  1. #1
    SitePoint Enthusiast

    Question PHP to validate small gif on HTML form

    I have a simple contact HTML form which sends me an email when someone uses it.

    I want to show a little gif image that the user needs to verify, helping avoid bots and spam

    Something like reCAPTCHA but less intrusive.

    The gif doesn't have to change, I'll just use the same one.

    Can anyone help?

  2. #2
    SitePoint Evangelist
    Why not put a sum in the image and then get the user to enter the value in an input field.
    You say the value isn't going to change so compare the user input against a hardcoded value.

    Hope that helps.

  3. #3
    ralph.m (It's all Geek to me)
    I prefer to have a hidden field which, if filled in, aborts the form. That stops the bots in their tracks. But to make life a little better for some screen reader users etc. you could add a simple sum in words that will allow the form to submit. That is, the label says "what's two plus two?", and the form sends if either "four" or "4" are entered, but aborts if anything else is submitted. Keep it hidden with display: none so that most people—even some screen readers—won't see it.

    It's better not to make life harder for honest people.

  4. #4
    SitePoint Enthusiast
    I think I'll try the hidden field trick.

    Let's say I add a hidden field 'validate', how do I check that it hasn't been filled in before the email is sent?

    Can someone help me out?

  5. #5
    ralph.m (It's all Geek to me)
    Quote Originally Posted by philb
    Let's say I add a hidden field 'validate', how do I check that it hasn't been filled in before the email is sent?
    This is what I sometimes use:

    Code PHP:
    if (!empty($validate) && !($validate == "4" || $validate == "four")) {
        echo "Crime does not pay!";
        exit();
    }

    So, if the field is empty, or if it contains "4" or "four", the form sends. Otherwise, the form aborts and a message is shown.

  6. #6
    SitePoint Enthusiast
    Ok I've added the hidden field 'validate' but can't figure where to put that piece of code you gave me, I suspect it goes in the middle.

    Does the IF statement need an ELSE to go with it?

    Sorry for the questions, I'm a designer not a coder lol

    PHP Code:
    <?php

    // Read the submitted form fields
    $Name      = $_POST['Name'];
    $EmailFrom = $_POST['EmailFrom'];
    $Company   = $_POST['Company'];
    $Message   = $_POST['Message'];
    $validate  = $_POST['Validate'];

    $ewho     = "hello@#########.co.uk";
    $datesent = date("l dS of F Y h:i A");
    $ip       = $_SERVER['REMOTE_ADDR'];
    $subject  = "Contact";
    $mailhead = "From: $EmailFrom";

    // Build the message body (string concatenation uses the dot operator)
    $mailbody  = "This email was sent via the website form" . "\n\n";
    $mailbody .= "Name: " . $Name . "\n\n";
    $mailbody .= "Email: " . $EmailFrom . "\n\n";
    $mailbody .= "Company: " . $Company . "\n\n";
    $mailbody .= "Message: " . $Message . "\n\n";
    $mailbody .= "DATE: " . $datesent . "\n";
    $body = stripslashes($mailbody);

    mail($ewho, $subject, $body, $mailhead);
    ?>

  7. #7
    ralph.m (It's all Geek to me)
    Quote Originally Posted by philb
    Ok I've added the hidden field 'validate' but can't figure where to put that piece of code you gave me, I suspect it goes in the middle.
    Yes, I suspect that will work.

    Sorry for the questions, I'm a designer not a coder
    Me too, so let's fumble together, until an expert arrives.

    See if this works:

    PHP Code:
    <?php

    // Read the submitted form fields
    $Name      = $_POST['Name'];
    $EmailFrom = $_POST['EmailFrom'];
    $Company   = $_POST['Company'];
    $Message   = $_POST['Message'];
    $validate  = $_POST['Validate'];

    // Honeypot check: a filled-in hidden field means a bot, unless it holds
    // the answer to the visible question ("4" or "four")
    if (!empty($validate) && !($validate == "4" || $validate == "four")) {
        echo "Crime does not pay!";
        exit();
    }

    $ewho     = "hello@#########.co.uk";
    $datesent = date("l dS of F Y h:i A");
    $ip       = $_SERVER['REMOTE_ADDR'];
    $subject  = "Contact";
    $mailhead = "From: $EmailFrom";

    // Build the message body
    $mailbody  = "This email was sent via the website form" . "\n\n";
    $mailbody .= "Name: " . $Name . "\n\n";
    $mailbody .= "Email: " . $EmailFrom . "\n\n";
    $mailbody .= "Company: " . $Company . "\n\n";
    $mailbody .= "Message: " . $Message . "\n\n";
    $mailbody .= "DATE: " . $datesent . "\n";
    $body = stripslashes($mailbody);

    mail($ewho, $subject, $body, $mailhead);
    ?>
    Does the IF statement need an ELSE to go with it?
    No.
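
The honeypot rule from the posts above, written as an added example that is not code from the thread: the check is wrapped in a function so it can be run from the command line without a web server. The field name "Validate" is taken from the form in this thread; the sample submissions at the bottom are constructed for illustration.

```php
<?php
// Added example (not from the thread): the hidden-field check as a function.
declare(strict_types=1);

/**
 * Return true when a submission should be rejected on the basis of the
 * hidden "Validate" field.
 *
 * - Field absent or empty: the visitor's browser hid the field -> accept.
 * - Field holds "4" or "four" (case-insensitive, whitespace trimmed):
 *   a screen-reader user answered the visible question -> accept.
 * - Anything else: something filled in a field no human can see -> reject.
 */
function isHoneypotTripped(array $post, string $field = 'Validate'): bool
{
    $value = $post[$field] ?? '';
    if (!is_string($value)) {
        return true;                      // an array is never a human answer
    }
    $value = strtolower(trim($value));
    if ($value === '') {
        return false;
    }
    return !in_array($value, ['4', 'four'], true);
}

// Constructed sample submissions for a quick self-check.
$samples = [
    'human, field hidden'  => ['Name' => 'Phil', 'Validate' => ''],
    'human, field missing' => ['Name' => 'Phil'],
    'screen reader, digit' => ['Name' => 'Phil', 'Validate' => '4'],
    'screen reader, word'  => ['Name' => 'Phil', 'Validate' => ' Four '],
    'bot fills every field'=> ['Name' => 'Phil', 'Validate' => 'http://spam.example'],
];

foreach ($samples as $label => $post) {
    printf("%-22s -> %s\n", $label, isHoneypotTripped($post) ? 'reject' : 'accept');
}
```

In the contact script this replaces the inline `if (!empty($validate) ...)` block: call `isHoneypotTripped($_POST)` before any of the `$mailbody` lines run, and exit when it returns true. Trimming and lower-casing the answer is what makes "Four " from a screen-reader user acceptable, which the exact string comparison in the thread's snippet would reject.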

  8. #8
    SitePoint Enthusiast
    Yep I got it working with that.

    I've tested it by manually entering a value in the form and it does indeed stop the code from emailing.

    Thanks, much appreciated.

    Phil

  9. #9
    SitePoint Enthusiast
    I haven't used the .gif but I'll leave that part of the verifying code there for future reference.

  10. #10
    ralph.m (It's all Geek to me)
    Great, glad that worked.

    It would also be a good idea to run the other fields through validation, though, as a lot of damage could be done by allowing anything in those fields. Best to lock down each input. That means checking what's typed into each field and displaying an error message if the rules aren't followed. At the moment, the email field could be used for a mass spam attack (as I understand it). So you can include something like this as well (although this is more complex than just aborting the form, as we did above):

    Code:
    $error_msg = array();   // collect validation errors to display later

    // [A-Za-z] rather than [A-z]: the latter also matches [ \ ] ^ _ and `
    if (empty($EmailFrom) || !preg_match("/^[^0-9][A-Za-z0-9_]+([.][A-Za-z0-9_]+)*[@][A-Za-z0-9_]+([.][A-Za-z0-9_]+)*[.][A-Za-z]{2,4}$/", $EmailFrom)) {
        $error_msg[] = "Your email must have a valid format";
    }
    You also need a way to display the error messages etc., so this starts to get more complex. But the form as is is open to serious spam injections, I believe. (As I said, though, I'm no expert.)

  11. #11
    Non-Member
    Using hidden fields is ok as long as you are aware that it will only stop "nuisance" attempts to use your form for sending spam and not someone who is determined and knows what they are doing by easily bypassing the hidden field attempt to stop spamming and protect your database.

    All someone would need to do is view your html and css to see it is a hidden field and so anyone with at least half a brain would tweak pretty quickly that the field is not meant to be filled in. They can then use your form to potentially fill your database with garbage or do other potential damage and/or spamming.

    Also, asking questions is also a weak captcha. You would just need to load the form manually a few times to get all or at least the majority of questions. Then the bot just needs to be programmed to give the correct answer for the question it is given.

    Again, asking questions will at most stop "nuisance" attempts but not someone who knows what they are doing.

  12. #12
    ralph.m (It's all Geek to me)
    Quote Originally Posted by webdev1958
    Using hidden fields is ok as long as you are aware that it will only stop "nuisance" attempts to use your form for sending spam and not someone who is determined and knows what they are doing by easily bypassing the hidden field attempt to stop spamming and protect your database.
    You can never stop an actual person using a form for no good, but I'd say the thing to avoid is bots. I guess if an individual takes the trouble to study your code and then set up a bot to do its work, that's a pain, but I doubt that happens often. And it would be easy to change your hidden form question once a month or so to foil the bots anyhow.

    In the case of the OP's question, we are really just talking about a simple contact form that won't involve a database.

    The more pressing issue, I think, is to tighten security on the form to prevent header injections and the like.
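
The two points raised in #10 and #12, email validation and header injection, as an added example that is not code from the thread. The script in this thread builds `"From: $EmailFrom"` straight from user input, so a submitted address containing a line break would append extra headers (a Bcc: list, say) to the message; the check below rejects that before `mail()` is reached. The function names and the `$error_msg[]` convention follow the thread's style but are assumptions; the sample addresses are constructed.

```php
<?php
// Added example (not from the thread): sender validation and header-safe
// construction for a PHP contact form.
declare(strict_types=1);

/**
 * Return the cleaned sender address, or null when it must not be used.
 * filter_var() replaces the hand-written regex from the thread; the explicit
 * CR/LF/NUL check is the part that stops header injection, since the From:
 * or Reply-To: header is built from this value.
 */
function cleanSenderAddress(string $raw): ?string
{
    $address = trim($raw);
    if ($address === '' || strlen($address) > 254) {
        return null;
    }
    // A line break or NUL byte here would let the submitter append their own
    // headers (Bcc:, a second Subject:, ...) to the outgoing mail.
    if (preg_match('/[\r\n\x00]/', $address) === 1) {
        return null;
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $address;
}

/**
 * Headers for mail(). The site's own address is the From: sender and the
 * visitor's (already cleaned) address goes in Reply-To:, so the form never
 * sends mail that claims to come from the visitor's domain.
 * mail() accepts an array of headers since PHP 7.2.
 */
function buildMailHeaders(string $siteAddress, string $replyTo): array
{
    return [
        'From'         => $siteAddress,
        'Reply-To'     => $replyTo,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
}

/**
 * Collect validation errors for a submission in the thread's $error_msg[]
 * style. An empty array means the message may be sent.
 */
function validateSubmission(array $post): array
{
    $error_msg = [];

    $raw   = $post['EmailFrom'] ?? '';
    $email = is_string($raw) ? cleanSenderAddress($raw) : null;
    if ($email === null) {
        $error_msg[] = 'Your email must have a valid format';
    }
    foreach (['Name', 'Message'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $error_msg[] = "$field is required";
        }
    }
    return $error_msg;
}

// Constructed inputs: an honest address and one carrying an injected header.
$honest = "visitor@example.com";
$attack = "visitor@example.com\r\nBcc: someone@example.net";

var_dump(cleanSenderAddress($honest));   // string(19) "visitor@example.com"
var_dump(cleanSenderAddress($attack));   // NULL: never reaches mail()

$errors = validateSubmission(['Name' => 'Phil', 'EmailFrom' => $attack, 'Message' => 'Hi']);
print_r($errors);                        // ["Your email must have a valid format"]

// In the contact script, once $errors is empty:
//   mail($ewho, $subject, $body, buildMailHeaders($ewho, $email));
```

The regex in #10 and `filter_var()` both reject an address with a line break in it, but only because a newline happens to fail their syntax rules; the explicit `[\r\n\x00]` check documents the real requirement, and is worth applying to every value that ends up in a header, the Subject line included if it is ever built from form input.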

  13. #13
    SitePoint Enthusiast
    Thanks webdev1958

    There's no database involved but I'll look at adding some more security.

    I don't want to spend hours researching PHP code for a simple contact form that just emails myself, especially when it seems, no matter what you do, there's always a way the spammers can get around it.