Comments on: Avoid HTML form spam using CSS

By: dr john

dr john — Sun, 10 Jan 2010 16:50:26 +0000

dave,

you place the code snippet in the php script that is the action for the form, near the very top, so it is tested before the rest of your action script runs and processes the data, and exits at that point.

Many scripts use a foreach($_POST as $value) loop to check for blank fields in the data sent, or for characters likely to be used by a hacker (; — { and similar, see SQL Injection examples), so you’d have to have a little bit of code that tested each $value and if it was your hidden field, skip the check.

By: pligg.com

pligg.com — Thu, 07 Jan 2010 20:04:16 +0000

Avoid HTML form spam using CSS…

An approach of avoiding HTML form spam is using CSS. Non-human spammers usually fills out every input field in a form and submit it, and to overcome this kind of spam you must be able to differ between real human form submits and non-human spam. A tech…

By: dave

dave — Thu, 10 Dec 2009 23:55:25 +0000

Where do you place the php script

// check if man or machine
if ($_POST['human'] == â€œâ€){
echo â€œBad doggy. Sit bobo. Sit.â€;
exit;}

in the form? Do you place it right after the “from action”?

By: Kenny

Kenny — Fri, 12 Jun 2009 14:55:24 +0000

Thanks for this! Such a simple solution.

By: chantz

chantz — Tue, 19 May 2009 05:36:38 +0000

David Brix, thanks for the PHP snippet. I’ll try it, but where in the code do you add it? Does it matter where you put it (e.g. does it have to be before fclose or something) or can you just stick it in the end? If it helps, I’m using GoDaddy’s webformmailer.php. Thx!

By: Stephanie Boucher

Stephanie Boucher — Mon, 18 May 2009 07:54:41 +0000

I’ve tried the hidden field option to distinguish human from non human, but the php form always returns an error. I’ve tried normalperson’s idea with and without Dave Brix’s modification, and no joy. Any suggestions? Stephanie

By: Trinity

Trinity — Tue, 21 Apr 2009 20:08:25 +0000

You could also hide the dummy input text field behind another div that has a higher z-index value and is sized and filled so as to obscure the dummy field from view. That way, the css of the dummy input text field could remain identical to the css of the other text fields.

I think it would be difficult very difficult for a bot to detect that another div that is positioned in front of the dummy input field.

By: BotBoy

BotBoy — Mon, 20 Apr 2009 02:26:44 +0000

Frode why would the bot bother changing the default setting?

By: Frode

Frode — Tue, 24 Mar 2009 08:41:57 +0000

Might be even better if you set a default value of the human field, and if that value changes its managed as spam?

By: Alexwebmaster

Alexwebmaster — Tue, 03 Mar 2009 08:19:54 +0000

Hello webmaster
I would like to share with you a link to your site
write me here preonrelt@mail.ru

By: YHVH

YHVH — Fri, 13 Feb 2009 18:34:02 +0000

Django does this standardly with it’s auto creation of forms. Seems to work on the sites I run.

By: Web development

Web development — Fri, 13 Feb 2009 12:54:27 +0000

See this link you can see further info on how to avoid spam without a CAPTCHA http://www.webdigi.co.uk/blog/2009/does-your-website-really-need-a-captcha/

By: Chris Done

Chris Done — Fri, 13 Feb 2009 10:03:13 +0000

Hi Viktor,

I don’t think screen readers read the DOM tree, at all. They read the screen, literally. For example, Opera. If you hide an element with CSS, the screen reader doesn’t see it. Why should it, really?

I suspect this method is perfectly fine for screen readers, but I haven’t tested it.

By: defreegames

defreegames — Fri, 13 Feb 2009 09:38:02 +0000

thanks for sharing…

By: SEO Services

SEO Services — Sun, 11 Jan 2009 23:34:14 +0000

Nice idea, I’ll have to test that out and see how well it works.

