6 posts by 3 authors in: Forums > CMS Builder Community
Last Post: February 8, 2013   (RSS)

By zaba - February 5, 2013

Spam bots can take shower you with spam or take over your unsecured form to post spam. You should use the usual techniques to stop protect your form fields from injection and malicious content. 
A fantastic post about basic php form validation techniques can be found here:

http://myphpform.com/final-form.php

The technique I am proposing is to prevent the spam bots, the ones that are not human, from repeated posts. It basically revolves around the amount of time a human takes to fill in a form compared to a spambot. The spambot would be virtually instant. Therefore we can assume that a form submitted in under, for example 7 seconds, is unlikely to be legitimate.

Simply add this hidden field to your form, it records the time the page was accessed.

 <input type="hidden" name="loadtime" value="<?php echo time(); ?>" />

Then in your script that handles the form do something like this

<? php 

$loadtime = $_POST['loadtime'];


$totaltime = time() - $loadtime;


if($totaltime < 7)
{


#do something or just kill it



$url='http://www.danhatesspam.com/';
header ("Location: ".$url);
exit();
}


?>

basically you are subtracting the time on the handle script from the time the form was accessed and if it was less than 7 seconds you can kill it.

Hope this proves useful to someone, please feel free to post comments or if you have other suggestions.

Note to Interactive tools, it may be useful to have a non directly related section to post general help topics from forum users who would like to share tips and techniques to others?

Hi Zaba,

This is an interesting idea.

We've recently discovered a good way to stop a lot of spam bots. First you name a field something that would normally be used to store an e-mail address (eg, mail, e-mail, email, etc) and then hide it using CSS.

Then use something less obvious for the actual e-mail field, in this example I've used sendTo.

A spam bot will see the e-mail field and automatically fill it in with an e-mail address, and will put something random in the sendTo field.

As the hidden email field isn't visible to a normal user, you know that if the email field contains something, then you're probably dealing with a spambot. 

Here is some example code:

<?php

  $errors = "";

  if(@$_REQUEST['submitForm']){
    if(@$_REQUEST['email'])   { $errors = "You entererd somthing in the hidden field. Are you a spam bot?<br>"; }
    if(!@$_REQUEST['name'])   { $errors .= "Please enter your name. <br>"; }
    if(!@$_REQUEST['subject']) { $errors .= "Please enter a subject. <br>"; }
    if(!@$_REQUEST['sendTo'])  { $errors .= "Please enter an e-mail address. <br>"; }
    if(!@$_REQUEST['comment']) { $errors .= "Please enter a comment. <br>"; }
    if(@!$errors){
      echo 'form is valid!';
      exit;
    }
  }

?>

<?php echo $errors; ?>

<form method="get" action="scratch.php">
  <input type="hidden" name="submitForm" value="yes" />
  <input style="display:none;" type="text" name="email" value="" />
  <label>Name:<input type="text" name="name" value="<?php echo @$_REQUEST['name']; ?>" /></label><br>
  <label>E-mail:<input type="text" name="sendTo" value="<?php echo @$_REQUEST['sendTo']; ?>" /></label><br>
  <label>Subject:<input type="text" name="subject" value="<?php echo @$_REQUEST['subject']; ?>" /></label><br>
  <label>comment:<textarea name="comment"><?php echo @$_REQUEST['comment']; ?></textarea></label>
  <input type="submit" name='submit' value="submit" />
</form>

Having  another forum for web dev hints and tips is a good idea, and definitely something we will look into.

Thanks!

Greg

Greg Thomas

PHP Programmer - interactivetools.com

By zaba - February 5, 2013

Hi Greg, I had come across that one, the only slight downside is (although i can not verify this)  that certain screen readers for visually impaired will still display  items with the display:none; css. The way around this is to label it with "if you are a human leave this field blank", although the chances of people with screen readers filling in your form is as likely as winning the lottery, it just covers you for the odd eventuality.

On the forum note:

I often do research on specific problems, but never right down my solutions, they often go directly in to code on a site I build, then when I hit the same problem I have to try and remember which site I applied the solution to. If I was more organised I would do a blog or something, but since I use cmsb and I regularity frequent this forum it would be nice to stick the odd snippets up here and let the rest of the cmsb fans use and contribute.

Maybe you should set up a poll for this to see if people are interested, or just announce the idea in your next e-shot.

Thanks :-)

By Dave - February 7, 2013

Hi Guys,

I added the display:none trick to our signup form 1.5 weeks ago and it's already caught over 100 spambots!  I had it email me just to be sure but no false positives as of yet. 

There's a risk with all these techniques, even on the 7 seconds, people who are really fast typists or who have a browser form-filler feature might get caught as well.  Maybe I'll add a timer to the signup form next time I update it and we can collect some real-world data on just how fast those spammers are.  If it's a software bot it might be less than a second.  I started searching their ips and found there are actually sites out there that track them like this http://www.stopforumspam.com/ so lots of options for captching spammers in the future.

I also so this captcha replacement this morning, which makes people play little games instead of enter captchas: http://areyouahuman.com/

In reply to the comment on snippets, we still have a ways to go on the forum but I've been thinking about adding a "favorites" feature so people could keep a list of their own favorite posts for easy access.  Maybe that and encouraging people to post their code snippets?  Or a new forum for it, what do you think would work best? 

Dave Edis - Senior Developer
interactivetools.com

By zaba - February 8, 2013

Hi Dave,

The 7 second is an arbitrary amount, you can obviously set that much lower if you wish depending on the nature of the form.

With regards to the forum, I like the idea of favourites, but would also welcome a flagging method whereby your post could appear in the cmsb forum but flagged as developer tips (something you assign on entering the post),, so you can instantly view developer tips and add them to your favourites. Definitely something worth exploring. I personally wouldn't go for a separate forum as cmsb is my main home. I think its an area worth exploring because the cmsb forum is 1st class in terms of support you guys give, and it would surely help grow the community and be great for us going forward.