How to prevent robots (spambots) from automatically spamming up your WEB Form?
Posted by Abzetdin Adamov on January 12, 2012
Randomized field names to prevent spambots to automatically submitting your form
The Internet boom reinforces the security problems and unfortunately increases the number of unfair users that are using technology in improper way. At the same time the interactive nature of Web increases the number such opportunities. Actually, the main purpose of using spambots is to spread unsolicited information mainly for advertisement purposes.
So, how to prevent spambots from automatically submitting your WEB Form? It’s quite old problem and have several solutions:
1. Most common and effective way is the use of Captcha. Many people give up because they don’t want to type additional field or it’s too difficult to recognize symbols on Captcha. Captcha is not always very good at keeping spam away because computer software already can recognize letters as well as humans do. Sometimes developers trying to make Captcha more complex for spambots, in fact make it harder to read just for humans (Example: low text-to-background contrast or bad color combination does nothing to stop computer, since in this sense computers have plenty of advantages over human).
2. Text-based logical Captcha is another methods, however its just slightly different approach to the same common image-based Captcha. The idea is that, web forms shows some instructions and human is expected to enter to input some data according to those instruction. For example, “If tomorrow is Monday, what day is today?”, or “Enter the third word of this sentence.”, etc.
3. Another way is to add to form additional input(s) and hide them through CSS (<input type=”text” name=”login” style=”display:none”>). After this application on server side should check if additional field has been filled out or not and accept form datas if field is empty and reject if not. The point here is that for spambot this field is just one of thers and will fill it in, on the other hand humans don’t see it at all so its going to be empty. Its obvious that this method is not effective against targeted attacks or if the form was examined by human to determine fields those have to be left unchanged.
4. And finally, proposed method of spambot prevention the idea of which is that, actually any spambot must know the names of inputs of the web form in order to spam repeatedly, in other words input names have to be constant. So, why don’t we specify input names randomly. In this way all input names will change randomly after each submission. Since, spambot can’t predict the filed names, the continues spamming will be complicated.
However, even this approach can’t prevent spamming totally. For example, in the case when spambot does not store field names and each time request web form content newly, this method will not help… Because, in this case spambot does not care about field names and just takes what is there…
PHP code to enable randomized field names and prevent some kind of spambots to automatically submit your form:
<html>
<head>
</head>
<body>
<?php
session_start();
if (isset($_SESSION['fld_name'])) { // Check if appropriate form field has session declared for it...
if (isset($_GET[$_SESSION['fld_name']])) {
echo "<br>".$_GET[$_SESSION['fld_name']];
echo "<br>".$_GET[$_SESSION['fld_sname']];
echo "<br>".$_GET[$_SESSION['fld_email']];
}
}
$_SESSION['fld_name'] = randName(5); // Creates sessions for each field-input with random value (for example, string with length 5)
$_SESSION['fld_sname'] = randName(5);
$_SESSION['fld_email'] = randName(5);
?>
<!-- HTML Code of Web Form -->
<form>
<input type="text" name="<? echo $_SESSION['fld_name'];?>"><br> // The name parameter of each input is assigned randomly
<input type="text" name="<? echo $_SESSION['fld_sname'];?>"><br>
<input type="text" name="<? echo $_SESSION['fld_email'];?>"><br>
<input type="submit" value="Submit">
</form>
<!-- Function to generate random string -->
<?php
function randName($len) {
$rnd = array_merge(range('a', 'z'));
$out ='';
for($i = 0; $i < $len; $i++) {
$out .= $rnd[mt_rand(0, count($rnd)-1)];
}
return $out;
}
?>
</body>
</html>
Abzetdin Adamov's IT Blog 
Xeayyam said
Sir, just two days ago hackers released a free toolkit designed to defeat the audio version of Google’s reCAPTCHA system. http://midsizeinsider.com/en-us/article/recaptcha-hacked-stiltwalker-c-neura
Sahib said
The fourth method is very interesting. I will use it. Thank You!!
P.S. You have a little error in your code:
to get the textbox data you should use the $_POST or $_REQUEST array, not the $_GET array
Matthew said
Here’s an addition to the third method. Instead of leaving the value NULL or blank, assign a value to a variable which would be hard to match:
$yyy = !empty($_POST[‘yyy’]) ? trim(stripslashes(strip_tags($_POST[‘yyy’]))) : ‘E8AB9A27-23C3-41A8-BB89-BF232F54FEE1’
Then, in later processing if the value doesn’t equal this you’d know to reject.
Michael Kwayisi said
Hi Abzetdin. Your random string generator doesn’t guarantee that the returned string is unique among the other ones generated. Indeed, the possibility of having the same string multiple times is very tiny, however, your algorithm doesn’t factor it in at all.
Brian said
@Sahib. Form defaults to $_GET array, when method is not specified.