Can I limit the number of words entered in account creation?

I'm using 2.3.4.1 CE with PHP 7.0

Recently, I'm seeing an increasing number of fake accounts created with long sentences for First and Last Name, like the latest one:

[Image: customers.JPG]

The second name is a real account created with a first and last name (erased).  The first one speaks for itself.

I'm sure there's a way to limit the number of characters in the input fields, but...what about the number of words?

Like...one word for first name (maybe two max?) and one for last name.  I'm seeing more and more of this lately. 

Nothing urgent...just asking!  Thanks!

- Andrea


I think limiting the length of names is not going to do much in stopping people from creating fake accounts. These people will still hack the system with short names.

Best is to install captchas.


@kgtee

Hi!  I expect you're right.  I do have Honeypot Captcha installed, nothing more.

Most of the fake accounts are a little more promotional text oriented....lots of references to invest-in-Bitcoin lately.

Big long sprawling text for the first and last name which ends up looking like an advertisement or something.  The one I posted was pretty slack, really.

The IP addresses are mostly coming from Ukraine.  Stuff like this is never-ending, it seems!

Thanks for replying to my post, I appreciate it!

- Andrea


7 hours ago, kgtee said:

Hi @puggybelle

There is an extensive discussion here.

 

The conclusion sounds like Google Recaptcha-2 is the most effective captcha to stop those fake accounts. Give that a try! Cheers!

 

Same issue here but not so intensive as other users are describing it.

Using Recaptcha in create_account

In admin/customers.php I have modified the search.
Mostly the spammers use companies like Google - easier to track down, and deleted many - hth

<?php
    // Build the WHERE clause for the admin customer search.
    $search = '';
    if (isset($_GET['search']) && tep_not_null($_GET['search'])) {
      // Escape the keyword before it is placed in the SQL string.
      $keywords = tep_db_input(tep_db_prepare_input($_GET['search']));
      // Match last name, first name, e-mail address, company and telephone.
      $search = "where c.customers_lastname like '%" . $keywords . "%' or c.customers_firstname like '%" . $keywords . "%' or c.customers_email_address like '%" . $keywords . "%' or a.entry_company like '%" . $keywords . "%' or c.customers_telephone like '%" . $keywords . "%'";
    }

Getting the Phoenix off the ground


I've been getting hit all day long with fake accounts like this (and the following was all inserted in the first name field only!)

"Exactly how would certainly you utilize $87264 to make even more cash: https://get-xxx-xxx-xxxx.blogspot.nl

And then even more to follow in the last name field in create_account.php

I think it's ridiculous that those fields are even set up to allow that many characters to start with...255?  That's nuts!

I put a little maxlength="16" in those forms to act as a deterrent.  No sooner than you start typing away...it's over.  Your cursor just gets stuck in place.

I have to think fake accounts like this are done with the hope of me visiting their urls, well...gosh, what a shame if you can't complete them anymore.

Have a nice day!

- Andrea

 


On 10/22/2019 at 10:42 PM, puggybelle said:

Recently, I'm seeing an increasing number of fake accounts created with long sentences for First and Last Name, like the latest one:

The latest version of Honey Pot has an option for this, as well as several other new options. I will try to get it uploaded this weekend.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


If my database entries in the customers table look like this:

[Image: database.JPG]

Does the number 16 mean that is the maximum number of characters that can be stored when creating an account?

Because I woke up to this today:

[Image: halloween.JPG]

And plenty more to follow those.  How is that possible?

Just trying to learn and understand what is happening.  My remedies to stop it are obviously not working.

- Andrea
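
Added example (not part of the original thread, and not osCommerce or Honey Pot code): a `maxlength` attribute is enforced only by the browser, so a script that posts the form directly is not bound by it, and the limit has to be checked again on the server before the account is created. The function name `name_field_errors` and both limits are assumptions chosen for illustration.

```php
<?php
// Added example: server-side check for a name field. Limits are assumptions.
const NAME_MAX_CHARS = 32;  // assumed limit, counted in characters (not bytes)
const NAME_MAX_WORDS = 2;   // assumed limit, e.g. "Mary Ann"

/**
 * Returns the reasons a submitted name is rejected (empty array = accepted).
 * Hypothetical helper, not an osCommerce or Honey Pot function.
 */
function name_field_errors(string $raw): array {
    $errors = [];
    // Collapse runs of whitespace so "a   b" counts as two words.
    $name = trim(preg_replace('/\s+/u', ' ', $raw) ?? '');
    if ($name === '') {
        return ['empty'];
    }
    // mb_strlen counts characters, so multibyte names are not penalised.
    if (mb_strlen($name, 'UTF-8') > NAME_MAX_CHARS) {
        $errors[] = 'too_long';
    }
    if (count(explode(' ', $name)) > NAME_MAX_WORDS) {
        $errors[] = 'too_many_words';
    }
    // A personal name has no URL scheme, "www." prefix or domain-plus-path.
    if (preg_match('~(https?:|www\.|://|\.[a-z]{2,}/)~i', $name)) {
        $errors[] = 'contains_url';
    }
    // Allow letters of any script, combining marks, space, period,
    // apostrophe and hyphen; digits and symbols such as "$" are rejected.
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        $errors[] = 'bad_characters';
    }
    return $errors;
}

// Constructed sample submissions; the second imitates the spam quoted in the thread.
$samples = [
    'Andrea',
    'Exactly how would certainly you utilize $87264 to make even more cash: https://example.invalid',
    'Mephistopheles',
    "Anne-Marie O'Neil",
    'Invest in Bitcoin today and earn',
];
foreach ($samples as $s) {
    $e = name_field_errors($s);
    printf("%-40.40s %s\n", $s, $e ? 'REJECT: ' . implode(',', $e) : 'ok');
}
```

The check belongs in the form handler next to the existing minimum-length validation, so a failed check blocks the insert no matter what the HTML form allowed.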


11 minutes ago, puggybelle said:

Just trying to learn and understand what is happening.  My remedies to stop it are obviously not working. 

Changing the length input accepted will not help. Install this and you will see a 99% reduction overnight. osC is being targeted by both spam bots and human spammers.

reCAPTCHA-2 Form Validation for BS Edge

No easy solution to this; you have to lock all forms on your site.

 


Here is why it's happening. I get offers like this every day.

Hi! ******************
 
Have you ever heard that you can send a message through the contact form? 
These forms are located on many sites. We sent you our message in the same way, and the fact that you received and read it shows the effectiveness of this method of sending messages. 
Since people in any case will read the letter received through the contact form. 
Our database includes more than 35 million websites from all over the world. 
The price of sending one million messages 49 USD. 
There is a discount program for large orders. 
 
Free test mailing of 50,000 messages to any country of your selection. 
 
This offer is created automatically. Please use the contact details below to contact us. 
 
Contact us. 
Telegram - @Feed*****FormEU 
Skype Feed*****Form2019 
Email - *****************

 


29 minutes ago, puggybelle said:

Does the number 16 mean that is the maximum number of characters that can be stored when creating an account?

It should, but I'm kind of suspicious that they did something funky to handle multibyte characters.  I note that your strings are still limited.  It looks like to 32 characters.  So they may have set it to handle 32 bytes on the theory that on average that will be enough to hold 16 characters.  Or they converted to UTF-16 in the storage, which can hold any value that can be represented as UTF-8 as two bytes.  Or something even funkier. 

Stack Overflow suggests that you may find names that are longer than those limits. 

Always back up before making changes.


36 minutes ago, JcMagpie said:

Changing the length input accepted will not help.

I'm curious why you think this? I have the limit in the unreleased version of Honey Pot and it stops the account creation if names have more words than in the settings.


10 minutes ago, puggybelle said:

Can this be used in conjunction with Honeypot Captcha?

The new version of Honey Pot has captcha as an option.


8 minutes ago, Jack_mcs said:

I'm curious why you think this?

From my testing it made no change. I have Honey Pot and Google reCAPTCHA running; between them 99% of bots were stopped. Neither stopped the human idiots; they still spam, but in much smaller numbers. Also, what helped was setting the time to about 30 min before they can resubmit in admin.

Fake accounts are down to less than 1 per week and it's clear this is human. The contact_us form (it's the only one I have active) is still under attack, but again down to a few a day now.

 


25 minutes ago, Kevin.Dallas said:

varchar(40) utf8_unicode_ci

So 40 does not represent characters...it represents the number of words

Is that what you're saying?


1 minute ago, JcMagpie said:

Just be careful, as if you change the length too short it could bugger up all the data in your db.

I understand.  I really don't like messing with the database. 

Think I'll just sit and wait for Jack's new version of Honeypot. 


2 minutes ago, puggybelle said:

I understand.  I really don't like messing with the database. 

Think I'll just sit and wait for Jack's new version of Honeypot. 

I would max set it 40 or just use the Google verification code. Damn spammers, I hear you.


If you have first name set to say 225 and you change it to say 12, then all first names in your db will be trimmed to 12 characters! Not good :)

Only make any changes if you are sure you don't have anything in that table longer than the number you set!

My advice: do not mess with the db; it's no real answer to the problem. Bots will just dump a shorter text into that section and dump longer bits into another part.

 


1 minute ago, JcMagpie said:

If you have first name set to say 225 and you change it to say 12, then all first names in your db will be trimmed to 12 characters! Not good

I changed it last night to 16 for both first and last name.  Total waste of time, I guess.

Mephistopheles will still fit.  🤩


51 minutes ago, puggybelle said:

So 40 does not represent characters...it represents the number of words?

No.  Characters do not represent words.  The 16/32 issue may be a bug or just database weirdness.


Archived

This topic is now archived and is closed to further replies.
