PHP -- How to Protect My Email Form / Contact Form Against Spam Bots

By far, one of the most annoying things about operating websites is spam bots. They crawl onto our websites, suck up bandwidth, and dump a load of BS (I can think of many more colorful words that are more fitting) into our databases and email in-boxes on their way out. The spam usually starts as just a few wayward, sometimes unintelligible, words and links. But before long, what was once just a passing bother, grows into a menacing 1000 messages a day. At that point the problem is costing money, leaving many a distraught webmaster wondering "how do I stop spam bots from spamming my php contact form?" That is exactly the question that this web page intends to answer.

While it is impossible to cover every possible method of securing web forms against spam bots, we can cover some basics of what other web masters are using to stop spam on their websites. The topics discussed here should be more than enough to thwart the average spammer; and with a little imagination, you will be able to mix these techniques, if needs be, and come up with more complex ways of securing your php scripts against bad bots.

Using random name fields for input

One simple way to add some security to php forms is to write a script that generates a random output for the name fields in my form's HTML input. The name field will become the name of an index entry that I use to retrieve information in which my form passed to one of the super globals in php. For this discussion we will assume that the form is using the post method.

NOTE: Even though POST is slightly more secure than GET -- with GET a malicious bot or person needs only to look at the address bar in most web browsers to view the different variables and change their value -- one only need copy the webpage source form and duplicate the form from his own PC to send the data with POST.

Back to random name fields to stop spambots. When I first put a php contact form on my website, I coded more-or-less bare-bones, meaning that I did not bother to include any of the extra code required to secure my forms. At the period when I had zero visitors, this, of course, was not an issue. As you may have guessed, however, my spam free honeymoon was short lived. So, I did exactly what you are doing now. I went googling. Alas! After some million or so hours reading, I went back home to my little corner of the Internet and contemplated about the bad bots who were plaguing my website. While giving this subject much hard thought, I had an epiphany (actually it was more akin to a brain fart), that not withstanding, it occurred to me that the spam bots who were visiting my site were probably not reading all of my page's HTML each time they came. I also reasoned that those bots probably had algorithms that brought them back in attempts to pass off the same values they had used before. After all, if it was I who was writing a spam script, that's how I would do it; making my bot more efficient. I also reasoned that the bot would probably make a note of whether or not its' attempts to spam my contact forms was successful, and try to revisit later and adjust accordingly. I understand that there are some super bots out there who can read your mind and what-not, but I was banking on my delinquent bot being more of a basic thug with very little real skill. Packing this new found knowledge, I embarked on coding a super sophisticated random number generator for my form's name fields. Furthermore, I felt obligated to share this gem of Internet wisdom with fellow webmasters.

Random Field Script to Stop Spam Bots

Contact Form


First, I wrote a little php script and created some variables for use in my form's name-field; then I set those variables to random md5 hashed values.

  • $author='author'.md5(rand());
  • $emailll='emailll'.md5(rand());
  • $subject='subject'.md5(rand());
  • $website ='website'.md5(rand());

Notice that I left part of the word intact (author for example) to help me keep track of my variables.

The random numbers alone would have likely yielded the same result; but I added the hash for the sake of making the numbers harder for a spam bot to guess.

Next, I added all those values to a single string, and saved that string in a session variable.


Notice the example form above. I echoed the variables from the "random script" to their respective name fields.

With this form in place, the bad bot cannot rely on the field names that it used on its' last visit to spam my email form.

Now let's examine what I did with this form and Script information when it got to my script " messcript.php."

Example PHP Message Script


I check, first, that the variable "$_SESSION['com']," in which I stored a string of values ("author=$author&emailll=$emailll&subject=$subject&website=$website") is not null or empty.

If $_SESSION['com'] is set, then my script goes on to parse the info that is contain therein by calling the php function "parse_str()." (feel free to pass your variable values however you please. I like using "parse_str()."

