Prevent php web contact form spam
Hidden fields, silly questions (what is 3+4?), etc, are not very effective at blocking spam on forms.
I researched this several years ago, and came up with a solution I call "FormSpammerTrap". It uses JavaScript code to 'watch' for focus/onclick on required fields. Automated processes, unless highly customized for a specific site (which takes more time than spambot owners want to take), can't 'focus/onclick' a required field.
I have a free solution at my www.FormSpammerTrap.com site. And there's a form there that spambots can try to spam...and they haven't, for more than 3 years. You are welcome to try it out...it's all open source, so you can see how it works. (And, if you use the form, I don't harvest your email. I reply once, then delete your email.)
My technique is much more effective in blocking spambots. They haven't been able to spambot the contact form on that site.
Usually the bots submit a form very fast. So, based on that, another solution could be to add another hidden field that contain the number of seconds that passed from when the page was oppened. This can be done using JavaScript. Then check it in PHP. If the number of seconds is smaller than 5 seconds then it's spam (It's more likely that the real client needs more time to fit the form). You can adjust the number of seconds based on how many fields the form contain.
A simple trick is to create a honeypot field:
html
<!-- within your existing form add this field -->
<input type="text" id="website" name="website"/>
css
/*in your css hide the field so real users cant fill it in*/
form #website{ display:none; }
php
//in your php ignore any submissions that inlcude this field
if(!empty($_POST['website'])) die();
An even simpler approach that works for me. Literally all spam that I receive(d), had a url in the message. So I filter on that, and have not received any spam messages since. I used to get about 10 a week.
Add this under your line $error_message = ""; in your php-file:
if(preg_match('/http|www/i',$comments)) {
$error_message .= "We do not allow a url in the comment.<br />";
}
The /i in the preg_match makes it case independent. The 'http' also filters for 'https'.