PHP Form Spam Prevention
Have you been spammed with your own forms?
We'll talk about how that can happen. You'll learn about things that can be done about it.
Some site owners implement what's termed a "visual CAPTCHA," an image with characters or other visual element that must be responded to correctly to prove you are human.
There are less demeaning alternatives. Non-intrusive, silent ways exist to detect non-human users, like spammers' automated form submission robots.
There are 3 ways you can be spammed through your own forms:
-
A real person manually filling in the form and submitting it.
-
Robot assisted, where the robot grabs a bunch of forms and presents them on a person's desktop, making it a relative fast process to paste the same message into each.
-
Completely automated robot.
There is not much can be done about the person manually filling in and submitting the form. Fortunately, it takes personal time to manually load a form, fill it in, and submit it, more time than it does to send an email. So you don't see a lot of manual form submissions for spamming.
I'm seeing more and more of what appears to be the second method, a robot grabbing forms and a human manually submitting them, one by one, probably in quick succession.
It still takes personal time, so I expect this activity to level off or even drop in the near future. Labor could be expensive to hire for that, unless the response is very good.
The third method, automatic spamming of forms using a robot, is a scourge on the Internet.
Much, if not all, automatic form spamming can be eliminated. And some, if not all, of the robot-assisted form spamming, also.
Probably "eliminated" is not the right word. They will continue to try. It's just that the spam emails won't be sent.
The form spam prevention presented here assumes your form handling software is written with PHP. How it works, in a moment.
How It Works
Robots generally don't run and parse JavaScript. We take advantage of that.
-
A hidden field in the form is assigned a value.
-
Below the form, JavaScript is used to change that value.
-
When the form is submitted, the PHP form processing software checks the value to determine if it was a robot that submitted the form.
The web page with the form should print a prominent notice when it detects a browser that can't use JavaScript. JavaScript needs to be turned on to use the form.
(Alternatively, if you don't want to use PHP, Master Form V4 has auto-submission protection built it as an option to turn on when it's needed.)
How To Do It
A hidden field is added to the form and JavaScript pasted below the form. Then, the form processing script is modified to check for the special value.
Let's take this form as an example:
<form name="myantispamform" method="POST" action="formprocessor.cgi"> <input type="hidden" name="_a2a2a_" value="23"> Name: <input type="text" name="name" size="22"><br> Email: <input type="text" name="email" size="22"><br> Comments:<br> <textarea rows="6" cols="33" name="comments"></textarea><br> <input type="submit" name="submitbutton" value="Submit Form"> </form>
Note that the form has a name (assigned in the <form... tag) and that there is a hidden field. Both of those will be referred to in the JavaScript.
Here is the JavaScript:
<script type="text/javascript"> var formname = "myantispam"; var fieldname = "_a2a2a_"; var finalvalue = "4"; var soft_sell = "document."; soft_sell += formname; soft_sell += "." + fieldname + ".va"; eval(soft_sell + "lue='"+finalvalue+"'"); </script>
In the JavaScript, specify the form's name, the name of the hidden field, and the final value for that hidden field. The final value needs to be different than the value assigned to the hidden field in the form itself.
The form name, hidden field name, original hidden field value, and final hidden field value may be changed, if you wish.
Notice that the JavaScript assigning the new value to the hidden field is anything but straight-forward. The idea is to obfuscate it for future robots that might have the ability to parse JavaScript even though they don't actually run it.
Put the JavaScript somewhere below the form.
That's all that needs to be done with the form.
Now, the form handling PHP script needs to be modified. Insert one line (assumes the field name and final value as in the above example).
if( (count($_POST) > 0) and (! isset($_POST["_a2a2a_"])) and $_POST["_a2a2a_"] != "4" ) { exit; }
The line can be inserted pretty much anywhere other than in a function. Putting it as the first line of the PHP script, immediately below the <? or <?php should work just fine.
If the hidden field is different in your implementation, change all instances of "_a2a2a_" accordingly. Similarly, if the final value is not "4".
When the above changes are made correctly, the script will stop running where you inserted the line of PHP code unless the form field name and value indicate a real person used the form.
Extras
If you prefer not to modify your current form handling software, get one of these:
Master Form .PHP (PHP software)
Master Form V4 (CGI software)
Both titles have built-in form spam prevention. Simply decide which you want, PHP or CGI software.
When you read the product description pages for Master Form .PHP and Master Form V4 , you'll see the software has pretty much everything a person would want related to security and to processing form information. And we're known for the great professional support we provide for our customers.
Then, do it. Get rid of that form spam.
Will Bontrager
