Securing a Form with PHP

andrewsmd

8:27 pm on Dec 16, 2008 (gmt 0)

I was just wondering if anyone has any good ideas on making sure a human is entering data into your form and not a script/bot. I already implement a CAPTCHA script and check submissions based on IP address and time, i.e. 10 submissions from the same IP in a few seconds. However, I know these can all be hacked. I have read some about putting in a hidden field in my form but have seen mixed reviews. Does anyone have a pseudo example of how they implement a hidden field? Also, any other just general ideas for security would be much appreciated. Thanks.

eelixduppy

10:13 pm on Dec 16, 2008 (gmt 0)



There are some ideas thrown around here in this thread: [webmasterworld.com...]

The whole idea behind the text field is you hide it with CSS so that a normal human wouldn't be able to see it, but you name it something like "email" so a bot thinks to fill it with text. When you check it on the action page it should be empty for a human, and it can be both for a bot, however, odds are it will have something filled in it.

maestrodks

10:18 pm on Dec 19, 2008 (gmt 0)

I have over 20 forms out there, and believe me, the spam battle can be brutal. I use a combination of things which are, at least for the time being, quite successful.

My form handler is phpformmailer which already disallows cc, bcc and special characters. That’s really important.

Since most spam is used for link farming, I've added a bit of code to my form handler which disallows URLs in the fields. This alone eliminated the majority of spam:

$spam = false; // initialise the flag so the test below is always defined
// Flag the submission if any posted field contains an anchor tag or an http: link.
// (The alternation needs a real pipe "|"; the broken bar "¦" never matched anything.)
if (preg_match_all("/<a|http:/i", implode($_POST), $out) > 0) {
    $spam = true;
}
if ($spam == true)
{
    echo "<body bgcolor=#eeeeee><font color=#25383C><center><h3><br><br><br><br><br>This message appears to be spam!<br><br></h3><h4>Use your browser's BACK Button to return to our Contact Page.<br><br>Please remove any links and URLs from the form fields and resubmit your inquiry.</font></h4>";
    exit();
}

My forms have an email verification field. Instead of using email2, I've named that gender, and set the validation so that email must equal gender.

That has left email2 available to use as a juicy hidden field which a bot will most likely fill out. The label and text field are both within div tags. The label should read, “This field must be blank” or something similar. If someone is viewing the page with css turned off in their browser, they will be able to see the hidden field, so it’s important to give them this instruction.

There are two reasons not to use <div visibility="hidden">. For one, the more sophisticated bots understand it. Secondly, although the field is not visible, the space it occupies is, and therefore disrupts the visual flow of the form. Instead, I've created a class in my css which is applied to the div tags surrounding the label and the text field:

.special {
display: none
}

In my form handler, email2 is defined as follows:

// The honeypot: a human never sees email2, so anything in it means a bot filled the form.
$email2 = stripslashes($_POST["email2"]);
if (!empty($email2)) {
    header("Location: url of a fake thank you page"); // replace with the real URL of the fake page
    exit();
}

The fake thank you page appears to be live text, but it is actually a graphic which warns a human non-css viewer who has inadvertently typed in the hidden field that their inquiry appears to be spam, and instructs them to browse back to the form and remove any information from the field labeled, “This field must be blank.”

As I said before, disallowing URLs eliminated the majority of spam; but adding the hidden field knocked it down to zero. Bots are getting better all the time, so I'm sure future modifications will be necessary; but for now, this combination seems to work really well.

Good luck!
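The three checks described in the post above (CSS-hidden honeypot, confirmation field renamed to "gender", and the link filter) combined into one handler function, as an added example that is not maestrodks's own code. Field names follow the post; the sample submissions and the verdict strings are constructed for illustration, and the link regex is widened to also catch https:// links.

```php
<?php
declare(strict_types=1);

// Returns 'ok' for a submission that passes every check, otherwise the name
// of the first check it failed. Returning a verdict instead of echoing or
// redirecting keeps the decision separate from how the page responds to it.
function classify_submission(array $post): string
{
    // Honeypot: "email2" is inside a display:none div, so a human leaves it
    // blank; a bot that fills every input named like an email field trips it.
    if (trim((string) ($post['email2'] ?? '')) !== '') {
        return 'honeypot';
    }

    // Confirmation field: the visible copy is named "gender" (not "email2"),
    // and it must match "email".
    $email   = trim((string) ($post['email'] ?? ''));
    $confirm = trim((string) ($post['gender'] ?? ''));
    if ($email === '' || strcasecmp($email, $confirm) !== 0) {
        return 'mismatch';
    }

    // Link filter over every scalar field. Nested arrays are skipped so that
    // implode() does not turn them into the literal string "Array".
    $text = implode("\n", array_filter($post, 'is_scalar'));
    if (preg_match('/<a\b|https?:\/\//i', $text) === 1) {
        return 'url';
    }

    return 'ok';
}

// Constructed sample submissions: one human, one link-farming bot.
$human = ['email' => 'ann@example.com', 'gender' => 'ann@example.com',
          'email2' => '', 'message' => 'Do you ship to Canada?'];
$bot   = ['email' => 'x@example.net', 'gender' => 'x@example.net',
          'email2' => 'x@example.net',
          'message' => 'cheap <a href="http://example.org/">stuff</a>'];

foreach (['human' => $human, 'bot' => $bot] as $label => $submission) {
    $verdict = classify_submission($submission);
    // A real handler would header('Location: ...') on 'ok' and show a plain
    // explanation otherwise; never echo submitted values back unescaped.
    echo $label, ': ', ($verdict === 'ok' ? 'accepted' : "rejected ($verdict)"), "\n";
}
```

Running the script prints "human: accepted" and "bot: rejected (honeypot)"; remove the bot's email2 value and it is still rejected, this time with "(url)".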

andrewsmd

1:15 pm on Dec 22, 2008 (gmt 0)

I don't hide the hidden fields with the div tag "hidden"; I have always loaded them off of the page, i.e. with a position of like -9999px. How would that view for a user without CSS on?