Configuring form with hidden antispam field

Posted: Sun May 04, 2008 9:55 am
by awa
Hi

I have a contact form script I like and have used in several places. It's simple and I understand what it does and I can add and require as many fields as I want easily - so inevitably it's been hit by the spammers.

I don't really want a captcha adding on to the page. What I would like to do is to add a honeypot type trap - so there is a text field hidden by CSS and if it gets filled in (such as by a bot filling in all fields) it rejects the submission.

The code works fine until the introduction of the section

Code:

<?php
      }
    }else if (empty($COMMENT2)) { 
?>
<p>Thanks for your message</a></p>
 
I added the 'Thanks' so if anyone actually sees it, they think it's gone through and there's no error messaging for them to see.

I've tried several variations on empty functions, but each time all I get is the blank white page, so something is breaking it but not so that it will hint why.

I've also tried with a second $nothanks type of thing earlier in the script, looking for any character in the field but same result.

Can anyone offer the correct syntax to make it work?

Thanks.

Code:

<?php
  $to='My Name <web@mysite.co.uk>';
  $messageSubject=$_POST['NAME']." : ".$_POST['REF'];
  $confirmationSubject="My Name: ".$_POST['REF'];
  $confirmationBody="Thank you for your email.\n\nI aim to reply to you within 24 hours.\n\nPlease see below for a copy of the information you supplied.\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n";
  $REF='';  
  $NAME='';
  $EMAIL='';
  $MESSAGE='';
  $displayForm=true;
  if ($_POST){
    $REF=stripslashes($_POST['REF']);
    $NAME=stripslashes($_POST['NAME']);
    $EMAIL=stripslashes($_POST['EMAIL']);
    $MESSAGE=stripslashes($_POST['MESSAGE']);
    
    foreach ($_POST as $Field=>$Value) 
    $MsgBody .= "$Field: $Value\n\n"; 
    
    $valid=eregi('^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$',$EMAIL);
    $nothanks=eregi("(\r|\n)(to:|from:|cc:|bcc:)",$MESSAGE);
    if ($EMAIL && $MESSAGE && $valid && !$nothanks){
      if (mail($to,$messageSubject,$MsgBody,'From: '.$EMAIL."\r\n")
          && mail($EMAIL,$confirmationSubject,$confirmationBody.$MsgBody,'From: '.$to."\r\n")){
        $displayForm=false;
?>
<p>Thank you - your message was successfully sent. 
A copy has also been sent to your email address</p>
<br />
<br />
</p>
<?php
    echo '<p>','<em>'.htmlspecialchars($REF).'</em>','</p>';
    echo '<p>','<em>'.htmlspecialchars($NAME).'</em>','</p>';
    echo '<p>','<em>'.htmlspecialchars($EMAIL).'</em>','</p>';
    echo '<p>','<em>'.htmlspecialchars($MESSAGE).'</em>','</p>';
 
      }else{
?>
<p>
  Sorry, something went wrong when the server tried to send your message<br />
<br />
This is usually due to a server error, and is probably not your fault<br />
<br />
Please try again in a few minutes, or drop me an email at <a href="mailto:mail@mysite.co.uk">mailto:mail@mysite</a></p>
<?php
      }
    }else if ($nothanks){ 
?>
<p><strong>
  Your message contained email headers within the message body.<br />
<br />
This seems to be a spam attempt and the message has not been sent.</strong></p>
<p>If you believe this to be an error, then please drop me an email at <a href="mailto:web@mysite.co.uk">web@mysite.co.uk</a></p>
 
 //Here's the section with a problem
 
<?php
      }
    }else if (empty($COMMENT2)) { 
?>
<p>Thanks for your message</a></p>
 
 //End problem section
 
 
<?php
}
    }else{
?>
<p><strong>
  Sorry, your message could not be sent<br />
<br />
</strong>You must include both a valid email address and a message</p><?php
    }
  }
  if ($displayForm){
?>
<form action="contact.php" method="post">
 
 // Form HTML goes here
 // Includes 'hidden' text box, as below
 
<tr>
<td>
<div align="left">
<label for="COMMENT2">Comment 2</label>
<br />
<input type="text" name="COMMENT2" class="textboxh" />
</div></td></tr>
 
 // End form HTML
 
</form>
<?php
  }
?>

Re: Configuring form with hidden antispam field

Posted: Sun May 04, 2008 12:15 pm
by Verminox
Your if-else structure curly brackets seem to be messed up. The 'problem section' is actually in a block that is being executed if $_POST is false (i.e., no POSTed data). In fact, when I copied your code directly it gave me a PARSE ERROR because of some extra '}' characters so I don't know where exactly they came from. Also, $COMMENT2 is never initialised in the script, so it will always be empty.
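
A flattened version of the checks discussed in this thread, as an added example that is not part of the original posts: the honeypot value is read from the request and tested first, so each outcome is a single return and no braces have to be matched across PHP/HTML blocks. The function name classify_submission and the sample submissions are assumptions made for illustration; preg_match and filter_var stand in for the script's eregi calls, and no mail is sent.

```php
<?php
// Added example, not the thread's script: decide what to do with a POST
// before any mail() call. Field names follow the form in the first post.

function classify_submission(array $post): string
{
    // Read the honeypot from the request itself; a variable that is never
    // assigned is always "empty", so the test has to look at $post.
    $trap = isset($post['COMMENT2']) ? trim((string)$post['COMMENT2']) : '';
    if ($trap !== '') {
        return 'honeypot';          // show the plain "Thanks", send nothing
    }

    $email   = isset($post['EMAIL'])   ? trim((string)$post['EMAIL']) : '';
    $message = isset($post['MESSAGE']) ? (string)$post['MESSAGE'] : '';

    // Same header-injection test as $nothanks, written with preg_match
    // (eregi was removed in PHP 7).
    if (preg_match('/(\r|\n)(to:|from:|cc:|bcc:)/i', $message)) {
        return 'header_injection';
    }

    // The address ends up in a From: header, so it must be one clean line.
    if ($message === '' || preg_match('/[\r\n]/', $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    return 'ok';                    // only this outcome should reach mail()
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'  => ['EMAIL' => 'a@example.com', 'MESSAGE' => 'Hello', 'COMMENT2' => ''],
    'bot'    => ['EMAIL' => 'b@example.com', 'MESSAGE' => 'Buy now', 'COMMENT2' => 'http://spam.example'],
    'inject' => ['EMAIL' => 'c@example.com', 'MESSAGE' => "Hi\nBcc: x@example.com", 'COMMENT2' => ''],
    'blank'  => ['EMAIL' => '', 'MESSAGE' => '', 'COMMENT2' => ''],
];
foreach ($samples as $label => $post) {
    echo str_pad($label, 8), classify_submission($post), "\n";
}
```

In the contact script, a switch on the returned string would select which HTML block to print, with the 'honeypot' case printing the same "Thanks for your message" text and skipping both mail() calls.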

Re: Configuring form with hidden antispam field

Posted: Sun May 04, 2008 1:17 pm
by awa
OK... thanks for the comments. I'll revisit the brackets.
I don't remember where the code originated but I just duplicated and edited the $nothanks section as an extra stage, thinking that would do the trick.