Some of my forms are being spammed.
So, the first thing I did was insert a php page called check.php which checks the values inputted using strpos().
So, anyone who fills in a form gets sent to this page, and if it looks like spam i.e contains dodgy words or href, it stops it being sent.
If not, it goes to a CGI file. The CGI file also has a referrer, and so cannot be accessed directly without going through a page on the website. (it checks the referring url).
But now I have a puzzle. This morning, one came through with a submit button on it (I deleted the submit button from my check.php page and auto submitted it on page load). Also, the submit button had the same name as the submit button on the form the user fills in.
So basically this means they came through the form, didn't go anywhere near the check.php file (When I tried to submit their post as a user, I got stopped when it went to the check.php page).
So my question is this:
Can a spammer change the action of a form? And if so, how do I stop this happening?
I just can't understand otherwise how they would have submitted the form with a submit button with the same name as the one on the initial form page (before it gets to check). Check.php does not send a submit button!