Hello,

Half time in the footy – go crows!

I came across an alternative php and css method of controlling spam by hiding a form input using CSS (http://www.modernbluedesign.com/web-design-blog/fighting-spam-with-css/)
which would be handy where space is at a premium in a form (eg a very graphical site) and its not possible to add a captcha check etc.

The premise is that if the hidden field is filled in, its most probably been filled in by a spambot and the form is not processed (ie an error or fake success page is returned); if the hidden field is not filled in (which is how a human would read and action the script), the mailing script is processed as per normal.

I understand the potential accessibility issues and have some ideas to get around it but..

My questions is – Is it possible to run a condition in an .ini file that returns an error (ie goes to the bad_url page) if a ‘hidden’ input field receives any content at all (text or numbers) – and processes as normal if the field is left blank?

Something like?
conditions = ":@@TEST@field3~/[a-z0-9.]$/i@woops, that's not the answer we were looking for - please try again (letters only)@"

Has anyone tried anything ike this?

Any ideas to make it work?

Thanks in advance.

Hi,

I think the term for this is "negative captcha".

It seems like such a good idea that we've been planning to add it as a standard feature to FormMail for a while.

You can use conditions to implement it yourself, but the idea is that the field should be empty (blank) for a human submission and filled for a spambot submission.

So, you want to test for non-empty.

I think forum user JohnB has just implemented this using conditions, so you might want to PM him and see if he'll share his solution with you.

Or, just wait until it's in FormMail.

Thank you Russell.

I think it would be a great addition to FormMail - certainly as a backup / alternate control - and look forward for the update.

In the meantime, I have messaged John and am waiting to hear back.

Thanks again.

Nick

Thank you Russell.

Its working an absolute treat.

Did the PM thing and received such a prompt answer - everything about, and everyone involved with, this project is awesome.

Thank you kindly again.

Nick

Hello,

I was wondering whether this has been implemented or if someone could share what they're doing to implement it on their own. I'd really like to try this anti-spam method, but my programing knowledge is limited to html and css!

Thanks!

Hello,

Try this:

a. FORM - put the check into the html of your form:

<input name="check" id="check" title="whatever text you’d like to put in here if you use titles in form elements (perhaps something to advise a human user that if they do see this (eg if their CSS is off), to leave it blank)" />


b. CSS - hide the check with css in your form:

#check { font-size: 10px; width: 20px; display: none; visibility: hidden; z-index: 0; }


c. .INI FILE - setup an .ini file and add the following condition for a hidden field (which says that if the field is filled in, an error redirect should occur - the message on that page will be what you say in the condition).

conditions = ":@@TEST@check~/^$/@This is your error message (I would suggest not giving too much away otherwise the spambot may work out something went wrong and work it out).@"


d. formmail.php – link the ini file to your formmail.php around line 328

$FORM_INI_FILE = "link it in here";


e. fmbadhandler.php – set this up on your server, link it to your template directory or template URL (lines 436 or 456) and the custom error message from c. should show up on the redirect page


Helpful links:


Setting up an ini file:
http://www.tectite.com/fmhowto/inifile.php (http://www.tectite.com/vbforums/../fmhowto/inifile.php)


Setting up “form bad handler”: http://www.tectite.com/fmhowto/adverror.php (http://www.tectite.com/vbforums/../fmhowto/adverror.php)


This works a treat for me – haven’t had one spam through the forms with this control – with space permitting, you could always run this and a captcha for extra protection.

Enjoy.

Nick

Thanks for your great reply, Nick. I've been trying to follow your directions, but it's not been working. Perhaps it's because I don't use fmbadhandler.php? The site's just a small non-profit one, so its not too fancy and I've just used the bad_url function instead. I've done everything else exactly the way you wrote, so is this the problem? If so, do you know any way to work around it, or do I have to go for fmbadhandler.php?

Thanks again!

Hello again,

No probs - my suggestion is definitely to use fmbadhandler.php - I'm not sure if it would work without it. That's actually really easy to use once you've setup the bad URL. Get that working (and make sure you test it). Then the spam control should work as per original instructions. If not, I'm not sure if there's much more I can do to help on this one. Worse case scenario, perhaps run a captcha. All the best.

Nick

I have finally gotten it to work. Thanks for your help Nick!

Well done. My pleasure. It takes some fiddling but well worth it. Enjoy!!

Hi,

I really like the idea behind this anti-spam method and have tried to implement it on my site. I set up the hidden input field, fmbadhandler, and the ini file. Everything seems to work fine except that the conditional statement in the ini file doesn't seem to be doing it's job. If I temporarily turn off the css and enter text into the "check" field and hit submit, it still sends the email rather than generating the error message.

I'm new to ini files. Besides changing the text of the error message, I have just written the conditional statement as Nick has shown. Should that be sufficient or do I need to alter it in any way?

Thanks for your help,
Steve

Hi Steve,

If you've linked the ini file in formmail.php and setup badhandler it should be all ok.

Maybe its to do with the content of the ini file - I'm no expert on it but post the contents and I can have a look.

Cheers.

Nick

Doh!!

Problem solved. I was getting ready to post the ini file and discovered that the conditional statement was missing. I guess I had removed it during some of my testing. I tried the form again with the check field filled in and it now works fine. :o

Steve

great - nice one Steve

is it feasible for a bot to see any associated css on an element, in this case a display:none; or visibility:hidden; ?