PHP to validate small gif on HTML form

I have a simple contact HTML form which sends me an email when someone uses it.

I want to show a little gif image that the user needs to verify, helping avoid bots and spam

Something like reCAPTCHA but less intrusive.

The gif doesn’t have to change, I’ll just use the same one.

Can anyone help?

Why not put a sum in the image and then get the user to enter the value in an input field.
You say the value isn’t going to change so compare the user input against a hardcoded value.

Hope that helps.

I prefer to have a hidden field which, if filled in, aborts the form. That stops the bots in their tracks. But to make life a little better for some screen reader users etc. you could add a simple sum in words that will allow the form to submit. That is, the label says “what’s two plus two?”, and the form sends if either “four” or “4” are entered, but aborts if anything else is submitted. Keep it hidden with display: none so that most people—even some screen readers—won’t see it.

It’s better not to make life harder for honest people.

I think I’ll try the hidden field trick.

Let’s say I add a hidden field ‘validate’, how do I check that it hasn’t been filled in before the email is sent?

Can someone help me out?

This is what I sometimes use:

// Abort unless the hidden field is empty or holds one of the accepted answers.
if (!empty($validate) && !($validate == "4" || $validate == "four")) {
	echo "Crime does not pay!";
	exit ();
}

So, if the field is empty, or if it contains “4” or “four”, the form sends. Otherwise, the form aborts and a message is shown.

Ok I’ve added the hidden field ‘validate’ but can’t figure where to put that piece of code you gave me, I suspect it goes in the middle.

Does the IF statement need an ELSE to go with it?

Sorry for the questions, I’m a designer not a coder lol

<?php

$Name = $_POST['Name'];
$EmailFrom = $_POST['EmailFrom'];
$Company = $_POST['Company'];
$Message = $_POST['Message'];
$validate = $_POST['Validate'];

$ewho="hello@#########.co.uk";
$datesent=date("l dS of F Y h:i A");
$ip=$_SERVER['REMOTE_ADDR'];
$subject="Contact";
$mailhead="From: $EmailFrom";
// Build the plain-text body, one field per paragraph.
$mailbody ="This email was sent via the website form" . "\n\n";
$mailbody .="Name: " . "$Name" . "\n\n";
$mailbody .="Email: " . "$EmailFrom" . "\n\n";
$mailbody .="Company: " . "$Company" . "\n\n";
$mailbody .="Message: " . "$Message" . "\n\n";
$mailbody .="DATE: " . "$datesent" . "\n";
$body =stripslashes($mailbody);

mail($ewho,$subject,$body,$mailhead);
?>

Yes, I suspect that will work.

Sorry for the questions, I’m a designer not a coder

Me too, so let’s fumble together, until an expert arrives. :slight_smile:

See if this works:

<?php

$Name = $_POST['Name'];
$EmailFrom = $_POST['EmailFrom'];
$Company = $_POST['Company'];
$Message = $_POST['Message'];
$validate = $_POST['Validate'];

// Honeypot check: abort before anything is emailed if the hidden field
// holds anything other than an accepted answer.
if (!empty($validate) && !($validate == "4" || $validate == "four")) {
	echo "Crime does not pay!";
	exit ();
}

$ewho="hello@#########.co.uk";
$datesent=date("l dS of F Y h:i A");
$ip=$_SERVER['REMOTE_ADDR'];
$subject="Contact";
$mailhead="From: $EmailFrom";
$mailbody ="This email was sent via the website form" . "\n\n";
$mailbody .="Name: " . "$Name" . "\n\n";
$mailbody .="Email: " . "$EmailFrom" . "\n\n";
$mailbody .="Company: " . "$Company" . "\n\n";
$mailbody .="Message: " . "$Message" . "\n\n";
$mailbody .="DATE: " . "$datesent" . "\n";
$body =stripslashes($mailbody);

mail($ewho,$subject,$body,$mailhead);
?>

Does the IF statement need an ELSE to go with it?

No.

Yep I got it working with that.

I’ve tested it by manually entering a value in the form and it does indeed stop the code from emailing.

Thanks, much appreciated.

Phil

I haven’t used the .gif but i’ll leave that part of the verifying code there for future reference.

Great, glad that worked.

It would also be a good idea to run the other fields through validation, though, as a lot of damage could be done by allowing anything in those fields. Best to lock down each input. That means checking what’s typed into each field and displaying an error message if the rules aren’t followed. At the moment, the email field could be used for a mass spam attack (as I understand it). So you can include something like this as well (although this is more complex than just aborting the form, as we did above):

// Reject an empty or badly formed address and record an error to show the user.
if (empty($EmailFrom) || !preg_match("/^[^0-9][A-Za-z0-9_]+([.][A-Za-z0-9_]+)*[@][A-Za-z0-9_]+([.][A-Za-z0-9_]+)*[.][A-Za-z]{2,4}$/", $EmailFrom)) {
	$error_msg[]="Your email must have a valid format";
}

You also need a way to display the error messages etc., so this starts to get more complex. But the form, as it is, is open to serious spam injections, I believe. (As I said, though, I’m no expert.)

You can never stop an actual person using a form for no good, but I’d say the thing to avoid is bots. I guess if an individual takes the trouble to study your code and then set up a bot to do its work, that’s a pain, but I doubt that happens often. And it would be easy to change your hidden form question once a month or so to foil the bots anyhow.

In the case of the OP’s question, we are really just talking about a simple contact form that won’t involve a database.

The more pressing issue, I think, is to tighten security on the form to prevent header injections and the like.
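The two points raised above, validating the email field and keeping user input out of the mail headers, combined with the hidden-field check from earlier in the thread, as an added example that is not code from anyone in this thread. It assumes the same form field names (Name, EmailFrom, Company, Message and the hidden Validate field) and uses placeholder addresses.

```php
<?php
// Added example (not the thread's own code): a hardened version of the
// contact handler discussed above. Assumed field names: Name, EmailFrom,
// Company, Message and the hidden honeypot field Validate.

function has_crlf(string $value): bool {
    // A CR or LF in a value placed in a mail header lets the sender append
    // headers such as Bcc:, which is how a contact form becomes a spam relay.
    return preg_match('/[\r\n]/', $value) === 1;
}

function validate_contact(array $post): array {
    $errors = [];
    // Honeypot: humans never see the hidden field, so anything other than an
    // accepted answer to "two plus two" marks the submission as a bot.
    $honeypot = strtolower(trim($post['Validate'] ?? ''));
    if ($honeypot !== '' && !in_array($honeypot, ['4', 'four'], true)) {
        $errors[] = 'Submission rejected.';
    }
    $email = trim($post['EmailFrom'] ?? '');
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Your email must have a valid format';
    } elseif (has_crlf($email)) {
        $errors[] = 'Invalid characters in email address';
    }
    if (trim($post['Message'] ?? '') === '') {
        $errors[] = 'Please enter a message';
    }
    return $errors;
}

$errors = validate_contact($_POST);
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit();
}

// From: stays fixed to an address on your own domain; the visitor's address
// goes in Reply-To, so user input never controls the envelope sender.
$to      = 'hello@example.co.uk';                        // placeholder address
$headers = "From: website@example.co.uk\r\n"             // placeholder address
         . 'Reply-To: ' . trim($_POST['EmailFrom']) . "\r\n";
$body  = "This email was sent via the website form\n\n";
$body .= 'Name: ' . ($_POST['Name'] ?? '') . "\n\n";
$body .= 'Company: ' . ($_POST['Company'] ?? '') . "\n\n";
$body .= 'Message: ' . ($_POST['Message'] ?? '') . "\n\n";
$body .= 'DATE: ' . date('l dS of F Y h:i A') . "\n";
mail($to, 'Contact', $body, $headers);
```

Name, Company and Message only ever reach the message body, so line breaks in them are harmless; only the value that goes into a header needs the CR/LF check.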

Using hidden fields is ok as long as you are aware that it will only stop “nuisance” attempts to use your form for sending spam, and not someone who is determined and knows what they are doing, as they can easily bypass the hidden field you are using to stop spamming and protect your database.

All someone would need to do is view your html and css to see it is a hidden field, and so anyone with at least half a brain would twig pretty quickly that the field is not meant to be filled in. They can then use your form to potentially fill your database with garbage or do other potential damage and/or spamming.

Also, asking questions is also a weak captcha. You would just need to load the form manually a few times to get all or at least the majority of questions. Then the bot just needs to be programmed to give the correct answer for the question it is given.

Again, asking questions will at most stop “nuisance” attempts but not someone who knows what they are doing.

Thanks webdev1958

There’s no database involved but I’ll look at adding some more security.

I don’t want to spend hours researching php code for a simple contact form that just emails myself, especially when it seems that, no matter what you do, there’s always a way the spammers can get around it.