Easiest way to block spam

Technical Website Design/Showcase
1

Our guestbook has been attacked by spam bots quite a bit recently and I finally got around to stopping the spam with a neat little trick from the ASP.NET AJAX Control Toolkit that real users won’t even notice (as long as they have Javascript enabled…)


<?PHP
    if($_POST'Bot'] == "Yes")
        echo 'You're a bot! Stop messing with my form!'
    else if($_POST'Bot'] == "No")
        echo 'Hi ' . $_POST'name'] . '!'
?>
<form action="test.php" method="POST">
Name: <input type="text" name="name">
<input type="hidden" id="Bot" name="Bot" value="Yes">
<script type="text/javascript" language="javascript">
document.getElementById('Bot').value = "No"
</script>
<input type="submit">
</form>

A lot of spam bots don’t execute javascript so you are safe from them. For people that disable javascript, you can modify the above code to do something like…


<form action="test.php" method="POST">
<?PHP
    if($_POST'Bot'] == "Yes") {
?>
I'm not sure if you're a bot or not... what is five plus eight?<br />
<input type="text" name="HumanTest">
<input type="hidden" name="name" value="<? echo $_POST'name'] ?>">
<input type="submit">
<?
    } else if($_POST'Bot'] == "No" || $_POST'HumanTest'] == "13" || $_POST'HumanTest'] = "thirteen") {
        echo 'Hi ' . $_POST'name'] . '!'
    } else {
?>
Name: <input type="text" name="name">
<input type="hidden" id="Bot" name="Bot" value="Yes">
<script type="text/javascript" language="javascript">
document.getElementById('Bot').value = "No"
</script>
<input type="submit">
<? } ?>
</form>

And that will allow regular people that have javascript enabled to not be bothered by proving they’re human while also allowing for the occasional user that disables it.

Disclaimer: It has been a while since I’ve wrote any PHP so I can’t guarantee any of that PHP code will work.

2

The code looks good so far, but I found an error in the second block of code. The changes I made are added in red: :wink:

...
<input type="submit">
<?
    } else if($_POST'Bot'] == "No" || $_POST'HumanTest'] == "13" || **strtolower(**$_POST'HumanTest'] =**=** "thirteen"**)**) {
        echo 'Hi ' . $_POST'name'] . '!'
    } else {
?>
Name: <input type="text" name="name">
...

This change fixes the single equals sign operator error, as well as added in a strtolower() command, so that if the user inputs Thirteen or tHirTeeN you know they still had the right answer.

3

Thanks artdutra, I’ve been doing too much with VB.NET and SQL at work lately, I kept starting to type “OR” instead of “||” also but managed to catch all of those mistakes.

I was thinking about the spam blocking code a minute ago and think there may actually be a better way to do the thing…


<html>
<body>
<?PHP
    if((strtolower($_POST'Bot']) != "thirteen" && $_POST'Bot'] != "13"))
        echo "You're a bot! Stop messing with my form!";
    else
        echo 'Hi ' . $_POST'name'] . '!';
?>
<form action="test.php" method="POST">
Name: <input type="text" name="name">
<script type="text/javascript" language="javascript">
document.write('<input type="hidden" id="Bot" name="Bot" value="Yes">');
document.getElementById('Bot').value = "13";
</script>
<noscript>
  What is eight plus five? <input type="text" id="Bot" name="Bot" />
</noscript>
<input type="submit">
</form>
</body>
</html>

I also caught another error when I actually tested that before posting… I had used apostrophes in my PHP strings and had one in “You’re”, switched that string to quotation marks.