
PHP Comment Form Validation to Protect Against Spam

I am building a comment form for a website. Eventually, it will be a popup jquery form utilizing ajax. I am trying to get the php together right now and want to make sure that I cover all of the bases to protect against spam.

There are four fields: email, name, url, and comment. This is what I have for the php so far:

<?php
// Read the posted address; a missing field yields an empty string rather than a notice.
$email = $_POST['email'] ?? '';

// filter_var() returns the filtered value on success and false on failure,
// so the mail must be sent in the branch where the check passed (the original
// condition was inverted and sent mail only for invalid addresses).
if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
    print "E-mail is correct";

    // Only fixed values go into the headers; nothing from $_POST is placed there.
    $to      = 'asdfdsafasdfsda@gmail.com';
    $subject = 'the subject';
    $message = 'hello';
    $headers = 'From: webmaster@example.com';

    mail($to, $subject, $message, $headers);

} else {
    print "E-mail is not correct";
}

Just checking to make sure that the user is using a proper email address. I am not utilizing a database so am not worried as much about SQL injection or other database related problems. I just want the form to be secure against spam-bots.

What are the other elements I should include in my php to protect against spam?

You can generally not decide whether a message is spam or a desired text, so syntactic checks like the one you did for the email won't work.

There are, on the other hand, some solutions out there that try to find certain properties that could identify a message as spam. You can, for instance, look into http://wordpress.org/extend/plugins/akismet

A common solution is to use a captcha. That is a picture containing some obfuscated text only a human can read. Google provides a simple captcha system, if you want to try: http://www.google.com/recaptcha

Use an anti-spam database. Botscout has a really good one, as well as Spambusted. They have code samples and plugins for all major open-source scripts.

As for what information you need, one important piece of information would be the user's IP.

The CSRF token is a good idea and it helps make sure that the comments only originate from your website (thus not allowing someone to post a comment from a script outside of your website), but it's not particularly effective against a spammer who knows what he's doing.

Captcha is a good solution as well (and the Google reCAPTCHA is very easy to include), but it can be cumbersome for your end users.

If the only functionality you want to have is comments, then you might also want to try an already established solution, like Disqus.
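The CSRF token mentioned above, combined with the e-mail check from the question, as an added example that is not part of the original question or of any answer. It assumes the form field names csrf_token, email, name, url and comment, stores the token in the PHP session, and compares it with hash_equals() so the check runs in constant time; user input is kept in the message body and never placed in the mail headers.

```php
<?php
// Added example, not code from the original post: a minimal comment handler
// that issues a per-session CSRF token, verifies it on POST, validates the
// e-mail address, and only then calls mail(). Field names are assumptions.
session_start();

// Issue one token per session and reuse it; render it as a hidden input.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the session copy; a missing token fails.
function csrf_valid(?string $submitted): bool
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject any request that did not come from a form we rendered.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }

    // filter_input() returns false for an invalid value and null for a missing one.
    $email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $url     = filter_input(INPUT_POST, 'url', FILTER_VALIDATE_URL);
    $name    = trim((string) ($_POST['name'] ?? ''));
    $comment = trim((string) ($_POST['comment'] ?? ''));

    if ($email === false || $email === null || $comment === '') {
        http_response_code(400);
        exit('E-mail is not correct or comment is empty');
    }

    // Headers stay fixed strings; everything the user typed goes in the body.
    $to      = 'asdfdsafasdfsda@gmail.com'; // address from the question
    $subject = 'New comment';
    $message = "Name: $name\nE-mail: $email\nURL: " . ($url ?: '(none)') . "\n\n$comment";
    $headers = 'From: webmaster@example.com';

    mail($to, $subject, $message, $headers);
    exit('Comment received');
}
?>
<form method="post">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="email" name="email" placeholder="E-mail">
  <input type="text" name="name" placeholder="Name">
  <input type="url" name="url" placeholder="URL (optional)">
  <textarea name="comment" placeholder="Comment"></textarea>
  <button type="submit">Post comment</button>
</form>
```

When the form later moves to a jQuery/AJAX popup, the hidden csrf_token value is sent along with the other fields in the same POST, so the server side does not change; random_bytes() and hash_equals() are available from PHP 7.0 and 5.6 respectively.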

Captcha Ads
I haven't used it but read about it. The concept is appealing. It is easier for the user to read and you make money in the process.

PS: please do post what you ended up implementing besides recaptcha.
