
Filtering spam on a PHP contact form

guys. I've been trying to wrap my head around this, but I'm very new to PHP. I've tried all sorts of tutorials for PHP spam filters, but none of them work right when I write them into the form.

The code that I've been trying to modify is:

<?php
// Redirect header is queued first; the script still runs to completion below.
header ("Location: index.html");
if( !empty($_POST['topName']) || !empty($_POST['topEmail']) || !empty($_POST['topPhone']) ) {
    $name = $_POST['topName'] ?? '';
    $emailAddress = $_POST['topEmail'] ?? '';
    $phone = $_POST['topPhone'] ?? '';
    $message = $_POST['topMessage'] ?? '';

    $email_to = "companyname@gmail.com";
    $email_from = "$name <$emailAddress>";
    $email_subject = "Message from online contact form";
    $email_body = "From: $name\n" .
                   "Email: $emailAddress\n" .
                   "Phone: $phone\n\n" .
                   "$message";
    // Note: $name and $emailAddress are placed into mail headers without validation here.
    $email_headers = "From: $email_from \r\n" .
                "Reply-To: $emailAddress \r\n";

    mail($email_to, $email_subject, $email_body, $email_headers);
}
exit;
?>

The only part of that which worked was adding the !empty things, but that still only blocks spam that leaves those fields blank. I can't seem to get anything to work when I follow tutorials. Is there something I can do to make a super simple spam filter, or a tutorial to follow that a newbie could understand?

Any help or advice would be appreciated!

To ensure that fields are not empty, you can perform some validations like so:

<?php

function checkLength($d, $min, $max){
    $len = strlen($d);
    if($len > $max || $len < $min){
        return false;
    } else {
        return true;
    }
}

function checkRegEx($d, $reg){
    // ereg() is removed in PHP 7; preg_match() accepts the PCRE pattern used below
    return preg_match($reg, $d) === 1;
}

$fields = [
    'name'  => $_POST['topName']  ?? '',
    'email' => $_POST['topEmail'] ?? '',
    'phone' => $_POST['topPhone'] ?? ''
];

$valid = true;

// Check that each is not empty
foreach($fields as $k => $v){
    $valid = $valid && !empty($v);
}

// Add HTML Safe Message
$fields['message'] = htmlentities($_POST['topMessage'] ?? '');

// Check that name has enough characters
$valid = $valid && checkLength($fields['name'], 3, 25);

// Check that Email has enough characters
$valid = $valid && checkLength($fields['email'], 5, 80);

// Check Email format (this also keeps CR/LF out of the address used in the headers)
$valid = $valid && checkRegEx($fields['email'], "/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/");

if( $valid ) {
    $email_to = "companyname@gmail.com";
    $email_from = "{$fields['name']} <{$fields['email']}>";
    $email_subject = "Message from online contact form";
    $email_body = "";
    $email_body .= "From: {$fields['name']}\r\n";
    $email_body .= "Email: {$fields['email']}\r\n";
    $email_body .= "Phone: {$fields['phone']}\r\n\r\n";
    $email_body .= $fields['message'];
    // Only the validated address goes into the headers
    $email_headers = "From: {$fields['email']}\r\n";
    $email_headers .= "Reply-To: {$fields['email']}\r\n";

    mail($email_to, $email_subject, $email_body, $email_headers);
}
exit;
?>

One of the most effective ways to stop spam is to make sure each field contains exactly what is expected. For example, the name should only include letters, the phone number only digits, etc. If there is no need for text fields to include URLs, not submitting messages when they do will eliminate a lot of spam.

Next you can use honeypot fields. These are fields that are hidden from people but are often detected by spam bots. You check on submission if they contain anything and if they do you know it's spam.

You can also check the time between when the form page is displayed and the form is submitted. Very quick submissions indicate automated spam.

Captcha should be a last resort, maybe only displayed if other techniques suggest spam.

Finally, you could make life a lot easier for yourself by using a class that does a lot of this for you, eg http://stefangabos.ro/php-libraries/zebra-form/ or a form building app like http://wufoo.com
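The checks described in both answers (strict per-field validation, a honeypot field, a minimum fill time, and rejecting URLs in the message) combined into one handler, as an added example that is not code from either answer. The field names `website` and `form_ts`, and the thresholds, are assumptions.

```php
<?php
// Added example: validate a contact-form POST before anything is mailed.
// Assumes the page rendered two hidden inputs: "website" (honeypot, left
// empty by humans) and "form_ts" (Unix time when the form was shown).
function validateContactForm(array $post, int $now, int $minSeconds = 5): array
{
    $errors = [];

    // Honeypot: real browsers never show this field, so any value is a bot.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot filled';
    }

    // Fill time: a submission seconds after render is almost always automated.
    $ts = (int) ($post['form_ts'] ?? 0);
    if ($ts <= 0 || ($now - $ts) < $minSeconds) {
        $errors[] = 'submitted too quickly';
    }

    $name  = trim($post['topName'] ?? '');
    $email = trim($post['topEmail'] ?? '');
    $phone = trim($post['topPhone'] ?? '');
    $msg   = trim($post['topMessage'] ?? '');

    // Each field may contain only what it is expected to contain.
    if (!preg_match("/^[\\p{L} .'-]{2,50}$/u", $name)) {
        $errors[] = 'invalid name';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so the address is safe in headers.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    if (!preg_match('/^[0-9 +()-]{6,20}$/', $phone)) {
        $errors[] = 'invalid phone';
    }
    if ($msg === '' || strlen($msg) > 2000) {
        $errors[] = 'invalid message';
    }
    // The form has no legitimate use for links, so drop messages carrying one.
    if (preg_match('#https?://|www\.#i', $msg)) {
        $errors[] = 'message contains a URL';
    }

    return $errors; // an empty array means the submission passed every check
}

$errors = validateContactForm($_POST, time());
if ($errors === []) {
    // build and send the mail here using only the validated values
}
```

The hidden timestamp can be forged by a client, so treat the timing check as a cheap heuristic rather than a control; signing it with hash_hmac() when the form is rendered stops a bot from back-dating it.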
