Right way to show email addresses

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

KalleL
Forum Newbie
Posts: 12
Joined: Mon Apr 30, 2007 8:52 am

Post by KalleL »

Hopefully this is the right section for this one. I think it's in some way a security matter.

I've been developing a portal for a gaming community. As email is probably the best way to contact people in these circles (along with IRC), it's important for people to share their email addresses. The problem is, how to display email addresses on the page? Okay, I know the format "username [at] domain [dot] exp" would be a secure one when it comes to spam bots. But to my eye, and definitely to a random user's eye, this isn't the best solution. Is there any other way to fight against spam bots? And is it really so that spam bots can't simply convert [at] to @ and [dot] to ., as it's so easy to do, for example, in PHP?

A couple of years ago, when I was starting my coding "career", I found some JavaScript code on the internet where the email address was generated by a function, like printing "adf" + ".em" + "ail" + "@" + "dom" + "ain" + ".com". If PHP sliced the address and passed it to a JS function, would it help? Does this kind of solution make any sense? Does it help anything?

Is just showing the address as text a better option than using a mailto link?

Of course users are allowed to hide their email, but can I somehow fight against these spam bots for those users willing to share their email addresses? Please share any comments/thoughts.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

There are a lot of different ways to try to save email addresses from spam bots... breaking up the address, using JavaScript (assuming the bots don't have access to JavaScript), generating images (like a CAPTCHA), etc. However, I think the best way is to just find a way to hide them from bots, period. Make it members only and prevent bots from getting that far after the registration process by proving they are human.
KalleL
Forum Newbie
Posts: 12
Joined: Mon Apr 30, 2007 8:52 am

Post by KalleL »

Yeah, they're already mostly behind registration, even though the registration process is still quite simple. But good points, thanks for them!
xpgeek
Forum Contributor
Posts: 146
Joined: Mon May 22, 2006 1:45 am
Location: Kyiv, Ukraine

Post by xpgeek »

The best way is to hide emails.

See the send email functionality on this forum as an example.
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

Personally I don't even show the e-mails to members unless that specific member has their e-mail address public, at which point they have the ability to control exposure of their address. As for users that do not allow their e-mail address to be publicly viewed, they can use a form and a script on my server to send member 2 member e-mail, where only the script is allowed to see the e-mail. Then the receiver of the e-mail can e-mail back, exposing their e-mail, or choose not to respond and still keep their e-mail secure.
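The member-to-member relay described in the post above, as an added example that is not part of the original thread or any poster's code. The `MEMBERS` array, `RELAY_FROM` address, function names and length limits are assumptions made for illustration; it targets PHP 7.1 or later.

```php
<?php
// Constructed sample data standing in for the members table (hypothetical).
const MEMBERS = [
    7  => ['name' => 'alice', 'email' => 'alice@example.org'],
    12 => ['name' => 'bob',   'email' => 'bob@example.org'],
];
const RELAY_FROM = 'noreply@portal.example'; // assumed site sender address

// Reject CR/LF so form input can never add or split mail headers.
function single_line(string $value, int $maxLen): string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('invalid field');
    }
    return $value;
}

// Build the message. The recipient address is resolved server-side from the
// member id, so it never appears in the page, the form or the response.
function build_relay_message(int $fromId, int $toId, string $subject, string $body, bool $revealSender): array
{
    if (!array_key_exists($fromId, MEMBERS) || !array_key_exists($toId, MEMBERS) || $fromId === $toId) {
        throw new InvalidArgumentException('unknown member');
    }
    $sender  = MEMBERS[$fromId];
    $subject = single_line($subject, 120);
    $body    = trim($body);
    if ($body === '' || strlen($body) > 5000) {
        throw new InvalidArgumentException('invalid body');
    }
    $headers = ['From' => RELAY_FROM, 'Content-Type' => 'text/plain; charset=UTF-8'];
    if ($revealSender) { // sender opted in to receiving direct replies
        $headers['Reply-To'] = $sender['email'];
    }
    $intro = "Message from member {$sender['name']} via the portal contact form:\n\n";
    return [MEMBERS[$toId]['email'], "[portal] $subject", $intro . $body, $headers];
}

// Demo: a normal message, then a subject that tries to smuggle in a Bcc header.
[$to, $subj, $text, $hdrs] = build_relay_message(7, 12, 'Clan match on Friday?', 'Hi, are you in?', false);
// mail($to, $subj, $text, $hdrs); // real delivery; array headers need PHP 7.2+
echo 'queued for member 12, Reply-To ', isset($hdrs['Reply-To']) ? 'set' : 'withheld', "\n";
try {
    build_relay_message(7, 12, "Hi\r\nBcc: list@example.net", 'x', false);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a real handler the sender id would come from the logged-in session rather than the form, and the endpoint would be rate limited so the relay itself cannot be used to send bulk mail.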