May

protecting web contact forms from spam bots

Posted by mahesh chari Published in PHP/mysql, javascript

Protecting web forms from spam bots using PHP

Spam bot is a program that submits the data to server by guessing form fields with html code.
For detailed article please refer my previous post.

Here some methods of preventing Spam bots that automatically submits.

Using captcha
Using random hidden field
Using hidden input text box.
Email header injecting.
Checking referrer page
Following basic rules

We can prevent the Spam bots with some basic rules
Prevent email harvesting on your web pages, see my previous post anti email harvesting.
Generally Spam bots looks for form tag and contained input, check box, radio boxes, option element (Hhhh all the form elements), fills their data with their spam data so we can take this as advantage, some spam bots stores this information and sends with proxy without resubmitting the web contact form, so we can prevent this type of technics.
Use deferent form fields than usually, like use ‘ xyz_nm’ instead ‘name’.Change the form field’s name in regular interval, like put ‘zmon_nm’ on ‘Monday’, ‘ztue_nm’ on ‘Tuesday’.
Use random named hidden input field with a default value is empty on every form submission like captcha, if the default value of the hidden field changed other than default, it is sure Spam.
Put one input text box element with random name and hide it with CSS style, since it won’t visible to general user, the default value could not changed, if any changes made to this value of input it is definitely Spam.
Don’t put email address in the form elements, instead put it in sever side variable.
Check for page referrer, however some server’s firewalls don’t allow this information, they strips the data.
Use captcha like methods or services that are available present , but this captcha has some inconvenience to the user.
Disabling or filtering HTML message in form elements, since maximum spam bots try to fill HTML data.
Make sure to access all the forms for login users and track down their messaging and ban certain user.

<?php 
#function that validate the user email
function is_valid_email($email){
$eregpat="^[A-z][A-z0-9_-]+([.]([A-z0-9_-])+)*[@][A-z0-9_]+([.][A-z0-9_]+)*[.][A-z]{2,4}$";
return eregi($eregpat,$email );
}
 
#function that validate user comments
function is_valid_comments($data){
return ($data=="");
}
#function that clean the user data againest 
#email header injection so we clean it
function safe_mail($data){
#clean non standerd alpha numeric and some special symbels
#clean email related headers like header,from,body,'cc','bcc',\r\n etc
$patterns=array('/[^a-zA-Z0-9\.-@_]/','from','header','body','CC','BCC');
return preg_replace($patterns,'',$data);
}
 
 
function send_mail($data){
#do what ever you want here with user data
#like storing into database or sending email to admin
}
 
#clean all data from user contact form and process this to store in mysql and sending email

function process_contactform(){
$data=array();
$data['name']=safe_mail($_POST['sfsf_name']);
$data['email']=safe_mail($_POST['jflsjls_email']);
$data['website']=safe_mail($_POST['kipmp_website']);
$data['comments']=safe_mail($_POST['comments_sfs']);
send_mail($data);
}
 
 
require_once('recaptchalib.php');
 
// Get a key from http://recaptcha.net/api/getkey
$publickey = "6LdVSQYAAAAAAFwb2919Sf8Uhcq3Z55bQc7d8Bx0";
$privatekey = "6LdVSQYAAAAAAIVT-VaJlea6WuOlLqJtt0UUK6xZ";
 
# the response from reCAPTCHA
$resp = null;
#error cacher
$errors = array();
 
if(isset($_POST['Submit'])){
# was there a reCAPTCHA response?
if (isset($_POST["recaptcha_response_field"])) {
        $resp = recaptcha_check_answer ($privatekey,
                                        $_SERVER["REMOTE_ADDR"],
                                        $_POST["recaptcha_challenge_field"],
                                        $_POST["recaptcha_response_field"]);
 
        if ($resp->is_valid) {
                echo "You got it!";
        } else {
                # set the error code so that we can display it
                $errors[] = $resp->error;
        }
}
 
#check the page that submits is belong to our domai or not
#remember some servers don't allow this data or don't have information
if(strpos('localhost', $_SERVER['HTTP_REFERER'])==false){
$errors[] ='This page can be prcessed from this domain only.';
}
 
#check email validation
if(isset($_POST['jflsjls_email']) and !is_valid_email($_POST['jflsjls_email'])){
$errors[]='Invalid email address.'; 
}
 
#check comment validation 
if(isset($_POST['comments_sfs']) and !is_valid_comments($_POST['comments_sfs'])){
$errors[]='Trying to email header injection.';
}
 
#check user is bot or not
if(isset($_POST['owjrj_ran']) and !$_POST['owjrj_ran']==''){
$errors[]='You are spam bot.';
}
 
#check user is bot or not
if(isset($_POST['mpmpm_rwrw']) and !$_POST['mpmpm_rwrw']==''){
$errors[]='You are spam bot.';
}
 
#check all errors and process contact form
if( isset($_POST['Submit']) and count($errors)==0){
process_contactform();
}
 
