In email form how do we say "must be equal to X"?

Hi, we are getting a lot of spam through our PHP Feedback form, and have set
up a new field 'prove you're human', asking them to do some simple maths.

What is the command for the PHP script itself, to say "this field must be
equal to 9 or return the error page"?

Thanks!

Matt
Nov 10 '06 #1
Matthew Wilson wrote:
> Hi, we are getting a lot of spam through our PHP Feedback form, and have set
> up a new field 'prove you're human', asking them to do some simple maths.
>
> What is the command for the PHP script itself, to say "this field must be
> equal to 9 or return the error page"?

Look up "captcha".

/m
Nov 10 '06 #2
Matthew Wilson wrote:
> Hi, we are getting a lot of spam through our PHP Feedback form, and have
> set up a new field 'prove you're human', asking them to do some simple
> maths.
>
> What is the command for the PHP script itself, to say "this field must be
> equal to 9 or return the error page"?
>
> Thanks!
>
> Matt

Hi Matt,

Go to Wikipedia or something like that and search for an approach named
captcha.
It boils down to the fact that a simple Turing test (with distorted images) is
used to make sure the user is human and not a (simple) bot.
Don't buy a solution, many free captcha alternatives are out there. :-)

Regards,
Erwin Moller
Nov 10 '06 #3
Matthew Wilson wrote:
> Hi, we are getting a lot of spam through our PHP Feedback form, and have set
> up a new field 'prove you're human', asking them to do some simple maths.
>
> What is the command for the PHP script itself, to say "this field must be
> equal to 9 or return the error page"?
>
> Thanks!
>
> Matt

Check out the header() function.

BTW - this is a simplified form of CAPTCHA. It might be good enough for
your purposes - but you might want to follow the other recommendations
here and look for a CAPTCHA solution.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 10 '06 #4
Matthew Wilson wrote:
> Hi, we are getting a lot of spam through our PHP Feedback form, and have set
> up a new field 'prove you're human', asking them to do some simple maths.
>
> What is the command for the PHP script itself, to say "this field must be
> equal to 9 or return the error page"?

Just add another input of text type (you can name it whatever you want, say
fun), you generate two random values and make another input of hidden type (you
can call it whatever you want, but not the same as the previous, say real), then
on the script where you receive the form you compare the two values

---form page, must be in this case a php page---
<?PHP
// pick two random operands for the question
$a=rand(5, 15);
$b=rand(8, 20);
echo "How much is $a+$b?";
?>
<!-- hidden field carrying the expected sum back to the receiving script -->
<input type="hidden" name="real" value="<?PHP echo ($a+$b); ?>">
<!-- field the visitor types the answer into -->
<input type="text" name="fun">
---eof--

--- the receiving script ---
<?PHP
/* Set this in top of your script */
// both fields must be present and equal, otherwise go to the error page
if(!isset($_REQUEST['fun'], $_REQUEST['real']) || $_REQUEST['fun']!=$_REQUEST['real']) {
header("Location: http://www.example.com/errorpage.php");
exit;
}
?>
--- eof ---
//Aho
Nov 10 '06 #5
"J.O. Aho" <us**@example.net> wrote in message
news:4r************@mid.individual.net...
> Just add another input of text type (you can name it what ever you want,
> say fun), you random two values and make another input of hidden type (you
> can call it what ever you want, but not the same as the previous, say
> real), then on the script where you receive the form you compare the two
> values

That's great but a little complex for our needs. The actual capture form is
HTML, only the receive script is PHP. Can you offer a simpler version which
just expects the number "5" rather than random numbers?

Here is the format we follow, and the relevant field that expects a 5 is
"human":

<?
// ------------- CONFIGURABLE SECTION ------------------------

// $mailto - set to the email address you want the form
// sent to, eg
//$mailto = "yo**************@example.com" ;

$mailto =

// $subject - set to the Subject line of the email, eg
//$subject = "Feedback Form" ;

$subject = "Feedback" ;

// the pages to be displayed, eg
//$formurl = "http://www.example.com/feedback.html" ;
//$errorurl = "http://www.example.com/error.html" ;
//$thankyouurl = "http://www.example.com/thankyou.html" ;

$formurl =
$errorurl =
$thankyouurl =

$uself = 0;

// -------------------- END OF CONFIGURABLE SECTION ---------------

$headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$referee = $_POST['referee'] ;
$human = $_POST['human'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

if (!isset($_POST['email'])) {
header( "Location: $formurl" );
exit ;
}
if (empty($email) || empty($comments) || empty($human)) {
header( "Location: $errorurl" );
exit ;
}
if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
header( "Location: $errorurl" );
exit ;
}
if (get_magic_quotes_gpc()) {
$comments = stripslashes( $comments );
}

$messageproper =

"This message was sent from:\n" .
"$http_referrer\n" .
"------------------------------------------------------------\n" .
"Name of sender: $name\n" .
"Email of sender: $email\n" .
"Referred by: $referee\n" .
"2+3=$human\n" .
"------------------------- COMMENTS -------------------------\n\n" .
$comments .
"\n\n------------------------------------------------------------\n" ;

mail($mailto, $subject, $messageproper,
"From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" .
$headersep . "X-Mailer: chfeedback.php 2.07" );
header( "Location: $thankyouurl" );
exit ;

?>
Thanks so much!

Matt
Nov 10 '06 #6
Matthew Wilson wrote:
> "J.O. Aho" <us**@example.net> wrote in message
> news:4r************@mid.individual.net...
>> Just add another input of text type (you can name it what ever you want,
>> say fun), you random two values and make another input of hidden type (you
>> can call it what ever you want, but not the same as the previous, say
>> real), then on the script where you receive the form you compare the two
>> values
>
> That's great but a little complex for our needs. The actual capture form is
> HTML, only the receive script is PHP. Can you offer a simpler version which
> just expects the number "5" rather than random numbers?
>
> Here is the format we follow, and the relevant field that expects a 5 is
> "human":

The drawback with using a fixed value is that the spammer can adjust his
script to enter the value 5, so they would have a bit more work if the value
is random. The best is really to store things in a session, show a distorted
image and ask what it says on it and compare the values from the session and
from the form.

//Aho
Nov 10 '06 #7
["Followup-To:" header set to comp.lang.php.]
Matthew Wilson wrote:
> Hi, we are getting a lot of spam through our PHP Feedback form, and have set
> up a new field 'prove you're human', asking them to do some simple maths.
>
> What is the command for the PHP script itself, to say "this field must be
> equal to 9 or return the error page"?

if ($_POST['human_proof'] != 9) {
// spammer
} else {
// ok
}

--
I (almost) never check the dodgeit address.
If you *really* need to mail me, use the address in the Reply-To
header with a message in *plain* *text* *without* *attachments*.
Nov 10 '06 #8
["Followup-To:" header set to comp.lang.php.]
Matthew Wilson wrote:
> The actual capture form is
> HTML, only the receive script is PHP. Can you offer a simpler version which
> just expects the number "5" rather than random numbers?
>
> Here is the format we follow, and the relevant field that expects a 5 is
> "human":

<?
// ------------- CONFIGURABLE SECTION ------------------------
define ( 'SPAMMER_URL', 'http://www.example.com/spammer.html' );
define ( 'SPAMMER_CHECK', '5' );
// $mailto - set to the email address you want the form
// sent to, eg
//$mailto = "yo**************@example.com" ;

$mailto =
<snip>
if (get_magic_quotes_gpc()) {
$comments = stripslashes( $comments );
}
### With apologies for using a different code structure
if ( $_POST['human'] != SPAMMER_CHECK ) {
header( "Location: " . SPAMMER_URL );
exit ;
}
$messageproper =

"This message was sent from:\n" .
"$http_referrer\n" .
"------------------------------------------------------------\n" .
<snip>

--
I (almost) never check the dodgeit address.
If you *really* need to mail me, use the address in the Reply-To
header with a message in *plain* *text* *without* *attachments*.
Nov 10 '06 #9
Matthew Wilson wrote:
> "J.O. Aho" <us**@example.net> wrote in message
> news:4r************@mid.individual.net...
>
>> Just add another input of text type (you can name it what ever you want,
>> say fun), you random two values and make another input of hidden type (you
>> can call it what ever you want, but not the same as the previous, say
>> real), then on the script where you receive the form you compare the two
>> values
>
> That's great but a little complex for our needs. The actual capture form is
> HTML, only the receive script is PHP. Can you offer a simpler version which
> just expects the number "5" rather than random numbers?
>
> Here is the format we follow, and the relevant field that expects a 5 is
> "human":
>
> <?
> // ------------- CONFIGURABLE SECTION ------------------------
>
> // $mailto - set to the email address you want the form
> // sent to, eg
> //$mailto = "yo**************@example.com" ;
>
> $mailto =
>
> // $subject - set to the Subject line of the email, eg
> //$subject = "Feedback Form" ;
>
> $subject = "Feedback" ;
>
> // the pages to be displayed, eg
> //$formurl = "http://www.example.com/feedback.html" ;
> //$errorurl = "http://www.example.com/error.html" ;
> //$thankyouurl = "http://www.example.com/thankyou.html" ;
>
> $formurl =
> $errorurl =
> $thankyouurl =
>
> $uself = 0;
>
> // -------------------- END OF CONFIGURABLE SECTION ---------------
>
> $headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
> $name = $_POST['name'] ;
> $email = $_POST['email'] ;
> $referee = $_POST['referee'] ;
> $human = $_POST['human'] ;
> $comments = $_POST['comments'] ;
> $http_referrer = getenv( "HTTP_REFERER" );
>
> if (!isset($_POST['email'])) {
> header( "Location: $formurl" );
> exit ;
> }
> if (empty($email) || empty($comments) || empty($human)) {
> header( "Location: $errorurl" );
> exit ;
> }
> if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
> header( "Location: $errorurl" );
> exit ;
> }
> if (get_magic_quotes_gpc()) {
> $comments = stripslashes( $comments );
> }
>
> $messageproper =
>
> "This message was sent from:\n" .
> "$http_referrer\n" .
> "------------------------------------------------------------\n" .
> "Name of sender: $name\n" .
> "Email of sender: $email\n" .
> "Referred by: $referee\n" .
> "2+3=$human\n" .
> "------------------------- COMMENTS -------------------------\n\n" .
> $comments .
> "\n\n------------------------------------------------------------\n" ;
>
> mail($mailto, $subject, $messageproper,
> "From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" .
> $headersep . "X-Mailer: chfeedback.php 2.07" );
> header( "Location: $thankyouurl" );
> exit ;
>
> ?>
> Thanks so much!
>
> Matt

Matt,

If you're always expecting the same number, your spambots will quickly
pick up on that and you're no longer secure.

Aho's response is good, and very easy to implement. The one thing I
should add, though, is to encrypt the hidden value some way. A one-way
hash would work, for instance. Then when they enter the value on the
form, encrypt it the same way and compare the results with what's in the
hidden field.

For instance:

<input type="text" name="real" value="<?PHP echo crypt($a+$b,
'oUrSeCrEt'); ?>">

And on the other end:

if(crypt($_REQUEST['fun'], 'oUrSeCrEt')!=$_REQUEST['real'] ...

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 10 '06 #10
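
Added example, not part of any post in this thread: the hidden-field idea above, done with a keyed hash. crypt() takes a salt as its second argument and includes that salt in its output, so it does not act as a secret key; hash_hmac() does. The names CHALLENGE_KEY, CHALLENGE_TTL and the three functions are assumptions made for this sketch, and the issue time is bound into the MAC so that a served token stops working after the TTL.

```php
<?php
// Added example (not from the thread). All names below are assumptions.
const CHALLENGE_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const CHALLENGE_TTL = 600; // seconds a served form stays valid

// MAC over the expected answer and the issue time, keyed with a secret
// that never leaves the server.
function challenge_mac(int $answer, int $issued): string {
    return hash_hmac('sha256', $answer . '|' . $issued, CHALLENGE_KEY);
}

// Form page: returns [question text, value for the hidden field].
// The answer itself is never placed in the page.
function issue_challenge(int $now): array {
    $a = random_int(5, 15);
    $b = random_int(8, 20);
    return ["How much is $a+$b?", $now . ':' . challenge_mac($a + $b, $now)];
}

// Receiving script: recompute the MAC from the typed answer and compare
// it with the submitted token in constant time.
function check_challenge($typed, $token, int $now): bool {
    if (!is_string($typed) || !is_string($token) || !ctype_digit($typed)) {
        return false; // missing field, array input, or non-numeric answer
    }
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > CHALLENGE_TTL) {
        return false; // post-dated or expired token
    }
    return hash_equals(challenge_mac((int) $typed, $issued), $parts[1]);
}

// Constructed demo values: a form issued at t=1000 whose correct answer is 9.
$token = '1000:' . challenge_mac(9, 1000);
var_dump(check_challenge('8', $token, 1005)); // wrong answer
var_dump(check_challenge('9', $token, 1005)); // right answer, inside the TTL
var_dump(check_challenge('9', $token, 2000)); // right answer, token past the TTL
```

In the form page the second element of issue_challenge(time()) goes into the hidden field; the receiving script calls check_challenge($_POST['fun'] ?? null, $_POST['real'] ?? null, time()). A valid answer and token pair remains reusable until the TTL runs out, which only server-side state can prevent.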
"Pedro Graca" <he****@dodgeit.comwrote in message
news:sl*******************@ID-203069.user.individual.net...
> ["Followup-To:" header set to comp.lang.php.]
> Matthew Wilson wrote:
>> Hi, we are getting a lot of spam through our PHP Feedback form, and have set
>> up a new field 'prove you're human', asking them to do some simple maths.
>>
>> What is the command for the PHP script itself, to say "this field must be
>> equal to 9 or return the error page"?
>
> if ($_POST['human_proof'] != 9) {
> // spammer
> } else {
> // ok
> }

Thanks, that seems to work, although we amended it to:

if ($_POST['human'] != 9) {
header( "Location: $errorurl" );
exit ;
}
....then the rest of our script

What should "// spammer" be in your script? Should we have left that in, in
order to prevent all attacks? :-S

Matt
Nov 10 '06 #11
Following on from J.O. Aho's message. . .
> Matthew Wilson wrote:
>> "J.O. Aho" <us**@example.net> wrote in message
>> news:4r************@mid.individual.net...
>>> Just add another input of text type (you can name it what ever you want,
>>> say fun), you random two values and make another input of hidden type (you
>>> can call it what ever you want, but not the same as the previous, say
>>> real), then on the script where you receive the form you compare the two
>>> values
>>
>> That's great but a little complex for our needs. The actual capture form is
>> HTML, only the receive script is PHP. Can you offer a simpler version which
>> just expects the number "5" rather than random numbers?
>>
>> Here is the format we follow, and the relevant field that expects a 5 is
>> "human":
>
> The drawback with using a fixed value is that the spammer can adjust his
> script to enter the value 5, so they would have a bit more work if the value
> is random the best is really to store things in a session, show a disorted
> image and ask what it says on it and compare the values from the session and
> from the form.
>
> //Aho

There is another very good reason for generating forms in PHP:
Mr. Spammer's friend finds a suitable form, and passes /the form/ to Mr.
Spammer. Mr. Spammer doesn't sit at IE typing in spam does he? He
hacks the GET or POST request that a browser would send. This is
something that any script-kiddie could do.

So how do you conquer that? It's no good you having
<pseudo code>
// prepare form in PHP
R := Random number
S := SpecialFunction(R)
form.hidden.fieldR := R
form.instruction := Please type S to validate

// validate submitted form in PHP
R := POST[fieldR]
Sform := POST[fieldS]
Sneeded := SpecialFunction(R)
If(Sform <> Sneeded){ // bad form ...
</pseudo code>

Why is this no good? Because the same form can be reused time and time
again where R and S never change from the first time they were served.

So you need to give your forms a 'unique' request number and store that
in the session ready to match with a submitted form. For example:
<pseudo code>
// prepare form in PHP
R := Random number
SESSION[R] := R
S := SpecialFunction(R)
form.hidden.fieldR := R // 'hidden' is cosmetic only
form.instruction := Please type S to validate

// validate submitted form in PHP
Rform := POST[fieldR]
Rneeded := SESSION[R] // fetch from session
ClearFromSessionArray(R) // this is single shot!
if(Rform<>Rneeded){ ... hacking or double submit ...->}
Sform := POST[fieldS]
Sneeded := SpecialFunction(Rneeded)
If(Sform <> Sneeded){ // bad form ...
</pseudo code>

This doesn't deal with other problems especially those who GET the form
fresh each time but you have made a start in the right direction.

--
PETER FOX Not the same since the bridge building business collapsed
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Nov 11 '06 #12
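
Added example, not part of any post in this thread: the second pseudo code block above written as PHP, with the request number and the expected answer kept in the session and cleared on the first validation attempt. The function names and the 'challenge' session key are assumptions; fieldR and fieldS are the field names from the pseudo code, and a plain array stands in for $_SESSION so the sketch runs from the command line.

```php
<?php
// Added example (not from the thread). Function names and the
// 'challenge' session key are assumptions.

// Form page: create a fresh challenge; R and the answer stay server-side.
function prepare_challenge(array &$session): array {
    $a = random_int(5, 15);
    $b = random_int(8, 20);
    $session['challenge'] = [
        'id'     => bin2hex(random_bytes(16)), // the 'unique' request number R
        'answer' => $a + $b,                   // expected S, never sent out
    ];
    return [
        'id'       => $session['challenge']['id'], // goes into hidden fieldR
        'question' => "How much is $a+$b?",
    ];
}

// Receiving script: returns 'ok', 'replay' or 'wrong'.
function validate_challenge(array &$session, array $post): string {
    $stored = $session['challenge'] ?? null;
    unset($session['challenge']); // single shot: cleared before any comparison
    $id    = $post['fieldR'] ?? '';
    $typed = $post['fieldS'] ?? '';
    if (!is_array($stored) || !is_string($id) || !hash_equals($stored['id'], $id)) {
        return 'replay'; // no outstanding form, stale id, or double submit
    }
    if (!is_string($typed) || !ctype_digit($typed)
        || (int) $typed !== $stored['answer']) {
        return 'wrong';
    }
    return 'ok';
}

// Constructed demo: the same POST body is submitted twice.
$session = [];
$form = prepare_challenge($session);
$post = [
    'fieldR' => $form['id'],
    'fieldS' => (string) $session['challenge']['answer'],
];
var_dump(validate_challenge($session, $post)); // first submit
var_dump(validate_challenge($session, $post)); // identical POST sent again
```

On a real page both functions are called with $_SESSION after session_start(), and validate_challenge() receives $_POST.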

My function tests your human-ness, and if you're human, thanks you for
taking the test and displays the email address. Also, if you have
proven your humanity, the next time you come to the contact page, you
will be recognized by a cookie, and given the address without the
test.

<?php
ob_start();
//required for cookies to work
// including file must start output buffer - ob_start();
function spamProofEmail(){

$explanation = "
<p>Email Address:</p>
<p>Sorry, We get too much spam. <br>
You'll have to pass a little test to make sure <br>
you're human, and not a spam-bot.<br></p>";

$emailaddress = 'D***@ExampleDomain.com';// use StudlyCaps,

$thehumanstring = 'surfsup';
$formtext = "Please type the word <strong>$thehumanstring</strong> in
the box";
$thenclick = "Then click here to get our email address.";

$sorry = "Sorry, I guess you didnt pass the test, please try again.";
$thankyou = '<BR>Thank you.<BR>';

// +++++++++++++++++++++++++++++++++++++++++++++++++

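$speHTML = ''; // initialise the output buffer before the first .=
$thehumanstring = strtolower($thehumanstring);
// guard against a missing field on the first (GET) visit
$postlower = strtolower(isset($_POST['humanstring']) ? $_POST['humanstring'] : '');
// escape the URI before it is echoed into the form's action attribute
$formaction = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES);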
if ($postlower == $thehumanstring){
setcookie("spambotno", "spambotno", time()+60*60*24*100, "/");
$speHTML .= $thankyou;
}
if (($_COOKIE['spambotno'] == "spambotno") OR ($postlower ==
$thehumanstring)){
$emaillower = strtolower($emailaddress);
$speHTML .= '<BR><a
href="mailto:'.$emaillower.'">'.$emailaddress.'</a>';
return $speHTML;
}

if (($_COOKIE['spambotno'] != "spambotno") && ($postlower !=
$thehumanstring)){
$speHTML .= $explanation;}
if (isset($_POST['humanstring'])){
if ($postlower != $thehumanstring){
$speHTML .= $sorry;}}

if (($_COOKIE['spambotno'] != "spambotno") && ($postlower !=
$thehumanstring)){

$speHTML .='
<form name="the_form" action="'.$formaction.'" method="POST">
'.$formtext.' <br>
<input type="text" name="humanstring" size="30">
<br />
<input type="submit" value="'.$thenclick.'">
</form>

<script language="JavaScript"><!--
document.the_form.humanstring.focus();
//--></script>
';
}
return $speHTML;
}

?>
<html>
<head></head>
<body>
This is our contact page:
<?php echo spamProofEmail(); ?>
</body>
</html>

Nov 14 '06 #13
