PHP Form Spam Prevention

Question

Please bear with me as I am a graphic designer with some coding knowledge, but not near as much as a developer. And after many hours of tinkering and asking Google, I've decided to ask y'all directly!

I've been working on building a contact form for my website. So far so good, except for one thing. I would like to add a simple spam prevention field.

I've added a field "spamcheck" with the question 6+2=? but I do not know how to code the PHP to require that the value specifically be 8. As long as the other fields are correctly filled out, the form will submit regardless of the number entered here despite any attempt to mess with the code (thus why you will see my $spamcheck variable but the current coding only requires that it have a value like the rest of the fields).

I have included the PHP, the validation the PHP calls to, and the form. Apologies if the form has some excess code; I have tried many different versions of PHP form tutorials to no avail.

And of course, thank you very much for your help! :)

Here is the PHP code I have placed directly in the web page:

<?php 
define("EMAIL", "email@gmail.com");

if(isset($_POST['submit'])) {

  include('validate.class.php');

  //assign post data to variables 
    $name = trim($_POST['name']);
    $email = trim($_POST['email']);
    $budget = trim($_POST['budget']);
    $deadline = trim($_POST['deadline']);
    $message = trim($_POST['message']);
    $spamcheck = trim($_POST['spamcheck']);

  //start validating our form
  $v = new validate();
  $v->validateStr($name, "name", 1, 50);
  $v->validateEmail($email, "email");
  $v->validateStr($budget, "budget");
  $v->validateStr($deadline, "deadline");
  $v->validateStr($message, "message", 1, 1000);
  $v->validateStr($spamcheck, "spamcheck");

  if(!$v->hasErrors()) {
       $from = "website.com"; //Site name
  // Change this to your email address you want to form sent to
  $to = "email@gmail.com"; 
  $subject = "Hello! Comment from " . $name . "";

  $message = "Message from " . $name . "
  Email: " . $email . " 
  Budget: " . $budget ."
  Deadline: " . $deadline ."
  Message: " . $message ."";
  mail($to,$subject,$message,$from);


    //grab the current url, append ?sent=yes to it and then redirect to that url
        $url = "http". ((!empty($_SERVER['HTTPS'])) ? "s" : "") . "://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
        header('Location: '.$url."?sent=yes");

    } else {
    //set the number of errors message
    $message_text = $v->errorNumMessage();       

    //store the errors list in a variable
    $errors = $v->displayErrors();

    //get the individual error messages
    $nameErr = $v->getError("name");
    $emailErr = $v->getError("email");
    $budgetErr = $v->getError("budget");
    $deadlineErr = $v->getError("deadline");
    $messageErr = $v->getError("message");
    $spamcheckErr = $v->getError("spamcheck");

  }//end error check
}// end isset
  ?>

This is the validate.class.php which it calls to:

<?php
class validate {

  public $errors = array();

   public function validateStr($postVal, $postName, $min = 1, $max = 1000) {
    if(strlen($postVal) < intval($min)) {
      $this->setError($postName, ucfirst($postName)." is required.");
    } else if(strlen($postVal) > intval($max)) {
      $this->setError($postName, ucfirst($postName)." must be less than {$max} characters long.");
    }
  }// end validateStr

   public function validateEmail($emailVal, $emailName) {
    if(strlen($emailVal) <= 0) {
      $this->setError($emailName, "Please enter an Email Address");
    } else if (!preg_match('/^[^0-9][a-zA-Z0-9_]+([.][a-zA-Z0-9_]+)*[@][a-zA-Z0-9_]+([.][a-zA-Z0-9_]+)*[.][a-zA-Z]{2,4}$/', $emailVal)) {
      $this->setError($emailName, "Please enter a Valid Email Address");
        }
  }// end validateEmail     

  private function setError($element, $message) {
    $this->errors[$element] = $message;
  }// end logError


  public function getError($elementName) {
    if($this->errors[$elementName]) {
      return $this->errors[$elementName];
    } else {
      return false;
    }
  }// end getError

  public function displayErrors() {
    $errorsList = "<ul class=\"errors\">\n";
    foreach($this->errors as $value) {
      $errorsList .= "<li>". $value . "</li>\n";
    }
    $errorsList .= "</ul>\n";
    return $errorsList;
  }// end displayErrors

  public function hasErrors() {
    if(count($this->errors) > 0) {
      return true;
    } else {
      return false;
    }
  }// end hasErrors

  public function errorNumMessage() {
    if(count($this->errors) > 1) {
            $message = "There was an error sending your message!\n";
        } else {
            $message = "There was an error sending your message!\n";
        }
    return $message;
  }// end hasErrors

}// end class
?>

And here is the form html/php:

