RJM62
Touchdown! Greaser!
Joined: Jun 15, 2007
Messages: 13,157
Location: Upstate New York
Display name: Geek on the Hill
I have put together a halfway decent PHP spam stopper for contact forms. Briefly, this is what it does:
1. Compares the epoch time when the form loaded to the time when the contact form script is called, and kills it if less than eight seconds have transpired. (Robots would probably fill the form in less than eight seconds.)
2. Sets up a bogus captcha trap in an invisible DIV (id "swizzle" in the code posted below). Because robots generally ignore CSS, they will see the field and fill it in. If the value matches a random number generated by the script and presented as if it were a captcha, the script dies.
3. Checks the value of information entered into the bogus captcha field for "http://" or "@". If it contains those strings, the script dies.
4. Gets the client IP address at both the form and the processor stage. If they don't match, the script dies.
A working example of the script can be found at www.rjmwebdesign.com/spamproof.php. Here's code for both pages:
Code for sending (form) page:
HTML:
<?php
$start = time();                 // epoch time when the form was loaded
$captcha = rand();               // random number shown as if it were a captcha
$ip1 = $_SERVER['REMOTE_ADDR'];  // client IP address at the form stage
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Spamproof</title>
<link href="styles/mainstyle.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="form">
<form action="sizzle.php" method="post">
<!-- #swizzle is the trap. mainstyle.css is assumed to hide it (e.g. display: none), so a human never sees the field. -->
<div id="swizzle">
<?php
echo $captcha, '<br />';
echo '<input type="text" name="haha" size="15" />', " ", 'Ignore this field if you are human<br />';
echo '<input type="hidden" name="start" value="', $start, '" /><br />';
echo '<input type="hidden" name="ip1" value="', htmlspecialchars($ip1), '" /><br />';
echo '<input type="hidden" name="captcha" value="', $captcha, '" /><br />';
?>
</div>
<p>
<input type="text" name="stuff" size="25" />
Please write some stuff in the line and take your time. <br />
<input name="submit" type="submit" value="Send" />
</p>
</form>
</div>
</body>
</html>
Here's the PHP for the processing page:
PHP:
<?php
// get current epoch time
$timeNow = time();
// Read the three hidden fields by name. (This replaces the original foreach
// over $_POST and $_GET, which turned every request parameter into a PHP
// variable and let a GET parameter override a POST one.) A missing "start"
// counts as "just now", so an incomplete submission fails the time test.
$start   = isset($_POST['start'])   ? (int) $_POST['start']       : $timeNow;
$ip1     = isset($_POST['ip1'])     ? trim($_POST['ip1'])         : '';
$captcha = isset($_POST['captcha']) ? trim($_POST['captcha'])     : '';
// get IP address
$ip2 = $_SERVER['REMOTE_ADDR'];
// get captcha response
$haha = isset($_POST['haha']) ? trim(stripslashes($_POST['haha'])) : '';
// die if submission is too fast for a human
if ($timeNow - $start < 8)
{
    echo "Test failed. Less than eight seconds elapsed between when you loaded the form and when you submitted it.";
    die;
// die if IP addresses don't match
} elseif ($ip1 !== $ip2)
{
    echo "The IP addresses do not match. Test failed.";
    die;
// die if captcha trap is filled in (strict string comparison; both values are strings)
} elseif ($captcha === $haha)
{
    echo "The invisible captcha form was filled in. Test failed.";
    die;
}
// die if captcha field contains http:// or @
if (stripos($haha, 'http://') !== false || strpos($haha, '@') !== false)
{
    echo "The invisible captcha field contains http:// or @. Test failed.";
    die;
}
// Everything below echoes request data back to the browser, so HTML-escape it first.
$safeCaptcha = htmlspecialchars($captcha, ENT_QUOTES);
$safeHaha    = htmlspecialchars($haha, ENT_QUOTES);
$safeIp1     = htmlspecialchars($ip1, ENT_QUOTES);
$stuff       = isset($_POST['stuff']) ? trim(stripslashes($_POST['stuff'])) : '';
$safeStuff   = htmlspecialchars($stuff, ENT_QUOTES);
echo "<strong>All tests passed!</strong><br /><br />";
echo "<strong>Test 1: Time</strong><br />";
echo "The epoch time when the form was loaded was ", $start, "<br />";
echo "The epoch time when the form was submitted was ", $timeNow, "<br />";
echo "It took ", ($timeNow - $start), " seconds to submit the form. A robot would have been faster.";
echo "<br /><br />";
echo "<strong>Test 2: Captcha Trap</strong><br />";
echo "'", $safeCaptcha, "'", " was the random number generated for the captcha trap.<br />";
echo "'", $safeHaha, "'", " was entered in the captcha trap field.<br />";
echo "Because ", $safeCaptcha, " does not equal ", "'", $safeHaha, "'", ", it doesn't appear that a robot filled this form.";
echo "<br /><br />";
echo "<strong>Test 3: Forbidden Characters</strong><br />";
echo "The value of the invisible string 'haha' is ", "'", $safeHaha, "'", ". It does not contain http:// or @.<br /><br />";
echo "<strong>Test 4: IP Test</strong><br />";
echo "The form was submitted by IP Address ", $safeIp1, "<br />";
echo "The processing script was called by IP Address ", $ip2, "<br />";
echo "The IP addresses match.";
echo "<br /><br />";
echo "Ohh... by the way... here is the stuff you entered: ", $safeStuff;
?>
Comments Welcome.
Best,
Rich
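The four checks above all depend on state (load time, client IP, trap number) that the form carries back in hidden fields, which a robot can edit or omit as freely as any other field. The following is an added example, not code from the post above: it keeps the same four tests and the same eight-second threshold, but packs the state into one hidden token signed with an HMAC, so a submission with a rewritten start time or a forged "ip1" is rejected before the values are even looked at. It assumes PHP 7.0 or later (for random_int) and a server-side key FORM_SECRET that is a placeholder here; the IPs, timestamps and form contents in the self-check are constructed. The IP test keeps the same caveat as the original: a user whose address changes between load and submit (mobile networks, some proxy pools) is rejected, and behind a reverse proxy REMOTE_ADDR is the proxy's address rather than the client's.

```php
<?php
// Added example, not part of the original post: the same four spam checks,
// with the per-form state carried in one HMAC-signed token instead of three
// editable hidden fields. Requires PHP 7.0+ (random_int).
// FORM_SECRET is an assumed placeholder; load a real random key from config.

const FORM_SECRET = 'assumed-placeholder-replace-with-32-random-bytes';
const MIN_SECONDS = 8;      // same threshold as the original script
const MAX_SECONDS = 3600;   // assumption: a form older than an hour must be reloaded

// Form page: returns the token for a hidden field plus the trap number to
// display beside the invisible "haha" input.
function issue_token($client_ip, $now, $secret)
{
    $trap    = (string) random_int(100000, 999999);
    $payload = base64_encode(json_encode(array('t' => $now, 'ip' => $client_ip, 'c' => $trap)));
    $sig     = hash_hmac('sha256', $payload, $secret);
    // base64 never contains '.', so it is a safe separator between payload and signature
    return array('token' => $payload . '.' . $sig, 'trap' => $trap);
}

// Processing page: returns '' when every check passes, otherwise a short
// reason the submission was rejected.
function check_submission(array $post, $client_ip, $now, $secret)
{
    $token = isset($post['token']) ? (string) $post['token'] : '';
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return 'token missing or malformed';
    }
    list($payload, $sig) = $parts;
    // Verify the signature before trusting anything inside the payload.
    // hash_equals compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $sig)) {
        return 'token signature invalid';
    }
    $state = json_decode(base64_decode($payload, true), true);
    if (!is_array($state) || !isset($state['t'], $state['ip'], $state['c'])) {
        return 'token payload invalid';
    }
    // Test 1: elapsed time, measured against a timestamp the client cannot edit.
    $elapsed = $now - (int) $state['t'];
    if ($elapsed < MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'token expired';
    }
    // Test 4: the IP recorded when the form was issued must match the submitting IP.
    if ($state['ip'] !== $client_ip) {
        return 'ip address changed';
    }
    // Tests 2 and 3: the hidden trap field. A human never sees it.
    $haha = isset($post['haha']) ? trim((string) $post['haha']) : '';
    if ($haha === $state['c']) {
        return 'hidden trap filled with the displayed number';
    }
    if (stripos($haha, 'http://') !== false || strpos($haha, '@') !== false) {
        return 'hidden trap contains http:// or @';
    }
    return '';
}

// Self-check with constructed inputs (run with: php spamcheck.php)
if (PHP_SAPI === 'cli') {
    $issued = issue_token('203.0.113.5', 1700000000, FORM_SECRET);
    $human  = array('token' => $issued['token'], 'haha' => '', 'stuff' => 'hello');
    $bot    = array('token' => $issued['token'], 'haha' => $issued['trap']);
    // A robot that rewrites the start time in the payload but cannot re-sign it:
    list($payload, $sig) = explode('.', $issued['token'], 2);
    $state = json_decode(base64_decode($payload, true), true);
    $state['t'] -= 600;
    $forged = array('token' => base64_encode(json_encode($state)) . '.' . $sig, 'haha' => '');

    var_dump(check_submission($human,  '203.0.113.5',  1700000010, FORM_SECRET)); // human, 10 s elapsed, trap empty
    var_dump(check_submission($human,  '203.0.113.5',  1700000003, FORM_SECRET)); // same form, 3 s elapsed
    var_dump(check_submission($bot,    '203.0.113.5',  1700000010, FORM_SECRET)); // trap filled with the shown number
    var_dump(check_submission($human,  '198.51.100.9', 1700000010, FORM_SECRET)); // submitted from a different IP
    var_dump(check_submission($forged, '203.0.113.5',  1700000005, FORM_SECRET)); // tampered start time, stale signature
}
```

Only the first case should come back as an empty string; each of the others is rejected with the reason named in the comment. The form page needs just two hidden fields, the token and the trap number, and the processing page no longer reads "start", "ip1" or "captcha" from the request at all. Treating any non-empty trap value as a robot would be a stricter variant, but the block above keeps exactly the two trap conditions the original uses.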