Posted on April 26th, 2010 at 07:22 AM by Corey Ballou

Let’s face it: nobody enjoys spam. A basic PHP contact form is generally susceptible to a massive amount of spam mail. SPF30 is a PHP library that combines a number of recommended spambot deterrents in an attempt to reduce form submission spam, and it does so without any form of captcha. In addition to the spam prevention methods, SPF30 handles two-way encryption of form field names and values, so your form content cannot be trivially read off the wire. Bear in mind that the JavaScript which encrypts field values runs in the visitor’s browser and is delivered over the same connection as the form itself, so this raises the bar against casual sniffing rather than replacing TLS for genuine confidentiality.

Features

  • The form submission contains a hashed value of a system defined secret key, the current date, and the user’s user agent.
  • The form submission is invalidated in the event the submission timestamp exceeds a specific timeout period (default 1 hour).
  • The form submission is invalidated in the event it was submitted in rapid succession (default 5 seconds).
  • A hidden honeypot input is included in an attempt to trick bots into filling it in, which a human visitor never does.
  • A hidden hash field is validated against the submission time, user agent, and secret key.
  • A hidden field is sent containing the array of encrypted field names so they can be decrypted back to their original field names.
  • Decrypted form fields are written directly back to the POST array, abstracting the encryption from your backend handling.
  • User specified form field names can undergo two-way DES encryption to obfuscate form field names.
  • User submitted form field values can be encrypted on the frontend using a Javascript implementation of DES.
  • The encryption method goes beyond simple DES encryption for the purposes of transporting UTF-8 characters in POST data.
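
To make the token scheme in the list above concrete, here is an added example of the same idea: a hash bound to a server secret, the time the form was served and the visitor’s user agent, plus the timeout, the minimum-interval check and the honeypot. This is not SPF30’s code and does not use its API. The constants SECRET, TIMEOUT and MIN_INTERVAL, the functions spam_token, spam_hidden_fields and spam_check, and the field names ts, hash and website are all assumed for the illustration, and the 5-second rule is interpreted as "served less than 5 seconds before it was submitted". It uses hash_hmac and hash_equals rather than a bare hash so that the token cannot be forged without the secret and the comparison does not leak timing.

```php
<?php
// Added example, not SPF30's code: a minimal stateless anti-spam token of the
// kind the feature list describes. All constants and names are assumptions.

const SECRET       = 'replace-with-a-long-random-server-side-secret';
const TIMEOUT      = 3600; // reject submissions older than 1 hour
const MIN_INTERVAL = 5;    // reject submissions faster than 5 seconds

// Issue the token for a form: the serve time plus a keyed hash that binds
// that time to the visitor's User-Agent and the server secret.
function spam_token(string $userAgent, int $now): array
{
    $mac = hash_hmac('sha256', $now . "\n" . $userAgent, SECRET);
    return ['ts' => (string)$now, 'hash' => $mac];
}

// Hidden fields to drop into the form, including an empty honeypot that is
// hidden from people but looks like a real field to a bot.
function spam_hidden_fields(string $userAgent, int $now): string
{
    $t = spam_token($userAgent, $now);
    return sprintf(
        '<input type="hidden" name="ts" value="%s" />' .
        '<input type="hidden" name="hash" value="%s" />' .
        '<div style="display:none"><input type="text" name="website" value="" /></div>',
        htmlspecialchars($t['ts'], ENT_QUOTES),
        htmlspecialchars($t['hash'], ENT_QUOTES)
    );
}

// Validate a submission; throws on any failed check, in the spirit of spam::validate().
function spam_check(array $post, string $userAgent, int $now): bool
{
    if (!isset($post['ts'], $post['hash']) || !ctype_digit($post['ts'])) {
        throw new Exception('missing or malformed anti-spam fields');
    }
    $ts = (int)$post['ts'];

    // Recompute the keyed hash and compare in constant time.
    $expected = hash_hmac('sha256', $ts . "\n" . $userAgent, SECRET);
    if (!hash_equals($expected, $post['hash'])) {
        throw new Exception('hash mismatch: tampered fields or different user agent');
    }

    $age = $now - $ts;
    if ($age < 0 || $age > TIMEOUT) {
        throw new Exception('form expired or timestamp is in the future');
    }
    if ($age < MIN_INTERVAL) {
        throw new Exception('submitted too quickly after the form was served');
    }

    // Humans never see the honeypot, so any value in it marks a bot.
    if (!empty($post['website'])) {
        throw new Exception('honeypot field was filled in');
    }
    return true;
}

// Self-check with constructed input (no browser or network involved).
$ua     = 'Mozilla/5.0 (constructed sample user agent)';
$served = 1272266520; // constructed "page served" time
$fields = spam_token($ua, $served);

$ok = spam_check($fields + ['website' => ''], $ua, $served + 30);              // passes
$rejected = [
    [$fields + ['website' => ''],            $ua,        $served + 2],    // too fast
    [$fields + ['website' => ''],            $ua,        $served + 7200], // expired
    [$fields + ['website' => 'http://spam'], $ua,        $served + 30],   // honeypot
    [$fields + ['website' => ''],            'curl/7.0', $served + 30],   // UA changed
];
foreach ($rejected as [$p, $agent, $when]) {
    try {
        spam_check($p, $agent, $when);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
echo $ok ? "valid submission accepted\n" : "unexpected\n";
```

In a real handler you would call spam_check($_POST, $_SERVER['HTTP_USER_AGENT'], time()) and spam_hidden_fields($_SERVER['HTTP_USER_AGENT'], time()) when rendering. Because the token carries the serve time and nothing is stored server-side, the same token could be replayed within the timeout window; if that matters for your form, record accepted hashes (for example in a cache keyed by the hash) and reject repeats.
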

Example Usage

form.php

<?php require_once('./spf30.php'); ?>
<?php spam::init('POST', 'form-handler.php', 'signupform'); ?>
	<?php $name = spam::encryption('name'); ?>
	<label>Name</label>
	<input type="text" id="<?php echo $name; ?>" name="<?php echo $name; ?>" />

	<?php $email = spam::encryption('email'); ?>
	<label>Email Address</label>
	<input type="text" id="<?php echo $email; ?>" name="<?php echo $email; ?>" />

	<?php $phone = spam::encryption('phone'); ?>
	<label>Phone Number</label>
	<input type="text" id="<?php echo $phone; ?>" name="<?php echo $phone; ?>" />

	<?php $comment = spam::encryption('comment'); ?>
	<label>Comments</label>
	<textarea name="<?php echo $comment; ?>" id="<?php echo $comment; ?>" rows="6" cols="100"></textarea>

	<!-- display hidden fields required for validation -->
	<?php echo spam::hidden(); ?>
	<button type="submit" value="submit">submit</button>
</form>

<!-- encrypts user-defined input on form submission -->
<?php spam::javascript(); ?>

form-handler.php

<?php
require_once('./spf30.php');
if (!empty($_POST)) {
	try {
		// this is simply an example of the form data before decryption
		var_dump($_POST);

		// run validation on the submitted email form
		spam::validate($_POST);

		// no exceptions thrown, use decrypted form data as you please
		var_dump($_POST);
	} catch (Exception $e) {
		// an error occurred with the form validation
		// ...
		die($e->getMessage());
	}
}
?>
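
The feature list says field names are encrypted on the form, a hidden field carries the list of encrypted names, and the handler writes the decrypted fields straight back into $_POST so your own code never sees the obfuscated names. Here is an added example of that round trip. It is not SPF30’s code: it uses openssl_encrypt with AES-256-CBC plus an HMAC in place of the original DES via mcrypt (mcrypt is no longer shipped with current PHP), and the constant FIELD_KEY, the functions obfuscate_name, deobfuscate_name and restore_fields, and the hidden field name fields are assumptions for the illustration. The MAC matters: without it the handler would accept any attacker-chosen token as a field name, and an untrusted plaintext name could then overwrite keys you rely on.

```php
<?php
// Added example, not SPF30's code: reversible field-name obfuscation with
// authenticated encryption, and the handler-side rewrite of $_POST.
// All names are assumptions; the key must be 32 random bytes for AES-256.

const FIELD_KEY = 'replace-with-32-byte-random-key.'; // exactly 32 bytes

// Turn a real field name into an opaque token that is safe in name="..." and
// in a POST body (base64url, no padding).
function obfuscate_name(string $name): string
{
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($name, 'aes-256-cbc', FIELD_KEY, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, FIELD_KEY, true);
    return rtrim(strtr(base64_encode($iv . $ct . $mac), '+/', '-_'), '=');
}

// Reverse obfuscate_name; returns null for anything not issued by this server.
function deobfuscate_name(string $token): ?string
{
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        return null;
    }
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, FIELD_KEY, true), $mac)) {
        return null; // forged or corrupted token
    }
    $name = openssl_decrypt($ct, 'aes-256-cbc', FIELD_KEY, OPENSSL_RAW_DATA, $iv);
    return $name === false ? null : $name;
}

// Handler side: map the obfuscated keys back to the real names in place,
// driven by the hidden "fields" list, and drop the bookkeeping field.
function restore_fields(array &$post): void
{
    $tokens = isset($post['fields']) ? explode(',', $post['fields']) : [];
    foreach ($tokens as $token) {
        $name = deobfuscate_name($token);
        if ($name === null || !array_key_exists($token, $post)) {
            continue; // unknown or tampered token: leave it alone
        }
        $post[$name] = $post[$token];
        unset($post[$token]);
    }
    unset($post['fields']);
}

// Form side: one token per real field, used in the name="..." attributes.
$map = [];
foreach (['name', 'email', 'comment'] as $real) {
    $map[$real] = obfuscate_name($real);
}
$hiddenList = '<input type="hidden" name="fields" value="' . implode(',', $map) . '" />';

// Constructed POST body, as the browser would send it back.
$post = [
    $map['name']    => 'Ada',
    $map['email']   => 'ada@example.com',
    $map['comment'] => 'hello',
    'fields'        => implode(',', $map),
];
restore_fields($post);
var_dump($post); // $post now uses the real field names again
```

In the handler you would call restore_fields($_POST) before your own processing, which is the "written directly back to the POST array" behaviour from the feature list. Because every token is freshly randomised per render, the names change on each page load; that is what keeps a bot from hard-coding them.
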

Download SPF30 Now

5 Responses

  1. Michael says:

    I am attempting to implement jQuery SPF30 on a contact form; however, I’m having difficulty. I have defaulted to the example above for troubleshooting.

    Line 9 spam::validate($_POST); Returns:

    Catchable fatal error: Argument 1 passed to spam::validate() must be an instance of Input, array given, called in /sitepath/test/form-handler.php on line 9 and defined in /sitepath/spf30.php on line 51

    I think I’m missing a basic step somewhere. I’m not certain how to cast $_POST as an Input.

  2. rhopek says:

    Two things:

    1) You have an error in your form.php. You have ‘Email Address’ as the label for the ‘Phone’ field.

    2) The form-handler.php doesn’t seem to actually contain any code to “decrypt” in the “// no exceptions thrown, use decrypted form data as you please” section. That page contains two dumps, but only the first one does anything.

    1. cballou says:

      Thanks for the comment rhopek. I’ll fix the first typo right after submission of this message. In regards to your second issue, there’s another typo which attempts to pass $this->input instead of $_POST to the decryption function. My sincere apologies, I can see where this would cause quite a problem.

      There’s also an undocumented requirement for utilizing the library which I failed to mention in the initial post. You must have the PHP mcrypt module installed to be able to use the SPF30 library.

      Hope this resolves your issues. Let me know!

  3. Adam says:

    Does this still work if the end-user has disabled javascript?

    1. cballou says:

      Adam, the only thing that will no longer function with javascript turned off is encrypting field values. Both the spam prevention and field name encryption will still function as intended. I hope this answers your question!
