  1. #1
    New Coder
    Join Date
    Dec 2010
    Location
    UK
    Posts
    67
    Thanks
    15
    Thanked 0 Times in 0 Posts

    Spam on contact form

    Hi Guys,

    I was hoping someone could help with this, our site is currently receiving no end of spam at the moment! I have very limited space to put a captcha code (and don't really know how these work) so have instead entered a form field...

    what colour is an orange?

    If the user enters orange then the form is sent; if not, a pop-up will open prompting the user to answer the question.

    The problem is this simply does not work! Perhaps the bots can answer this question, but for whatever reason I need a really good way of blocking the spam.

    Any suggestions?

    Here is the code I'm using...

    <form id="form1" name="form" method="post" action="form.php" onsubmit="return validateForm();">

    <label>Name
    <span class="small">Required</span>
    </label>
    <input type="text" name="name" id="name">

    <label>Email
    <span class="small">Required</span>
    </label>
    <input type="text" name="email" id="email">

    <label>Phone Number<span class="small"> Required</span></label>
    <input type="text" name="phone" id="phone">

    <label>Enquiry <span class="small">Your message</span></label>
    <textarea name="message" cols="4" rows="2" id="message"></textarea>

    <label for="verify">What color is an orange? <span class="small">Required</span></label>
    <input type="text" name="verify" id="verify" value="" size="22" tabindex="1" onchange="javascript:this.value=this.value.toLowerCase();" />

    <button type="submit">Send message</button>

    </form>
    Many thanks in advance!

  • #2
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    A small point, but you could ask 'What colour is a lemon?' Ans: Yellow!

    I don't know how these bot-things work but, I suppose, if the answer is within the client-side script then it might find it..?

    If they're clever I suppose, also, that it could look for questions beginning 'What colour is..' and just guess a number of times.
    "I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
    Validate your HTML and CSS

  • Users who have thanked AndrewGSW for this post:

    designedbyria (05-16-2011)

  • #3
    Banned
    Join Date
    Feb 2011
    Posts
    2,699
    Thanks
    13
    Thanked 395 Times in 395 Posts
    Imo question/answer type captchas are one of the weakest you can use because all a hacker has to do is continually load your form to eventually get all if not most of the questions and then program the bot to provide the correct answer depending on the question it gets.

    Imo one of the better freebie, fairly easy to integrate captchas is reCaptcha.
    I used it before building my own captcha.

    But if you don't want to use a captcha, one thing you can do that should stop much of the spam is:

    1) add an empty hidden input textbox in your form. People users won't see it but bots probably will and so will enter some string into it.

    2) in your form processing script, first check if any data has been sent in the hidden text box. If it has then abort the rest of the processing of the server side script. If it is empty, then hopefully a human submitted the form.

    As I said, this won't guarantee all spam will be blocked but it should block much of it.



  • Users who have thanked bullant for this post:

    designedbyria (05-16-2011)

  • #4
    New Coder
    Join Date
    Dec 2010
    Location
    UK
    Posts
    67
    Thanks
    15
    Thanked 0 Times in 0 Posts
    Hi Andrew,

    That's what I was worrying about! These bots are clever, and although I don't have a clue how they work, I think they will find a way. Once they've found a site they know they can spam on they will keep doing it!

    I like your suggestion about the lemon though, that makes much more sense! I will give that a go and also add a few invisible form fields, then somehow if these fields have been filled I will know it's a bot - just need to find a way of preventing the form from sending if this is the case...

    I read about that somewhere...

  • #5
    New Coder
    Join Date
    Dec 2010
    Location
    UK
    Posts
    67
    Thanks
    15
    Thanked 0 Times in 0 Posts
    Bullant you read my mind! That's exactly what I'm gonna do! If that doesn't work I'll take a look at the reCaptcha suggested. I guess I'll just rejig the form in some way to allow for space if that happens. I don't like Captchas but if they work they work. I guess this will pretty much be trial and error...

  • #6
    Master Coder
    Join Date
    Dec 2007
    Posts
    6,682
    Thanks
    436
    Thanked 890 Times in 879 Posts
    Quote: Originally posted by designedbyria
    Hi Guys,

    I was hoping someone could help with this, our site is currently receiving no end of spam at the moment! I have very limited space to put a captcha code (and don't really know how these work) so have instead entered a form field...

    what colour is an orange?

    If the user enters orange then the form is sent; if not, a pop-up will open prompting the user to answer the question.

    The problem is this simply does not work! Perhaps the bots can answer this question, but for whatever reason I need a really good way of blocking the spam.

    Any suggestions?

    Here is the code I'm using...



    Many thanks in advance!
    If you validate data only using JavaScript and not on the server side, in form.php, there is no need to answer any question; they just send a POST request to form.php with a few pieces of information extracted from your form.

    Best regards

  • #7
    Banned
    Join Date
    Feb 2011
    Posts
    2,699
    Thanks
    13
    Thanked 395 Times in 395 Posts
    Quote: Originally posted by designedbyria
    Bullant you read my mind! That's exactly what I'm gonna do! If that doesn't work I'll take a look at the reCaptcha suggested. I guess I'll just rejig the form in some way to allow for space if that happens. I don't like Captchas but if they work they work. I guess this will pretty much be trial and error...
    No problem

    Also, try to make the hidden input look as legitimate as possible in terms of the name you give it so that if a hacker looks at your html source, the purpose of the hidden input doesn't become obvious. And maybe use css to hide the input instead of using type="hidden"

  • Users who have thanked bullant for this post:

    designedbyria (05-16-2011)

  • #8
    New Coder
    Join Date
    Dec 2010
    Location
    UK
    Posts
    67
    Thanks
    15
    Thanked 0 Times in 0 Posts
    Right... I'm getting in a bit of a mess here, I have created an invisible form field using an online guide I found...

    <form id="form" name="form" method="post" action="form.php">

    <label>First Name
    <span class="small">
    Required</span></label>
    <input name="first_name" type="text" id="first_name" />

    <label>Surname
    <span class="small">
    Required</span></label>
    <input name="last_name" type="text" id="last_name" />

    <label>Email<span class="small"> Required</span></label>
    <input name="email" type="text" id="email" />
    <label>Phone Number<span class="small"> Required</span></label>
    <input name="telephone" type="text" id="telephone" />
    <label>Enquiry<span class="small"> Required</span></label>
    <textarea name="comments" id="comments"></textarea>
    <!-- The following field is for robots only, invisible to humans: -->
    <p class="robotic" id="pot">
    <label>If you're human leave this blank:</label>
    <input name="emailconfirm" type="text" id="emailconfirm" class="robotest" />
    </p>
    <p>
    <input type="submit" value="Send Message" class="submit" />
    </p>
    </form>
    This works, as I can easily work out how to hide elements using CSS. I'm getting in a mess with the PHP. When filling out the form an error, "complete all fields", shows - and obviously this is not what we want. I have amended the original PHP file to this...

    <?php
    if(isset($_POST['email'])) {

    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "you@yourdomain.com";
    $email_subject = "Your email subject line";


    function died($error) {
    // your error code can go here
    echo "We are very sorry, but there were error(s) found with the form you submitted. ";
    echo "These errors appear below.<br /><br />";
    echo $error."<br /><br />";
    echo "Please go back and fix these errors.<br /><br />";
    die();
    }

    // validation expected data exists
    if(!isset($_POST['first_name']) ||
    !isset($_POST['last_name']) ||
    !isset($_POST['email']) ||
    !isset($_POST['telephone']) ||
    !isset($_POST['comments'])) {
    died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $comments = $_POST['comments']; // required
    $email_message .= "First Name: ".($first_name)."\n";
    $email_message .= "Last Name: ".($last_name)."\n";
    $email_message .= "Email: ".($email_from)."\n";
    $email_message .= "Telephone: ".($telephone)."\n";
    $email_message .= "Comments: ".($comments)."\n";
    $robotest = $_POST['emailconfirm'];
    if($robotest)
    $error = "There has been an error, please try again.";
    else{
    if($from_name && $from_email && $message){
    $header = "From: $from_name <$from_email>";
    if(mail($to, $subject, $message, $header))
    $success = "Thank you for contacting our Bristol office, your message has sent!";
    else
    $error = "Sorry there was a problem sending the e-mail. Please try again.";
    }else
    $error = "All fields are required.";
    }
    if($error)
    echo '<div class="msg error">'.$error.'</div>';
    elseif($success)
    echo '<div class="msg success">'.$success.'</div>';
    }
    ?>
    I know it's a tall order but if any one can spot my mistake(s) that would be an enormous help! I've been looking at it for so long now and getting nowhere! If anything I'm making things worse!

    Thanks!

  • #9
    New Coder
    Join Date
    Dec 2010
    Location
    UK
    Posts
    67
    Thanks
    15
    Thanked 0 Times in 0 Posts
    I've sorted it out now. I made that harder than it needed to be! Thanks for all your help!

  • #10
    Master Coder
    Join Date
    Dec 2007
    Posts
    6,682
    Thanks
    436
    Thanked 890 Times in 879 Posts
    Quote: Originally posted by designedbyria
    I've sorted it out now. I made that harder than it needed to be! Thanks for all your help!
    No, it is not harder at all; it is useless, and you didn't solve the problem because the validation in form.php is missing. A simple POST request to your form.php with all the names of the form filled in, including the 'invisible' one, will pass and you will get a mail.
    Edit: to make one thing clear, the bots usually don't use your form to submit data; they jump directly to the script named in the action attribute of your form.


    best regards
    Last edited by oesxyl; 05-16-2011 at 04:31 PM.

  • #11
    Banned
    Join Date
    Feb 2011
    Posts
    2,699
    Thanks
    13
    Thanked 395 Times in 395 Posts
    Quote: Originally posted by oesxyl
    No, it is not harder at all; it is useless
    No it's not useless at all. If the hidden input has been filled in then you know it was filled in by a bot. If it is empty, then the form is more likely to have been submitted by a human.

    The server side script needs to validate all incoming data whether it came from an associated input form or not.

    From earlier

    But if you don't want to use a captcha, one thing you can do that should stop much of the spam is:

    1) add an empty hidden input textbox in your form. People users won't see it but bots probably will and so will enter some string into it.

    2) in your form processing script, first check if any data has been sent in the hidden text box. If it has then abort the rest of the processing of the server side script. If it is empty, then hopefully a human submitted the form.

    As I said, this won't guarantee all spam will be blocked but it should block much of it

  • #12
    Banned
    Join Date
    Feb 2011
    Posts
    2,699
    Thanks
    13
    Thanked 395 Times in 395 Posts
    Quote: Originally posted by designedbyria
    I've sorted it out now. I made that harder than it needed to be! Thanks for all your help!
    You're welcome, but I have a few concerns about your code.

    <label>If you're human leave this blank:</label>
    <input name="emailconfirm" type="text" id="emailconfirm" class="robotest" />
    I'm not sure why you need the label at all. It provides hackers with a clue that you might have hidden fields in your form.

    I would have an email confirm input as part of the normal form to make users confirm their email address.

    I wouldn't name any inputs with names like "robotest" which essentially tell hackers that input's purpose is to try to stop spam. Use names that appear to be related to the rest of the form.

    PHP Code:
    $robotest = $_POST['emailconfirm'];
    if($robotest)
    This code only checks for the existence of $robotest and not if there is something entered in it. Even if it is empty, as would be the case when a human submits the form, the test condition will evaluate to true. You can use empty() to check if a bot entered anything into the hidden input.

  • #13
    Regular Coder
    Join Date
    Apr 2006
    Posts
    111
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Every time the user submits you want to run a function that adds the value 1 to a variable. In the if statement to process the form, you want to have the if say if ($variable == 0) {

    Then you could just have a 30 second timer to set it back from 1 to 0.

    You could also store a cookie and use it as identification, or use sessions.

    That way if he submits, it creates a cookie using his data and then you can check for the cookie. The javascript method works too, but you have to run both the java file and the php file for the same form.

    Java would look like this:

    Code:
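    var $ = function (id) {
     return document.getElementById(id);
    }

    var timer = 0;   // 1 while a second click is blocked
    var timer2 = 0;  // seconds counted since the first click

    // Counts the 30 seconds. Renamed from timer(), which clashed with the flag above.
    var tick = function () {
     if (timer == 1) {
      timer2 = timer2 + 1;
      if (timer2 == 30) {
       timer = 0;
       timer2 = 0;
      }
     }
    }

    var addtotimer = function () {
     if (timer == 1) {
      alert("You cannot click twice!");
      // location is a property to assign to, not a function to call
      window.location.href = "theform.php";
     }
     if (timer == 0) {
      timer = timer + 1;
     }
    }

    // Pass the function itself rather than a string to evaluate
    setInterval(tick, 1000);

    window.onload = function () {
     $("submit").onclick = addtotimer;
    }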
    I think you should just make it for logged in users :/
    Last edited by SKY-ProToSs; 05-17-2011 at 02:43 AM.

  • #14
    New Coder
    Join Date
    Dec 2010
    Location
    UK
    Posts
    67
    Thanks
    15
    Thanked 0 Times in 0 Posts
    Wow and I thought it was sorted! Thank you all for your comments but now if I'm 100% honest I'm completely confused...

    I changed the code from what I last posted – here is the code for the form...

    <div id="stylized" class="myform">
    <form id="form" name="form" method="post" action="form.php">
    <label>Name</label>
    <input name="name" type="text" id="name" />

    <label>Email</label>
    <input name="email" type="text" id="email" />

    <label>Telephone Number</label>
    <input name="number" type="text" id="number" />
    <label>Message</label>
    <textarea name="message" rows="2" id="message"></textarea>
    <!-- The following field is for robots only, invisible to humans: -->
    <p class="robotic" id="pot">
    <label>If you're human leave this blank:</label>
    <input name="robotest" type="text" id="robotest" class="robotest" />
    </p>
    <input type="submit" value="Send Message" class="submit" />
    </form>
    </div>
    and this is the PHP...

    <?php
    if($_POST){
    $to = 'email@here.co.uk';
    $subject = 'Bristol Contact Form Submission';
    $error = '';
    $success = '';
    // Read each value from the field name used in the form above
    $from_name = isset($_POST['name']) ? $_POST['name'] : '';
    $from_email = isset($_POST['email']) ? $_POST['email'] : '';
    $from_phone = isset($_POST['number']) ? $_POST['number'] : '';
    $enquiry = isset($_POST['message']) ? $_POST['message'] : '';
    $message = "MESSAGE".$enquiry."\nNUMBER".$from_phone."\n";

    $robotest = isset($_POST['robotest']) ? $_POST['robotest'] : '';
    if($robotest)
    $error = "Sorry there has been an error.";
    else{
    // Test the submitted enquiry text; $message is never empty once the labels are added
    if($from_name && $from_email && $enquiry){
    $header = "From: $from_name <$from_email>";
    if(mail($to, $subject, $message, $header))
    $success = "Your message was sent!";
    else
    $error = "There was a problem sending your message. Please try again.";
    }else
    $error = "All fields are required.";
    }
    if($error)
    echo '<div class="msg error">'.$error.'</div>';
    elseif($success)
    echo '<div class="msg success">'.$success.'</div>';
    }
    ?>
    Right now I'm going to take your advice and change the form label and tags etc. Probably to something like "confirm" I guess?

    How would I add validation in the PHP? Or is this not needed?

    Sorry very confused...

  • #15
    Banned
    Join Date
    Feb 2011
    Posts
    2,699
    Thanks
    13
    Thanked 395 Times in 395 Posts
    Like I said before

    I'm not sure why you need the label at all. It provides hackers with a clue that you might have hidden fields in your form.
    ...
    ...
    I wouldn't name any inputs with names like "robotest" which essentially tell hackers that input's purpose is to try to stop spam. Use names that appear to be related to the rest of the form.
    With

    Code:
    <label>If you're human leave this blank:</label>
                <input name="robotest" type="text" id="robotest" class="robotest" />
    Imo you are wasting your time trying to stop spam because if I was a hacker I would see what you are doing by simply viewing your page source. I don't see any point in playing with this code until you change the above in your code.

    Regarding

    How would I add validation in the php? or is this not needed?
    I'm surprised you ask that because it shows you haven't read the previous posts where oesxyl and I both say server side (php) validation is required and I suggested one way of doing it earlier.
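
A server-side version of the checks discussed in this thread (honeypot first, then required fields and e-mail format), added here as an example; it is not code from any poster. Field names follow the form in post #14, while the honeypot name `website` and the example.com addresses are assumptions.

```php
<?php
// Added example (not code from this thread): server-side checks for form.php.
// Assumed names: honeypot field "website" and both example.com addresses.
const HONEYPOT = 'website'; // text input hidden with CSS; humans leave it empty

// Returns ['ok' => bool, 'errors' => string[], 'clean' => array].
function check_submission(array $post): array
{
    // Anything in the honeypot: stop before doing any other processing.
    $trap = $post[HONEYPOT] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return ['ok' => false, 'errors' => ['honeypot filled'], 'clean' => []];
    }
    $clean = $errors = [];
    foreach (['name', 'email', 'number', 'message'] as $field) {
        $value = $post[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
        if ($clean[$field] === '') {
            $errors[] = "$field is required";
        }
    }
    if ($clean['email'] !== '' && !filter_var($clean['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is not valid';
    }
    // Single-line fields must not carry line breaks into the mail.
    foreach (['name', 'number'] as $field) {
        $clean[$field] = preg_replace('/[\r\n]+/', ' ', $clean[$field]);
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

function send_enquiry(array $c): bool
{
    $body = "Name: {$c['name']}\nEmail: {$c['email']}\n"
          . "Number: {$c['number']}\n\n{$c['message']}\n";
    // Fixed From address; the validated visitor address goes in Reply-To only.
    $headers = "From: website@example.com\r\nReply-To: {$c['email']}";
    return mail('enquiries@example.com', 'Contact form submission', $body, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed submissions, so the checks can be tried without a web server.
    $samples = [
        'human' => ['name' => 'Ann', 'email' => 'ann@example.org',
                    'number' => '0117 000 0000', 'message' => 'Hello', 'website' => ''],
        'bot fills every field' => ['name' => 'x', 'email' => 'x@example.org',
                    'number' => '1', 'message' => 'spam', 'website' => 'http://x'],
        'direct POST, no fields' => [],
    ];
    foreach ($samples as $label => $post) {
        $r = check_submission($post);
        echo $label, ': ', $r['ok'] ? 'accepted' : implode('; ', $r['errors']), "\n";
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $r = check_submission($_POST);
    $sent = $r['ok'] && send_enquiry($r['clean']);
    echo $sent ? '<div class="msg success">Your message was sent!</div>'
               : '<div class="msg error">Sorry there has been an error.</div>';
}
```

Run from the command line, the file prints the verdict for each constructed submission; served as form.php, it applies the same checks to `$_POST` whether or not the request came through the HTML form.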

