Webforumz Newsletter - February 2008
Tutorials
Protecting your PHP forms from Spam
We all know that, in the world of the web, Spam is a big problem. If you want to use a contact form for your website, then without protection you will, eventually, receive a lot of Spam. In this tutorial I'm going to go through two methods which are easy for you to implement and easy for the user to understand.
1. Hidden Form
Spam-bots detect and fill in all the form fields on a webpage. We can actually use this to our advantage to stop them. We can create a hidden field by using the following code:
<input type="hidden" name="hidden">
(Or end with /> in xHTML)
The user will obviously not see this field, and therefore will not fill it in, yet the Spam-bots will. So, in our PHP code, we need to check whether the hidden field is filled in. If it is, we need to reject the submission. If it is not, we can accept it.
Firstly, I've set up a simple HTML form:
<form method="post" action="form_send.php">
Name: <input type="text" value="name" name="name" /><br />
Email: <input type="text" value="email" name="email" /><br />
Password: <input type="text" value="password" name="password" /><br />
<input type="hidden" name="hidden" /><br />
<input type="submit" value="Submit" />
</form>
All the work will be done in the file form_send.php. Firstly, we need to get the values from the form.
<?php
// Read each field with isset() so a missing field gives '' instead of a notice
$name = isset($_POST['name']) ? $_POST['name'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$hidden = isset($_POST['hidden']) ? $_POST['hidden'] : '';
We assign each of the form fields to a variable, for easy reference later in our script. Now, we check whether our hidden field has been left empty.
if ($hidden === '') {
    // all your things here, e.g. add data to database, email, etc
} else {
    // the hidden field was filled in, so this was not a person
    echo '<p>SPAMMER!</p>';
}
The above script, put simply, says: if the field named hidden is empty, then process the form data, email someone the data, etc. If it is not empty, then we have a go at the Spam-bot and, most importantly, DO NOT process the form.
That's it! That is a simple way of protecting your forms.
HINT: If you want to test the form, change the type of the 'hidden' field to 'text' and try entering data into that field. It should give an error.
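As an added example (not code from the newsletter), here is the hidden-field method as one self-contained PHP file that both shows the form and processes it. It assumes the file is saved as contact.php and keeps the newsletter's field names; it differs from the snippets above in two ways a practitioner usually wants: the trap is a real text input hidden with CSS rather than type="hidden" (some bots skip true hidden inputs but fill anything that looks like a text box), and every tripped trap is written to the web server's error log so you can see how often it fires.

```php
<?php
// Added example: honeypot-protected contact form in a single file (contact.php).
// Assumptions: field names name, email and hidden, as in the newsletter's form.

// Name of the trap field. Bots fill anything that looks like a field;
// people never see it because the CSS below moves it off-screen.
define('HONEYPOT_FIELD', 'hidden');

/**
 * Returns true when the submitted data shows the trap field was filled in.
 * A missing field counts as empty, so a normal browser submission passes.
 */
function honeypot_tripped(array $post)
{
    if (!isset($post[HONEYPOT_FIELD]) || !is_string($post[HONEYPOT_FIELD])) {
        return false;
    }
    return trim($post[HONEYPOT_FIELD]) !== '';
}

/**
 * Minimal checks on the visible fields; returns a list of error messages.
 */
function validate_contact(array $post)
{
    $errors = array();
    $name  = isset($post['name']) && is_string($post['name']) ? trim($post['name']) : '';
    $email = isset($post['email']) && is_string($post['email']) ? trim($post['email']) : '';
    if ($name === '') {
        $errors[] = 'Name is required.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required.';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypot_tripped($_POST)) {
        // Log the rejection (address only, not the submitted text) so the
        // rate of trap hits can be watched in the server error log.
        error_log('honeypot tripped from ' . $_SERVER['REMOTE_ADDR']);
        // Answer exactly like a success so the sender learns nothing.
        echo '<p>Thank you, your message has been received.</p>';
        exit;
    }
    $errors = validate_contact($_POST);
    if (empty($errors)) {
        // all your things here, e.g. add data to database, email, etc
        echo '<p>Thank you, your message has been received.</p>';
        exit;
    }
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
?>
<style>.hp-wrap { position: absolute; left: -9999px; }</style>
<form method="post" action="contact.php">
Name: <input type="text" name="name" /><br />
Email: <input type="text" name="email" /><br />
<!-- Trap field: hidden from people by CSS, but present in the page for bots -->
<div class="hp-wrap" aria-hidden="true">
  Leave this empty: <input type="text" name="<?php echo HONEYPOT_FIELD; ?>" tabindex="-1" autocomplete="off" />
</div>
<input type="submit" value="Submit" />
</form>
```

The trap is answered with the same "thank you" page as a genuine submission instead of the "SPAMMER!" message, so nothing in the response tells a bot's operator that a submission was dropped; the error_log line is where you, not the sender, find out. The tabindex and autocomplete attributes stop keyboard users and browser autofill from accidentally putting something in the trap.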
2. Simple Mathematics
This one is a bit more complex but should still be understandable: we will ask the user to add together two randomly generated numbers, each between 0 and 10. Here is the form, which this time contains a bit of PHP:
<?php
$rand_1 = rand(0, 10);
$rand_2 = rand(0, 10);
?>
<form method="post" action="form_send.php">
Name: <input type="text" value="name" name="name" /><br />
Email: <input type="text" value="email" name="email" /><br />
Password: <input type="text" value="password" name="password" /><br />
Please answer the following question:
What is <input type="text" value="<?php echo $rand_1; ?>" name="rand1" />
add
<input type="text" value="<?php echo $rand_2; ?>" name="rand2" /><br />
The answer is <input type="text" name="answer" /><br />
<input type="submit" value="Submit" />
</form>
The PHP assigns a random number to each of two variables and puts them into the form. If you preview this, you will see what is happening. If you then refresh the page, you should get different numbers.
The processing PHP page is still very similar to the previous one: instead of checking that the hidden field is empty, we check that the user's answer matches the correct one. Firstly, we get the values:
<?php
$name = isset($_POST['name']) ? $_POST['name'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$answer = isset($_POST['answer']) ? $_POST['answer'] : '';
// The two numbers come back from the form as text, so cast them to integers
$rand1 = isset($_POST['rand1']) ? (int) $_POST['rand1'] : 0;
$rand2 = isset($_POST['rand2']) ? (int) $_POST['rand2'] : 0;
$correct_answer = $rand1 + $rand2;
The correct_answer variable now holds the correct answer. We compare this to the user's answer.
// ctype_digit() makes sure the answer is a whole number before comparing as integers
if (ctype_digit($answer) && (int) $answer === $correct_answer) {
    // process your form, etc
    echo '<p>Form being processed</p>';
} else {
    echo '<p>Check your maths</p>';
}
This IF statement says: "If the correct answer is the same as the one the user has entered, then process the form and do the stuff. If it does not match, then do not process the form and display an error."
That's that. Upload it and try entering the wrong answer, then refresh and enter the correct answer. You should see the matching message each time.
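One thing to notice about the version above is that rand1 and rand2 travel to the browser as editable inputs and come back in the POST, and the server adds up whatever it receives; the question is therefore set by the sender, not by the site. As an added example (not the newsletter's code), the following single file keeps the two numbers in the PHP session so the server decides the question and the browser only returns the answer. It assumes the file is saved as math_form.php, that PHP sessions are available, and it uses the newsletter's field names apart from dropping rand1 and rand2.

```php
<?php
// Added example: the "simple mathematics" check with the operands kept in the
// PHP session instead of being sent back by the browser (math_form.php).
// Assumptions: sessions work (default PHP setup); field names name, email, answer.

session_start();

/**
 * Creates a fresh question, stores the expected sum server-side and
 * returns the two numbers so the page can display them.
 */
function challenge_new()
{
    $a = rand(0, 10);
    $b = rand(0, 10);
    $_SESSION['math_challenge'] = array('a' => $a, 'b' => $b, 'sum' => $a + $b);
    return $_SESSION['math_challenge'];
}

/**
 * Checks a submitted answer against the stored question. The question is
 * removed on every attempt, so each one can be answered exactly once and a
 * wrong guess cannot simply be retried against the same numbers.
 */
function challenge_verify($answer)
{
    if (!isset($_SESSION['math_challenge'])) {
        return false;             // nothing issued, or already used
    }
    $expected = $_SESSION['math_challenge']['sum'];
    unset($_SESSION['math_challenge']);
    // Accept only a plain whole number, then compare as integers.
    if (!is_string($answer) || !ctype_digit($answer)) {
        return false;
    }
    return (int) $answer === $expected;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $answer = isset($_POST['answer']) ? $_POST['answer'] : '';
    if (challenge_verify($answer)) {
        // process your form, etc
        echo '<p>Form being processed</p>';
        exit;
    }
    echo '<p>Check your maths</p>';
}

// Always issue a new question for the page about to be shown.
$q = challenge_new();
?>
<form method="post" action="math_form.php">
Name: <input type="text" name="name" /><br />
Email: <input type="text" name="email" /><br />
Please answer the following question:<br />
What is <?php echo $q['a']; ?> add <?php echo $q['b']; ?>?
The answer is <input type="text" name="answer" /><br />
<input type="submit" value="Submit" />
</form>
```

Because the numbers are printed as plain text rather than as input fields, nothing about the question is in the POST for the server to trust, and the session cookie ties each answer to the question that was actually shown. Clearing the stored question on every attempt means that after a wrong answer the page shows a new question, so the sum is never worth more than one guess.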
That brings this tutorial to an end. I've presented two methods to you, because it's personal preference which one you use. I would suggest the second one, as it will not be long before Spam-bots learn to avoid hidden fields, but much longer before they start doing mathematics!