 
}
 
#if errors display
if(isset($_POST['Submit'])){
if(count($errors)>0){
echo '<ul class="errors" >';
foreach($errors as $k=>$v){
echo '<li>'.$v.'</li>';
}
echo '</ul>';
}
}
?>

HTML code

<html >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Contact Form</title>
</head>
<body>
 
<script type="text/javascript">
 
/*
This javascript form validation only for generel users.
the spam bots don't process this type javascript validation so we have to 
validate again on server side.
*/
function validate_form(){
 
var errors='';
 
var fm=document.contactform;
 
if(fm.jflsjls_email.value==''){
errors+='Email required.\n';
}
 
if( !(/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,4})+$/.test(fm.jflsjls_email.value))){
errors+='Invalid email address.\n';
}
 
if(fm.comments_sfs==''){
errors+='Empty comments.\n';
}
 
if(errors!=""){
alert(errors);
return false;
}
return true;
}
</script>
<form action="" method="post" name="contactform" id="contactform" onsubmit="return validate_form();">
  <table width="500" border="1">
    <tr>
      <th colspan="2">Contact Me
        <script>
		//email obfuscation 
document.write("m"+"y"+"m"+"a"+"i"+"l"+" &#64;"+"y"+"o"+"u"+"d"+"o"+"m"+"a"+"i"+"n"+" &#46"+"c"+"o"+"m");
</script>      </th>
    </tr>
    <tr>
      <td width="295"> Name </td>
      <td width="288"><input name="sfsf_name" type="text" id="sfsf_name" />      </td>
    </tr>
    <tr>
      <td>Email: * </td>
      <td><input name="jflsjls_email" type="text" id="jflsjls_email" /></td>
    </tr>
    <tr>
      <td> Web Site </td>
      <td><input name="kipmp_website" type="text" id="kipmp_website" value="" /></td>
    </tr>
    <tr>
      <td colspan="2">
	  <!-- 
	  hidden field that real user can't see ,only spam bots can process
	  in some spam bots this hidden field don't change the value ,
	  they submit as it is
	   -->
	  <input name="owjrj_ran" type="hidden" id="owjrj_ran" />
	  <!--
	  to overcome we use text field that is hidden from real user.
	  but this field is precessed by spam bots.
	  it is simply .
	   -->
        <input name="mpmpm_rwrw" type="text" id="mpmpm_rwrw" style="display:none" value="" />
        Comments*</td>
    </tr>
    <tr>
      <td colspan="2"><textarea name="comments_sfs" cols="45" rows="5"></textarea></td>
    </tr>
    <tr>
      <td colspan="2" align="left">
	  <!-- 
	  recaptcha text area field
	  this is another guarented check.
	  but it is not user freindly 
	   -->
	  <?php echo recaptcha_get_html($publickey, $errors);?></td>
    </tr>
    <tr>
      <td colspan="2" align="center"><input type="submit" name="Submit" value="Submit" />
        <input type="reset" name="Submit2" value="Reset" /> 
        <small>* Required field </small></td>
    </tr>
  </table>
</form>
</body>
</html>

Download Source Code

web-contact-form-with-anti-spam-methods download link here

Share and Enjoy:

Tags: anti spam, email

php directory lister function (February 25th, 2010)
php bytes conversion (February 18th, 2010)
php cron job (February 4th, 2010)
check real url (August 20th, 2009)
check cookie enabled javascript php (July 19th, 2009)

2 users responded in this post

Subscribe to this post comment rss or trackback url

Anti E-mail harvesting or protecting E-mail Address on web pages with php, javascript from E-mail spammers | Php Developer said in May 16th, 2009 at 2:14 am

[...] Some sites request various details via forms, e.g. guest books & registrations forms. Spammers can get email addresses from those either because the form becomes available on the world wide web, or because the site sells / gives the emails list to others. some spammers use weak security web forms on certain websites to protect web form from spammers please refer my post [...]

A simple php captcha tutorial and script download | Php Development said in June 1st, 2009 at 7:11 am

[...] the image on the fly. To test this functionality we need following files.We already discussed about anti spam web contact form in my provious post.this is one of methods. Php_captcha.php :- in this file we create the captcha [...]

Twitter Updates

Hurray,My Dream Project coming to finished ,am sooooooooooooo glad. 1 day ago
Hurray!! My mail box just crossed 1 GB!! 1 week ago
Mahesh C. - php/mysql/ajax/jquery/google map/joomla/wordpress programmer - Freelance Developer, India - oDesk: http://bit.ly/clF9Oa 1 week ago
Candymath.com re worked all the games. 2 weeks ago
My first internalization module completed ,successfully on PHP 2 weeks ago

Users Online

9 Users Online

protecting web contact forms from spam bots

Protecting web forms from spam bots using PHP

Here some methods of preventing Spam bots that automatically submits.

HTML code

Download Source Code

Related Articles

2 users responded in this post

Leave A Reply

Categories

Tags

Twitter Updates

Users Online

Recent Entries

Recent Comments

Random Selection of Posts