This is a bone of contention amongst programmers; captcha doesn't always work, yes it helps, but captcha is useless if the bot/spammer/hacker goes via the command line, and totally circumvents the form itself.
Realistically, you need to code the form properly, and make sure that you have relevant measures in place that filter out user input, then if this isn't met, redirect to the form with the errors that are caught.
ABOVE all make sure that the email headers can't be manipulated, as one email could turn into thousands.
Though if you do want captcha, just google it, there are loads of tutorials out there that can help you.
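As an added example (not part of the original posts), here is one way to do the server-side filtering and header protection described above. The thread names no language, so Python, the field names, the addresses and the limits are all assumptions. The check runs on every POST, whether or not it came through the form.

```python
import re
from email.message import EmailMessage

SITE_FROM = "webform@example.com"   # assumption: fixed sender address
SITE_TO = "owner@example.com"       # assumption: fixed recipient, never taken from input
MAX_LEN = {"name": 80, "email": 254, "subject": 120, "body": 5000}
SINGLE_LINE = ("name", "email", "subject")
LINE_BREAKS = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed sample submissions (not real traffic).
GOOD = {"name": "Alice", "email": "alice@example.org",
        "subject": "Quote request", "body": "Hello,\nplease call me."}
INJECTED = dict(GOOD, email="alice@example.org\r\nBcc: a@example.net, b@example.net")

def validate(form):
    """Check every field server-side; returns (clean, errors)."""
    clean, errors = {}, {}
    for field, limit in MAX_LEN.items():
        value = str(form.get(field, "")).strip()
        if not value:
            errors[field] = "required"
        elif len(value) > limit:
            errors[field] = "too long"
        elif field in SINGLE_LINE and LINE_BREAKS.search(value):
            # A CR/LF here would start a new header line (extra To/Cc/Bcc).
            errors[field] = "line breaks and control characters are not allowed"
        elif field == "email" and not EMAIL_RE.fullmatch(value):
            errors[field] = "not a valid address"
        else:
            clean[field] = value
    return clean, errors

def build_message(clean):
    """Recipients are fixed; user input only reaches Reply-To, Subject and the body."""
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = SITE_TO
    msg["Reply-To"] = clean["email"]
    msg["Subject"] = clean["subject"]
    msg.set_content(f"Sender name: {clean['name']}\n\n{clean['body']}")
    return msg

def handle_post(form):
    """Redisplay the form with the caught errors, or hand back a message to send."""
    clean, errors = validate(form)
    if errors:
        return "redisplay_form", errors
    return "send", build_message(clean)
```

Multi-line input is allowed only in the body, which never becomes a header.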
Agrees. Just say no to CAPTCHA. IMO it's a patch to solve a problem not fully understood by many programmers. I have never needed to use one.
Scratch that - I needed it once. A second programmer was brought in on a project and convinced the client we needed a captcha. I said we didn't. Suddenly we got *one* spam that got through my filters. One, and it never came back. He'd gone in and looked at my code, figured out how to pass a rare pattern through it, logged in via proxy to a hacked Asian server, and submitted it to prove who is the BMOC. I couldn't prove it, so now the site has an unnecessary user barrier. LOL
We have a parallel conversation [webmasterworld.com] going on that will be of use to you, see comments and links in that thread.
>>I said we didn't. Suddenly we got *one* spam that got through my filters
I would love to know what that was...
Haha, I have to admit, I have a captcha script that I cobbled together one afternoon to see if there was any difference in having it there as an option, then I got a few people at work saying, I can't get past that dang picture - "Well how secure do you want this" was my reply, my point is, captchas can be too difficult to read, at least choose a font & background distractions that don't make the actual chars difficult to read!
And secondly, you will never please all of the people all of the time :)