Protecting e-mail address without forms...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


nicolasm
Forum Newbie
Posts: 2
Joined: Thu Apr 23, 2009 2:46 am

Protecting e-mail address without forms...

Post by nicolasm »

Let's say I want to show a normal mailto: link to my visitors (not an html form),
so they can contact me through their favorite e-mail client, or webmail site.

but of course I don't want the address harvested by spambots.

Let's say I set up a .php file to display the e-mail link:

<a href="mailto:whoever@wherever.com">whoever@wherever.com</a>

...but only if a CAPTCHA in a previous page was successfully answered.

Is this secure, or should I stick to the html form? (and all the anti-injection validation techniques)
jazz090
Forum Contributor
Posts: 176
Joined: Sun Apr 12, 2009 3:29 pm
Location: England

Re: Protecting e-mail address without forms...

Post by jazz090 »

you could do one thing:

setup a page called mailto.php

instead of setting links as "mailto:email@address.com", encrypt it once with mcrypt and then base64-encode it, and call it $email
now set the links as <a href="mailto.php?e=$email">send email</a>

then in mailto.php, base64-decode the encrypted email, decrypt it with mcrypt, and simply send a Location header: header("Location: mailto:$decrypted_email")

however, I recommend that you set up a page that circumvents mailto and sends the email with PHP itself (no encryption or email exposure is needed)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Protecting e-mail address without forms...

Post by kaisellgren »

The CAPTCHA would definitely block at least 99% of your spam bots. However, this is not very practical. There are no bullet-proof solutions. Bots can also interpret response headers. Another thing is that you could encode the characters, which could prevent many bots:

Code:

```php
<?php
// Emit each character of $email as a numeric character reference,
// picking the hex form (&#x6b;) or the decimal form (&#107;) at random
// for each character.
function obfuscate($email)
{
    $encoded_email = '';
    for ($a = 0, $b = strlen($email); $a < $b; $a++) {
        $code = ord($email[$a]);
        // Terminate every reference with ';' so the markup is well-formed.
        $encoded_email .= '&#' . (mt_rand(0, 1) == 0 ? 'x' . dechex($code) : $code) . ';';
    }
    return $encoded_email;
}

echo obfuscate('kaisellgren@gmail.com');
```

This is what the source code now looks like:
&#x6b;&#97;&#105;&#115;&#x65;&#108;&#108;&#x67;&#114;&#x65;&#110;&#x40;&#x67;&#109;&#x61;&#x69;&#x6c;&#x2e;&#x63;&#111;&#109;
It is still possible for a bot to decode it, so you could add some words to the email address, like "myemailREMOVETHIS@email.com".

Btw, the above encryption/decryption scheme is superfluous.

If you want even better "protection", you could make a JavaScript script that generates the link.
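The following is an added example, not code from this thread or from any of its posters. It ports the entity obfuscation from the post above to JavaScript and puts it next to the few lines a harvester needs to undo it, which is the check a practitioner would want before relying on this technique. The function names, the marker list, and the sample page are this example's own assumptions.

```javascript
// Added example, not code from the thread: the entity obfuscation from the
// post, ported to JavaScript, next to the few lines a harvester needs to undo
// it. The function names and the sample page are this example's own.

// Port of the PHP obfuscate(): each character becomes &#NNN; or &#xHH;,
// chosen at random per character, as in the original.
function obfuscate(email) {
  let out = '';
  for (const ch of email) {
    const code = ch.codePointAt(0);
    out += Math.random() < 0.5 ? `&#x${code.toString(16)};` : `&#${code};`;
  }
  return out;
}

// Harvester side: turn numeric character references (decimal or hex, with or
// without the optional ';') back into characters. Browsers do exactly this,
// so any bot that runs a decoder before its address regex is unaffected.
function decodeNumericRefs(text) {
  return text.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?/g, (_, ref) =>
    String.fromCodePoint(/^[xX]/.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)));
}

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function harvestAddresses(html) {
  return decodeNumericRefs(html).match(EMAIL_RE) || [];
}

// The "REMOVETHIS" idea from the post: a human strips the marker by hand; a
// bot that does not know it collects a dead address, but one that strips a
// short list of common markers gets the real one, so it is only a speed bump.
function stripKnownMarkers(address, markers = ['REMOVETHIS', 'NOSPAM']) {
  return markers.reduce((acc, m) => acc.split(m).join(''), address);
}

// Constructed page for the demo.
const encoded = obfuscate('whoever@wherever.com');
const page = `<p>Mail me: <a href="mailto:${encoded}">${encoded}</a></p>`;
console.log(harvestAddresses(page)); // prints [ 'whoever@wherever.com', 'whoever@wherever.com' ]
console.log(stripKnownMarkers('whoeverREMOVETHIS@wherever.com')); // prints whoever@wherever.com
```

The mix of hex and decimal references, and whether or not each one ends in ';', makes no difference to a harvester that decodes before matching, which is what the post means by "it is still possible for a bot to decode it". Building the link at runtime in JavaScript, as the post suggests next, moves the address out of the static HTML, but a harvester that executes scripts recovers it the same way.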
nicolasm
Forum Newbie
Posts: 2
Joined: Thu Apr 23, 2009 2:46 am

Re: Protecting e-mail address without forms...

Post by nicolasm »

Thanks everyone... I didn't get the base64 thing, nor why it should be useful, or visible to human users
(sorry, I'm a newbie).

I think I'll just stick to the Form+Captcha approach. You are all right that every little security measure adds up.