I tried putting a hidden field on my contact form thinking that if it was filled out the script would know it was spam and not send it through. I am still getting a lot of spam messages.
<?php
if(isset($_POST['email'])) {
    // CHANGE THE TWO LINES BELOW
    $email_to = "myemail@email.com";
    $email_subject = "AFE Contact Form Submission";
    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }
    // validation expected data exists
    if(!isset($_POST['full_name']) ||
       !isset($_POST['company']) ||
       !isset($_POST['email']) ||
       !isset($_POST['telephone']) ||
       !isset($_POST['website']) ||
       !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }
    $full_name = $_POST['full_name']; // required
    $company = $_POST['company']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $website = $_POST['website']; // not required
    $comments = $_POST['comments']; // required
    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
    if(!preg_match($email_exp,$email_from)) {
        $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
    }
    $string_exp = "/^[A-Za-z .'-]+$/";
    if(!preg_match($string_exp,$full_name)) {
        $error_message .= 'The Name you entered does not appear to be valid.<br />';
    }
    if(!preg_match($string_exp,$company)) {
        $error_message .= 'The Company you entered does not appear to be valid.<br />';
    }
    if(strlen($comments) < 2) {
        $error_message .= 'The Comments you entered do not appear to be valid.<br />';
    }
    if(strlen($error_message) > 0) {
        died($error_message);
    }
    $email_message = "Form details below.\n\n";
    function clean_string($string) {
        $bad = array("content-type","bcc:","to:","cc:","href");
        return str_replace($bad,"",$string);
    }
    // honeypot field: a hidden input named "humans" that a real visitor never fills in
    if(!empty($_POST['humans'])) {
        // it's spam
        // NOTE: nothing happens here, so execution continues and the mail is still sent below
    } else {
        // it's human
    }
    $email_message .= "Name: ".clean_string($full_name)."\n";
    $email_message .= "Company: ".clean_string($company)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Website: ".clean_string($website)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";
    // create email headers
    $headers = 'From: '.$email_from."\r\n".
        'Reply-To: '.$email_from."\r\n".
        'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);
?>
<?php
}
die();
?>
Also keep in mind that this technique won’t fool every bot/spammer.
I’ve also been using the technique where if the form is submitted 3 seconds after generating the page, it doesn’t accept the submission. Normally, it takes a real human user considerably longer than 3 seconds to fill out a form.
You would need to set a session or cookie when the contact page is loaded and then check the time when the form is submitted in mail.php. If the time is less than 3 seconds you display the error and exit.
<?php
if(isset($_POST['email'])) {
    // CHANGE THE TWO LINES BELOW
    $email_to = "myemail@site.com";
    $email_subject = "AFE Contact Form Submission";
    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }
    // validation expected data exists
    if(!isset($_POST['full_name']) ||
       !isset($_POST['company']) ||
       !isset($_POST['email']) ||
       !isset($_POST['telephone']) ||
       !isset($_POST['website']) ||
       !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }
    $full_name = $_POST['full_name']; // required
    $company = $_POST['company']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $website = $_POST['website']; // not required
    $comments = $_POST['comments']; // required
    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
    if(!preg_match($email_exp,$email_from)) {
        $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
    }
    $string_exp = "/^[A-Za-z .'-]+$/";
    if(!preg_match($string_exp,$full_name)) {
        $error_message .= 'The Name you entered does not appear to be valid.<br />';
    }
    if(!preg_match($string_exp,$company)) {
        $error_message .= 'The Company you entered does not appear to be valid.<br />';
    }
    if(strlen($comments) < 2) {
        $error_message .= 'The Comments you entered do not appear to be valid.<br />';
    }
    if(strlen($error_message) > 0) {
        died($error_message);
    }
    $email_message = "Form details below.\n\n";
    function clean_string($string) {
        $bad = array("content-type","bcc:","to:","cc:","href");
        return str_replace($bad,"",$string);
    }
    // honeypot: the hidden "humans" field must be empty, otherwise stop before mailing
    if(!empty($_POST['humans'])) {
        echo "You failed the spam test!";
        exit();
    }
    // page-load timestamp as submitted by the client in a hidden "loadtime" field
    $loadtime = $_POST['loadtime'];
    $totaltime = time() - $loadtime;
    if($totaltime < 7)
    {
        echo("You took less than 7 seconds to complete the form, Please take more time to assure information is correct.");
        exit;
    }
    $email_message .= "Name: ".clean_string($full_name)."\n";
    $email_message .= "Company: ".clean_string($company)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Website: ".clean_string($website)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";
    // create email headers
    $headers = 'From: '.$email_from."\r\n".
        'Reply-To: '.$email_from."\r\n".
        'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);
}
?>
{
echo("You took less than 7 seconds to complete the form, Please take more time to assure information is correct.");
exit();
}
One thing I have had success with is to create a session variable with a random string.
Then create a hidden form field with $_SESSION['secret'] as its value.
When the form is posted, do a check:
if ($_SESSION['secret'] != $_POST['secret']) {
    // spam bot
    exit();
}
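Bringing the honeypot, the timing check and the session secret from the replies above together, as an added example that is not code from this thread: the secret and the page-load time are both kept in the session rather than in a hidden field, so the client cannot supply its own loadtime. The field names secret, humans and form_loaded, the MIN_FILL_SECONDS value and the function names are assumptions.

```php
<?php
// Added example (not from the thread). Session keys and field names are assumed.
session_start();

const MIN_FILL_SECONDS = 7; // same threshold the second snippet in the thread uses

// Call while rendering the contact page and echo the returned hidden fields.
function issue_form_token(): string {
    $_SESSION['form_secret'] = bin2hex(random_bytes(16)); // fresh, unguessable per page load
    $_SESSION['form_loaded'] = time();                    // kept server-side, never in the form
    $secret = htmlspecialchars($_SESSION['form_secret'], ENT_QUOTES, 'UTF-8');
    // "humans" is the honeypot: hidden by CSS, a real visitor leaves it empty
    return '<input type="hidden" name="secret" value="' . $secret . '">'
         . '<input type="text" name="humans" value="" style="display:none" autocomplete="off">';
}

// Call in mail.php before building the message. Returns null when the submission
// passes every check, otherwise a short reason for the server log.
function reject_reason(array $post): ?string {
    if (!isset($_SESSION['form_secret'], $_SESSION['form_loaded'])) {
        return 'no session';     // form was never rendered in this session
    }
    if (!isset($post['secret']) || !hash_equals($_SESSION['form_secret'], (string)$post['secret'])) {
        return 'bad secret';     // token missing, forged or from another session
    }
    if (!empty($post['humans'])) {
        return 'honeypot filled';
    }
    if (time() - $_SESSION['form_loaded'] < MIN_FILL_SECONDS) {
        return 'too fast';
    }
    // Refuse CR/LF in the address so it cannot add extra headers to $headers.
    $email = (string)($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        return 'bad email';
    }
    unset($_SESSION['form_secret'], $_SESSION['form_loaded']); // token is single-use
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = reject_reason($_POST);
    if ($reason !== null) {
        error_log('contact form rejected: ' . $reason); // log the reason, do not reveal it
        http_response_code(400);
        exit('We could not process your submission.');
    }
    // ...build $email_message and call mail() as in the scripts above...
}
```

Because the token is cleared after one successful check, a captured form post cannot be replayed; the log line lets you see which check is actually catching the traffic.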