Page 1 of 1

How to prevent contact form spam: How to check if the user who fills in the form is human

#1 aniri

  • D.I.C Addict

Reputation: 54
  • Posts: 657
  • Joined: 24-November 09

Posted 15 July 2010 - 08:05 AM

Yes, you can also get spammed through the contact form on your site! How can you prevent that? It’s pretty easy: add a check that the form was filled in by one of your site’s visitors and not by a bot.

There are several ways of doing this. One of them is to use a captcha (a short text shown in an image that the user has to type into the form). Here’s a tutorial on how to use one of these.

I will show you another way: having the user fill in the result of a mathematical operation. If the correct result is entered, the form is sent to you.

You can see a demo of this on my website.

Here’s how we’ll do this:

Suppose we have the following contact form (in the file named contact.php):

<form action="send.php" id="contact" name="contact" method="post">
<table align="left">
	<tr><td><input type="text" id="name" name="name"></td></tr>
	<tr><td><input type="text" id="email" name="email"></td></tr>
	<tr><td><textarea rows="5" cols="40" id="message" name="message"></textarea></td></tr>
	<tr><td><input type="submit" value="Send message"></td></tr>
</table>
</form>

When the user presses the submit button, the send.php script will be called. This script sends an email with the info that was filled in the form.

We will have to add the part that verifies the user.

We will ask the user to fill in the result of a mathematical operation. The user will have to add two randomly generated numbers between 1 and 15.

Here’s the code to generate the two numbers and compute the correct sum:

	<?php
	$nr1 = (rand()%14)+1;   // rand()%14 is 0..13, so +1 gives a number from 1 to 14
	$nr2 = (rand()%14)+1;
	$sum = $nr1 + $nr2;     // the answer we expect the user to type in
	?>

We will now display the numbers to the user and ask him/her to fill in the result in a new input field.

We’ll add a new row in the table which holds the form:

	<tr><td>Are you human?<br/>What is the result of <?php echo $nr1;?>+<?php echo $nr2;?>?</td></tr>
	<tr><td><input type="text" id="nr" name="nr"></td></tr>

We’ll also add a hidden field to the form to hold the correct sum.

<input name="sum" id="sum" type="hidden" value="<?php echo $sum;?>"/>

These are all the changes we have to make to the contact form.

We’ll also have to modify the send.php script to check the sum before sending the email:

$nr  = isset($_POST['nr'])  ? $_POST['nr']  : '';   // what the user typed
$sum = isset($_POST['sum']) ? $_POST['sum'] : '';   // the expected sum from the hidden field

if ($nr != $sum) {
	header('Location: contact.php?msg=wrong');
	exit;   // stop here, otherwise the mail code below would still run
}
// add code to send the mail with the form data

If the sum from the hidden field is equal to the one filled in by the user, the email is sent. If not, the user is redirected to the contact.php page and an error message is shown. Here’s what we’ll have to add to the contact.php file to show the error message:

	if (isset($_GET['msg']) && $_GET['msg'] == 'wrong')
		echo "<p><font color=\"red\">The result you entered is wrong!</font></p>";

And that’s it!

Let me know if you have questions or comments!

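The weak point of the design above is that the hidden field hands the expected answer to whoever submits the form. The following is an added example, not the original poster's code: it keeps the same arithmetic challenge but stores the expected sum in the PHP session, so the client never sees it, and it collapses contact.php and send.php into one script that renders the form on GET and verifies the answer on POST. The function names (new_challenge, answer_is_correct, send_contact_mail) and the session key contact_sum are assumptions for this example; the mail call is a placeholder you would fill in yourself.

```php
<?php
// Added example (not the original post's code): same arithmetic check, but the
// expected answer lives in the session instead of a hidden field.
// Assumes one contact.php that both renders the form (GET) and handles it (POST).
session_start();

// Generate a fresh challenge and remember only its answer server-side.
function new_challenge(): array {
    $nr1 = random_int(1, 14);
    $nr2 = random_int(1, 14);
    $_SESSION['contact_sum'] = $nr1 + $nr2;   // assumed session key
    return [$nr1, $nr2];
}

// Verify the submitted answer against the session copy, then discard it so
// each challenge can be answered only once.
function answer_is_correct(?string $submitted): bool {
    if (!isset($_SESSION['contact_sum'])) {
        return false;                          // no challenge was issued
    }
    $expected = (int) $_SESSION['contact_sum'];
    unset($_SESSION['contact_sum']);           // one attempt per challenge
    $clean = trim((string) $submitted);
    // Only plain digits count; " 12 " is fine, "12abc" or "" is rejected.
    return ctype_digit($clean) && (int) $clean === $expected;
}

function send_contact_mail(string $name, string $email, string $message): void {
    // Placeholder: put the real mail() / mailer call here.
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (answer_is_correct($_POST['nr'] ?? null)) {
        send_contact_mail(
            $_POST['name'] ?? '',
            $_POST['email'] ?? '',
            $_POST['message'] ?? ''
        );
        header('Location: contact.php?msg=sent');
        exit;                                  // stop here, never fall through
    }
    $error = 'The result you entered is wrong!';
}

[$nr1, $nr2] = new_challenge();                // new numbers on every render
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<?php if ($error !== ''): ?>
<p style="color:red"><?= $h($error) ?></p>
<?php elseif (($_GET['msg'] ?? '') === 'sent'): ?>
<p>Your message was sent.</p>
<?php endif; ?>
<form action="contact.php" id="contact" name="contact" method="post">
<table>
	<tr><td><input type="text" id="name" name="name"></td></tr>
	<tr><td><input type="text" id="email" name="email"></td></tr>
	<tr><td><textarea rows="5" cols="40" id="message" name="message"></textarea></td></tr>
	<tr><td>Are you human?<br>What is the result of <?= $nr1 ?>+<?= $nr2 ?>?</td></tr>
	<tr><td><input type="text" id="nr" name="nr"></td></tr>
	<tr><td><input type="submit" value="Send message"></td></tr>
</table>
</form>
```

Because the answer is consumed on the first verification, a wrong guess forces a new challenge, and a script cannot reuse one answered challenge for repeated submissions. If you would rather keep the form stateless, the same idea works with a hidden field that carries an HMAC of the answer under a server-side secret instead of the answer itself; the client can then see the token but cannot produce a valid one for a different sum.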

Replies To: How to prevent contact form spam

#2 JITHU

  • D.I.C Head

Reputation: 62
  • Posts: 201
  • Joined: 02-July 07

Posted 17 July 2010 - 04:06 PM

I think that the captcha system is far more secure than letting the user fill out the result of a simple mathematical operation like addition, because you're outputting the math problem as simple HTML, so bots can parse it easily and find out those two numbers and the operation between them.

#3 ahmad_511

  • MSX

Reputation: 132
  • Posts: 722
  • Joined: 28-April 07

Posted 18 July 2010 - 06:31 PM

What about asking "in written words" about the number on the left side of the formula (for example), or the one that comes before the equal sign, or one of the operators?
I think it needs smarter bots to understand that :)

#4 oneal.michaels

  • D.I.C Head

Reputation: 4
  • Posts: 116
  • Joined: 25-June 10

Posted 19 July 2010 - 02:59 PM

If the result is stored in a hidden field, then couldn't someone just type in some JavaScript in their toolbar such as

document.getElementById("nr").value = document.getElementById("sum").value;
document.getElementById("name").value = "name";
document.getElementById("email").value = "email";
document.getElementById("message").value = "message";

and then they could easily spam you over and over with a simple JavaScript function. I think that the captcha is a much more secure solution!
