I've used a basic email form and php script to send an email from a website to an email account for a while and I've always been getting spam. I know this is because I don't have any security or validation for my form. I'm getting ready to change this so it slows down on the amount of spam I'm getting. What is the best way for me to stop getting spam using forms? If I add a validation only, and my HTML code still defines the email address I'm sending too will I still get spam because I have my email in my code?

Here is my HTML code:

HTML Code:

<FORM action="formmail.php" method=post>
<input type="hidden" name="recipient" value="email@domain.com">
<input type="hidden" name="subject" value="Website Contact Form">
<input type="hidden" name="redirect" value="complete_form.html">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
  <tr>
    <td width="50%" align="right"><font size="2">Name:</font><span style="fontsize:9pt">&nbsp;</span></td>
    <td width="50%"><font face="Verdana"><INPUT maxLength=256 size=36 name=Name tabindex="1"></font></td>
  </tr>
  <tr>
    <td width="50%" align="right"><font size="2">Email Address:&nbsp;</font></td>
     <td width="50%"><font face="Verdana"><INPUT maxLength=256 size=32 name=email tabindex="2"></font></td>
  </tr>
  <tr>
    <td width="50%" align="right"><font size="2">Message:</font><span style="font-size: 9pt">&nbsp;</span></td>
    <td width="50%"><font face="Verdana"><textarea rows="4" name="Message" cols="24" tabindex="3"></textarea></font></td>
  </tr>
  <tr>
    <td width="100%" colspan="2"><p align="center">
      <INPUT type=submit value="Send Message" tabindex="4"> 
      <INPUT type=reset value="Clear Message" tabindex="5"></td>
  </tr>
</table>
</FORM>

Also, how can I add a field that is required? I was thinking of doing this as a validation, i.e. add an invisible box with a common name and if anything is put in this field it doesn't get processed.

But this doesn't solve the problem that my email address is still in the HTML code, do spammers still find it?

Thanks,
Matt

Even if you make your input field hidden, the information in it is still readable to spammers and to anyone who can right-click their mouse and look at the page source code. That is why you won't find many character based e-mail addresses on websites nowadays. If you really want to display your email on your website, at least make it harder for machines to read. You can display it like a .jpg image or like mymailATmydomainDOTcom or use CAPTCHA. None of these things are 100% spam proof, but you'll see a considerable drop in spam you are getting. Also, before you implement any of these anti-spam features, make sure you've changed your email address. That's because by now your current address has been shared and stored by all kinds of spammers.

Anyway there is no need for your form to contain your email information at all. Let your script take care of where the email is sent.

Quote:

Originally Posted by Avengr9914

Also, how can I add a field that is required?......

Just to give you an idea of how it works, here is a simplified version of my compulsory field validations. This particular piece checks if there are any forbidden characters inside of the string.

PHP Code:

$nameerror = "ALL GOOD" ; // sets the default value for your error message
$sent = stripslashes($_POST['odos']); // makes sure your script knows the form has been submitted
 

     function validname($name){
             return preg_match("/^[a-z0-9\s_]*$/i", stripslashes($_POST['name'])); // defines allowed characters
     }

 // ************ If the form has been submitted, this compares the submitted string to the above definition and   
     if ($sent == 1) {    
         if (!validname($name)) {
                 $nameerror = "FORBIDDEN CHARACTERS!" ;
         } else {
         }
     }
 echo $nameerror ; 


Then put a hidden field in your form like this:

HTML Code:

<input name="sent" type="hidden" value="1" />

You can add more conditions to the script. For example one that checks if the submitted field was empty and if it was then set the variable $nameerror to “COMPULSORY FIELD” or something like that. That will actually make your field required.

I have setup virtual email addresses that forwards to my real email address, so I can change my virtual email without affecting my real email address. I understand that you can't make it 100% spam proof, but I would like to be more than 0% and closer to 100%.

How about this script that puts your email address together after the page loads? It does display in the status bar when you roll over it. This is just for when I display a link to email insead of a form.

HTML Code:

<script language="javascript">
<!--
var part1 = "fake";
var part2 = "yahoo.com";
var part3 = "eMAIL";
document.write('<a href="mai' + 'lto:' + part1 + '@' + part2 + '">');
document.write(part3 + '</a>');
// -->
</script>

I'm still a bit new into PHP, but here's my input for you:
frofi is right. Just put your email in the php mail function itself. The request goes there anyway.
I personally use two methods. A client side script I recently found at http://www.leigeber.com/2008/04/dyna...rm-validation/ that quickly finds any errors and alerts the mistakes in a very cool way.
HOWEVER,
I also validate the info on the server side with php in case the user has javascript turned off.

Obvious bonus here is that you get much quicker validation that uses less bandwidth time on the client side plus the extra security of php validation on the server side. I have built a small library of php regex validation functions that I simply use via "include" with every form. Then when the form needs to validate email(for example) I can just call the php function that validates an email address up.

Question for frofi: Doesn't he have to first check if magic quotes is on before running stripslashes? (Just asking)

The point is that it doesn't matter how complicated your code is in putting your email together or how complicated the route to your real email is. Once it has been put together it is there for everyone to see.


If you want to reduce email spam DON'T use your email in your HTML code. Simple as that.


If you insist on displaying it and want more spam protection, use poor quality .jpg image or write it like this mymailATmydomainDOTcom or use CAPTCHA.


There is nothing else I know of that could help you.

I'm new to PHP, so I'm not sure how to add these features. Can someone PM their contact form so I can take a look at it?

Give us a link to your currently functional form so we know exactly what we are talking about. We'll take it from there.

Quote:

Originally Posted by racer x

Question for frofi: Doesn't he have to first check if magic quotes is on before running stripslashes? (Just asking)

http://uk.php.net/magic_quotes

I just realised I've made a mistake in the second line of the code I gave you. Here is the correction:

PHP Code:

$sent = stripslashes($_POST['sent']); // makes sure your script knows the form has been submitted 


It simply means that whatever you name your hidden input field that confirms form submission, you have to use the same name in $_POST['same_name'].