
How do I stop the spam on a form coded in PHP?

   
8:27 am on Jan 12, 2012 (gmt 0)

5+ Year Member



I just took over a site coded in PHP. I simply needed to do some easy updates to a form and upload the site to the owner's own hosting account.

Since the owner sent out an email announcing that the form was going live on the site, they have received many bogus form submissions. What coding can I add to the form that will prevent this from happening. There have been some double submissions, so I'm guessing the spammers are using software to do this.

Will reCaptcha work? I checked the installation instructions, and it looks like you need to know a bit of PHP to do it (I normally just install reCaptcha on the Wordpress sites that I create as a plugin, which is a very easy three step process).

Any suggestions or a step by step instruction on how to stop the spam?

Thanks.
1:34 pm on Jan 12, 2012 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member



>> Will reCaptcha work?

Sure. Here's a guide to get you started...

[code.google.com...]
3:15 pm on Jan 12, 2012 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



One thing that you could try is to include an extra text box, and then hide it with CSS. A human won't see it, so it will be empty, but a bot will most likely fill it in. So if that field returns some content, you can just reject the submission straight away.
4:38 pm on Jan 12, 2012 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



First you should try and halt it on the back end; captchas and front end challenge boxes are a workaround and create one more challenge to your legitimate users. I was asked yesterday to add a captcha to a Wordpress site. The spam kept a comin' . . .

One thread [webmasterworld.com] on filtering cleansed data server side with PHP. I'm presuming like most form spam, it's a link dropping scheme - the second post in that thread shows one decent way to slow it down.

Another thread [webmasterworld.com] discussing form abuse prevention in general. Front end challenge/responses are discussed deeply in this thread ("What is the sum of five plus seven?")
8:57 am on Jan 13, 2012 (gmt 0)

5+ Year Member



Thanks, eelixduppy. I saw that. I'm new to PHP, so I figured I would ask for a more step-by-step instruction.

That sounds like a good idea, londrum. What would be the coding for that?

Thanks, rocknbil. I'll try your fix as well.
1:14 pm on Jan 13, 2012 (gmt 0)



For a hidden input field, you'll only have to do something like this:

In your stylesheet:
_________
/* hides the honeypot field from human visitors */
input.invis {
display:none;
}
_________


in your HTML form:
_________
<!-- honeypot: a real visitor never sees this field, so it should come back empty -->
<input type="text" name="spamtest" class="invis">
_________


in the PHP script that processes the form:
something like:
_________
<?php
// reject the submission if the hidden honeypot field came back with a value
if (isset($_POST['spamtest']) && $_POST['spamtest'] !== "") {
    exit("Please don't spam me");
}
?>
_________

Good luck
1:41 pm on Jan 13, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I posted a solution that uses a little javascript and PHP to solve the problem toward the end of the thread linked below. The code checks for keystrokes in the browser. No keystrokes, no humans, therefore post can be discarded and automated spam is whacked.

[webmasterworld.com...]

Simple, effective, been working for me for years.

Enjoy.
2:12 pm on Jan 13, 2012 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member




>> a more step-by-step instruction
I'm afraid that is a pretty straightforward tutorial on how to add reCAPTCHA to a website. Anything additional would have to require detailed knowledge of the actual scripts on your website. Probably shouldn't take more than 30 mins of fiddling to get it working just right. Perhaps it would be better to take a step back and learn some basics about PHP before diving in. Here [w3schools.com...] and here [php.net...]

But as you can see, there are many ways to thwart form spam. The truth is that it really is specific to your website and how it is being abused, and how you want your user experience to be. For example, incrediBILL's solution 1) requires JavaScript enabled for your users and 2) assumes that someone isn't specifically writing a script to hack your form. In the latter case, it would take no more than 30 seconds of looking at the source code to bypass this mechanism. If you are experiencing very basic attacks against your form then this will likely suffice, but again this is a case-by-case thing -- results may vary.

It's best to try to identify how your form is being taken advantage of (e.g. what if it were just actual humans submitting content? extreme, but possible) in order to figure out what solution will suit you best. Experimentation is also a must.
3:15 pm on Jan 13, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



>> it would take no more than 30 seconds of looking at the source code to bypass this mechanism.
The simple version I posted, true. But as I stated, it takes about 5 seconds to change the values by adding a multiplier or some other fudge factor and the spammer's code won't work again. I was getting 100s of spams per day, had someone from Romania actively hacking at my forms (I was watching them test it) and they gave up quickly after just a little cat and mouse with this code.

I didn't post all my secrets to thwarting the spammers, but if you insist...

As a matter of fact, you can randomly edit my javascript from the PHP server side and put a completely random fudge factor into the code each time you display the page, so unless they read and parse your source every single time, it won't work.

Basically that session ties a specific value to a specific page being rendered, which is where the hash value also comes into play on my site, the Romanian dude never got past it and he tried for hours :)

Besides, almost every site uses javascript these days in the page layouts, nav menus, and Ajax everywhere. The internet is almost unusable if you don't have it enabled, which is why I don't have any problem using it but the bots sure do!

FYI, people that tried my code have said it stopped the problem dead in its tracks without all the craziness involved with the majorly complicated solutions everyone else peddles. Sometimes simplicity and obscurity are all you need to kick spam to the curb.
4:03 pm on Jan 13, 2012 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



You can drop a cookie on their system with javascript as well, and then check if they have the cookie before you submit server-side.
Then they will have to allow both cookies and javascript, and hardly any of the easy bots will get past that.

I put a time on my cookie too, and then check how long they took to fill in the form. If it's just a matter of seconds then you can disallow it straight away.
4:14 pm on Jan 13, 2012 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member



>> check if they have the cookie before you submit server-side
This should probably be checked server-side, not via javascript, for it to work best. Otherwise, also a good idea.
4:29 pm on Jan 13, 2012 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Also, spam bots are automated programs and use curl (or a curl-like mechanism) and the truly motivated can spoof user agents and set and read cookies.

There is no sales pitch in cleansing and filtering input server side. :-)
11:22 pm on Jan 14, 2012 (gmt 0)

5+ Year Member



Thanks, lostdreamer. Can I use that code verbatim, or are there some values that need to be customized?

Thanks, incrediBILL. Looks like a great solution as well. Is that the exact code I can use, or will I need to customize it for the form in question? Also, you mentioned that in order to make it really secure, a multiplier would need to be added. Care to give step-by-step instructions for that?

And I assume that I put the HTML form code either above or below the current form code. Is that right? If not, what is the correct placement?

eelixduppy, I figured that might be the case. Google usually makes things as simple as possible. I might take your advice and become more familiar with PHP via your links. Thanks.

With regard to the server side solution, could you possibly give step-by-step instructions? Thanks.
9:31 pm on Jan 17, 2012 (gmt 0)

5+ Year Member



I use the form name, and two hidden fields. One is a time stamp and the other is an md5 hash of the form name, time stamp and another variable like a secret phrase. The md5 cannot be created independently because of the secret phrase which is not part of the form. It verifies that the time stamp and form name are valid and I set a 15 minute time limit on the validity of the form.

That should give the user enough time to fill out the form and the md5 value can't be used past the 15 minute window.

Haven't had a problem with spam since I implemented this.
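As an added example (not code posted by anyone in this thread), here is a self-contained PHP version of the signed-timestamp approach in the post above, combined with the CSS-hidden honeypot field from earlier in the thread and a minimum fill-time check like londrum's cookie timer, all verified server-side. The function names, the `FORM_SECRET` placeholder, the form name `contact`, the field names and the 5-second minimum are assumptions for this illustration; `hash_hmac()` with SHA-256 is used in place of a plain md5 concatenation (same idea, but keyed), and `hash_equals()` does the comparison.

```php
<?php
// Added example for this thread, not any poster's production code.
// Secret lives only on the server; placeholder value, keep the real one out of the web root.
const FORM_SECRET   = 'replace-with-a-long-random-secret';
const FORM_MAX_AGE  = 15 * 60; // seconds a rendered form stays valid (15 minutes, as in the post)
const FORM_MIN_FILL = 5;       // assumed: faster than this is treated as automated

// Token binding the form name and render time to the secret.
// Keyed HMAC rather than md5(name . ts . secret); an attacker without the secret cannot forge it.
function form_token(string $formName, int $timestamp): string {
    return hash_hmac('sha256', $formName . '|' . $timestamp, FORM_SECRET);
}

// Hidden inputs to print inside the <form>. "website" is the honeypot hidden with CSS
// (class "invis" as in the earlier post); a human never sees it, so it comes back empty.
function form_hidden_fields(string $formName, int $now): string {
    $h = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_name" value="' . $h($formName) . '">' . "\n"
         . '<input type="hidden" name="ts" value="' . $now . '">' . "\n"
         . '<input type="hidden" name="token" value="' . $h(form_token($formName, $now)) . '">' . "\n"
         . '<input type="text" name="website" class="invis" autocomplete="off" tabindex="-1">';
}

// Returns null when the submission passes, otherwise a short reason for the log.
// Show the visitor a generic message rather than the reason.
function form_reject_reason(array $post, int $now, string $expectedForm): ?string {
    foreach (['form_name', 'ts', 'token'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return "missing $k";
        }
    }
    if ($post['form_name'] !== $expectedForm) {
        return 'wrong form name';
    }
    if (!ctype_digit($post['ts'])) {
        return 'bad timestamp';
    }
    $ts = (int) $post['ts'];
    // Constant-time comparison; a mismatch means ts or form_name was tampered with.
    if (!hash_equals(form_token($expectedForm, $ts), $post['token'])) {
        return 'token mismatch';
    }
    $age = $now - $ts;
    if ($age < 0 || $age > FORM_MAX_AGE) {
        return 'form expired';          // replayed token outside the 15 minute window
    }
    if ($age < FORM_MIN_FILL) {
        return 'submitted too fast';    // a human needs more than a few seconds
    }
    if (isset($post['website']) && $post['website'] !== '') {
        return 'honeypot filled';
    }
    return null;
}

// Demo with constructed submissions when run from the command line.
if (PHP_SAPI === 'cli') {
    $rendered = 1700000000;              // constructed "page rendered" time
    echo form_hidden_fields('contact', $rendered), "\n\n";

    // What a browser would post back for the fields generated above.
    $good = ['form_name' => 'contact', 'ts' => (string) $rendered,
             'token' => form_token('contact', $rendered), 'website' => ''];

    // Array union (+) keeps the left-hand value for duplicate keys, so each case
    // overrides one field of the good submission.
    $cases = [
        'human, 40s later'      => [$good, $rendered + 40],
        'bot, instant submit'   => [$good, $rendered + 1],
        'bot, filled honeypot'  => [['website' => 'http://example.invalid'] + $good, $rendered + 40],
        'replayed after 20 min' => [$good, $rendered + 20 * 60],
        'forged timestamp'      => [['ts' => (string) ($rendered + 600)] + $good, $rendered + 40],
    ];
    foreach ($cases as $label => [$post, $now]) {
        $reason = form_reject_reason($post, $now, 'contact');
        printf("%-24s %s\n", $label, $reason === null ? 'accepted' : "rejected ($reason)");
    }
}
```

Run it with `php` from the command line to see the rendered hidden fields and which constructed submissions are rejected and why. In a real page you would call `form_hidden_fields('contact', time())` while rendering the form and `form_reject_reason($_POST, time(), 'contact')` at the top of the script that processes it, logging the reason and stopping before anything is emailed or stored.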