Next, my script makes sure that the other various vars (variables) are set. Make note of the "$_POST" variables. Notice how I used as indexes the variables that I sent over using "$_SESSION". After getting that data to script, I transfer the values into local vars and proceed with database and email code (not included here for security).

I tested this method of using random name-fields to stop spam on my php contact forms. After implementing this, spam went to zero. Fearing, however, that the spam-bot's master may get wise to my efforts to thwart his evil efforts, and, in turn, sick one his smart bots on me, I decided to go one step further by installing a php captcha to stop form spam.

Just to be clear on the random field generator that I created for my form -

I will explain why I decided on this. I guessed that these bots came through and read the "name attributes" of form tags. If the name attribute says email, the bot knows that it is an email field, or a firstname field etc. Then based on what type of field it found it would have logic written into it telling it what to do if it finds something like that. I thought that maybe if the bot did not see a field name that it "knew," it may skip over it or not know what to do with it. Also - since everytime your form comes up it has a different random name for its name fields - no one can set somewhere else and keep sending stuff to my form remotely based on the variables you found before. They would HAVE to use my form page because they cannot guess what the name fields are. The idea is to confuse the bot'a logic.

Stopping Spambots With php Captcha

Captcha ? you know, that little image of squiggly lines that you see all over the Internet in places where you want to post something? The idea is that bots, unless they are extremely sophisticated, cannot read the letters on the captcha image. Captcha is pretty easy to implement depending on whether you are running a custom site like or you are using software like Wordpress. This discussion only covers the former. Here at we like to "roll-our-on" so to speak Just love that good homegrown flavor that you can't get from a box o'website. Really though, I have no problem with Wordpress and other website software; I just don't like to muck around with someone else's code. Anyway, back to captcha.

I first intended to write up my own captcha (because I like to do stuff like that), but for the sake of saving time, I googled around until I found a script that I liked. I'm not going to spend a lot of time on this captcha because I didn't write it. The person who wrote it is listed in the code's license; I suggest you check that for an in depth explanation of a the captcha script. This webpage is intended for folks who already have a pretty good feel for PHP. That said, the code should need little explanation, so I will just give you the quick and skinny. Lets go back to our original form. This time I will add some extra code for the captcha.

CAPTCHA script to stop spam bot

Take notice of the additional code:

  1. <.img src="zxcvzxcvzxcvcx/capimg.php" />
  2. <.input id="security_code" name="security_code" type="text"/>

The first line of new code calls a php script that generates a random lot of numbers and outputs them as an an image.

Captcha Image Script -- capimg.php and license.

Someone asked me to be more specific about the capimg.php script and where it goes. If you are having trouble udnerstanding how to use this script do the following

  1. Create a directory for your scripts
  2. Save this image as capimg.php
  3. Create a landing page for your form -- the one that you have in the "action=" attribute of your form tag. The I created is messscript.php
  4. Use the following code at the top of your landing page:
    if(($_SESSION['security_code'] == $_POST['security_code'])&&
    (!empty($_SESSION['security_code'])) ) {
    Code to do some stuff
  5. Make sure that session_start() is at the top of the pages or it will not work.
  6. Point to the capimg.php script by placing its address in the >img src"" /> script
  7. You will also need to place this font file into your folder gunplay3.ttf
    If you wantto use a different font you can drop a different font into your folder and change the value in the capimg.php file.

Basically, the new input works with the image file to produce an image that the spam bots cannot read. You will want to place the following code on your target script, in this case " messcript.php," to deal with the captcha.

if(($_SESSION['security_code'] == $_POST['security_code'])&&
(!empty($_SESSION['security_code'])) ) {
Code to do some stuff

The two methods described in this discussion have, thus far, been very effective at stopping spam bots on my server. As of yet, I have received no more bot spam. Check back often. In the near future, I will be going over other php scripts that will help you keep out spam bots.

Author: D.Shaun Morgan