Yep. That part of the code isn't visible to anyone requesting the page. So, you *can* feel free to include emails or other sorts of passwords into places like that and nobody can see it unless oyu get access to your origional source files. And if they can get to those you might have other problems to worry about first. :)

Just to be complete, although your e-mail address is indeed invisible to spammer robots, this code does not protect your page from being used by spammers, who commonly "hijack" unprotected forms to send their mass mailings. I've seen that happen - all of a sudden, you see your form page get 250,000 hits in a day.

To avoid this, you have to check your e-mailing script to be sure it's being called by your own form:

<?php
// Stop the form being used from an external URL
// Get the referring URL
$referer = $_SERVER['HTTP_REFERER'];
// Get the URL of this page
$this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];
// If the referring URL and the URL of this page match and if there's data coming from a form then do the mailing
if ($_POST & ($referer == $this_url)) {
your e-mailing scripting here
}
else {
your form here
}
?>

After taking all my email links off the web site and using a similar form above, the amount of SPAM has dropped dramtically.

Email links are dead the only issue we have with php forms is wether the user types their own email address correctly.

In my confirmation result page after the form is submitted I display the email address in large characters also in Red which asks the user, was their email address correct?if not they can go back to change the email address without filling the rest of the form.

Would be nice to check if the email address exsists before they submit :)

I keep e-mail links on my sites, I just disguise them from spammer bots with javascript:

<script language=javascript>
<!--
var email = "contact";
var emailHost = "domain-name.com";
document.write("<a href=" + "mail" + "to:" + email + "@" + emailHost+ " class=link>" + email + "@" +emailHost + "</a>");
//-->
</script>

>> HTTP_REFERER

Referrers can be spoofed very easily, though, so check the IP as well: $_SERVER["REMOTE_ADDR"]

Some things I do:
- no mailto hrefs, just forms (as above).
- different email addy in the whois records (it gets mined).
- use a different address when registering for anything online.
- for personal email addy's don't use common terms like 'info', 'support', 'webmaster', 'ebmaster', etc. ;)
- no catch-alls

Thanks to above tips I've reduced the time I spend deleting spam to under two hours a day. :p

check the IP as well: $_SERVER["REMOTE_ADDR"]

Thanks - could you give a little more detail on how to perform this check?

jamesa,

<Referrers can be spoofed very easily>

But the referer will only be spoofed if the "attacker" suspects you're using that method to protect your script. Since they can't see your code, they have know way of knowing for sure, and you could code your script in such a way that it *appears* everything works normally, but the message is never sent on the backend. They'd have no reason to try and spoof the referer.

>> will only be spoofed if the "attacker" suspects

Good reason not to spit out an error that spills the beans like formmail does/did. :)

louponne, scratch that. $_SERVER["REMOTE_ADDR"] won't help here. Lack of sleep, wasn't thinking straight :).

>> does not protect your page from being used by spammers, who commonly "hijack" unprotected forms to send their mass mailings.

That will be the case where the sendTo email address is set via a hidden form variable, like formmail used to do. Then a spammer could just create their own forms using whatever email address(es) they want (and if you referrer check they'd spoof that to get around it). But if the email address is hardcoded in the script then the form is pretty much worthless to the spammer (since the form only sent to the email address hardcoded in the script no matter how the form fields are altered).

Doing the referrer check is still a good idea, though. Easy to implement, added protection.

I tried to implement a referer check on one of my forms today. It seemed to work great but then I tested it with opera (referer logging off) and of course nothing. In theory, it seems like a good security precaution, but in practice it's a little too exclusive for me.

I'm interested in making my forms as secure as possible and I'd love to hear any other techniques or how to refine this one... but my sites are small and my chances of getting hacked fairly slim so I'd really hate to lose real potential customers because of my security measures.

Many thanks, jamesa, for the additional explanations.

if the email address is hardcoded in the script then the form is pretty much worthless to the spammer

Good point.

then I tested it with opera (referer logging off) and of course nothing.

hm- do you really think that's any sort of percentage of users at all?

but my sites are small and my chances of getting hacked fairly slim.

don't believe that - the sites I manage that were hacked run at about 40-50 visits/day.

Your right, besides myself, probably 1.2 opera users/million years come to my site. But since there are legitimate non-hacker user agents with masked or altered referers (I think some firewalls might change the referer), I'm going to take my chances on that one.

Adam