View Full Version : forms and php security

04-02-2007, 04:08 AM
i have a form (name, email and comments) which is being spammed mercilessly and I dont know what to do as I have image verification, validation and have changed the location of the form several times but spamming hasn't stop!!!

Has anyone got any solution? or give me a valuable advice. thank you.

04-02-2007, 04:23 AM
You would need to post your form code and your form processing code to get specific help with what they are or are not doing.

There are several threads in this and almost every serious programming help forum, that you can search for, that discuss things like email header injection.

Edit: You don't mention javascript, but the validation you do mention is probably using javascript. Here are some recent threads on the subject of form to email abuse -


I even had someone in a different forum post the "ultimate" spam proof form code, but he passed the secret answer in a hidden form field and then blindly compared the entered answer with the secret answer. When both of them were empty (as in a script submitting the data) the test passed and sent the email...

04-02-2007, 02:16 PM
I have one suggestion that is easy to try.

Create another "fake" form on your page, before the "real" form,
and comment it out in your HTML code.

Spammer robots will scan your HTML and see the "fake" form first.
I've discovered that once they find the form, they look no further.

Also, on your "real" form, for your form processing script, don't use
script names such as email.php, formmail.php, etc. Make the
script name cryptic ( "E3d8Uhk.php" ) ... same with your form variable names.

04-02-2007, 03:19 PM
One thing to remember with all these "tricks", is that there are a lot of people in low wage countries that spend their day spamming forms (and get paid to do it). So adding in measures like commented out forms and cryptic filenames won't benefit you all the time.

04-02-2007, 07:39 PM
If your form to email code is written securely, so that nothing bad that is put in a form field makes its' way into the header field to set its own TO:, CC:, BCC:, ... field, then then there is no way for a spammer to send his email through your code. If there is no benefit received, the spammer won't continue to abuse your code and there is no need for any of these "tricks." If you have securely written form to email code, you don't even need a captcha.

04-02-2007, 07:54 PM
They don't look for this benefit. They hardly ever know whether it works or not.

Just the chance of it working is enough.