Garbage web form submissions driving me nuts

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Garbage web form submissions driving me nuts

Post by rhecker »

I have a couple of web forms that receive hundreds of garbage submissions every day. I have validation on the email field but can't really do much validation on other fields because the forms can be filled out in Chinese, Russian, Vietnamese as well as English. I can't use a captcha because it would have to deal with the various languages, would really confuse the Vietnamese, and the client doesn't want it. I have installed BadBehaviour, but still the problem persists.

Given the above, I can't figure out what else I can try to stem the tide of garbage submissions.

Also, I simply don't understand what these garbage submissions are trying to accomplish. All submissions are filtered through mysql_real_escape_string and the forms don't post to php_self.

I appreciate any thoughts.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Garbage web form submissions driving me nuts

Post by matthijs »

What you can try is to add a hidden form field and, when validating, check that it is empty. The spambots that fill in your form will probably fill in that field as well, and their submissions are therefore refused. It is not bullet-proof, but it might help.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Garbage web form submissions driving me nuts

Post by Darhazer »

rhecker wrote: I can't use a captcha because it would have to deal with the various languages, would really confuse the Vietnamese, and the client doesn't want it.
It should not. You can create a captcha with numbers only, and virtually all captchas use the Latin alphabet (even Russian and Chinese ones).

matthijs' suggestion is good (even better is to use a text input, but hide it with CSS), and I would go with this option if I can use captcha.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Garbage web form submissions driving me nuts

Post by rhecker »

I really like the hidden field idea, so thanks for that. Also like the idea of using CSS to hide it as a way to further foil the bots.

Our visitors from Vietnam are often less tech-savvy than visitors from other places, so I'm afraid that a captcha would confuse them. They have enough trouble entering a correct email address in the email field! When I tried a captcha on an English-only form, I received a lot of resistance.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Garbage web form submissions driving me nuts

Post by Apollo »

rhecker wrote: Our visitors from Vietnam are often less tech-savvy than visitors from other places, so I'm afraid that a captcha would confuse them. They have enough trouble entering a correct email address in the email field! When I tried a captcha on an English-only form, I received a lot of resistance.
Remember, a captcha can also look like this: 5 + 18 = [???]

Especially if you render that equation in an image (which is easy with imagettftext), you'll get rid of quite some spam bots.

Another option is to use some JavaScript. Most spam bots will simply scan your HTML for form fields, but will not be able to execute JavaScript. If you send the email only if some JavaScript condition is met (such as calculating an md5 hash or something into a hidden field), you will again ditch lots of bots.
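
The CSS-hidden text field and the JavaScript-filled hidden field suggested in this thread, combined in PHP; this is an added example, not code posted by any participant. The field names (`website`, `js_token`), the HMAC-signed nonce, the one-hour expiry and `FORM_SECRET` are assumptions, and the script reverses the nonce instead of computing an md5 hash.

```php
<?php
// Added example, not code from the thread. Field names, secret and limits are assumptions.
const FORM_SECRET = 'replace-with-a-long-random-value'; // placeholder secret
const MAX_AGE = 3600; // seconds a rendered form stays valid (assumed)

// Read a POST field as a string; arrays (e.g. website[]=x) count as empty.
function field(array $post, string $key): string {
    return is_string($post[$key] ?? null) ? $post[$key] : '';
}

// Build the anti-bot part of the form: honeypot, signed nonce and the script.
// $nonce is hex and $now an integer, so both are safe to embed without escaping.
function render_trap_fields(int $now): string {
    $nonce = bin2hex(random_bytes(8));
    $sig = hash_hmac('sha256', "$nonce|$now", FORM_SECRET);
    return <<<HTML
<style>.hp { position: absolute; left: -9999px; }</style>
<div class="hp" aria-hidden="true">
  <label>Leave this field empty <input type="text" name="website" tabindex="-1" autocomplete="off"></label>
</div>
<input type="hidden" name="nonce" value="$nonce">
<input type="hidden" name="ts" value="$now">
<input type="hidden" name="sig" value="$sig">
<input type="hidden" name="js_token" id="js_token" value="">
<script>
  // Only a client that runs JavaScript fills this in: the nonce reversed.
  document.getElementById('js_token').value = '$nonce'.split('').reverse().join('');
</script>
HTML;
}

// Return the reason a submission is rejected, or null to accept it.
function reject_reason(array $post, int $now): ?string {
    if (trim(field($post, 'website')) !== '') return 'honeypot filled';
    $nonce = field($post, 'nonce');
    $ts = field($post, 'ts');
    $expected = hash_hmac('sha256', "$nonce|$ts", FORM_SECRET);
    if (!hash_equals($expected, field($post, 'sig'))) return 'bad signature';
    if ($now - (int)$ts > MAX_AGE) return 'form expired';
    if (!hash_equals(strrev($nonce), field($post, 'js_token'))) return 'javascript token missing';
    return null;
}

if (PHP_SAPI === 'cli') { // constructed sample: a bot that fills every text input
    $bot = ['email' => 'a@example.com', 'website' => 'http://spam.example/'];
    echo reject_reason($bot, time()) ?? 'accepted', PHP_EOL;
}
```

In the form handler, send the email only when `reject_reason($_POST, time())` returns `null`; logging the returned reason shows which check is catching the submissions.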