
How to prevent comment form spam


Question

I have a contact form on my website and I'm getting ruthlessly spammed. I have it set up so that JavaScript checks the inputs, but I'm still getting loads of blank messages and the like.

I was wondering if I could get the PHP to check the inputs before it submits the form.

This is the HTML form:

 <form action="http://thebettertwin.co.uk/wp-content/themes/thebettertwin2/mail.php" class="contactForm" name="cform" method="post">
                <p class="contactinfo">Use the contact form below to get in touch, I’ll get back to you shortly.</p>
                <div class="input_boxes">
                    <p><label for="name">Name</label><span class="name-missing">Please enter your name</span><br />
                    <input id="name" type="text" value="" name="name" /></p><br />
                    <p><label for="e-mail">E-mail</label><span class="email-missing">Please enter a valid e-mail</span><br />
                    <input id="e-mail" type="text" value="" name="email" /></p><br />
                    <p><label for="subject">Subject</label><br />
                    <input id="subject" type="text" value="" name="subject" /></p><br />
                    <p><label for="spam">Is ice hot or cold?</label><span class="spam-missing">Its cold!</span><br />
                    <input id="spam" type="text" value="" name="spam" /></p><br />
                    <p class="contactmessage"><label for="message">Message</label><span class="message-missing">Say something!</span><br />
                    <textarea id="message" name="message"></textarea></p><br />
                 </div>   
                 <input class="submit" type="submit" name="submit" value="Submit Form" onfocus="this.blur()"  />
            </form>

The relevant JavaScript:

   //submission scripts
  $('.contactForm').submit(function () {
    //statements to validate the form
    var filter = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;
    var email = document.getElementById('e-mail');
    var emailOk = filter.test(email.value);
    var nameOk = document.cform.name.value != "";
    var messageOk = document.cform.message.value != "";
    var spamOk = document.cform.spam.value == "cold";   // an empty answer fails this too

    //show or hide each inline error message
    $('.email-missing').toggle(!emailOk);
    $('.name-missing').toggle(!nameOk);
    $('.message-missing').toggle(!messageOk);
    $('.spam-missing').toggle(!spamOk);

    if (!(nameOk && emailOk && messageOk && spamOk)) {
      return false;   //stop here until every field validates
    }

    //hide the form
    $('.contactForm').hide();

    //show the loading bar
    $('.loader').append($('.bar'));
    $('.bar').css({display:'block'});

    //send the ajax request
    $.post('http://thebettertwin.co.uk/wp-content/themes/thebettertwin2/mail.php', {
      name: $('#name').val(),
      email: $('#e-mail').val(),
      subject: $('#subject').val(),
      message: $('#message').val(),
      spam: $('#spam').val()
    });

    return false;   //the data went via AJAX, so block the normal form submission
  });

And the mail form (mail.php):

<?php
//declare our variables
$name = $_POST['name'];
$email = $_POST['email'];
$subject = $_POST['subject'];
$message = nl2br($_POST['message']);
//get todays date
$todayis = date("l, F j, Y, g:i a") ;
//set a title for the message
$body = "From $name,<br /> \n\n$message";
$headers = 'From: '.$email.'' . "\r\n" .
      'Subject: '.$subject.'' ."- Message from thebettertwin.co.uk" . "\r\n" .
    'Reply-To: '.$email.'' . "\r\n" .
  'Content-type: text/html; charset=utf-8' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

//put your email address here
mail("mymail@thebettertwin.co.uk", $subject ."- Message from thebettertwin.co.uk".'', $body, $headers);
?>
<!--Display a thankyou message in the callback -->
<div id="mail_response">
    <div class="thanks">
    <br />
    <br />
    <h3>Thank you <?php echo $name ?>!</h3><br />
    <p>I will answer your message soon as possible.</p><br /><br /><br />
    </div>
    <div class="sent">
        <br />
    <br />
    <h5>Your message was sent on: </h5>
    <p><?php echo $todayis ?></p>
    </div>
</div>    

I tried placing this before the mail form to check for the right input and then letting the form run, but it doesn't seem to run properly when I do:

<?php
// the original had $POST, which is an undefined variable; the superglobal is $_POST
$spam = isset($_POST['spam']) ? $_POST['spam'] : '';
if ($spam == "cold") : ?>
    <!-- the mail form above goes here -->
<?php endif; ?>

Any help on this would be appreciated.


12 answers to this question



1) Use a CAPTCHA-type system?

Yeah, I was going to use a CAPTCHA as a last resort. They're pretty ugly though, and I thought there might be a good way in PHP to prevent the form from running if the fields aren't filled in correctly.



Yeah, I was going to use a CAPTCHA as a last resort. They're pretty ugly though, and I thought there might be a good way in PHP to prevent the form from running if the fields aren't filled in correctly.

Captcha is the most reliable way and honestly, it's so common now it's not even that annoying anymore. Use basic fields if you feel like, like sums or basic questions, but expect some bots to get around that.


They're pretty ugly though, and I thought there might be a good way in PHP to prevent the form from running if the fields aren't filled in correctly.

Write your own then. I did and it fits exactly where I want it on the form, and styled to suit.

And look, I could bypass your form "security" simply by viewing the source!



You probably should also add additional security protection to your mail-sending code. The code you have there does nothing to stop header injection, which means that the form could be used to send spam to other addresses than just yours. Basically, you would want to check the posted data and remove header delimiters and parameters from the variables that are used in the headers. Also, it could be best for your own safety that you allow just plain-text messages to be sent.



Write your own then. I did and it fits exactly where I want it on the form, and styled to suit.

Congrats

And look, I could bypass your form "security" simply by viewing the source!

It doesn't need to be some super-secure form; it's just that the amount of spam I'm getting is ridiculous.

Captcha is the most reliable way and honestly, it's so common now it's not even that annoying anymore. Use basic fields if you feel like, like sums or basic questions, but expect some bots to get around that.

Yeah ok.

Thanks for the advice.

You probably should also add additional security protection to your mail-sending code. The code you have there does nothing to stop header injection, which means that the form could be used to send spam to other addresses than just yours. Basically, you would want to check the posted data and remove header delimiters and parameters from the variables that are used in the headers. Also, it could be best for your own safety that you allow just plain-text messages to be sent.

Ok thanks.

I'm still learning the field and followed a tutorial on a site to build the current form, so I know it's not perfect, but I will look into that.



To prevent empty inputs from emailing, you'd just need to use PHP to check each input, similar to how you did with JavaScript.

E.g.:

if($name == '' || $message == ''){ // etc
    // Don't send the message, the form's not been filled in properly, so you might want to redirect the user back to the html form page
}else{
    // Send the email
}

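The two answers above (server-side checks of the posted fields, and stopping header injection in the mail-sending code) combined into one hardened mail.php. This is an added example, not the original poster's code or anything posted in the thread. It assumes the field names from the form in the question, a fixed From address for the site (the visitor's address goes in Reply-To only), and that a plain-text message is acceptable.

```php
<?php
// Hardened replacement for mail.php (added example, not the poster's code).
// Assumptions: field names match the form in the question; the From address is a placeholder.

// Read a posted field as a trimmed string; a missing or non-string field becomes "".
function field($key) {
    return isset($_POST[$key]) && is_string($_POST[$key]) ? trim($_POST[$key]) : '';
}

// Anything that ends up in a mail header must be a single line: CR, LF and NUL are
// exactly what an attacker adds to smuggle in extra To:/Bcc: headers.
function header_safe($value) {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Collect every validation error first; mail only when the list is empty.
function validate_contact($fields) {
    $errors = array();
    if ($fields['name'] === '') {
        $errors[] = 'Please enter your name';
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail';
    }
    if ($fields['message'] === '') {
        $errors[] = 'Say something!';
    }
    // The anti-spam question from the form; case-insensitive so "Cold" also passes.
    if (strcasecmp($fields['spam'], 'cold') !== 0) {
        $errors[] = 'Wrong answer to the spam question';
    }
    foreach (array('name', 'email', 'subject') as $key) {
        if (!header_safe($fields[$key])) {
            $errors[] = 'Invalid characters in ' . $key;
        }
    }
    return $errors;
}

$fields = array(
    'name'    => field('name'),
    'email'   => field('email'),
    'subject' => field('subject'),
    'message' => field('message'),
    'spam'    => field('spam'),
);

$errors = validate_contact($fields);
if (count($errors) > 0) {
    // Bad or empty input: report it and stop. Nothing is mailed.
    http_response_code(400);
    echo '<div id="mail_response"><ul>';
    foreach ($errors as $e) {
        echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    echo '</ul></div>';
    exit;
}

$todayis = date("l, F j, Y, g:i a");

// Plain text only, and the subject goes through mail()'s own parameter rather than a
// hand-built Subject: header. The visitor's address is confined to Reply-To.
$subject = ($fields['subject'] === '' ? 'Contact form' : $fields['subject']) . ' - Message from thebettertwin.co.uk';
$body = "From " . $fields['name'] . " <" . $fields['email'] . ">\n\n" . $fields['message'];
$headers = 'From: noreply@thebettertwin.co.uk' . "\r\n" .   // assumed site address
           'Reply-To: ' . $fields['email'] . "\r\n" .
           'Content-Type: text/plain; charset=utf-8' . "\r\n" .
           'X-Mailer: PHP/' . phpversion();

mail("mymail@thebettertwin.co.uk", $subject, $body, $headers);
?>
<div id="mail_response">
    <div class="thanks">
    <h3>Thank you <?php echo htmlspecialchars($fields['name'], ENT_QUOTES, 'UTF-8'); ?>!</h3>
    <p>I will answer your message as soon as possible.</p>
    </div>
    <div class="sent">
    <h5>Your message was sent on: </h5>
    <p><?php echo $todayis; ?></p>
    </div>
</div>
```

The name is HTML-escaped on output because it is echoed into the page; the original echoed it raw. The JavaScript checks stay as they are for the user's benefit, but they are no longer the thing standing between a bot and mail().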


If you don't want to use any type of spam protection that requires user interaction, you could at least generate nonces to validate the forms. Using a nonce (a number only used once, required to be correct for the form to be sent) would at least cut the amount of blind external queries you get. As you are using WordPress, you could use its library. It should have functions for generating and checking nonces (wp_create_nonce and wp_verify_nonce, I believe).

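The nonce approach from the answer above, using the WordPress functions it names. This is an added example, not code from the thread or from WordPress itself. It assumes the form is printed from a theme template (where WordPress is already loaded) and that mail.php, which the question posts to directly, has to bootstrap WordPress itself; the relative path to wp-load.php is derived from the theme path in the question and is an assumption. The action string and field name are made up for the example.

```php
<?php
// Added example: WordPress nonces on the contact form (not the poster's code).

// ---- Part 1: in the theme template, inside the <form> ----
// wp_nonce_field() prints a hidden input named (and with id) "contact_nonce" holding a
// nonce bound to the action 'thebettertwin_contact', plus a _wp_http_referer field.
//     wp_nonce_field('thebettertwin_contact', 'contact_nonce');
// Because the form is sent with $.post(), the hidden field must be included in the data:
//     contact_nonce: $('#contact_nonce').val()

// ---- Part 2: top of mail.php, before anything is mailed ----
// mail.php is requested directly, so WordPress is not loaded yet. Assumed path.
require_once dirname(__FILE__) . '/../../../wp-load.php';

function contact_nonce_ok() {
    if (!isset($_POST['contact_nonce']) || !is_string($_POST['contact_nonce'])) {
        return false;
    }
    // wp_verify_nonce() returns 1 or 2 for a valid nonce (depending on its age) and
    // false for a missing, forged or expired one.
    return wp_verify_nonce($_POST['contact_nonce'], 'thebettertwin_contact') !== false;
}

if (!contact_nonce_ok()) {
    // Blind POSTs from bots that never loaded the form land here; nothing is mailed.
    http_response_code(403);
    exit('Invalid or expired form token.');
}
// ... field validation and mail() follow ...
```

Caveat worth knowing: WordPress nonces are derived from the user ID and session, and a logged-out visitor has neither, so every anonymous visitor gets the same nonce for the nonce lifetime (24 hours by default, in two 12-hour ticks). This stops bots that post straight to mail.php without ever fetching the page, which is what the answer promises; it does not stop a bot that loads the form first and reads the hidden field.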


To prevent empty inputs from emailing, you'd just need to use PHP to check each input, similar to how you did with JavaScript.

E.g.:

if($name == '' || $message == ''){ // etc
    // Don't send the message, the form's not been filled in properly, so you might want to redirect the user back to the html form page
}else{
    // Send the email
}

Thanks, that's the thing I was looking for to begin with, but this thread has given me lots more to look into.



I applaud you for not using CAPTCHA. I would recommend using a simpler approach where you ask the user to say what 10 + 14 is. Have the answer hashed with salt as a formkey, and when the user submits the form, check their answer. It's simple enough that it doesn't annoy users, and it is effective against bots.

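The salted-hash formkey from the answer above, worked through as an added example (not the poster's or the answerer's code). It uses an HMAC with a server-side secret rather than a plain salted hash, and binds an expiry time and a per-form random value into the key, because a key computed from the answer alone could be harvested once and replayed with the same answer for every future submission. The secret, field names and time limit are assumptions for the example.

```php
<?php
// Added example: arithmetic question whose answer travels with the form as a keyed hash,
// so nothing has to be stored on the server between rendering and submission.
// Assumption: CONTACT_FORM_SECRET is a long random value that never appears in page source.
define('CONTACT_FORM_SECRET', 'replace-with-a-long-random-secret');
define('CONTACT_FORM_TTL', 3600); // seconds a rendered question stays answerable

// HMAC over answer, expiry and a per-form random value. Hashing only the answer would let
// a bot replay one harvested (key, answer) pair forever; the nonce also keeps two forms
// that happen to have the same sum from sharing a key.
function challenge_key($answer, $expires, $nonce) {
    return hash_hmac('sha256', $answer . '|' . $expires . '|' . $nonce, CONTACT_FORM_SECRET);
}

// Build a question plus the hidden values that go with it.
function make_challenge() {
    $a = mt_rand(1, 20);
    $b = mt_rand(1, 20);
    $expires = time() + CONTACT_FORM_TTL;
    $nonce = bin2hex(openssl_random_pseudo_bytes(8));
    return array(
        'question' => "What is $a + $b?",
        'expires'  => $expires,
        'nonce'    => $nonce,
        'key'      => challenge_key($a + $b, $expires, $nonce),
    );
}

// Check what the visitor typed against the submitted formkey.
function check_challenge($answer, $expires, $nonce, $key) {
    if (!ctype_digit((string) $answer) || !ctype_digit((string) $expires)) {
        return false;
    }
    if ((int) $expires < time()) {
        return false; // question too old; the visitor has to reload the form
    }
    $expected = challenge_key((int) $answer, (int) $expires, (string) $nonce);
    return hash_equals($expected, (string) $key); // constant-time comparison
}

// ---- rendering side (in the form template, replacing the fixed "Is ice hot or cold?") ----
$c = make_challenge();
printf('<label for="spam">%s</label>', htmlspecialchars($c['question'], ENT_QUOTES, 'UTF-8'));
echo '<input id="spam" type="text" name="spam" />';
printf('<input type="hidden" name="spam_expires" value="%d" />', $c['expires']);
printf('<input type="hidden" name="spam_nonce" value="%s" />', $c['nonce']);
printf('<input type="hidden" name="spam_key" value="%s" />', $c['key']);

// ---- checking side (top of mail.php); the three hidden fields must also be sent in $.post() ----
// if (!check_challenge($_POST['spam'], $_POST['spam_expires'], $_POST['spam_nonce'], $_POST['spam_key'])) {
//     http_response_code(400);
//     exit('Wrong answer to the spam question.');
// }
```

The answer space is tiny (a sum of two numbers up to 40), but that does not matter for the key: without the secret, a bot cannot compute a valid key for a guessed answer, and with the expiry and nonce bound in, it cannot reuse one it has seen. What remains is the point made earlier in the thread: a bot that can parse "What is 10 + 14?" and add will still get through.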
