Comments on: How to build a spam-free contact form without captchas

By: Alicia

Alicia — Wed, 10 Mar 2010 01:56:51 +0000

Yes, checking for extra fields injection is mandatory.

One migh also want the Name to be added there too ( not just the email ), and the subject of the email can be something like ‘Contact Form ‘ . $POST[subject] ..

I use formchamp.com to build and generate forms that send emails, and they also have a captcha less version that uses a hidden field to catch spam. Just as per suggestion of this blog entry

By: nFriedly

nFriedly — Mon, 01 Mar 2010 16:12:08 +0000

Hi Naz, you can do that by changing the line

mail( 'you@yoursite.com', 'Contact Form', print_r($_POST,true) );

to this:

$youremail = 'you@yoursite.com';

$body = "This is the form that was just submitted:
Name:  $_POST[name]
E-Mail: $_POST[email]
Message: $_POST[message]";

if( $_POST['email'] && !preg_match( "/[\r\n]/", $_POST['email']) ) {
  $headers = "From: $_POST[email]";
} else {
  $headers = "From: $youremail";
}

mail($youremail, 'Contact Form', $body, $headers );

The preg_match() is there to make sure spammers can’t abuse your server by injecting extra fields (such as CC and BCC) into the header. Take a look at http://www.thesitewizard.com/php/protect-script-from-email-injection.shtml for more info.

By: Naz

Naz — Sun, 28 Feb 2010 10:32:57 +0000

Hey, I tried this code and it works fine. But when I get the email. It comes with Array{} codes and even it shows the submit. Is there a way I can make it much better? Also it comes from my mail server which is an ugly address lol.

By: William

William — Sat, 11 Jul 2009 00:10:17 +0000

The method that you described does sound very interesting. However, recently I started using Mollom ( http://mollom.com ). There is no captcha. The form is processed by their bot and if it appears to be spam, it is rejected. I was getting at least one spam message in my inbox everyday even with a captcha. I started using Mollom about a month ago and so far only 1 spam message has gotten through.
I do want to look at the method that you described above though. I definitely see some benefits with it.

By: nFriedly

nFriedly — Thu, 18 Jun 2009 14:17:16 +0000

Oh yea, I love jQuery, if you take a look at the live demo linked in the article, http://nfriedly.com/contact , you’ll see that it uses jquery to go a little above and beyond what I mention here.

By: Ryan M.

Ryan M. — Thu, 18 Jun 2009 13:41:12 +0000

Not sure if you have taken a look at JQuery. At this point in time I’m sure you have. When i first saw i ran as fast as i code. The big chunks of code were over whelming. Besides all that, Jqery has a write in code snippet that can be used to plug chunks of code anywhere on the page based on criteria. This link ( http://docs.jquery.com/Manipulation ) has the code calls to manipulate code on a page. Very helpful if added on to your tut to provide reusable code and added security to perhaps dynamically create the whole form.

By: nFriedly

nFriedly — Tue, 09 Jun 2009 15:37:48 +0000

Oh, certainly, this is just a basic line of defense. The smart ones will still get you, but let’s face it: most spammers aren’t that smart or they’d be in a different line of work.

By: Richard Lynch

Richard Lynch — Tue, 09 Jun 2009 15:24:27 +0000

The anti-spam extra field is good.

The Javascript to “hide” your email is only going to be partially successful.

SpiderMonkey will cheerfully run the JS for the slightly smart spammers who run that to gather more/better emails.

So you’ve only stopped the stupidest spammers, not the slightly smart one.s

By: nFriedly

nFriedly — Tue, 09 Jun 2009 03:59:19 +0000

Thanks Ivan, post a link here when you do! BTW, I love the look of your site.

By: Ivan Bayross

Ivan Bayross — Tue, 09 Jun 2009 03:50:38 +0000

Thank you for a really simple explanation and codespec.

In its simplicity its brilliant and effective. I’m going to implement this approach with the few web forms I use.

Ivan Bayross