<span class="message"><?php echo $message_text; ?></span>
   <?php if(isset($_GET['sent'])): ?><h2>Your message has been sent</h2><?php endif; ?>
          <form role="form" method="post" action="webpage.php#contact">
            <div class="form-group">
              <input type="text" name="name" class="form-control" id="name" value="<?php echo htmlentities($name); ?>" placeholder="Full Name" required>
              <label for="exampleInputName"><i class="icon-tag"></i></label>
              <span class="errors"><?php echo $nameErr; ?></span>
              <div class="clearfix"></div>
            </div>
            <div class="form-group">
              <input type="email" name="email" class="form-control" id="email" value="<?php echo htmlentities($email); ?>" placeholder="Email" required>
              <label for="exampleInputEmail1"><i class="icon-inbox"></i></label>
              <span class="errors"><?php echo $emailErr; ?></span>
              <div class="clearfix"></div>
            </div>
            <div class="form-group">
              <input type="text" name="budget" class="form-control" id="budget" value="<?php echo htmlentities($budget); ?>" placeholder="Budget" required>
              <label for="exampleInputBudget1"><i class="icon-usd"></i></label>
              <span class="errors"><?php echo $budgetErr; ?></span>
              <div class="clearfix"></div>
            </div>
            <div class="form-group">
              <input type="text" name="deadline" class="form-control" id="deadline" value="<?php echo htmlentities($deadline); ?>" placeholder="Deadline" required>
              <label for="exampleInputDeadline"><i class="icon-calendar"></i></label>
              <span class="errors"><?php echo $deadlineErr; ?></span>
              <div class="clearfix"></div>
            </div>
            <div class="form-group textarea">
              <textarea rows="6" name="message" class="form-control" id="message" value="<?php echo htmlentities($message); ?>" placeholder="Write Message" required></textarea>
              <label for="exampleInputMessage"><i class="icon-pencil"></i></label>
              <span class="errors"><?php echo $messageErr; ?></span>
              <div class="clearfix"></div>
            </div>
            <div class="form-group">
              <input type="text" name="spamcheck" class="form-control" id="spamcheck" value="<?php echo htmlentities($spamcheck); ?>" placeholder="Spam check: 6+2=?" required>
              <label for="exampleInputSpamCheck"><i class="icon-lock"></i></label>
              <span class="errors"><?php echo $spamcheckErr; ?></span>
              <div class="clearfix"></div>
            </div>

            <button type="submit" id="submit" name="submit" value="submit" class="btn btn-large">Send Message</button>
          </form>

Answer 1

Check this out as an alternative to a captcha. Then you could use your existing class to validate the field. Say your hidden field has a name "fakeField" You could validate it with your validateSTR method via..

$v->validateStr($fakeField, "fakeField",0,0);

Since your str check is checking > and < instead of >= and <= this will return true when the length is exactly 0. This might be an easier solution for someone with little code knowledge to integrate.

Alternatively, if you're stuck on using a captcha of sort, and you know what you expect the value to be, you could add a method to check against the value you're expecting.

The method:

public function validateCaptcha( $value,$name, $expectedValue) {
if(trim($value) != $expectedValue) {
  $this->setError($name, "Captcha Incorrect");
    }
}

then change the line of code

$v->validateStr($spamcheck, "spamcheck");

to

$v->validateCaptcha($spamcheck, "spamcheck", '6');

This isn't the best solution since there are so many powerful captchas out therebut it's easy to use.

Answer 2

In the PHP script where you generate the form, you should save the correct answer to the question in a $_SESSION variable.

Then, in the PHP script that receives this form data, you should verify that what was submitted for that question matches the right answer in the $_SESSION variable.

There are a bunch of tutorials on how to use sessions in PHP.

Basically, it comes down to:

form.php

<?php
    session_start();
    $_SESSION['captcha_right_answer'] = somehow_generate_this();
?>

handler.php

<?php
    session_start();

    if ($_INPUT['captcha_answer'] != $_SESSION['captcha_right_answer']) {
        // Show "bad captcha" message, re-show form, whatever
    }
    else {
        // Captcha good - go on with life
    }
?>

Answer 3

Another simple method is to capture the time the page loads and compare it to the time the form was submitted. If the difference was too short, exit the page. spambots are quick; people are slow. Spambots may figure out various fields - even do math - but they are never going to wait around for more than a few seconds.

It takes only two lines, one in the form:

<input name="timeloaded" type="hidden" value="<?php echo time();?>" />

and one in the form processing code:

if(!(is_numeric($_POST['timeloaded'])) || time()-$_POST['timeloaded']<30) {header("Location: index.php"); exit;} 

This one is for a form that no human can fill out in less than 30 seconds. Change that for the length of form you use.