-6

I've been looking for a long time for how to protect my website from spammers. I searched on the internet but found nothing at all! Is there any way to protect my form? E.g. some users want to spam me and are creating 'tons' of accounts.

Gs Marinakic
  • 4
    Have you tried using captcha? – carl-lopez Jul 05 '13 at 21:34
  • 1
    If you want to ensure that someone creating an account is a person then the most immediate approach is to look into CAPTCHA systems. There's no 100% assured solution, but you can potentially make it difficult enough for the spammers that they won't bother. – David Jul 05 '13 at 21:35
  • 1
    Honeypots are also a good technique for trapping automated spam: though looks like Half Crazed beat me to that one – Mark Baker Jul 05 '13 at 21:36
  • You really couldn't find an answer on the web? Try searching for [Captcha](https://www.google.co.nz/search?q=captcha) –  Jul 05 '13 at 21:36
  • There are lots of strategies, depending on how you have setup your form. [Here are a bunch of them](http://stackoverflow.com/search?q=%5Bphp%5D+prevent+spam) – Michael Berkowski Jul 05 '13 at 21:36
  • 2
    Regarding your statement "I searched on the internet but nothing at all!", have a look at https://google.com/search?q=Anti+spam+for+web+forms. Now use captcha or security questions; these are the most commonly used... – Mihai Vilcu Jul 05 '13 at 21:37
  • You seriously **JUST** asked the same question: http://stackoverflow.com/questions/17496830/log-specific-ip-address-of-a-registered-user – pattyd Jul 05 '13 at 21:47

1 Answer

3

There are CAPTCHA solutions, though they are not always user-friendly. I've had to look into other ventures to help overcome spam (though never 100%).

One solution that avoids CAPTCHA is to add a hidden input with a value. In JavaScript, delete that hidden input. On the server side, test if it was posted or not. If it was, there's a possibility of it being spam - then from there you can hold the account for review or simply ignore it.

Another solution (this is a bit more complicated) involves writing a class that randomizes the input names based on a server session key. From there, you output the input names (scrambled/random text)... On POST, you then "decode" the scrambled text into meaningful input names and continue on with your validation, etc. If you can't "decode" it into something logical, or expected input names, then it's a false submission. An easier variant of this method is to store input names in sessions, then access them via `$_POST[$_SESSION['input']['name']]`, etc. There's something like this already out there located here.

Lastly, using any of these methods, NEVER, EVER fail the submission and show the user a failure message solely due to these detection methods. Doing so will reveal that you have some sort of system in place to stop spam and alert these spam bot developers that they need to revise their script - possibly even just to attack your site even more frequently. Of course, with that said, you'll still want to continue failing the submission if someone's email address isn't right...

Rob W
  • 2
    Yeah, I always start with a quick honeypot input, and move on from there if spam continues. It's generally a good way to go for smaller sites. – Major Productions Jul 05 '13 at 21:39
  • Nice one. I never thought about that - it would really stop lots of bots. – Geeky Guy Jul 05 '13 at 21:40
  • Updated my answer to include a third, possibly over-complicated, solution. – Rob W Jul 05 '13 at 21:44
  • Okay, and I will need to add a value on this hidden input? Or leave it blank? – Gs Marinakic Jul 05 '13 at 21:45
  • It doesn't matter. If you're checking if it's posted, you can do `if(isset($_POST['blah'])) { $possibleSpam = true; }` but you want to name this something inconspicuous, like `action` or `session` or whatever.. don't use obvious names like `attempt_to_catch_bots`.. – Rob W Jul 05 '13 at 21:46
  • ALSO: You want to fail SILENTLY. You don't want to inform the user/bot that there was an error with the submission. So beware. (updated answer with this). – Rob W Jul 05 '13 at 21:47
  • So I have to create a hidden input and then say `if(isset($_POST['hidden_input_name'])){ /* what goes here? */ }` – Gs Marinakic Jul 05 '13 at 21:51
  • `if(isset($_POST['hidden_input_name'])) $isSpam = true; /**continue processing rest of form... use this variable to check LATER if spam**/`, etc. – Rob W Jul 06 '13 at 04:28
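
The hidden-input check, the session-stored input names and the silent handling described in the answer, put together as an added example (it is not code from the answer or from the library it links to). The field list, the `session_ref` trap name and the `held_for_review` status are assumptions made for illustration, and the database insert is replaced by a log line.

```php
<?php
session_start();
const FIELDS = ['username', 'email'];   // logical names the application works with
const TRAP   = 'session_ref';           // hypothetical, inconspicuous honeypot name

// Give each logical field a random name that lives only in this session.
function field_map(): array {
    return $_SESSION['field_map'] ??= array_map(
        fn($f) => 'f' . bin2hex(random_bytes(8)), array_combine(FIELDS, FIELDS));
}

// Translate the scrambled POST keys back; flag anything that does not fit.
function decode_post(array $post, array $map): array {
    $spam = array_key_exists(TRAP, $post);   // JavaScript never removed the trap
    $data = [];
    foreach ($map as $logical => $random) {
        if (isset($post[$random]) && is_string($post[$random])) {
            $data[$logical] = trim($post[$random]);
        } else {
            $spam = true;                    // expected scrambled name is missing
        }
    }
    return [$data, $spam];
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$data, $spam] = decode_post($_POST, field_map());
    unset($_SESSION['field_map']);           // fresh names for the next render
    if (filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $message = 'Please enter a valid e-mail address.';   // ordinary validation
    } else {
        // Store $data together with $status here (database insert omitted).
        $status = $spam ? 'held_for_review' : 'active';
        error_log("signup stored with status=$status");
        $message = 'Thanks, your account has been created.'; // same text either way
    }
}
$map = field_map(); ?>
<p><?= htmlspecialchars($message) ?></p>
<form method="post">
  <input type="hidden" name="<?= TRAP ?>" id="<?= TRAP ?>" value="1">
  <input type="text"  name="<?= $map['username'] ?>" placeholder="Username">
  <input type="email" name="<?= $map['email'] ?>" placeholder="E-mail">
  <button type="submit">Sign up</button>
</form>
<script>document.getElementById('<?= TRAP ?>').remove();</script>
```

Visitors with JavaScript disabled also post the trap field, which is why a flagged sign-up is held for review here rather than discarded.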