Our guestbook has been attacked by spam bots quite a bit recently and I finally got around to stopping the spam with a neat little trick from the ASP.NET AJAX Control Toolkit that real users won't even notice (as long as they have Javascript enabled...)
PHP Code:
<?PHP
if($_POST['Bot'] == "Yes")
echo 'You're a bot! Stop messing with my form!'
else if($_POST['Bot'] == "No")
echo 'Hi ' . $_POST['name'] . '!'
?>
<form action="test.php" method="POST">
Name: <input type="text" name="name">
<input type="hidden" id="Bot" name="Bot" value="Yes">
<script type="text/javascript" language="javascript">
document.getElementById('Bot').value = "No"
</script>
<input type="submit">
</form>
A lot of spam bots don't execute javascript so you are safe from them. For people that disable javascript, you can modify the above code to do something like...
PHP Code:
<form action="test.php" method="POST">
<?PHP
if($_POST['Bot'] == "Yes") {
?>
I'm not sure if you're a bot or not... what is five plus eight?<br />
<input type="text" name="HumanTest">
<input type="hidden" name="name" value="<? echo $_POST['name'] ?>">
<input type="submit">
<?
} else if($_POST['Bot'] == "No" || $_POST['HumanTest'] == "13" || $_POST['HumanTest'] = "thirteen") {
echo 'Hi ' . $_POST['name'] . '!'
} else {
?>
Name: <input type="text" name="name">
<input type="hidden" id="Bot" name="Bot" value="Yes">
<script type="text/javascript" language="javascript">
document.getElementById('Bot').value = "No"
</script>
<input type="submit">
<? } ?>
</form>
And that will allow regular people that have javascript enabled to not be bothered by proving they're human while also allowing for the occasional user that disables it.
Disclaimer: It has been a while since I've wrote any PHP so I can't guarantee any of that PHP code will work.