  1. #1 laflair13

    contact form using hidden field is still letting spam through

    Hey all,

    I tried putting a hidden field on my contact form thinking that if it was filled out the script would know it was spam and not send it through. I am still getting a lot of spam messages.

    Any advice?

    Here is the code I am using.

    Form code
    PHP Code:
    <!-- Form Code Start -->
    <form name="htmlform" id="contactus" method="post" action="mail.php">
    <table width="450px">
    <tr>
     <td valign="top">
      <label for="full_name">Full Name *</label>
     </td>
     <td valign="top">
      <input type="text" name="full_name" id="full_name" maxlength="50" size="30">
     </td>
    </tr>

    <tr>
     <td valign="top">
      <label for="company">Company *</label>
     </td>
     <td valign="top">
      <input type="text" name="company" id="company" maxlength="50" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="email">Email Address *</label>
     </td>
     <td valign="top">
      <input type="text" name="email" id="email" maxlength="80" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="telephone">Telephone Number</label>
     </td>
     <td valign="top">
      <input type="text" name="telephone" id="telephone" maxlength="30" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="website">Website Address</label>
     </td>
     <td valign="top">
      <input type="text" name="website" id="website" maxlength="80" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="comments">Comments *</label>
     </td>
     <td valign="top">
      <textarea name="comments" id="comments" maxlength="1000" cols="25" rows="6"></textarea>
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label><img src="captcha.php"></label>
     </td>
     <td valign="top">
      <!-- NOTE: the "code" value is never compared against the CAPTCHA in the
           mail.php posted below, so the CAPTCHA is currently display-only. -->
      <input type="text" name="code"> <br />
      Please type in the numbers and click submit.
     </td>
    </tr>
    <!-- Honeypot: hidden from people by the .humans CSS rule (not shown on this
         page); a bot that fills in every text input will fill this one too. -->
    <tr class="humans">
     <td colspan="2">
      <label for="humans" class="humans">Human check: leave this field empty</label>
      <input type="text" name="humans" id="humans" class="humans" />
     </td>
    </tr>
    <tr>
     <td colspan="2" style="text-align:center">
      <input type="submit" value="Submit">
     </td>
    </tr>
    </table>
    </form>
                </div><!--Closes contact-R-->
    mail.php

    PHP Code:
    <?php
    if(isset($_POST['email'])) {

        // CHANGE THE TWO LINES BELOW
        $email_to      = "myemail@email.com";
        $email_subject = "AFE Contact Form Submission";

        function died($error) {
            // your error code can go here
            echo "We are very sorry, but there were error(s) found with the form you submitted. ";
            echo "These errors appear below.<br /><br />";
            echo $error."<br /><br />";
            echo "Please go back and fix these errors.<br /><br />";
            die();
        }

        // validation expected data exists
        if(!isset($_POST['full_name']) ||
            !isset($_POST['company']) ||
            !isset($_POST['email']) ||
            !isset($_POST['telephone']) ||
            !isset($_POST['website']) ||
            !isset($_POST['comments'])) {
            died('We are sorry, but there appears to be a problem with the form you submitted.');
        }

        $full_name  = $_POST['full_name']; // required
        $company    = $_POST['company'];   // required
        $email_from = $_POST['email'];     // required
        $telephone  = $_POST['telephone']; // not required
        $website    = $_POST['website'];   // not required
        $comments   = $_POST['comments'];  // required
        // Note: the CAPTCHA answer posted as $_POST['code'] is never checked in this script.

        $error_message = "";
        $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
        if(!preg_match($email_exp,$email_from)) {
            $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
        }
        $string_exp = "/^[A-Za-z .'-]+$/";
        if(!preg_match($string_exp,$full_name)) {
            $error_message .= 'The Name you entered does not appear to be valid.<br />';
        }
        if(!preg_match($string_exp,$company)) {
            $error_message .= 'The Company you entered does not appear to be valid.<br />';
        }
        if(strlen($comments) < 2) {
            $error_message .= 'The Comments you entered do not appear to be valid.<br />';
        }
        if(strlen($error_message) > 0) {
            died($error_message);
        }

        $email_message = "Form details below.\n\n";

        // Removes a few header-injection strings from body fields.
        // str_replace is case-sensitive, so e.g. "Bcc:" is not removed.
        function clean_string($string) {
            $bad = array("content-type","bcc:","to:","cc:","href");
            return str_replace($bad,"",$string);
        }

        // Honeypot check as posted: both branches are empty, so a filled-in
        // 'humans' field is noticed but the script carries on and sends the mail.
        if(!empty($_POST['humans'])) {
            // it's spam
        } else {
            // it's human
        }

        $email_message .= "Name: ".clean_string($full_name)."\n";
        $email_message .= "Company: ".clean_string($company)."\n";
        $email_message .= "Email: ".clean_string($email_from)."\n";
        $email_message .= "Telephone: ".clean_string($telephone)."\n";
        $email_message .= "Website: ".clean_string($website)."\n";
        $email_message .= "Comments: ".clean_string($comments)."\n";

        // create email headers
        $headers = 'From: '.$email_from."\r\n".
                   'Reply-To: '.$email_from."\r\n" .
                   'X-Mailer: PHP/' . phpversion();
        // The @ suppresses any error from mail(); a failed send is silently dropped.
        @mail($email_to, $email_subject, $email_message, $headers);
    ?>



    <?php
    }
    die();
    ?>
    Thanks In Advance

    David

  2. #2 ralph.m
    Your check on the 'humans' field doesn't actually do anything:

    Code:
    if(!empty($_POST['humans'])) { 
        // it's spam 
    } else { 
        // it's human 
    }
    Instead, you could do something like this:

    Code:
    if(!empty($_POST['humans'])) {
        echo "You failed the spam test!";
        exit();
    }
    The exit() part aborts the form sending.
    Facebook | Google+ | Twitter | Web Design Tips | Free Contact Form

    Forum Usage: Tips on posting code samples, images and more

    Forrest Gump: "IE is like a box of chocolates: you never know what you're gonna get."

  3. #3 Force Flow
    Also keep in mind that this technique won't fool every bot/spammer.

    I've also been using the technique where if the form is submitted 3 seconds after generating the page, it doesn't accept the submission. Normally, it takes a real human user considerably longer than 3 seconds to fill out a form.

  4. #4 laflair13
    I have tried the new code and I am still getting spam. How would I set it to be more than 3 seconds?
    Thanks In Advance

    David

  5. #5 Rubble
    You would need to set a session or cookie when the contact page is loaded and then check the time when the form is submitted in mail.php. If the time is less than 3 seconds you display the error and exit.

  6. #6 ralph.m
    There's a discussion about setting a timer here: http://www.sitepoint.com/forums/show...=1#post5144556

    That thread inspired me to try out this method, and it works well for me. I wrote a bit more about it here.

  7. #7 laflair13
    After reading the replies and following the other page, here is what I have. I hope this works.


    Form code.
    PHP Code:
    <form name="htmlform" id="contactus" method="post" action="mail.php">
    <table width="450px">
    <tr>
     <td valign="top">
      <label for="full_name">Full Name *</label>
     </td>
     <td valign="top">
      <input type="text" name="full_name" id="full_name" maxlength="50" size="30">
     </td>
    </tr>

    <tr>
     <td valign="top">
      <label for="company">Company *</label>
     </td>
     <td valign="top">
      <input type="text" name="company" id="company" maxlength="50" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="email">Email Address *</label>
     </td>
     <td valign="top">
      <input type="text" name="email" id="email" maxlength="80" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="telephone">Telephone Number</label>
     </td>
     <td valign="top">
      <input type="text" name="telephone" id="telephone" maxlength="30" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="website">Website Address</label>
     </td>
     <td valign="top">
      <input type="text" name="website" id="website" maxlength="80" size="30">
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label for="comments">Comments *</label>
     </td>
     <td valign="top">
      <textarea name="comments" id="comments" maxlength="1000" cols="25" rows="6"></textarea>
     </td>
    </tr>
    <tr>
     <td valign="top">
      <label><img src="captcha.php"></label>
     </td>
     <td valign="top">
      <!-- NOTE: "code" is still never compared against the CAPTCHA in mail.php below. -->
      <input type="text" name="code"> <br />
      Please type in the numbers and click submit.
     </td>
    </tr>
    <!-- Honeypot: hidden from people by the .humans CSS rule (not shown here). -->
    <tr class="humans">
     <td colspan="2">
      <label for="humans" class="humans">Human check: leave this field empty</label>
      <input type="text" name="humans" id="humans" class="humans" />
     </td>
    </tr>

    <!-- Page load time for the timing check. The posted version had
         value="time();", which is a literal string: PHP only runs inside
         <?php ... ?> tags. Note that whatever is put here is sent to the
         client and comes back in $_POST, so a bot can post any value it likes. -->
    <input type="hidden" name="loadtime" value="<?php echo time(); ?>" />

    <tr>
     <td colspan="2" style="text-align:center">
      <input type="submit" value="Submit">
     </td>
    </tr>
    </table>
    </form>

    mail.php code
    PHP Code:
    <?php
    if(isset($_POST['email'])) {

        // CHANGE THE TWO LINES BELOW
        $email_to      = "myemail@site.com";
        $email_subject = "AFE Contact Form Submission";

        function died($error) {
            // your error code can go here
            echo "We are very sorry, but there were error(s) found with the form you submitted. ";
            echo "These errors appear below.<br /><br />";
            echo $error."<br /><br />";
            echo "Please go back and fix these errors.<br /><br />";
            die();
        }

        // validation expected data exists
        if(!isset($_POST['full_name']) ||
            !isset($_POST['company']) ||
            !isset($_POST['email']) ||
            !isset($_POST['telephone']) ||
            !isset($_POST['website']) ||
            !isset($_POST['comments'])) {
            died('We are sorry, but there appears to be a problem with the form you submitted.');
        }

        $full_name  = $_POST['full_name']; // required
        $company    = $_POST['company'];   // required
        $email_from = $_POST['email'];     // required
        $telephone  = $_POST['telephone']; // not required
        $website    = $_POST['website'];   // not required
        $comments   = $_POST['comments'];  // required
        // Note: the CAPTCHA answer posted as $_POST['code'] is never checked in this script.

        $error_message = "";
        $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
        if(!preg_match($email_exp,$email_from)) {
            $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
        }
        $string_exp = "/^[A-Za-z .'-]+$/";
        if(!preg_match($string_exp,$full_name)) {
            $error_message .= 'The Name you entered does not appear to be valid.<br />';
        }
        if(!preg_match($string_exp,$company)) {
            $error_message .= 'The Company you entered does not appear to be valid.<br />';
        }
        if(strlen($comments) < 2) {
            $error_message .= 'The Comments you entered do not appear to be valid.<br />';
        }
        if(strlen($error_message) > 0) {
            died($error_message);
        }

        $email_message = "Form details below.\n\n";

        // Removes a few header-injection strings (case-sensitively) from body fields.
        function clean_string($string) {
            $bad = array("content-type","bcc:","to:","cc:","href");
            return str_replace($bad,"",$string);
        }

        // Honeypot: a filled-in 'humans' field now aborts before mail() is reached.
        if(!empty($_POST['humans'])) {
            echo "You failed the spam test!";
            exit();
        }

        // Timing check. $loadtime is whatever the client posted back, so a bot
        // that sets loadtime to an old timestamp passes this check; only the
        // server (e.g. a session) can vouch for when the form was really served.
        $loadtime  = isset($_POST['loadtime']) ? (int) $_POST['loadtime'] : 0;
        $totaltime = time() - $loadtime;

        if($totaltime < 7) {
            echo("You took less than 7 seconds to complete the form, Please take more time to assure information is correct.");
            exit();
        }

        $email_message .= "Name: ".clean_string($full_name)."\n";
        $email_message .= "Company: ".clean_string($company)."\n";
        $email_message .= "Email: ".clean_string($email_from)."\n";
        $email_message .= "Telephone: ".clean_string($telephone)."\n";
        $email_message .= "Website: ".clean_string($website)."\n";
        $email_message .= "Comments: ".clean_string($comments)."\n";

        // create email headers
        $headers = 'From: '.$email_from."\r\n".
                   'Reply-To: '.$email_from."\r\n" .
                   'X-Mailer: PHP/' . phpversion();
        @mail($email_to, $email_subject, $email_message, $headers);
    }
    ?>
    Thanks In Advance

    David

  8. #8 ralph.m
    Quote Originally Posted by laflair13:
    I hope this works.
    Hehe, let us know.

    Make sure to add the () after exit, though.

    Code:
    {
       echo("You took less than 7 seconds to complete the form, Please take more time to assure information is correct.");
       exit();
    }

  9. #9 lorenw
    One thing I have had success with is to create a session variable with a random string.
    Then create a hidden form field with $_SESSION['secret'] as its value.
    when the form is posted do a check,
    PHP Code:
    if ($_SESSION['secret'] != $_POST['secret']) {
        // spam bot
        exit();
    }
    @ralph.m, ever since the beginning I have never used () after exit.
    I just went to php.net and sure enough they are called for.
    Then I got curious as to why it works without them and gives no error.
    Googled and found this.
    http://stackoverflow.com/questions/3...re-parentheses

    exit is a function, and I'm surprised it worked now.
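    The three ideas raised in this thread (the honeypot field from #2, the minimum fill time from #3 and #5, and the per-session secret from #9) all work best when the state they rely on lives on the server. The version in #7 puts the load time in a hidden field, which means the client chooses it. Below is an added example that is not code from the thread: a single contact.php that renders the form on GET and checks the submission on POST, keeping the load time and the secret in the session so that neither can be forged or replayed. The constant names, the `$_SESSION['contact']` key and the field names are assumptions chosen for this example; the field validation and mail() call from the thread's mail.php would go where the comment says.

```php
<?php
// Added example (not from the thread). Honeypot + session-backed timer + random
// per-session secret. Requires PHP 7+ (random_bytes, ??) and a session.
declare(strict_types=1);
session_start();

const FORM_MIN_SECONDS = 7;     // assumption: same threshold #7 used
const FORM_MAX_SECONDS = 3600;  // assumption: a form older than an hour has expired

/** Create fresh anti-spam state for one rendering of the form and store it server-side. */
function issue_form_state(): array
{
    $state = [
        'secret' => bin2hex(random_bytes(16)), // 128 random bits, unguessable
        'loaded' => time(),                    // kept in the session, never sent to the client
    ];
    $_SESSION['contact'] = $state;
    return $state;
}

/**
 * Return null when the submission passes every check, otherwise a short reason.
 * $post is $_POST, $session is $_SESSION['contact'] (or null if the form was
 * never rendered in this session), $now is injected so the timing rule is testable.
 */
function spam_reason(array $post, ?array $session, int $now): ?string
{
    if ($session === null) {
        return 'no form state in session';
    }
    // Honeypot: a real browser leaves the CSS-hidden field empty.
    if (($post['humans'] ?? '') !== '') {
        return 'honeypot filled';
    }
    // Secret: constant-time comparison, so a wrong guess leaks nothing about the right one.
    if (!hash_equals($session['secret'], (string) ($post['secret'] ?? ''))) {
        return 'secret token mismatch';
    }
    // Timing: the load time comes from the session, so a bot cannot backdate it.
    $elapsed = $now - $session['loaded'];
    if ($elapsed < FORM_MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > FORM_MAX_SECONDS) {
        return 'form expired';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = spam_reason($_POST, $_SESSION['contact'] ?? null, time());
    unset($_SESSION['contact']); // one submission per rendered form: no replay of a good token
    if ($reason !== null) {
        error_log('contact form rejected: ' . $reason); // log the reason, don't tell the bot
        http_response_code(400);
        exit('Sorry, your submission could not be accepted.');
    }
    // ... validate the fields and call mail() here, as in the thread's mail.php ...
    exit('Thank you, your message was sent.');
}

$state  = issue_form_state();
$secret = htmlspecialchars($state['secret'], ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <label>Email <input type="text" name="email"></label>
  <label>Comments <textarea name="comments"></textarea></label>
  <!-- the secret is random per session; the load time is deliberately not in the HTML -->
  <input type="hidden" name="secret" value="<?= $secret ?>">
  <!-- honeypot: hide with CSS (e.g. .humans { display: none; }) rather than type="hidden",
       so that to a bot it looks like an ordinary text input worth filling in -->
  <div class="humans"><label>Leave this field empty <input type="text" name="humans"></label></div>
  <input type="submit" value="Submit">
</form>
```

    Each check stops a different class of bot: the honeypot stops scripts that fill every input, the secret stops scripts that POST to mail.php without ever loading the form, and the session timer stops scripts that load and submit in one go. As Force Flow said in #3, none of this fools every spammer: a bot that fetches the page with cookies enabled, waits eight seconds and posts back passes all three, so these checks raise the cost rather than replace a real CAPTCHA check or rate limiting. Note also that in both versions of mail.php posted above the CAPTCHA answer in $_POST['code'] is never compared with anything, so the CAPTCHA is currently doing no work at all.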

  10. #10 ralph.m
    Quote Originally Posted by lorenw:
    @ralph.m, ever since the beginning I have never used () after exit.
    I just went to php.net and sure enough they are called for.
    Then I got curious as to why it works without them and gives no error.
    Googled and found this.
    http://stackoverflow.com/questions/3...re-parentheses
    Hm, interesting! I only know very little PHP, so was wondering if I was off the mark. Seems like I sort of was and sort of wasn't.

  11. #11 StarLion
    exit is a language construct, and can be called without parenthesis if no status is passed with it. exit(); is equivalent to exit; and to exit(0);

  12. #12 K. Wolfe
    Quote Originally Posted by Force Flow:
    Also keep in mind that this technique won't fool every bot/spammer.

    I've also been using the technique where if the form is submitted 3 seconds after generating the page, it doesn't accept the submission. Normally, it takes a real human user considerably longer than 3 seconds to fill out a form.
    I like it!
