Prevent Form Injection

When I first wrote this article 7-8 months ago I was very disturbed about Captcha and still am. Why? First of all because it’s just plain inaccessible to everybody. You don’t have to have the slightest vision problems (or any other problem for that matter) to get in trouble when trying to decipher the more and more ridiculous outputs from various Captchas. What I do like about Captcha is that it tries to stop spam and I’m sure it works great. In fact it works so great it also stops humans. How did it ever get this far (out) that we have to behave silly and obstruct our visitors with foolish solutions just to protect our inboxes?

Spam out of control

Spam is the Internet’s version of junk mail, telemarketing calls, leaflets, survey calls etc. All of this mixed into a single annoying electronic package. So how much spam is out there? I don’t think anyone knows exactly, but Wiki has this to say about it! That is why I think we should do our utmost to prevent and stop spam. If there is any truth in the Wiki article then I think it’s safe to say… spam is out of control.

Captcha vs SpamTrap

So is there anything revolutionary about SpamTrap, you may ask? Nothing revolutionary going on here. In fact I would say it’s a Captcha clone outputting random questions in plain text with really simple answers instead of images. I believe it must be better to use simple questions in plain text when compared to hopelessly twisted letters and numbers.

SpamTrap features

So what is SpamTrap and what can it do for you? SpamTrap is NOT a guarantee against spam! It’s just another tool in the spam fighting toolbox, just like Captcha. The zip file contains an (x)html/php page (form.php) and a folder containing two inc files. The page works right out of the box. The only things you need to do are to change the recipient mail address and to include the absolute path to your thank you page. Create one if you don’t have one. The form fields are labeled explicitly with their controls. The form can be used in a table based layout or as a css-based form page. That’s up to you.

Let’s get started

Download and unzip the file into your website directory. You need to change 2 values in the script. Below you’ll find the php code from the top of the form.php page. I’ve colored the code for easy editing: green means edit and red means don’t edit.

<?php
include("php/");   // the names of the two inc files are missing from this copy of the page; use the ones shipped in the zip
include("php/");
$validator = new ValidateForm();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {   // $HTTP_SERVER_VARS is deprecated; $_SERVER carries the same value
    $validator->addCheck('First_and_Last_name');
    if ($validator->validate() && checkAnswer()) {
        // send email or another action to be performed
        $SendTo  = "";   /* Change this to match your email address */
        $Subject = "";   /* not set in the original snippet; define it here unless the inc files already do */
        // The From header is built from visitor input: the validator must reject any value containing
        // CR/LF, otherwise a visitor can inject extra mail headers (the "form injection" of the title).
        $FromString = "from: " . $validator->get("Email_address") . "\r\n";
        $Indhold  = "Navn: " . $validator->get("First_and_Last_name") . "\r\n";   // "Navn" is Danish for "Name"
        $Indhold .= "Email: " . $validator->get("Email_address") . "\r\n";
        $Indhold .= "Comment:\r\n" . preg_replace("/(\r\n|\r|\n)/", "\r\n", $validator->get("Comment")) . "\r\n\r\n";
        $MailSuccess = mail($SendTo, $Subject, $Indhold, $FromString);
        header("Location: absolute path to your thank you page");
        exit;   // stop processing after the redirect so nothing else runs
    }
}
?>

The cut and paste process

Copy the processing php code from the very top of the form.php page. Place the copied php code above the opening html tag on the page you want the form to appear on. When the changes to the receiver address and the location of the thank you page are in place you’re ready to cut’n’paste the form itself. Select the form and paste it where you want it to appear. Save your html file as form.php (or change the form’s action attribute, action="form.php", to whatever you want to call your form page).

Copy the block of Error php code from the form.php page and place it like any other paragraph of text. A good place would preferably be above your form, or anywhere else you want errors to display. You’re done with your new form page. Now you just need to add the final bits and pieces to make your form page look as you want it. If you don’t know how, then do a search for “css form styling” or something like that. Upload your page to your site and test. If the form submits, you see the thank you page, and you get mail, then it works! Otherwise your site is not hosted on a php enabled server or something else went wrong.
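The handler below is an added, self-contained example of the same idea (a plain-text question instead of a Captcha, plus the header checks that keep the mail form from being abused); it is not the form.php or the inc files from the SpamTrap zip. The question bank, the field names Answer and spamtrap_q, the session handling, and the addresses and thank-you path are all assumptions made up for the example.

```php
<?php
// Added example of a SpamTrap-style contact form handler (not the original form.php).
session_start();

// Constructed question bank; the real inc file's questions are not shown on the page.
$questions = [
    ['q' => 'What colour is the sky on a clear day?',  'a' => 'blue'],
    ['q' => 'How many legs does a dog have? (digits)', 'a' => '4'],
    ['q' => 'Type the word "human" backwards.',         'a' => 'namuh'],
];

// A CR or LF inside a mail header lets the sender append headers of their own
// (extra recipients, a second body), so no header value may contain one.
function isSingleLine(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Returns the trimmed address, or null if it is multi-line or not a valid address.
function cleanEmail(string $value): ?string
{
    $value = trim($value);
    if (!isSingleLine($value) || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Compare the visitor's answer with the answer of the question that was shown.
function checkAnswer(array $questions, ?int $index, string $given): bool
{
    if ($index === null || !isset($questions[$index])) {
        return false;
    }
    return hash_equals(strtolower($questions[$index]['a']), strtolower(trim($given)));
}

$errors = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email   = cleanEmail($_POST['Email_address'] ?? '');
    $name    = trim($_POST['First_and_Last_name'] ?? '');
    $comment = $_POST['Comment'] ?? '';
    $answer  = $_POST['Answer'] ?? '';

    if ($email === null) {
        $errors[] = 'Please enter a valid email address.';
    }
    if ($name === '' || !isSingleLine($name)) {
        $errors[] = 'Please enter your first and last name.';
    }
    if (!checkAnswer($questions, $_SESSION['spamtrap_q'] ?? null, $answer)) {
        $errors[] = 'The answer to the question was wrong.';
    }

    if ($errors === []) {
        $sendTo  = 'you@example.com';        // placeholder: your own address
        $subject = 'Message from the contact form';
        // Visitor data goes into the body, normalised to CRLF line endings.
        $body  = "Name: $name\r\n";
        $body .= "Email: $email\r\n";
        $body .= "Comment:\r\n" . preg_replace("/\r\n|\r|\n/", "\r\n", $comment) . "\r\n";
        // From stays a fixed local address; the validated visitor address goes in Reply-To,
        // so the message is never sent "from" a domain you do not control.
        $headers = "From: noreply@example.com\r\nReply-To: $email\r\n";
        mail($sendTo, $subject, $body, $headers);
        unset($_SESSION['spamtrap_q']);      // one answer is good for one submission only
        header('Location: /thank-you.php');  // placeholder: absolute path to your thank you page
        exit;
    }
}

// Pick a fresh question for the form that is about to be rendered.
$_SESSION['spamtrap_q'] = array_rand($questions);
$question = $questions[$_SESSION['spamtrap_q']]['q'];
?>
<!DOCTYPE html>
<html><body>
<?php foreach ($errors as $e): ?><p class="error"><?= htmlspecialchars($e) ?></p><?php endforeach; ?>
<form method="post" action="form.php">
  <label for="name">First and last name</label> <input id="name" name="First_and_Last_name">
  <label for="email">Email address</label> <input id="email" name="Email_address">
  <label for="comment">Comment</label> <textarea id="comment" name="Comment"></textarea>
  <label for="answer"><?= htmlspecialchars($question) ?></label> <input id="answer" name="Answer">
  <button type="submit">Send</button>
</form>
</body></html>
```

Two choices worth noting: the visitor's address is placed in Reply-To rather than From, so a forged header cannot make your server send mail in someone else's name, and the question index lives in the session, so the answer a bot scrapes from one page load does not match the question checked on the next.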

Use the form/PHP at your own risk!

Adapted from Kim K Jonsson at GeekMinistry, 2007.


I am Techie, the webmaster and main author for the w3techie blog.


3 Responses

  1. Aaron says:

    I hear you about form injections and spam and all that fantastic “noise” out there because of it. I’ve designed my own bot traps in the past with some success but also ran into problems when I blocked search engine bots temporarily, too 🙂 I say the best form is the one that checks EVERYTHING before it does ANYTHING. Make sure the script only reads data from a particular referring page. Make sure the data is checked and cleaned before executing (removing anything that could be ran as code, remove spam links, etc). Verify email addresses while you’re at it. I hate spam!

  2. Spam is a bear of a problem for me. I don’t use captchas on my site because I’m always getting hung up on them myself. I oftentimes just click off if asked to decipher one of those idiot boxes. Man, the last one I tried to access had a square as a character in the captcha… A SQUARE! I really wanted access to the members area of the site and was anxious to join, but every time I refreshed the page it would have that crazy square as a character in the captcha. I stupidly searched my keyboard hoping that, heh, there was some key that had just magically materialized, but no square. Finally, out of frustration, I gave up on the site.

    I’ll give this SpamTrap a shot on my site and see if I can get it to work. Thanks for this.

  3. Thanks for the short tutorial!

    I will try it myself to get rid of these stupid captchas. For myself, I had a lot of problems on several sites deciphering the captcha and sometimes I just stopped trying.

    Easy captchas are cracked easily, harder captchas are a pain in the *** for humans.

    Let’s see how SpamTrap performs on my blog.
