How do I stop the spam on a form coded in PHP?

I just took over a site coded in PHP. I simply needed to do some easy updates to a form and upload the site to the owner’s own hosting account.

Since the owner sent out an email announcing that the form was going live on the site, they have received many bogus form submissions. What coding can I add to the form that will prevent this from happening. There have been some double submissions, so I’m guessing the spammers are using software to do this.

Will reCaptcha work? I checked the installation instructions, and it looks like you need to know a bit of PHP to do it (I normally just install reCaptcha on the Wordpress sites that I create as a plugin, which is a very easy three step process).

Any suggestions or a step by step instruction on how to stop the spam?


Captcha and its ilk are pretty horrid things for your legitimate users, so a better option is the “honeypot” method, where you add an extra field into the form that is hidden. You set the form to abort if that filed is filled in (or, to be a bit kinder to anyone who might happen upon that field for some reason–such as CSS off–you could give a question to answer). The spam you are getting is probably from spam bots that look for unprotected forms and highjack them. This is a way to foil those bots, but you will get the occasional spammer who is manually completing your form, and you can’t do much about those creatures.

Great. Thanks. Could you give me an example of the coding for the solutions you suggested?

I’m not an expert at this, but if you have something like a text input of some kind in that form (say, for example, to collect an email address) you could duplicate everything to do with that input (HTML and PHP) and then change the values appropriately. For example, in your HTML you might have something like

<div class="hide">
	<label for="spam">What is two plus two?</label>
	<input name="spam" type="text" id="spam">

and then in the CSS

div.hide {display: none;}

Then you could create a rule in the PHP that says “abort this form if the it’s filled in and the answer is not 4”. E.g.

if (@$_POST["submitted"]) {
    $spam = $_POST["spam"];

and then the trip wire:

if (!empty($spam) && !($spam == "4" || $spam == "four")) {
	echo "No thanks!";
	exit ();

If none of that makes sense, perhaps post the form code and PHP script and someone who knows this better can deal with your actual situation.

OK. Thanks. PHP is definitely new to me. I’ll take a look at this in the morning and see if I can figure it out. If I can’t, then I may take your suggestion and post the code for the form.