Another Way to Prevent Form Spam
Prevent form spam with an invisible captcha using JavaScript. The form user isn't bothered with "prove you are human" demands.
This article assumes you have enough technical expertise to edit the form processing script your form is submitted to.
If you prefer ready-made form spam prevention, see Master Form V4 or Master Form PHP.
Here is how this form spam prevention method works:
-
JavaScript writes a hidden field into the form. The hidden field's value is the current time represented by a 13-digit number.
A spammer looking at that code can emulate the field and even have their software adjust the value to the current time whenever they spam. But the captcha is more subtle than that.
-
Next, we'll introduce a time delay. The delay should be a number of seconds less than the least amount of time a legitimate user would need to use the form. For illustration purposes, we'll assume 5 seconds.
Further down the page, somewhere below the form, is JavaScript to change the value in the hidden field. The hidden field name is obfuscated here so an automated search won't find it in the source code.
The changed value is the original value except with an "A" before the 13 digits and "Z" following them.
The time delay for changing the value of the hidden field should trip up any automated form scanning bots. Because the hidden field name is obfuscated, the bots have no reason to scan the code.
-
When the form is submitted, the form processing software checks the hidden field to see if it is present and if it contains the correctly changed value.
This article provides the JavaScript and an example form. It also contains general suggestions for modifying your form processing software to do the hidden field value check.
Here is an example form (source code further below). The hidden field's value is changed 5 seconds after the page is loaded.
If your browser has the ability to view source code modified with JavaScript after the page has loaded, wait 5 seconds and then view the source. You'll see the hidden field contains the letter "A" followed by 13 digits and the letter "Z".
Here is the source code of the form and the JavaScript. Implementation instructions follow.
<form method="post" action="script.php" onsubmit="return false;"> <script type="text/javascript"> now = new Date() document.write('<input type="hidden" id="timestampcheck" name="timestampcheck" value="' + now.getTime() + '">'); </script> <table> <tr><td>Name:</td><td><input type="text" name="name"></td></tr> <tr><td>Email:</td><td><input type="text" name="email"></td></tr> <tr><td> </td><td><input type="submit"></td></tr> </table> </form> <script type="text/javascript"> var delay = 5; // Number of seconds to delay. Decimal number is OK. function UpdateSection() { document.getElementById("tim"+"esta"+"mpche"+"ck").value = 'A' + document.getElementById("tim"+"esta"+"mpche"+"ck").value + 'Z'; } setTimeout("UpdateSection()",parseInt(delay*1000)); </script>
Implementation Instructions
Step 1 — Copy the JavaScript in blue in the above source code and pasted into your form. Put it anywhere between the <form...> and </form> tags. The JavaScript inserts the hidden field into your form.
Step 2 — Copy the Javascript in red in the above source code and and put it somewhere below the form. Immediately above the the cancel </body> tag is good. The JavaScript changes the value of the hidden field after a specified delay. Change the number 5 to your preferred number of seconds delay.
When the two are completed, the only thing left to do is modify the script that handles the form submission (the script specified in the form tag's action attribute). Some suggestions follow.
Form Handling Script Modification Suggestions
I don't know which script you are using, so I'll provide some general suggestions.
Let's assume you're using a PHP script. (If it's a Perl CGI script, a programmer needs to look at it before making modification suggestions.)
The first thing to do is make a backup copy of the script. Very important. If the edits are unsuccessful, restore the script with your backup.
You'll be inserting this line of code into your PHP script.
if( empty($_POST['timestampcheck']) or (! preg_match('/^A\d{13}Z$/',$_POST['timestampcheck'])) ) { exit; }
(If your form is method="get" instead of method="post", substitute $_GET at both instances of $_POST in the above code.)
The PHP code causes the script to exit if the hidden field's value isn't present or its value is different than it should be.
Where to put the line code is the question.
For most PHP scripts, putting the line of code near the top of the file should work, immediately below the <?php line.
If that doesn't work, try inserting the code on the line immediately above a function declaration. That would be a line beginning with the word "function" followed by a space and a function name. There would be more on the line, at least a set of parenthesis if nothing else.
If still no joy, try inserting the line immediately above the first place the script uses the variable $_POST or $_GET.
A programmer may need to look at the script if it won't work for you.
As mentioned earlier, if you prefer ready-made form spam prevention, see Master Form V4 or Master Form PHP.
Will Bontrager
