>I have contact info including email address in MySQL. If I use PHP to
>extract them into online directory, can a spambot harvest the address? Or
>does the spambot read the raw PHP code?

Clients do not read raw php code. The server won't send it.
(Unless you manage to break PHP, e.g. briefly while upgrading it,
or misconfigure it, e.g. naming a PHP script foo.pjp, which the
server treats as text.) If you're concerned about harvesting
email addresses, also worry about your database password, which
could give away the mother lode of spam targets.
If the email address is sent to a client, you can assume that a
spambot *WILL* harvest it, unless you limit access to that page to
a small group of trusted people with passwords or some other
authentication method. The mere idea of having an "online directory"
invites spam.

>I previously used JavaScript to hide my email addresses but more and more
>people are disabling JavaScript for security reasons. I need to find a
>way to keep my email address from being harvested.

Javascript is nearly worthless for hiding email addresses from
spambots (aside from the fact that it is Turned Off(tm) and a
Security Hole(tm)). Spambots likely just do a regular-expression-match
on email addresses in amongst the HTML and Javascript code; they
don't actually bother to format any of it, much less run any
Javascript. (If it shows up looking like an email address with
View Source, it's vulnerable). Whether or not actual people with
browsers run Javascript is not very relevant here. They aren't
your main threat. However, if you ARE worried about them, remember
that cut 'n paste or eyeball-and-keyboard can harvest stuff designed
to be 'bot-proof.

>Does encoding the email with Ultimate Mailto (hex and dec code) help?

I don't know what this is.

>How can I protect the emails in MySQL when they are displayed on a page?

If they are displayed on a page, anyone who can view that page
can harvest them. The solutions are (a) DON'T display them, or
(b) severely limit who you display them to. One approach is to
only display email addresses the user already knows (his own).
One possibility is to render the email address into an image
using an unusual font (say, the Kidnap font) and transfer it
as an image. That's still vulnerable if any spammer manages
to convince one of your people with access to transcribe it
for them with promises of $$$.
Gordon L. Burditt
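
The "View Source" test from the reply above, written as a pre-publication check (an added example, not part of the original post): it scans the HTML a directory page would serve and reports every address a plain pattern match can read. It goes one step beyond the reply by also decoding numeric character references and percent-encoding, on the assumption that this is what the "hex and dec code" in the question refers to; the function name, pattern and sample page are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Deliberately loose pattern: an exposure check should over-report, not miss.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def exposed_addresses(page_source: str) -> dict[str, str]:
    """Return {address: first layer in which it became readable}.

    Layers are checked in order: the served text as-is, the text with HTML
    character references decoded, and the text with %XX escapes decoded.
    No JavaScript is executed and nothing is rendered.
    """
    layers = [
        ("raw", page_source),
        ("entities", html.unescape(page_source)),
        ("percent", unquote(page_source)),
    ]
    found: dict[str, str] = {}
    for name, text in layers:
        for addr in EMAIL_RE.findall(text):
            found.setdefault(addr.lower(), name)  # keep the earliest layer
    return found


# Constructed sample of what a PHP directory page might emit.
SAMPLE_PAGE = """
<ul>
<li>Alice: <a href="mailto:alice@example.org">alice@example.org</a></li>
<li>Bob: &#98;&#x6f;b&#64;example&#46;org</li>
<li>Carol: <script>document.write('<a href="mailto:carol@example.org">mail</a>');</script></li>
<li>Dave: <a href="mailto:%64ave%40example.org">mail</a></li>
<li>Erin: <img src="/addr/erin.png" alt="address shown as image"></li>
</ul>
"""

if __name__ == "__main__":
    for addr, layer in sorted(exposed_addresses(SAMPLE_PAGE).items()):
        print(f"{addr:24} readable via: {layer}")
```

An empty result only means the page passes this one test; as the reply notes, anyone who can view the page can still copy an address by hand.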