Our guestbook has been attacked by spam bots quite a bit recently and I finally got around to stopping the spam with a neat little trick from the ASP.NET AJAX Control Toolkit that real users won't even notice (as long as they have Javascript enabled...)


<?PHP
if($_POST['Bot'] == "Yes")
echo 'You're a bot! Stop messing with my form!'
else if($_POST['Bot'] == "No")
echo 'Hi ' . $_POST['name'] . '!'
?>
<form action="test.php" method="POST">
Name: <input type="text" name="name">
<input type="hidden" id="Bot" name="Bot" value="Yes">
<script type="text/javascript" language="javascript">
document.getElementById('Bot').value = "No"
</script>
<input type="submit">
</form>


A lot of spam bots don't execute javascript so you are safe from them. For people that disable javascript, you can modify the above code to do something like...


<form action="test.php" method="POST">
<?PHP
if($_POST['Bot'] == "Yes") {
?>
I'm not sure if you're a bot or not... what is five plus eight?<br />
<input type="text" name="HumanTest">
<input type="hidden" name="name" value="<? echo $_POST['name'] ?>">
<input type="submit">
<?
} else if($_POST['Bot'] == "No" || $_POST['HumanTest'] == "13" || $_POST['HumanTest'] = "thirteen") {
echo 'Hi ' . $_POST['name'] . '!'
} else {
?>
Name: <input type="text" name="name">
<input type="hidden" id="Bot" name="Bot" value="Yes">
<script type="text/javascript" language="javascript">
document.getElementById('Bot').value = "No"
</script>
<input type="submit">
<? } ?>
</form>


And that will allow regular people that have javascript enabled to not be bothered by proving they're human while also allowing for the occasional user that disables it.


Disclaimer: It has been a while since I've wrote any PHP so I can't guarantee any of that PHP code will work.

Disclaimer: It has been a while since I've wrote any PHP so I can't guarantee any of that PHP code will work.The code looks good so far, but I found an error in the second block of code. The changes I made are added in red: ;)
...
<input type="submit">
<?
} else if($_POST['Bot'] == "No" || $_POST['HumanTest'] == "13" || strtolower($_POST['HumanTest'] == "thirteen")) {
echo 'Hi ' . $_POST['name'] . '!'
} else {
?>
Name: <input type="text" name="name">
...
This change fixes the single equals sign operator error, as well as added in a strtolower() command, so that if the user inputs Thirteen or tHirTeeN you know they still had the right answer.

The code looks good so far, but I found an error in the second block of code. The changes I made are added in red: ;)
...
<input type="submit">
<?
} else if($_POST['Bot'] == "No" || $_POST['HumanTest'] == "13" || strtolower($_POST['HumanTest'] == "thirteen")) {
echo 'Hi ' . $_POST['name'] . '!'
} else {
?>
Name: <input type="text" name="name">
...
This change fixes the single equals sign operator error, as well as added in a strtolower() command, so that if the user inputs Thirteen or tHirTeeN you know they still had the right answer.

Thanks artdutra, I've been doing too much with VB.NET and SQL at work lately, I kept starting to type "OR" instead of "||" also but managed to catch all of those mistakes.

I was thinking about the spam blocking code a minute ago and think there may actually be a better way to do the thing...


<html>
<body>
<?PHP
if((strtolower($_POST['Bot']) != "thirteen" && $_POST['Bot'] != "13"))
echo "You're a bot! Stop messing with my form!";
else
echo 'Hi ' . $_POST['name'] . '!';
?>
<form action="test.php" method="POST">
Name: <input type="text" name="name">
<script type="text/javascript" language="javascript">
document.write('<input type="hidden" id="Bot" name="Bot" value="Yes">');
document.getElementById('Bot').value = "13";
</script>
<noscript>
What is eight plus five? <input type="text" id="Bot" name="Bot" />
</noscript>
<input type="submit">
</form>
</body>
</html>


I also caught another error when I actually tested that before posting... I had used apostrophes in my PHP strings and had one in "You're", switched that string to quotation marks.