs and vehicle recognition suggests that we are being used to train Google's self-driving cars -- for free.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


@MrPhil Thanks for the link. It finally offers a reasonable explanation as to why fake accounts are becoming a common thing. I don't think there is any code that can stop all of them unless some check is added and that is a bother to real customers.

But for this addon, their scripts can't get by the contact us and create account pages because those checks are done in PHP. Although for the create account page, if the settings are strict, like one account allowed, then it might affect legitimate customers.


Just installed this on my two responsive bootstrap sites and it's working great. Thanks a million for all your work, Jack!


Hi Jack,

Just attempting a new install of v1.6 on a CE store. Forgive me if I'm having a blond moment. I notice some discrepancies between instructions 3 & 4 in the ReadMe.txt and the files in "v234\ChangedFiles". There are additional bits of code in the files not in the ReadMe.txt.

One example is in the contact_us.php file, on line 24 to 34:

    /*** BEGIN HONEYPOT ***/
    if (MODULE_HEADER_TAGS_HONEYPOT_ALLOW_EMAIL == 'False' || MODULE_HEADER_TAGS_HONEYPOT_ALLOW_URLS == 'False') {
        include('includes/functions/honeypot.php');
        if (($reslt = InvalidText($enquiry)) != 'good') {
            if ($reslt != 'failed') {
                $messageStack->add('contact', $reslt);
            }
            $error = true;
        }
    }
    /*** END HONEYPOT ***/

This part of code is not mentioned in the ReadMe.txt.

Please can you confirm, am I OK to go with the instructions in the ReadMe.txt and ignore the changed files?

 

3 hours ago, Pritchard78 said:

Please can you confirm, am I OK to go with the instructions in the ReadMe.txt and ignore the changed files?

I apologize for the confusion this caused. Yes, that file change is needed. The changed files will always be correct. I try to supply installation instructions but they don't always match. Here are the instructions from the unreleased next version:

3) In the contact_us.php file,

FIND:

    if (!tep_validate_email($email_address)) {

ADD ABOVE:

    /*** BEGIN HONEYPOT ***/
    if (MODULE_HEADER_TAGS_HONEYPOT_ALLOW_EMAIL == 'False' || MODULE_HEADER_TAGS_HONEYPOT_ALLOW_URLS == 'False') {
        include('includes/functions/honeypot.php');
        if (($reslt = InvalidText($enquiry)) != 'good') {
            if ($reslt != 'failed') {
                $messageStack->add('contact', $reslt);
            }
            $error = true;
        }
    }
    /*** END HONEYPOT ***/

FIND:

<?php echo tep_draw_form('contact_us', tep_href_link('contact_us.php', 'action=send'), 'post', 'class="form-horizontal"', true); ?>

REPLACE WITH:

<?php //BEGIN HONEYPOT ?>
<?php echo tep_draw_form('contact_us', tep_href_link('contact_us.php', 'action=send'), 'post', ' onsubmit="return validateMyForm();" class="form-horizontal"', true); ?>
<?php //END HONEYPOT ?>

FIND:

  <div class="buttonSet">

ADD ABOVE IT:

  <?php //BEGIN HONEYPOT ?>
  <div style="display:none;">
    <label>Keep this field blank</label>
    <input type="text" name="honeypot" id="honeypot" />
  </div>
  <?php //END HONEYPOT ?>

-----------------------------------------------------------------
4) In the create_account.php file,

FIND:

    if ($error == false) {

ADD ABOVE:

    /***** Begin Honey Pot *****/
    if ($error == false) {
        if (defined('MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_CHECK') && MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_CHECK == 'True') {
            include('includes/languages/' . $language . '/modules/header_tags/ht_honeypot.php');
            include('includes/functions/honeypot.php');
            $cust = $firstname . ' ' . $lastname;
            $error = CheckCreateAccountHP($cust);
            if ($error) {
                $messageStack->add('create_account', MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_TOO_SOON);
            }
        }
    }
    /***** End Honey Pot *****/

FIND:

<?php echo tep_draw_form('create_account', tep_href_link('create_account.php', '', 'SSL'), 'post', 'class="form-horizontal"', true) . tep_draw_hidden_field('action', 'process'); ?>

REPLACE WITH:

<?php //BOC Honeypot ?>
<?php echo tep_draw_form('create_account', tep_href_link('create_account.php', '', 'SSL'), 'post', 'class="form-horizontal" onSubmit="return validateMyForm(create_account);"', true) . tep_draw_hidden_field('action', 'process'); ?>
<?php //EOC Honeypot ?>

FIND:

  <div class="buttonSet">

ADD ABOVE:

<!-- BOC Honeypot -->
  <div style="display:none;">
   <label>Keep this field blank</label>
   <input type="text" name="honeypot" id="honeypot" />
  </div>
<!-- EOC Honeypot -->

 


Hello,

I'm getting a few spams that got through with just one character and also long junk strings like this

+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%

Also, what is the best way to add an array of domains to block, such as domain.com, example.com, etc.?

Thank you for the help!

 

 

24 minutes ago, mcbsolutions said:

I'm getting a few spams that got through with just one character and also long junk strings like this

That string is trying to access your database. If it was submitted via the contact us page there's no danger from it. But if it was sent from the create account page, it might cause problems.

Honeypot can't block the message because it is legitimate. There's not an option to block for specific text. You can use the account limit setting to prevent additional accounts so that will only allow one through.

I have a new version that I am going to try and get uploaded soon. It may help with emails like this.


A new version has been uploaded with these changes.

  • Added an ignore IP setting so shop owners can create multiple accounts.
  • Added the account_pwa.php file for those with the Purchase Without Account addon installed.
  • Added code to the contact us page to check for violations of the Honey Pot form.
  • Added an option to prevent emails containing certain words.
  • Changed the notification code and option so emails can be sent for every account creation.

For shops with a previous version installed that uses the module, be sure to uninstall the module before updating to avoid database problems.
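
The thread describes a hidden `honeypot` field, a comma-separated "bad words" setting, and a request to block sender domains. The following is an added example, not the add-on's own code, of how those three checks can be applied server-side to one submission; the function name, the `email` POST key and the sample values are assumptions.

```php
<?php
// Added example: hypothetical names, not the add-on's InvalidText() or its settings code.
// The 'email' POST key is an assumption; 'honeypot' and 'enquiry' appear in the thread.
/** Return 'good', or a short reason the submission should be rejected. */
function hp_check_submission(array $post, string $badWordsCsv, array $blockedDomains): string
{
    // 1. The hidden field must come back present and empty. A script that posts
    //    directly never runs the onsubmit JavaScript, so this has to be server-side.
    if (!isset($post['honeypot']) || $post['honeypot'] !== '') {
        return 'honeypot field filled or missing';
    }
    // 2. Undo percent-encoding (bounded) so "%2c" and "+" cannot hide a listed word.
    $text = (string) ($post['enquiry'] ?? '');
    for ($i = 0; $i < 3 && ($decoded = urldecode($text)) !== $text; $i++) {
        $text = $decoded;
    }
    $text = strtolower($text);
    // 3. Comma-separated word list, matched on word boundaries.
    $words = array_filter(array_map('trim', explode(',', strtolower($badWordsCsv))), 'strlen');
    foreach ($words as $word) {
        if (preg_match('/\b' . preg_quote($word, '/') . '\b/', $text)) {
            return 'bad word: ' . $word;
        }
    }
    // 4. Blocked sender domains, subdomains included.
    $email  = strtolower(trim((string) ($post['email'] ?? '')));
    $at     = strrpos($email, '@');
    $domain = $at === false ? '' : substr($email, $at + 1);
    foreach ($blockedDomains as $blocked) {
        $suffix = '.' . strtolower($blocked);
        if ($domain === strtolower($blocked) || substr($domain, -strlen($suffix)) === $suffix) {
            return 'blocked domain: ' . $domain;
        }
    }
    return 'good';
}

// Constructed sample submissions.
$words = 'information_schema, casino';
$deny  = ['example.com'];
$samples = [
    ['honeypot' => '', 'enquiry' => 'Where is my order?', 'email' => 'a@shop.test'],
    ['honeypot' => 'http://x.test', 'enquiry' => 'hi', 'email' => 'a@shop.test'],
    ['honeypot' => '', 'enquiry' => 'x+FROM+INFORMATION_SCHEMA.COLLATIONS%2b', 'email' => 'a@shop.test'],
    ['honeypot' => '', 'enquiry' => 'Hello', 'email' => 'bot@mail.example.com'],
];
foreach ($samples as $s) {
    echo hp_check_submission($s, $words, $deny), PHP_EOL;
}
```

A word filter like this only reduces noise in the inbox; values written to the database still need escaping or bound parameters regardless of what the filter lets through.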


Jack, the last 2 lines in the SQL given give my database an error:

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now())");
insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());

Syntax?


What is the error?

What version of oscommerce are you using?

What version of php are you using?

8 minutes ago, Jack_mcs said:

What is the error?

What version of oscommerce are you using?

What version of php are you using?

V2.3.4    PHP 7.0

Static analysis:

3 errors were found during analysis.

 

  1. Ending quote " was expected. (near "" at position 690)
  2. Unexpected token. (near ""); insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());" at position 339)
  3. Unexpected beginning of statement. (near ""); insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());" at position 339)

 

SQL query:

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now())"); insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());

MySQL said:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '");
insert into configuration (configuration_title, configuration_key, configur' at line 1

 

58 minutes ago, Boldman said:

now())"); insert

should be

now()); insert

Any idea how it got corrupted?


1 hour ago, Boldman said:

V2.3.4    PHP 7.0

The error is caused by a mistake in the changes for older shops that can't use modules. I don't have a V2.3.4 shop to test but I think it can use modules so you should not be using that code. But for those that have the problem, change the following. But note, if your shop uses the module, making this change will cause problems. 

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now())");

to

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now());

 
