homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

How do I stop the spam on a form coded in PHP?

 8:27 am on Jan 12, 2012 (gmt 0)

I just took over a site coded in PHP. I simply needed to do some easy updates to a form and upload the site to the owner's own hosting account.

Since the owner sent out an email announcing that the form was going live on the site, they have received many bogus form submissions. What coding can I add to the form that will prevent this from happening. There have been some double submissions, so I'm guessing the spammers are using software to do this.

Will reCaptcha work? I checked the installation instructions, and it looks like you need to know a bit of PHP to do it (I normally just install reCaptcha on the Wordpress sites that I create as a plugin, which is a very easy three step process).

Any suggestions or a step by step instruction on how to stop the spam?




 1:34 pm on Jan 12, 2012 (gmt 0)

>> Will reCaptcha work?

Sure. Here's a guide to get you started...



 3:15 pm on Jan 12, 2012 (gmt 0)

one thing that you could try is to include an extra text box, and then hide it with CSS. a human wont see it, so it will be empty, but a bot will most likely fill it in. so if that field returns some content, you can just reject the submission straight away.


 4:38 pm on Jan 12, 2012 (gmt 0)

First you should try and halt it on the back end; captchas and front end challenge boxes are a workaround and create one more challenge to your legitimate users. I was asked yesterday to add a captcha to a Wordpress site. The spam kept a comin' . . .

One thread [webmasterworld.com] on filtering cleansed data server side with PHP. I'm presuming like most form spam, it's a link dropping scheme - the second post in that thread shows one decent way to slow it down.

Another thread [webmasterworld.com] discussing form abuse prevention in general. Front end challenge/responses are discussed deeply in this thread ("What is the sum of five plus seven?")


 8:57 am on Jan 13, 2012 (gmt 0)

Thanks, eelixduppy. I saw that. I'm new to PHP, so I figured I would ask for a more step-by-step instruction.

That sounds like a good idea, londrum. What would be the coding for that?

Thanks, rocknbil. I'll try your fix as well.


 1:14 pm on Jan 13, 2012 (gmt 0)

for a hidden input field, you'll only have to do something like this:

In your stylesheet:
input.invis {

in your HTML form:
<input type="text" name="spamtest" class="invis">

in the PHP script that processes the form:
something like:
if(isSet($_POST['spamtest']) && $_POST['spamtest'] !== "") {
exit("Please dont spam me");

Good luck


 1:41 pm on Jan 13, 2012 (gmt 0)

I posted a solution that uses a little javascript and PHP to solve the problem toward the end of the thread linked below. The code checks for keystrokes in the browser. No keystrokes, no humans, therefore post can be discarded and automated spam is whacked.


Simple, effective, been working for me for years.



 2:12 pm on Jan 13, 2012 (gmt 0)

a more step-by-step instruction

I'm afraid that is a pretty straightforward tutorial on how to add reCAPTCHA to a website. Anything additional would have to require detailed knowledge of the actual scripts on your website. Probably shouldn't take more than 30 mins of fiddling to get it working just right. Perhaps it would be better to take a step back and learn some basics about PHP before diving in. Here [w3schools.com...] and here [php.net...]

But as you can see, there are many ways to thwart form spam. The truth is that it really is specific to your website and how it is being abused, and how you want your user experience to be. For example, incrediBILL's solution 1) requires JavaScript enabled for your users and 2) assumes that someone isn't specifically writing a script to hack your form. In the latter case, it would take no more than 30 seconds of looking at the source code to bypass this mechanism. If you are experiencing very basic attacks against your form then this will likely suffice, but again this is a case-by-case thing -- results may vary.

It's best to try to identify how your form is being taken advantage of (e.g. what if it were just actual humans submitting content? extreme, but possible) in order to figure out what solution will suit you best. Experimentation is also a must


 3:15 pm on Jan 13, 2012 (gmt 0)

it would take no more than 30 seconds of looking at the source code to bypass this mechanism.

The simple version I posted, true. But as I stated, it takes about 5 seconds to change the values by adding a multiplier or some other fudge factor and the spammer's code won't work again. I was getting 100s of spams per day, had someone from Romania actively hacking at my forms (I was watching them test it) and they gave up quickly after just a little cat and mouse with this code.

I didn't post all my secrets to thwarting the spammers, but if you insist...

As a matter of fact, you can randomly edit my javascript from the PHP server side and put a completely random fudge factor into the code each time you display the page, so unless they read and parse your source every single time, it won't work.

Basically that session ties a specific value to a specific page being rendered, which is where the hash value also comes into play on my site, the Romanian dude never got past it and he tried for hours :)

Besides, almost every site uses javascript these days in the page layouts, nav menus, and Ajax everywhere. The internet it almost unusable if you don't have it enabled, which is why I don't have any problem using it but the bots sure do!

FYI, people that tried my code have said it stopped the problem dead in it's tracks without all the craziness involved with the majorly complicated solutions everyone else peddles. Sometimes simplicity and obscurity are all you need to kick spam to the curb.


 4:03 pm on Jan 13, 2012 (gmt 0)

you can drop a cookie on their system with javascript as well, and then check if they have the cookie before you submit server-side.
then they will have to allow both cookies and javascript, and hardly any of the easy bots will get past that.

i put a time on my cookie too, and then check how long they took to fill in the form. if its just a matter of seconds then you can disallow it straight away.


 4:14 pm on Jan 13, 2012 (gmt 0)

check if they have the cookie before you submit server-side

This should probably be checked server-side, not via javascript, for it to work best. Otherwise, also a good idea.


 4:29 pm on Jan 13, 2012 (gmt 0)

Also, spam bots are automated programs and use curl (or a curl-like mechanism) and the truly motivated can spoof user agents and set and read cookies.

There is no sales pitch in cleansing and filtering input server side. :-)


 11:22 pm on Jan 14, 2012 (gmt 0)

Thanks, lostdreamer. Can I use that code verbatim, or are there some values that need to be customized?

Thanks, incrediBILL. Looks like a great solution as well. Is that the exact code I can use, or will I need to customize it for the form in question? Also, you mentioned that in order to make it really secure, a multiplier would need to be added. Care to give step-by-step instructions for that?

And I assume that I put the HTML form code either above or below the current form code. Is that right? If not, what is the correct placement?

eelixduppy, I figured that might be the case. Google usually makes things as simple as possible. I might take your advice and become more familiar with PHP via your links. Thanks.

With regard to the server side solution, could you possibly give step-by-step instructions? Thanks.


 9:31 pm on Jan 17, 2012 (gmt 0)

I use the form name, and two hidden fields. One is a time stamp and the other is an md5 hash of the form name, time stamp and another variable like a secret phrase. The md5 cannot be created independently because of the secret phrase which is not part of the form. It verifies that the time stamp and form name or valid and I set a 15 minute time limit on the validity of the form.

That should give the user enough time to fill out the form and the md5 value can't be used past the 15 minute window.

Haven't had a problem with spam since I implemented this.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved