People are posting junk to my web form!

         

someone

3:33 pm on Jun 21, 2005 (gmt 0)

10+ Year Member



I have a simple web form (a couple of textfields and textareas) that puts the info into a mysql database table. I noticed recently that people have been filling it out with junk, for example, advertising their porn shops!

I could do some data checking before it goes into the table but I am having trouble coming up with a pattern to parse the data against, because there are so many different words they could use. Instead of advertising their porn shops, some people could advertise something else. I was wondering how people here go about solving this problem. I would appreciate all your input.

lobo235

3:46 pm on Jun 21, 2005 (gmt 0)

10+ Year Member



When I have a form like this that could be abused I implement a moderating process. When someone submits data I receive an email with the post/comment and a couple links that I can click on to approve/reject the comment/message. It works nice and isn't too much work because I just have to click one of the two links and the script takes care of the rest.

breezeman

7:33 pm on Jun 21, 2005 (gmt 0)

10+ Year Member



If you are using form method="GET" they are able to enter form data without loading the form by just accessing the right URL. In that case use method="POST".

Also include a hidden field with a random number and on receiving the form submit data check the random number to see if the data comes from the form.

lobo235

7:48 pm on Jun 21, 2005 (gmt 0)

10+ Year Member



That random number idea is a good one. I have not heard of doing it that way before but I think I'll implement that on some of my forms.

someone

8:52 pm on Jun 21, 2005 (gmt 0)

10+ Year Member



My form uses the POST method. The link to it is located in the footer of my site so basically everyone can fill it out. It's intended to be a "Contact the webmaster" form. I save the data in the database just for archiving purposes.

I didn't expect that people would abuse the form like they have. And I never thought of validating the form inputs because it's just too broad.

breezeman

10:57 pm on Jun 21, 2005 (gmt 0)

10+ Year Member



Sounds like it's been crawled and is being autosubmitted.

tomda

6:12 am on Jun 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And I never thought of validating the form inputs because it's just too broad.

Well, you should validate the input ALL the time and make a moderating-like system.

VALIDATE
I am sure you have a bunch of functions like this one.


// ALLOW A-Z, a-z, 0-9, space and _
// ********************************
function check_field2($var)
{
    // preg_match returns 1 as soon as one character outside the allowed set is found
    if (!preg_match("/[^A-Za-z0-9_ ]/", $var)) {
        return TRUE;   // only allowed characters present
    } else {
        return FALSE;  // contains something else
    }
}

If yes, always validate the input before entering the data (this will remove all the junk posts which use funny symbols).

MODERATE
Add a field 'auth' in your database.
NULL - rejected
0 - awaiting authorisation
1 - authorised.

Receive an email when a comment has been sent with a direct link to your administrative pages where posts awaiting authorisation are listed. Fast and efficient.
Make a few buttons/boxes (Reject and BAN, Reject, Authorised).
Also, do not forget to make your "ban" database where banned IPs can be stored (you should catch the IP in a hidden field).
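The VALIDATE / MODERATE / BAN flow described in this post (and the approve/reject-by-link idea lobo235 mentioned earlier), put together as an added example. This is not tomda's code: it uses an in-memory SQLite database through PDO so it runs offline from the command line, and the table and column names (`messages`, `banned_ips`, `auth`) are assumptions for illustration.

```php
<?php
// Added example (not tomda's code): validate, store as "awaiting authorisation",
// then authorise / reject / reject-and-ban from the admin page.
// Uses an in-memory SQLite database so the demo runs offline.
declare(strict_types=1);

// Allow only A-Z, a-z, 0-9, space and underscore (same rule as check_field2 above).
function is_clean_field(string $var): bool
{
    return preg_match('/[^A-Za-z0-9_ ]/', $var) !== 1;
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // auth: NULL = rejected, 0 = awaiting authorisation, 1 = authorised
    $db->exec('CREATE TABLE messages (
        id   INTEGER PRIMARY KEY AUTOINCREMENT,
        ip   TEXT NOT NULL,
        name TEXT NOT NULL,
        body TEXT NOT NULL,
        auth INTEGER DEFAULT 0)');
    $db->exec('CREATE TABLE banned_ips (ip TEXT PRIMARY KEY)');
    return $db;
}

function is_banned(PDO $db, string $ip): bool
{
    $st = $db->prepare('SELECT 1 FROM banned_ips WHERE ip = ?');
    $st->execute([$ip]);
    return $st->fetchColumn() !== false;
}

// Store a submission as "awaiting authorisation"; returns the new row id,
// or null when the sender is banned or a field fails validation.
function submit_message(PDO $db, string $ip, string $name, string $body): ?int
{
    if (is_banned($db, $ip) || !is_clean_field($name)) {
        return null;
    }
    $st = $db->prepare('INSERT INTO messages (ip, name, body, auth) VALUES (?, ?, ?, 0)');
    $st->execute([$ip, $name, $body]);
    return (int) $db->lastInsertId();
}

// The three moderator buttons: Authorise, Reject, Reject and BAN.
function authorise(PDO $db, int $id): void
{
    $db->prepare('UPDATE messages SET auth = 1 WHERE id = ?')->execute([$id]);
}

function reject(PDO $db, int $id, bool $ban = false): void
{
    if ($ban) {
        $st = $db->prepare('SELECT ip FROM messages WHERE id = ?');
        $st->execute([$id]);
        $ip = $st->fetchColumn();
        if ($ip !== false) {
            $db->prepare('INSERT OR IGNORE INTO banned_ips (ip) VALUES (?)')->execute([$ip]);
        }
    }
    $db->prepare('UPDATE messages SET auth = NULL WHERE id = ?')->execute([$id]);
}

// What the admin page lists for the moderator.
function pending(PDO $db): array
{
    return $db->query('SELECT id, ip, name, body FROM messages WHERE auth = 0')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with constructed sample data (documentation-range IP addresses).
$db = open_db();
$a = submit_message($db, '203.0.113.5', 'Jane', 'Love the site, thanks!');
$b = submit_message($db, '198.51.100.9', 'Spammer', 'Visit my shop...');
$c = submit_message($db, '198.51.100.9', 'Bad<Name>', 'x');   // fails validation -> null
printf("pending before moderation: %d\n", count(pending($db)));
authorise($db, $a);
reject($db, $b, true);                                         // Reject and BAN
$d = submit_message($db, '198.51.100.9', 'Spammer', 'again'); // banned sender -> null
printf("pending after moderation: %d, banned resubmit dropped: %s\n",
       count(pending($db)), var_export($d === null, true));
```

One caveat on the "catch the IP in a hidden field" step: a hidden field is filled in by the client, so a bot can put any value there. Take the address from `$_SERVER['REMOTE_ADDR']` on the server when you insert the row, as the demo's `$ip` argument stands in for, and treat a hidden-field copy as untrusted.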

someone

8:40 pm on Jun 22, 2005 (gmt 0)

10+ Year Member



If it's been crawled and is being autosubmitted,

wouldn't I be able to put some code in the metadata of that page to disallow all crawling?

Dijkgraaf

12:23 am on Jun 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well the good bots probably wouldn't be autosubmitting, and the bad bots would probably ignore any meta data or robots.txt entries, so probably not.

sara417

2:21 am on Jun 23, 2005 (gmt 0)

10+ Year Member



You could implement this little freebie, I think: [junkeater.com...]

vabtz

2:28 am on Jun 23, 2005 (gmt 0)



None of the solutions presented would solve your problem if it's a bot. Use a CAPTCHA image to ensure it's a human.
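A minimal "prove you're a human" challenge, added here as an example and not vabtz's or junkeater.com's code. It asks a text question (a small sum) instead of serving an image, keeps the expected answer server-side, and consumes the challenge on the first verification attempt. The session is passed in as a plain array so the demo runs from the command line; a real page would use `$_SESSION` after `session_start()`.

```php
<?php
// Added example: a text challenge held in the session. Not the thread's code.
declare(strict_types=1);

// Called when rendering the form: store the expected answer server-side and
// return the question text to print next to an answer field. The answer itself
// never goes to the client.
function issue_challenge(array &$session): string
{
    $a = random_int(1, 50);
    $b = random_int(1, 50);
    $session['challenge_answer'] = $a + $b;
    $session['challenge_issued'] = time();
    return "What is {$a} + {$b}?";
}

// Called on POST. One attempt per challenge: the stored answer is cleared whether
// the check passes or fails, so a script cannot keep guessing against one question.
function verify_challenge(array &$session, string $posted, int $max_age = 600): bool
{
    if (!isset($session['challenge_answer'], $session['challenge_issued'])) {
        return false;                       // form never loaded, or session expired
    }
    $expected = (int) $session['challenge_answer'];
    $issued   = (int) $session['challenge_issued'];
    unset($session['challenge_answer'], $session['challenge_issued']);

    if (time() - $issued > $max_age) {
        return false;                       // stale challenge
    }
    $posted = trim($posted);
    return ctype_digit($posted) && (int) $posted === $expected;
}

// Demo with a constructed session.
$session  = [];
$question = issue_challenge($session);
$answer   = (string) $session['challenge_answer'];   // what a human would work out from the page
echo $question, "\n";
var_dump(verify_challenge($session, $answer));        // first attempt with the right answer
var_dump(verify_challenge($session, $answer));        // same answer again: challenge already consumed
var_dump(verify_challenge($session, '0'));            // nothing issued any more
```

A sum this simple only raises the cost for generic form-stuffing scripts; a script written against your site specifically can solve it. It is cheap to add next to moderation rather than instead of it.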

sara417

3:22 am on Jun 23, 2005 (gmt 0)

10+ Year Member



Actually, the solution right before that post would solve your problem, as www.junkeater.com uses a CAPTCHA image. ;)

moltar

3:55 am on Jun 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you are using form method="GET" they are able to enter form data without loading the form by just accessing the right url. In that case use method="POST"

That's not true. Any form can be reproduced. If the browser can submit it, what stops another program from doing the same?

It's no more than 10 lines of Perl code to submit the POST form.

To stop this you have several options:

  • Moderation
  • CAPTCHA (image, word, or a short problem, e.g. What is 17 + 23?)
  • Rename the form field names to something ambiguous. Don't call them anything that is very obvious and easy for spammers to guess. (E.g. "comment", "url", "email", etc...)
  • Filter by common keywords. Here is a simple, quick algo: Parse the input text. Find all URLs with a regular expression. Check if the URL contains anything suspicious like poker, gambling, viagra, etc...

Remember, spammers are not specifically after your site. They are after 1000s of websites and submit the spam automatically with specially designed programs and scripts. If you make it hard for them, it's not going to be worth the effort, and they just won't bother.
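The "simple, quick algo" from the keyword-filter bullet, written out as an added example (not moltar's code). It pulls URLs out of the submitted text, checks each against a keyword list, and also counts links, since a "contact the webmaster" note rarely needs more than a couple. The keyword list, the link limit and the sample messages are constructed for the demo; the sensible action on a hit is to hold the message for moderation rather than silently drop it.

```php
<?php
// Added example: URL extraction plus keyword check. Not the thread's code.
declare(strict_types=1);

// Constructed keyword list; extend it from what actually lands in your table.
const SUSPICIOUS_WORDS = ['poker', 'gambling', 'viagra', 'casino'];

// Find http(s) URLs and bare "www." hosts in free text.
function extract_urls(string $text): array
{
    preg_match_all('~\b(?:https?://|www\.)[^\s<>"\']+~i', $text, $m);
    return $m[0];
}

// Return the URLs whose text contains a suspicious keyword (empty array = none).
function suspicious_urls(string $text): array
{
    $flagged = [];
    foreach (extract_urls($text) as $url) {
        $lower = strtolower($url);
        foreach (SUSPICIOUS_WORDS as $word) {
            if (strpos($lower, $word) !== false) {
                $flagged[] = $url;
                break;
            }
        }
    }
    return $flagged;
}

// Policy: hold for moderation if any URL matches a keyword, or if there are
// simply too many links for a contact-form message.
function should_hold(string $text, int $max_links = 2): bool
{
    return count(suspicious_urls($text)) > 0 || count(extract_urls($text)) > $max_links;
}

// Constructed sample submissions.
$samples = [
    'Hi, the link on your about page is broken: http://example.com/about',
    'Best odds at http://online-POKER-now.example/ and www.casino.example',
    'Check http://a.example http://b.example http://c.example http://d.example',
];
foreach ($samples as $s) {
    printf("%-5s %s\n", should_hold($s) ? 'HOLD' : 'ok', $s);
}
```

Keyword lists go stale quickly, which is why this is a filter in front of the moderation queue and not a replacement for it: anything held still gets a human look, and a false positive costs a click rather than a lost message.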

Sarah Atkinson

4:40 am on Jun 23, 2005 (gmt 0)

10+ Year Member



Could you append a string of characters to each value in the form itself and then filter for that string of chars, so that if someone enters Jane the value posted might be "9A Jane", then if the $_POST value does not have ^9A it is ignored?

I don't know how you would add that to the value. You might have to use client side scripting for it unless you could do it with plain html.
This might help prevent posts coming in from other places than the form.

Lucifer

4:59 am on Jun 23, 2005 (gmt 0)

10+ Year Member



A PHP class for generating CAPTCHA images:

[phpsector.com...]

-Lucifer

vabtz

5:07 am on Jun 23, 2005 (gmt 0)



=== Could you append a string of characters to each value in the form itself and then filter for that string of chars, so that if someone enters Jane the value posted might be "9A Jane", then if the $_POST value does not have ^9A it is ignored? ===

I don't know of any bots that parse javascript well enough to solve something like that. So yes I suppose that would work if you used javascript.

lobo235

1:00 pm on Jun 23, 2005 (gmt 0)

10+ Year Member



breezeman said:
include a hidden field with a random number and on receiving the form submit data check the random number to see if the data comes from the form

Personally I like this one the best for stopping bots. A variation of this would be to save the random number in a cookie or session. I don't think most bots are smart enough to use cookies, especially if you set the cookie using some javascript.
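breezeman's hidden random number, with lobo235's variation of keeping the server-side copy in the session, as an added example (not either poster's code). Two things differ from a plain random number: the token comes from `random_bytes`, so it cannot be guessed, and it is consumed on the first verification whether it matches or not, so one loaded form yields at most one accepted submission. The session is an array parameter so the demo runs from the command line; a real page would use `$_SESSION` after `session_start()`.

```php
<?php
// Added example: per-form token stored in the session, checked on POST.
// Not the thread's code.
declare(strict_types=1);

// Called when rendering the form: mint a token, remember it, return the hidden field.
function form_token_field(array &$session): string
{
    $token = bin2hex(random_bytes(16));      // 128 random bits, not a guessable number
    $session['form_token']      = $token;
    $session['form_token_time'] = time();
    return '<input type="hidden" name="ft" value="' . $token . '">';
}

// Called on POST: the token must exist, match, and not be stale. It is consumed
// either way, so a replay of a captured submission fails.
function verify_form_token(array &$session, array $post, int $max_age = 3600): bool
{
    if (!isset($session['form_token'], $session['form_token_time'], $post['ft'])) {
        return false;                        // form never loaded, or field missing
    }
    $expected = $session['form_token'];
    $issued   = (int) $session['form_token_time'];
    unset($session['form_token'], $session['form_token_time']);

    if (time() - $issued > $max_age) {
        return false;                        // stale token
    }
    // hash_equals compares in constant time, so the token is not leaked byte by byte.
    return is_string($post['ft']) && hash_equals($expected, $post['ft']);
}

// Demo with a constructed session and constructed POST bodies.
$session = [];
$html = form_token_field($session);
preg_match('/value="([0-9a-f]{32})"/', $html, $m);
$bot_post = ['name' => 'spam', 'ft' => 'guess'];
var_dump(verify_form_token($session, $bot_post));        // wrong token: rejected, token consumed

$html = form_token_field($session);                       // form rendered again: fresh token
preg_match('/value="([0-9a-f]{32})"/', $html, $m);
$good_post = ['name' => 'Jane', 'ft' => $m[1]];
var_dump(verify_form_token($session, $good_post));       // genuine submission
var_dump(verify_form_token($session, $good_post));       // replay of the same POST: token already used
```

As moltar notes above, a script that fetches the form first gets a valid token and a session cookie along with it, so this stops blind POSTs and replays, not a scraper written for your page. It pairs well with the moderation queue for whatever gets through.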