Prevent php web contact form spam

Question

I am an amateur web designer, I have searched on stackoverflow.com and other websites and have found many fixes for this issue I\'m having, but none of them have worked (probabl

Answer 1

Create a form field and hide it for the users. In the php script check if this field is submitted, but empty. Now you know the request is from your form and a user.

Spam will fill the hidden field, or if they use your php script direct the spam protection field is not set.

HTML

<input name="website" type="text" class="website"/>

CSS

form .website{ display:none; } /* hide because is spam protection */

PHP

# spam protection
if (isset($_POST["website"]) && $_POST["website"] == "") {
  # your php code to mail here
} else {
  http_response_code(400);
  exit;
}

You can find more method's how to protect a php form spam here: https://zinoui.com/blog/protect-web-forms-from-spam

Answer 2

An even simpler approach that works for me. Literally all spam that I receive(d), had a url in the message. So I filter on that, and have not received any spam messages since. I used to get about 10 a week.

Add this under your line   $error_message = "";   in your php-file:

if(preg_match('/http|www/i',$comments)) {
    $error_message .= "We do not allow a url in the comment.<br />";
  }

The /i in the preg_match makes it case independent. The 'http' also filters for 'https'.

Answer 3

Hidden fields, silly questions (what is 3+4?), etc, are not very effective at blocking spam on forms.

I researched this several years ago, and came up with a solution I call "FormSpammerTrap". It uses JavaScript code to 'watch' for focus/onclick on required fields. Automated processes, unless highly customized for a specific site (which takes more time than spambot owners want to take), can't 'focus/onclick' a required field.

I have a free solution at my www.FormSpammerTrap.com site. And there's a form there that spambots can try to spam...and they haven't, for more than 3 years. You are welcome to try it out...it's all open source, so you can see how it works. (And, if you use the form, I don't harvest your email. I reply once, then delete your email.)

My technique is much more effective in blocking spambots. They haven't been able to spambot the contact form on that site.

Answer 4

A simple trick is to create a honeypot field:

html

<!-- within your existing form add this field -->
<input type="text" id="website" name="website"/>

css

/*in your css hide the field so real users cant fill it in*/
form #website{ display:none; }

php

//in your php ignore any submissions that inlcude this field
if(!empty($_POST['website'])) die();

Answer 5

Usually the bots submit a form very fast. So, based on that, another solution could be to add another hidden field that contain the number of seconds that passed from when the page was oppened. This can be done using JavaScript. Then check it in PHP. If the number of seconds is smaller than 5 seconds then it's spam (It's more likely that the real client needs more time to fit the form). You can adjust the number of seconds based on how many fields the form contain.

Answer 6

If the spam you're getting does not have a comment, why not simply add a check for that? There's absolutely no reason for a real, human visitor to submit your contact form without a comment.

Since you don't want to add a captcha, the easiest solution in the short term would be to check that the comment is a minimum number of characters and contains at least a certain number of words.

For example:

$comments = trim($_POST['comments']); // trim() to strip off whitespace from beginning and end, like spaces and linebreaks

if (strlen($comments) < 20 || substr_count($comments, " ") < 3) {
    died('Your comment is too short.');
}

This is a very simple check to see that the comment contains at least 20 characters and at least 3 spaces (4 words). Tweak as needed.