Matt's Blog

Protecting Forms From SPAM

July 11th, 2007 at 11:44 PM (9 years ago) by Matt Freedman

eMoms at Home is having another Group Research Project, so here’s my post. 😀  

In this age of the Internet, SPAM is an inevitability. If you have a site that’s open to the public, and it has some type of Form on it, it’s only a matter of time before SPAM starts rolling in.

Sure, you can filter it out at your end, but why not stop it from even getting through? Why not use rudimentary techniques to stop SPAM bots from even getting the comment to the processing stage? These rudimentary techniques are easy for humans to pass, but SPAM bots will have a hard time with them.

CAPTCHA

Probably the most common way of trying to stop SPAM is by using a CAPTCHA. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. What it is is a dynamically generated (in other words, on-the-fly) image that contains a random string of letters, numbers and/or other characters, or a word. The text is then made less readable by one or more of the following methods:

  • distorting the text, such as by warping it
  • adding random lines
  • coloured shapes behind the text
  • grids
  • textures on the font
  • colours

There is a large flaw with CAPTCHAs. People are making SPAM bots smarter and smarter, so CAPTCHAs need to get harder and harder. That’s fine, but a lot of CAPTCHAs cross the line of the human being able to read it. So, when it gets to that point, nothing’s going to get through that form, not even stuff from humans.

Another large flaw with CAPTCHAs is that screen readers can’t read/see them. So when someone who is disabled or visually impaired comes to that form, they won’t be able to type in the CAPTCHA because they won’t know it’s there. Large corporations, such as Microsoft, have developed a way for the CAPTCHA to be spelled out. But, that’s extremely hard, and a waste of time, basically.

I’m not going to provide any code for CAPTCHAs, mainly because every CAPTCHA should be different.

Simple Math

Another method of preventing simple SPAM bots from submitting SPAM into your forms is to make the submitter do some simple math. And by simple math, I mean like “1+1”, not “-(2x2 + 56 • 3xy3r2wc6)2 = 3456”. 😉 Which I don’t even think is possible. 😛 Well, it might be…

Matt Cutts uses this technique on his blog, for comments.

Here’s some proof-of-concept code (note, this code might not work, that’s why it’s called proof-of-concept 😉 ):

First of all, you would want to generate some random numbers. Now, since this is simple math, I recommend nothing over 10, so the user will, hopefully, know the answer without even thinking about it. I’m going to use the mt_rand() function. You could also use the rand() function, but mt_rand() is faster and is more random.

So, lets randomise some numbers!

<?php
// Two random operands between 1 and 10, kept small so a human knows the sum at a glance.
$number1 = mt_rand(1, 10);
$number2 = mt_rand(1, 10);
// The equation to display beside the text field, and the answer we expect back.
$equation_string = $number1 . "+" . $number2;
$equation_answer = $number1 + $number2;
?>

Now, you’ll want to use $equation_string right beside a new text input field.

Now, you could just take out $equation_answer and then store $equation_string in a hidden field and then process it on the flip side of the form. But, to make it easier, we’re going to do something different.

So, what you want to do is store $equation_answer in a hidden field (<input type="hidden" />). But, wait, don’t leave it raw. By raw, I mean just the answer. It should be encoded first. For this, I’m going to use base64_encode(), simply because it’s decodable and it came to mind first. 😛

So, replace the second to last line in the code before, with this:

// base64_encode() takes a string; PHP converts the integer sum for you.
$equation_answer = base64_encode($number1 + $number2);

Then, in the processing part of your form, you’ll want to grab the value of the text field and the hidden field (so make sure you put an id and name on both), use base64_decode() to decode the answer, and check if they match. Assuming you put the fields in the variables $user_answer and $equation_answer, respectively (you had better make sure they submitted a number, too):

// Reject anything that is not a number before comparing.
if (!is_numeric($user_answer)) {
    echo "That's Not a Number!";
    exit;
}
// Recover the expected answer from the hidden field.
$equation_answer = base64_decode($equation_answer);
if ($user_answer == $equation_answer) {
    // Okay, passed, carry on processing...
}
else {
    // Failed, stop the script...
    echo "Your Calculation is Incorrect!";
    exit;
}

And, there you have it. 😀
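Here is the whole simple-math procedure above (generate the challenge, put it in the form, check the reply) as one runnable page. This is an added example, not the post’s own code: it keeps the same form fields but replaces the base64 hidden field with a keyed HMAC of the answer, since base64 is an encoding that any bot can decode, whereas a MAC keyed with a server-side secret lets the server verify the answer without ever sending it to the client. The token also carries an issue time, so a stale token is refused. $SECRET_KEY and the ten-minute lifetime are placeholder assumptions; the rest uses only standard PHP functions (mt_rand, random_bytes, hash_hmac, hash_equals).

```php
<?php
// Added example, not from the original post. $SECRET_KEY is a placeholder:
// load a real random secret from configuration, never hard-code it.
$SECRET_KEY     = 'replace-me-with-a-random-secret-from-config';
$TOKEN_LIFETIME = 600; // seconds a challenge stays valid (assumed value)

// Build a challenge: two operands from 1..10 (as in the post), the equation
// string to show the user, and a signed token for the hidden field.
// Token layout: issued:nonce:hmac, where hmac = HMAC-SHA256(issued:nonce:answer).
function make_challenge(string $key): array {
    $number1 = mt_rand(1, 10);
    $number2 = mt_rand(1, 10);
    $answer  = $number1 + $number2;
    $issued  = time();
    $nonce   = bin2hex(random_bytes(8)); // makes every token distinct
    $mac     = hash_hmac('sha256', "$issued:$nonce:$answer", $key);
    return [
        'equation_string' => $number1 . '+' . $number2,
        'token'           => "$issued:$nonce:$mac",
    ];
}

// Verify a submission. Returns true only if the user's answer is a small
// integer, the token is well-formed and fresh, and the MAC recomputed over
// the user's answer matches the MAC in the token.
function verify_answer(string $key, string $token, string $user_answer, int $lifetime): bool {
    // "That's Not a Number!" case: allow only one or two digits.
    if (!preg_match('/^\d{1,2}$/', trim($user_answer))) {
        return false;
    }
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued) || strlen($nonce) !== 16 || !ctype_xdigit($nonce)) {
        return false;
    }
    // Refuse tokens older than the lifetime (or from the future).
    $age = time() - (int) $issued;
    if ($age < 0 || $age > $lifetime) {
        return false;
    }
    $expected = hash_hmac('sha256', "$issued:$nonce:" . (int) $user_answer, $key);
    return hash_equals($expected, $mac); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = verify_answer($SECRET_KEY,
                        $_POST['equation_token'] ?? '',
                        $_POST['user_answer'] ?? '',
                        $TOKEN_LIFETIME);
    if (!$ok) {
        echo "Your Calculation is Incorrect!";
        exit;
    }
    echo "Okay, passed, carry on processing...";
    exit;
}

$challenge = make_challenge($SECRET_KEY);
?>
<form method="post">
  <label>What is <?= htmlspecialchars($challenge['equation_string']) ?>?
    <input type="text" name="user_answer" id="user_answer" />
  </label>
  <input type="hidden" name="equation_token" id="equation_token"
         value="<?= htmlspecialchars($challenge['token']) ?>" />
  <button type="submit">Submit</button>
</form>
```

Save it as a single page and load it: the GET request renders the form, the POST request checks it. A bot that reads the hidden field gets only a timestamp, a nonce and a MAC, none of which reveal the sum; a human who answers wrong, or submits a token older than ten minutes, is rejected before any processing. One token that a bot has solved could still be replayed within its lifetime, so a site that cares about that would also record used nonces server-side, which this example does not do.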

Conclusion

I have explained two different rudimentary ways of stopping simple SPAM bots from even getting to the processing of your form. Please note that it is nearly impossible to stop SPAM altogether, but using a carefully thought out SPAM defense plan, you can at least minimize it.

11 Responses to “Protecting Forms From SPAM”

  1. Jeri says:

    Great article! I recently wrote a very similar one – but didn’t get to the code level, so I’m going to update mine to add a link to yours.

  2. Ungeek It » Blog Archive » Preventing Comment and Post Spam says:

    […] it. If you are interested in implementing some form of CAPTCHA or challenge/response on your site, Matt’s Blog has a good overview on the […]

  3. 28 Internet Marketing and Home Business How To's - eMoms at Home - Blogging and Internet Marketing for Home Based Entrepreneurs says:

    […] Protecting Forms From SPAM by Matt […]

  4. A Romantic Group Research Project | Romantic Ideas: Romance Tracker says:

    […] Protecting Forms From SPAM by Matt […]

  5. Loosely Speaking—A Virtual Assistant’s Blog » Resource Guide for Internet Marketing says:

    […] Protecting Forms From SPAM by Matt […]

  6. 28 Internet Marketing and Home Business How To’s | Life Is Risky says:

    […] Protecting Forms From SPAM by Matt […]

  7. 32 How To’s for Internet Marketing and Entrepreneurship » Derek Semmler dot com says:

    […] Protecting Forms From SPAM by Matt […]

  8. The Single Most Important Thing You Can Do To Become A Successful Consultant or Coach - Dawud Miracle @ dmiracle.com - (formerly Healthy WebDesign) says:

    […] Protecting forms from spam […]

  9. From the emoms content-some really great and educational entries... says:

    […] and How You Can Make it Work for You by Joe Cheray; How To’s for Web Design and Site Optimization; Protecting Forms From SPAM by Matt; CSS for Beginners – Changing the Fonts by Lucy Nixon; Web 101: The Three-Column CSS Layout by […]

  10. My Mention at Derek Semmler.com and a Collaborative Effort! | Kansans and Friends In Weight Loss says:

    […] Protecting Forms From SPAM by Matt […]

  11. Rene says:

    Hi, nice post, I enjoyed it.