By: James

James — Sun, 21 Dec 2008 16:12:34 +0000

Wish I could edit my comments -.-
#human{
position:absolute;
top:-100px;
left:-100px;
}

By: James

James — Sun, 21 Dec 2008 16:11:53 +0000

Another thought on this is instead of hiding it altogether is placing it at an absolute value that is -top -left. This makes it invisible to humans, but spam bots still see it and will fill it in. Also has the added advantage of not producing scroll bars, and not getting the smart spam bots to skip it because it is simply hidden ie:

#human {
top: -100px;
left: -100px;
}

By: Alaina

Alaina — Wed, 03 Dec 2008 18:38:00 +0000

is there anyway you can remove that last post?

By: Alaina

Alaina — Mon, 17 Nov 2008 14:51:41 +0000

My company is using html forms and lately we’ve been getting a lot of spam coming in through them. They don’t seem to want to do anything about it to fix it so I’m attempting to find a solution myself. So this may be a silly question (I understand the basics of html/css, but asp/php is rather confusing to me), but can this method be applied to forms that are being sent with asp?

By: Gino

Gino — Wed, 05 Nov 2008 10:31:37 +0000

This is a good idea. Some people are doing spam works. If the robots are spamming we can easily block them by using this idea but we couldn’t do anything. I am in search for block this kind of spams.I think if we can check the email id is valid or not we can identify. Can anyone give some ideas about how we can check the email is valid or not.

By: midhun

midhun — Tue, 23 Sep 2008 06:22:29 +0000

Do you think this is a better approach than image reading to avoid spamming ??

By: PHP-Shops.de: Erfolgreich Online-Shops fÃ¼hren

PHP-Shops.de: Erfolgreich Online-Shops fÃ¼hren — Sun, 24 Aug 2008 09:47:09 +0000

Formular-Spam vermeiden mit CSS…

Hier ist die Idee in jedem Formular ein verstecktes Feld einzufÃ¼gen, welches ein Spambot ausfÃ¼llen wÃ¼rde, ein Mensch allerdings nicht, da er dieses nicht sieht….

By: David Brix

David Brix — Fri, 25 Jul 2008 19:33:12 +0000

Some Folks, such as myself, might find that the php script given by “normalperson” might not work.

When I implemented it I first tried the complete snippet that he gave and immediately got an syntax error generated by the server.

Ultimately, I added only the Post check for the “human ” field, but still had a syntax error generated. I ran it by an associate of mine, David Lincer, and he discovered that there was code missing. In the ($_POST['human'] “”) argument it was missing “==”.

THE ORIGINAL CODE SNIPPET:

// check if man or machine
if ($_POST['human'] â€œâ€){
echo â€œBad doggy. Sit bobo. Sit.â€;
exit;}

THE CORRECTED CODE:

// check if man or machine
if ($_POST['human'] == â€œâ€){
echo â€œBad doggy. Sit bobo. Sit.â€;
exit;}

In addition, I changed the relevent action to redirect to my thank you page so that any bot would think that it was successful and not bother to try another attack tactic. My final code looks something like this…

// check if man or machine
if ($_POST['human'] == â€œâ€){
header( “Location: $thankyouurl” );
exit;
}

By: normalperson

normalperson — Wed, 02 Jul 2008 21:51:35 +0000

Additional idea for if they catch on to the human hidden field etc.

Create say 4 human fields

Add the CSS code to your style sheet
#human {
visibility:hidden;
display:none;
}

Then in your form to email script decide which one you would check for needing to contain no values.

// check if man or machine
if ($_POST['human3'] â€œâ€){ //you choose human1 – 4
echo â€œBad doggy. Sit bobo. Sit.â€;
exit;}

Could even add a randomizer for the four fields to make it even more random.

By: normalperson

normalperson — Wed, 02 Jul 2008 21:44:10 +0000

It’s such a nifty simple solution if you need something for spam on a basic or restricted server. Works cool. Added the stylesheet bit. In my php form to email wrote code like this after checking

// This line prevents values being entered in a URL

if ($_SERVER['REQUEST_METHOD'] != “POST”){exit;}

// This line prevents a blank form being sent

while(list($key,$value) = each($_POST)){if(!(empty($value))){$set=1;}$message = $message . “$key: $value\n\n”;} if($set!==1){header(“location: $_SERVER[HTTP_REFERER]“);exit;}

// check if man or machine
if ($_POST['human'] “”){
echo “Bad doggy. Sit bobo. Sit.”;
exit;}