Validating form and protecting it from bots

Hi there,

I hope this is the correct place to post my question. I have been using a form from helpvid which has been great, except I've started to get spammed. I was reading some websites about how to stop this and then got confused as to how to apply it to the existing code. I wanted to add a verification step, such as the one for posting on this forum, but am unsure how to add it to the existing code. I have copied the code below and would really appreciate it if somebody could help me or direct me to where I can get some help. Thank you so much for your time!!!

<?php
/* Email Variables */
$emailSubject = 'ClientContact!'; /* Make sure this matches the name of your file */
$webMaster = '[email protected]';

/* design by Mark Leroy @ http://www.helpvid.net/ */

/* Data Variables (taken straight from the POST, no validation) */
$email = $_POST['email'];
$name = $_POST['name'];
$phone = $_POST['phone'];
$comments = $_POST['comments'];
$leaveMessage = $_POST['leaveMessage'];
$whichCity = $_POST['whichCity'];

/* Message body */
$body = <<<EOD

Name: $name

Email: $email

Phone: $phone

Comments: $comments

Leave Message: $leaveMessage

Which City: $whichCity

EOD;

/* Headers: note that $email goes into a mail header exactly as posted */
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);

/* Results rendered as HTML */
$theResults = <<<EOD
sent message <!--
EOD;
echo $theResults;
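Before a captcha is bolted on, it is worth looking at the `From: $email` header in the script above: it is built from the raw `$_POST['email']`, so a posted value containing a carriage return or line feed can append extra headers (a `Bcc:` list, for instance), which is one way a contact form ends up relaying spam rather than just receiving it. The following is an added example, not the helpvid script and not code from anyone in this thread, showing a hardened version of the mail assembly. The address `contact@example.com`, the 2000-character field limit and the sample inputs are assumptions constructed for the demonstration; it needs the mbstring extension for `mb_substr`.

```php
<?php
// Added example (not from the thread): hardened assembly of the contact mail.
declare(strict_types=1);

// Any value that ends up in a mail header must not contain line breaks,
// otherwise the sender can inject further headers such as Bcc:.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]/', $value);
}

// Returns a validated address or null. A single well-formed address cannot
// carry embedded newlines, but the explicit check above is kept as a second line.
function validated_email(string $value): ?string
{
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Builds body and headers from untrusted form fields. From: is fixed to an
// address you control; the visitor's address only goes into Reply-To, and
// only after validation. Returns null when the submission must be refused.
function build_contact_mail(array $post, string $webMaster): ?array
{
    $email = validated_email((string) ($post['email'] ?? ''));
    if ($email === null) {
        return null; // malformed or injected address
    }
    $labels = [
        'name' => 'Name', 'phone' => 'Phone', 'comments' => 'Comments',
        'leaveMessage' => 'Leave Message', 'whichCity' => 'Which City',
    ];
    $lines = ["Email: {$email}"];
    foreach ($labels as $field => $label) {
        // Cap the length and escape HTML, since the mail is sent as text/html.
        $raw = mb_substr((string) ($post[$field] ?? ''), 0, 2000); // 2000 is an assumed limit
        $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $lines[] = "{$label}: " . nl2br($safe);
    }
    $body = implode("<br>\n", $lines) . "\n";
    $headers = "From: {$webMaster}\r\n"
             . "Reply-To: {$email}\r\n"
             . "Content-type: text/html; charset=UTF-8\r\n";
    return ['to' => $webMaster, 'subject' => 'ClientContact!', 'body' => $body, 'headers' => $headers];
}

// Constructed inputs for a stand-alone run: php this_file.php
$webMaster = 'contact@example.com'; // assumption: your own mailbox

// A header-injection attempt: the "email" field smuggles a Bcc: header.
$attack = ['email' => "bot@example.net\r\nBcc: a@example.org, b@example.org", 'name' => 'x'];
var_dump(build_contact_mail($attack, $webMaster) === null); // true: refused

// A normal submission with some HTML in the name and a newline in the comment.
$normal = ['email' => ' visitor@example.net ', 'name' => 'Jane <b>', 'comments' => "Hi\nthere"];
$mail = build_contact_mail($normal, $webMaster);
echo $mail['headers'];
echo $mail['body'];
// In the real handler the last step is unchanged:
// $success = mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
```

Refusing the submission outright when the address fails validation is deliberate: silently stripping the newlines would still send the bot's mail, just without the injected headers.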

Protecting against bots is a quite big topic, especially for the lucky ones who are running big sites with lots of users. A small to mid-sized site probably won't have to deal with anything too nasty though, as the cost of implementing a custom spam bot is too high compared to the possible payout.

Anyway, I would try to simply implement reCAPTCHA; it can be found here:

It should be really easy to add to your site, but if you run into any trouble you are welcome to come back with any issues :) With reCAPTCHA you get a captcha service that looks good, provides both visual and audio challenges, and on top of it all you help digitise books and papers when users complete challenges! Please note that if you have user logins it is normal not to use human verification on logged-in users (as it can be quite an annoyance).

In addition I would look into CSRF (Cross Site Request Forgery):
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This basically involves you creating a unique token which you add to the session and as a hidden field in the form. If the submitted form token != the session token, then reject the post. It might also be a good idea to have a time limit on these tokens as well :)
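Here is what that looks like in PHP, as an added example that is not part of the reply above: a per-session token with a time limit, compared in constant time and consumed on use, plus the server-side reCAPTCHA check. The `siteverify` endpoint and the `g-recaptcha-response` field are reCAPTCHA v2's actual interface; the 15-minute limit, the hidden-field name `csrf`, and the placeholder keys are assumptions. The functions take the session as an array argument so the bottom of the file can exercise them from the command line without a web server.

```php
<?php
// Added example: CSRF token in the session with an expiry, plus server-side
// verification of the reCAPTCHA response. Not code from the thread.
declare(strict_types=1);

const CSRF_TTL = 900; // seconds a token stays valid; assumed value, adjust as needed

// Issue a fresh token, remember it with its timestamp in the session and
// return it so the form can carry it in a hidden field.
function csrf_issue(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf'] = ['token' => $token, 'issued' => $now];
    return $token;
}

// Check the token the form posted back. The stored token is consumed either
// way (single use), expiry is enforced, and the comparison is constant time.
function csrf_check(array &$session, ?string $posted, int $now): bool
{
    $stored = $session['csrf'] ?? null;
    unset($session['csrf']);
    if (!is_array($stored) || !is_string($posted)) {
        return false;
    }
    if ($now - $stored['issued'] > CSRF_TTL) {
        return false; // expired
    }
    return hash_equals($stored['token'], $posted);
}

// Ask Google whether the g-recaptcha-response the browser sent is genuine.
// Fails closed on an empty response, a transport error or unparsable JSON.
function recaptcha_verify(string $secret, string $response, string $remoteIp): bool
{
    if ($response === '') {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $response, 'remoteip' => $remoteIp]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($raw === false) {
        return false;
    }
    $json = json_decode($raw, true);
    return is_array($json) && ($json['success'] ?? false) === true;
}

if (PHP_SAPI !== 'cli') {
    // Web usage: issue the token when rendering the form, check it on the POST.
    session_start();
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $okToken   = csrf_check($_SESSION, $_POST['csrf'] ?? null, time());
        $okCaptcha = recaptcha_verify('YOUR_SECRET_KEY', (string) ($_POST['g-recaptcha-response'] ?? ''),
                                      $_SERVER['REMOTE_ADDR'] ?? '');
        if (!$okToken || !$okCaptcha) {
            http_response_code(403);
            exit('Form rejected.');
        }
        // ... build and send the mail here, then:
        exit('Message sent.');
    }
    $token = csrf_issue($_SESSION, time());
    echo '<script src="https://www.google.com/recaptcha/api.js"></script>'
       . '<form method="post">'
       . '<input type="hidden" name="csrf" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
       . '<div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>'
       . '<button>Send</button></form>';
    exit;
}

// Command-line self-check with a plain array standing in for $_SESSION.
$session = [];
$t = csrf_issue($session, 1000);
var_dump(csrf_check($session, $t, 1060));             // true: fresh and matching
var_dump(csrf_check($session, $t, 1060));             // false: already consumed
$t = csrf_issue($session, 1000);
var_dump(csrf_check($session, $t, 1000 + CSRF_TTL + 1)); // false: expired
$t = csrf_issue($session, 1000);
var_dump(csrf_check($session, 'not-the-token', 1001));   // false: mismatch
```

The CSRF token on its own does not stop a bot that fetches the form first and posts the token back; its job is to stop forged posts from elsewhere and to force one round trip per submission. The captcha is what makes that round trip expensive, which is why the two are used together.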

@JimL has some really good ideas, you should look into all of them.

PHPHelp had issues with bots creating new members, and one of the ways that was combated was adding a second layer of authorization on top of the captcha, by asking simple questions from a bank of questions.

PHPHelp was getting over 200 fake sign-ups a day with just a captcha; with both in place there hasn't been one in several weeks.
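One way to implement that second layer, as an added example rather than PHPHelp's own code: the server picks a question, records which one in the session (never in a hidden field, which a bot would just echo back), and on submission compares a normalised answer against the accepted spellings. The question bank below is constructed for the demonstration; a real one should be larger and rotated, since a small fixed set is eventually learned by whoever runs the bot. As in the previous example, the session is passed in as an array so the file runs from the command line.

```php
<?php
// Added example: question-bank challenge as a second layer on top of a captcha.
// Not code from the thread or from PHPHelp.
declare(strict_types=1);

// Constructed bank; 'a' lists the accepted spellings, matched case-insensitively.
const QUESTION_BANK = [
    ['q' => 'What colour is the sky on a clear day?', 'a' => ['blue']],
    ['q' => 'How many days are in a week?',           'a' => ['7', 'seven']],
    ['q' => 'What is the first month of the year?',   'a' => ['january']],
    ['q' => 'What is three plus four?',               'a' => ['7', 'seven']],
];

// Pick a question at random, remember its index in the session and return
// the text to render. Only the question text reaches the browser.
function question_issue(array &$session): string
{
    $i = random_int(0, count(QUESTION_BANK) - 1);
    $session['question'] = $i;
    return QUESTION_BANK[$i]['q'];
}

// Normalise free text before comparison: trim, lower-case, collapse spaces.
function normalise_answer(string $s): string
{
    return preg_replace('/\s+/', ' ', strtolower(trim($s))) ?? '';
}

// Check the posted answer against the question this session was given.
// The stored question is consumed so a correct answer cannot be replayed.
function question_check(array &$session, ?string $posted): bool
{
    $i = $session['question'] ?? null;
    unset($session['question']);
    if (!is_int($i) || !isset(QUESTION_BANK[$i]) || !is_string($posted)) {
        return false;
    }
    $given = normalise_answer($posted);
    foreach (QUESTION_BANK[$i]['a'] as $accepted) {
        if (hash_equals($accepted, $given)) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Web usage, alongside the captcha check: render on GET, verify on POST.
    session_start();
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        if (!question_check($_SESSION, $_POST['answer'] ?? null)) {
            http_response_code(403);
            exit('Wrong answer.');
        }
        exit('Answer accepted.');
    }
    $q = question_issue($_SESSION);
    echo '<form method="post"><label>' . htmlspecialchars($q, ENT_QUOTES) . ' '
       . '<input name="answer" autocomplete="off"></label><button>Send</button></form>';
    exit;
}

// Command-line self-check with a plain array standing in for $_SESSION.
$session = [];
$q = question_issue($session);
$right = QUESTION_BANK[$session['question']]['a'][0];
var_dump(question_check($session, '  ' . strtoupper($right) . ' ')); // true: case and spacing normalised
var_dump(question_check($session, $right));                         // false: already consumed
question_issue($session);
var_dump(question_check($session, 'purple'));                       // false: wrong answer
```

Because the answer check runs after the captcha check, a bot has to clear both on the same request; the cheap part for the site (a lookup in the session) is the expensive part for the bot (understanding the question).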
