phpFormProtect protects forms from spammers in a way that doesn't annoy users. It is an alternative to a CAPTCHA, and could also be used to prevent comment spam. It works by running each submission through a number of tests, and then scoring the submission. Any one of the tests by itself has flaws, but working together they provide a high quality indicator of the spamminess of a given form submission. The last two tests by default cause failure based on the points assigned. This is easily configurable.
This project is a port of CFFormProtect. We found that when switching from ColdFusion to PHP, there wasn't anything similar. Many thanks to the folks at CFFormProtect, especially for fp.js, which is a copy of cffp.js.
The tests are as follows:
- Hidden Form Field - If hidden form field is filled in, this is an indicator of spam
- Time Form Submission - If form is filled out too fast or too slow, this is an indicator of spam
- Too many URLs - If the comment field has too many URLs (Number is configurable) this is an indicator of spam
- Mouse Movement - If the user does not use their mouse, this is an indicator of spam
- Used Keyboard - If the user does not use their keybaord, this is an indicator of spam
- Validate Referer - If the HTTP referer does not match the form URL, we shouldn't accept the submission.
- Validate Email - If the email address provided in the form is not valid from a syntax perspective, we shouldn't accept the submission.
Dan McCarthy (mcc@rthy.net)
0.2
Require the package within your composer.json
:
"require": {
"mccarthy/phpFormProtect": "master"
}
Update Composer:
$ composer update
- Copy the phpfp folder into the same folder that contains the form and form processing page on your web host
- Put this line of code between the form tags of the form you want to protect:
<?php include 'phpfp/phpfp.php'; ?>
- On the form processing page, do something like the following:
$fp = new FormProtect;
$fpResult = $fp->testSubmission($_POST);
if($fpResult[pass]) {
//echo "Passed, looks like a valid submission. Process as normal, send email, etc.";
}
else {
//echo "Failed. Looks like spam. Log, block IP, email, etc.";
}
###Sample Code
- The files "contact.php" and "contact-process.php" contain sample code showing how to use phpFormProtect.
- You can either use the sample code files, or add similar logic to your form processing page.
- Include IP, Reverse IP Lookup, Referring URL, and Browser in Email
- Handle empty form post better
- Eliminate or fix spam words test
- Add logging
- Add config file
- Move JS into
<head>
- Integrate akismet
- Integrate project honeypot
- Integrate https://code.google.com/p/phpspamdetection/
- Integrate spamhaus dbl - (Assisting article)
- Integrate http://www.linksleeve.org/
- Add ideas from http://www.webmasterworld.com/php/4406126.htm
- http://stackoverflow.com/questions/1577918/blocking-comment-spam-without-using-captcha
- http://nedbatchelder.com/text/stopbots.html
- http://www.sitepoint.com/stop-comment-spam/
- http://www.sitepoint.com/comment-spam-compiled-and-interpreted/
- http://www.sitepoint.com/spam-fighters-toolkit/
- http://sblam.com/en.html
This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.