Why not put a sum in the image and then get the user to enter the value in an input field?
You say the value isn’t going to change so compare the user input against a hardcoded value.
I prefer to have a hidden field which, if filled in, aborts the form. That stops the bots in their tracks. But to make life a little better for some screen reader users etc. you could add a simple sum in words that will allow the form to submit. That is, the label says “what’s two plus two?”, and the form sends if either “four” or “4” are entered, but aborts if anything else is submitted. Keep it hidden with display: none so that most people—even some screen readers—won’t see it.
It’s better not to make life harder for honest people.
It would also be a good idea to run the other fields through validation, though, as a lot of damage could be done by allowing anything in those fields. Best to lock down each input. That means checking what’s typed into each field and displaying an error message if the rules aren’t followed. At the moment, the email field could be used for a mass spam attack (as I understand it). So you can include something like this as well (although this is more complex than just aborting the form, as we did above):
// Reject an empty or badly formed address. The character classes use A-Za-z
// (the shorthand A-z would also admit [ \ ] ^ _ and `), the first character
// must be a letter or underscore rather than merely "not a digit" (so a
// leading newline cannot pass), and the D modifier makes $ match only at the
// very end of the string, so a trailing newline cannot slip past the check.
if (empty($EmailFrom) || !preg_match("/^[A-Za-z_][A-Za-z0-9_]+([.][A-Za-z0-9_]+)*[@][A-Za-z0-9_]+([.][A-Za-z0-9_]+)*[.][A-Za-z]{2,4}$/D", $EmailFrom)) {
    $error_msg[] = "Your email must have a valid format";
}
You also need a way to display the error messages etc., so this starts to get more complex. But the form, as is, is open to serious spam injections, I believe. (As I said, though, I’m no expert.)
You can never stop an actual person using a form for no good, but I’d say the thing to avoid is bots. I guess if an individual takes the trouble to study your code and then set up a bot to do its work, that’s a pain, but I doubt that happens often. And it would be easy to change your hidden form question once a month or so to foil the bots anyhow.
In the case of the OP’s question, we are really just talking about a simple contact form that won’t involve a database.
The more pressing issue, I think, is to tighten security on the form to prevent header injections and the like.
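To make the two suggestions above concrete (the hidden field that aborts the form unless it is empty or answered with “four”/“4”, and locking the other fields down so that nothing containing a line break can reach the mail headers), here is an added example in PHP. It is not code from this thread; the field names (name, email, message, sum), the recipient and sender addresses, and the length limits are assumptions chosen for the example.

```php
<?php
// Added example, not code from the thread. Field names, addresses and
// length limits below are assumptions.

// Form markup. The "sum" question lives in a block hidden with display: none,
// so sighted visitors never see it and leave it empty; a screen reader that
// does announce it lets the user answer "four" or "4". Bots tend to fill
// every input they find, so anything else aborts the submission.
$form_html = <<<'HTML'
<form method="post" action="">
  <label>Name <input type="text" name="name"></label>
  <label>Email <input type="text" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="display: none">
    <label>What’s two plus two? <input type="text" name="sum" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;

// Check every field and return a list of error messages (empty = accept).
function validate_contact_form(array $post): array
{
    $errors = [];

    // Hidden question: empty, "four" or "4" pass; anything else is a bot.
    $answer = strtolower(trim((string)($post['sum'] ?? '')));
    if (!in_array($answer, ['', 'four', '4'], true)) {
        $errors[] = 'Submission rejected.';
    }

    // Reply address: syntactically valid and free of CR/LF, which is exactly
    // what a header injection ("\r\nBcc: ...") needs to work.
    $email = trim((string)($post['email'] ?? ''));
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'Your email must have a valid format';
    }

    // Name: one line, bounded length (assumed limit of 100 characters).
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100 || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'Please enter your name on one line (up to 100 characters).';
    }

    // Message: required and bounded (assumed limit of 5000 characters). It
    // only goes into the body, never into a header.
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'Please enter a message (up to 5000 characters).';
    }

    return $errors;
}

// Send the mail from already validated input. The visitor's address is used
// only as Reply-To; From is a fixed address on our own domain, and the name
// goes into the body rather than a header.
function send_contact_mail(array $post, string $to, string $from): bool
{
    $headers = "From: {$from}\r\n"
             . "Reply-To: " . trim($post['email']) . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "From: " . trim($post['name']) . "\n\n" . trim($post['message']);
    return mail($to, 'Contact form message', $body, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions (not real traffic) to show each rule.
    $samples = [
        'honest'        => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hello', 'sum' => ''],
        'screen reader' => ['name' => 'Sam', 'email' => 'sam@example.com', 'message' => 'Hi', 'sum' => 'Four'],
        'bot'           => ['name' => 'Bob', 'email' => 'bob@example.com', 'message' => 'Buy now', 'sum' => 'http://spam.example'],
        'injection'     => ['name' => 'Eve', 'email' => "eve@example.com\r\nBcc: victim@example.net", 'message' => 'Hi', 'sum' => ''],
    ];
    foreach ($samples as $label => $post) {
        $errors = validate_contact_form($post);
        echo $label, ': ', $errors ? implode(' | ', $errors) : 'accepted', "\n";
    }
} else {
    // Normal web request: validate, then either send or show the errors.
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $errors = validate_contact_form($_POST);
        if ($errors === []) {
            send_contact_mail($_POST, 'me@example.com', 'contact-form@example.com');
            echo '<p>Thanks, your message was sent.</p>';
        } else {
            foreach ($errors as $error) {
                echo '<p class="error">', htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), '</p>';
            }
        }
    }
    echo $form_html;
}
```

Run it from the command line to see the four constructed samples classified, or drop it in as the form page: the only user-supplied value that ever reaches a header is the email address, and it has to pass both filter_var and the explicit CR/LF check first.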
Using hidden fields is OK as long as you are aware that it will only stop “nuisance” attempts to use your form for sending spam, and not someone who is determined and knows what they are doing, who can easily bypass the hidden-field attempt to stop spamming and protect your database.
All someone would need to do is view your HTML and CSS to see it is a hidden field, and so anyone with at least half a brain would twig pretty quickly that the field is not meant to be filled in. They can then use your form to potentially fill your database with garbage or do other potential damage and/or spamming.
Asking questions is also a weak captcha. You would just need to load the form manually a few times to get all, or at least the majority, of the questions. Then the bot just needs to be programmed to give the correct answer for the question it is given.
Again, asking questions will at most stop “nuisance” attempts but not someone who knows what they are doing.
There’s no database involved but I’ll look at adding some more security.
I don’t want to spend hours researching PHP code for a simple contact form that just emails myself, especially when it seems that, no matter what you do, there’s always a way the spammers can get around it.