Contact form using hidden field is still letting spam through

Hey all,

I tried putting a hidden field on my contact form thinking that if it was filled out the script would know it was spam and not send it through. I am still getting a lot of spam messages.

Any advice?

Here is the code I am using.

Form code


<!-- Form Code Start -->
<form name="htmlform" id="contactus" method="post" action="mail.php">
<table width="450px">
<tr>
 <td valign="top">
  <label for="full_name">Full Name *</label>
 </td>
 <td valign="top">
  <input  type="text" name="full_name" maxlength="50" size="30">
 </td>
</tr>

<tr>
 <td valign="top">
  <label for="company">Company *</label>
 </td>
 <td valign="top">
  <input  type="text" name="company" maxlength="50" size="30">
 </td>
</tr>
<tr>
 <td valign="top">
  <label for="email">Email Address *</label>
 </td>
 <td valign="top">
  <input  type="text" name="email" maxlength="80" size="30">
 </td>

</tr>
<tr>
 <td valign="top">
  <label for="telephone">Telephone Number</label>
 </td>
 <td valign="top">
  <input  type="text" name="telephone" maxlength="30" size="30">
 </td>
</tr>


<tr>
 <td valign="top">
  <label for="website">Website Address</label>
 </td>
 <td valign="top">
  <input  type="text" name="website" maxlength="80" size="30">
 </td>
</tr>
<tr>
 <td valign="top">
  <label for="comments">Comments *</label>
 </td>
 <td valign="top">
  <textarea  name="comments" maxlength="1000" cols="25" rows="6"></textarea>
 </td>

</tr>
<tr>
 <td valign="top">
<label><img src="captcha.php"></label>
</td>
<td valign="top">
<input type="text" name="code"> <br />
Please type in the numbers and click submit.
 </td>

</tr>
<tr>
 <td colspan="2">
  <!-- Honeypot row: hide it with CSS on the "humans" class rather than type="hidden", so a bot that fills every text field still trips it; autocomplete="off" keeps browser autofill from filling it for real users. -->
  <label for="humans" class="humans">Human check: Leave this field empty</label>
  <input type="text" name="humans" id="humans" class="humans" autocomplete="off" />
 </td>
</tr>
<tr>
 <td colspan="2" style="text-align:center">
  <input type="submit" value="Submit">
 </td>
</tr>
</table>
</form>


mail.php


<?php
if(isset($_POST['email'])) {

    // CHANGE THE TWO LINES BELOW
    $email_to = "myemail@email.com";

    $email_subject = "AFE Contact Form Submission";


    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }

    // validation expected data exists
    if(!isset($_POST['full_name']) ||
        !isset($_POST['company']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone']) ||
		!isset($_POST['website']) ||
        !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $full_name = $_POST['full_name']; // required
    $company = $_POST['company']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
	$website = $_POST['website']; // not required
    $comments = $_POST['comments']; // required

    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,4}$/';
  if(!preg_match($email_exp,$email_from)) {
    $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
  }
    $string_exp = "/^[A-Za-z .'-]+$/";
  if(!preg_match($string_exp,$full_name)) {
    $error_message .= 'The Name you entered does not appear to be valid.<br />';
  }
  if(!preg_match($string_exp,$company)) {
    $error_message .= 'The Company you entered does not appear to be valid.<br />';
  }
  if(strlen($comments) < 2) {
    $error_message .= 'The Comments you entered do not appear to be valid.<br />';
  }
  if(strlen($error_message) > 0) {
    died($error_message);
  }
    $email_message = "Form details below.\n\n";

    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }

    // This test is a no-op: both branches are empty, so a filled-in honeypot
    // field never stops the mail from being sent (see the replies below).
    if(!empty($_POST['humans'])) {
        // it's spam
    } else {
        // it's human
    }

    $email_message .= "Name: ".clean_string($full_name)."\n";
    $email_message .= "Company: ".clean_string($company)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Website: ".clean_string($website)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";


// create email headers
    $headers = 'From: '.$email_from."\r\n".
        'Reply-To: '.$email_from."\r\n".
        'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);
}
die();
?>

Your check on the ‘humans’ field doesn’t actually do anything:

if(!empty($_POST['humans'])) { 
    // it's spam 
} else { 
    // it's human 
} 

Instead, you could do something like this:

if(!empty($_POST['humans'])) { 
    echo "You failed the spam test!";
    exit();
} 

The exit() part aborts the form sending.

Also keep in mind that this technique won’t fool every bot/spammer.

I’ve also been using the technique where if the form is submitted 3 seconds after generating the page, it doesn’t accept the submission. Normally, it takes a real human user considerably longer than 3 seconds to fill out a form.

I have tried the new code and I am still getting spam. How would I set it to be more than 3 seconds?

You would need to set a session or cookie when the contact page is loaded and then check the time when the form is submitted in mail.php. If the time is less than 3 seconds you display the error and exit.

There’s a discussion about setting a timer here: http://www.sitepoint.com/forums/showthread.php?861648-Captcha-To-Use-Or-Not-To-Use&p=5144556&viewfull=1#post5144556

That thread inspired me to try out this method, and it works well for me. I wrote a bit more about it here.

After reading the replies and following the other page, here is what I have. I hope this works.

Form code.


<form name="htmlform" id="contactus" method="post" action="mail.php">
<table width="450px">
<tr>
 <td valign="top">
  <label for="full_name">Full Name *</label>
 </td>
 <td valign="top">
  <input  type="text" name="full_name" maxlength="50" size="30">
 </td>
</tr>
 
<tr>
 <td valign="top">
  <label for="company">Company *</label>
 </td>
 <td valign="top">
  <input  type="text" name="company" maxlength="50" size="30">
 </td>
</tr>
<tr>
 <td valign="top">
  <label for="email">Email Address *</label>
 </td>
 <td valign="top">
  <input  type="text" name="email" maxlength="80" size="30">
 </td>
 
</tr>
<tr>
 <td valign="top">
  <label for="telephone">Telephone Number</label>
 </td>
 <td valign="top">
  <input  type="text" name="telephone" maxlength="30" size="30">
 </td>
</tr>


<tr>
 <td valign="top">
  <label for="website">Website Address</label>
 </td>
 <td valign="top">
  <input  type="text" name="website" maxlength="80" size="30">
 </td>
</tr>
<tr>
 <td valign="top">
  <label for="comments">Comments *</label>
 </td>
 <td valign="top">
  <textarea  name="comments" maxlength="1000" cols="25" rows="6"></textarea>
 </td>
 
</tr>
<tr>
 <td valign="top">
<label><img src="captcha.php"></label>
</td>
<td valign="top">
<input type="text" name="code"> <br />
Please type in the numbers and click submit.
 </td>
 
</tr>
<tr>
 <td colspan="2">
  <!-- Honeypot row: hide it with CSS on the "humans" class rather than type="hidden"; autocomplete="off" keeps browser autofill from filling it for real users. -->
  <label for="humans" class="humans">Human check: Leave this field empty</label>
  <input type="text" name="humans" id="humans" class="humans" autocomplete="off" />
  <!-- The page must be served as PHP for this to emit a timestamp; value="time();" on its own is literal text, not a number. The sender controls this value, so it can be set to any past time; the session-based check later in the thread does not have that weakness. -->
  <input type="hidden" name="loadtime" value="<?php echo time(); ?>" />
 </td>
</tr>

<tr>

 <td colspan="2" style="text-align:center">
  <input type="submit" value="Submit">
 </td>
</tr>
</table>
</form>

mail.php code


<?php
if(isset($_POST['email'])) {
     
    // CHANGE THE TWO LINES BELOW
    $email_to = "myemail@site.com";
     
    $email_subject = "AFE Contact Form Submission";
     
     
    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }
     
    // validation expected data exists
    if(!isset($_POST['full_name']) ||
        !isset($_POST['company']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone']) ||
		!isset($_POST['website']) ||
        !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');      
    }
     
    $full_name = $_POST['full_name']; // required
    $company = $_POST['company']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
	$website = $_POST['website']; // not required
    $comments = $_POST['comments']; // required
     
    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,4}$/';
  if(!preg_match($email_exp,$email_from)) {
    $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
  }
    $string_exp = "/^[A-Za-z .'-]+$/";
  if(!preg_match($string_exp,$full_name)) {
    $error_message .= 'The Name you entered does not appear to be valid.<br />';
  }
  if(!preg_match($string_exp,$company)) {
    $error_message .= 'The Company you entered does not appear to be valid.<br />';
  }
  if(strlen($comments) < 2) {
    $error_message .= 'The Comments you entered do not appear to be valid.<br />';
  }
  if(strlen($error_message) > 0) {
    died($error_message);
  }
    $email_message = "Form details below.\n\n";
     
    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }
    
    if(!empty($_POST['humans'])) {
        echo "You failed the spam test!";
        exit ();
    }

    // Timestamp embedded in the form's hidden field; cast to int so a missing
    // or non-numeric value cannot slip past the arithmetic below.
    $loadtime = (int) ($_POST['loadtime'] ?? 0);

    $totaltime = time() - $loadtime;

    if($loadtime <= 0 || $totaltime < 7)
    {
       echo("You took less than 7 seconds to complete the form, Please take more time to assure information is correct.");
       exit;
    }

    $email_message .= "Name: ".clean_string($full_name)."\n";
    $email_message .= "Company: ".clean_string($company)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Website: ".clean_string($website)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";
     
     
// create email headers
    $headers = 'From: '.$email_from."\r\n".
        'Reply-To: '.$email_from."\r\n".
        'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);
}
?>


Hehe, let us know. :slight_smile:

Make sure to add the () after exit, though.

{
   echo("You took less than 7 seconds to complete the form, Please take more time to assure information is correct.");
   exit();
}

One thing I have had success with is to create a session variable with a random string.
Then create a hidden form field with $_SESSION['secret'] as its value.
When the form is posted, do a check:


if ($_SESSION['secret'] != $_POST['secret']) {
    // spam bot
    exit();
}
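The session-secret check in the post above and the timer check suggested earlier in the thread, combined into one added example that is not any poster's code. It assumes PHP 7.1+; the function names issue_form_token and spam_check, the session keys form_secret and form_loadtime, and the sample submissions are mine.

```php
<?php
// Added example, not any poster's code: the honeypot, minimum-fill-time and session-secret
// checks from this thread, with the load time kept in the session instead of a hidden field.
declare(strict_types=1);
const MIN_FILL_SECONDS = 7;   // threshold used in the thread; tune it for your form

// Call while rendering the contact page (after session_start()); embed the returned
// token as <input type="hidden" name="secret" value="...">.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));     // unguessable per-page secret
    $session['form_secret']   = $token;
    $session['form_loadtime'] = time();     // stored server-side, so it cannot be backdated
    return $token;
}

// Call in mail.php as spam_check($_POST, $_SESSION, time()). Returns null when the
// submission passes, otherwise the reason (log it; echoing it tells a bot which check it hit).
function spam_check(array $post, array $session, int $now): ?string
{
    // 1. Honeypot: a browser leaves the CSS-hidden 'humans' field empty.
    if (!empty($post['humans'])) {
        return 'honeypot filled';
    }
    // 2. The secret must exist and match; hash_equals() is a constant-time comparison.
    if (!isset($session['form_secret'], $post['secret'])
        || !hash_equals($session['form_secret'], (string) $post['secret'])) {
        return 'missing or wrong form secret';
    }
    // 3. Minimum fill time, measured from the server-stored load time.
    if (!isset($session['form_loadtime'])
        || $now - (int) $session['form_loadtime'] < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    return null;
}
// Constructed CLI demo (no web server or real session needed). In production, unset the
// two session keys after the check so each token is single-use.
$session = [];
$token   = issue_form_token($session);
$base    = ['secret' => $token, 'humans' => '', 'email' => 'someone@example.com'];
$cases   = [
    'bot that fills every field' => [['humans' => 'x'] + $base, time() + 60],
    'wrong secret'               => [['secret' => 'guess'] + $base, time() + 60],
    'instant submission'         => [$base, time() + 2],
    'human, ten seconds later'   => [$base, time() + 10],
];
foreach ($cases as $label => [$post, $now]) {
    echo $label, ': ', spam_check($post, $session, $now) ?? 'accepted', PHP_EOL;
}
```

Only the last case is accepted; the other three are rejected for the reason the comments describe.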

@ralph.m, ever since the beginning I have never used () after exit.
I just went to php.net and sure enough they are called for.
Then I got curious as to why it works without them and gives no error.
Googled and found this.
http://stackoverflow.com/questions/3819774/why-does-exit-require-parentheses

exit is a function and surprised it worked now.

Hm, interesting! I only know very little PHP, so was wondering if I was off the mark. Seems like I sort of was and sort of wasn’t. :rolleyes:

exit is a language construct, and can be called without parentheses if no status is passed with it. exit(); is equivalent to exit; and to exit(0);

I like it!