Forum Moderators: phranque


Importance and uses of your contact form

When a contact form is more than a tool to receive feedback

         

explorador

4:32 pm on Apr 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Don't underestimate how useful a contact form might be; it's a must on every site.

Some sites don't have one, some have a page with an email address that you click to open your email client, and some others put the email address in a GIF image to avoid being scanned on the web and receiving spam. All of the previous cases are wasting the potential and benefits of a contact form.

It's useful to receive feedback, corrections or even complaints from your visitors regarding your site. It consists of two parts: an HTML file with the form, and the script that processes the info to send the email. The script might be ASP, Perl, PHP, whatever.

Make the best out of your contact page-form:

  • Store the messages on the server in a log file or database for future reference. Your email client might crash or some emails might get caught in the spam filters (and if your email service goes down, it won't matter). This way you will never lose a single incoming message.
  • Be wise, detect all the info you can, like the referrer, the IP of the sender, perhaps even the browser and OS. *it could be of great use in the future*
  • Knowing which page generates the most messages might reveal interesting info on performance or on the page not being clear enough to answer your visitors' questions.
  • Integrate subscription functions. Adding a "sign me up for a newsletter" checkbox to your contact form could help you to add a newsletter to your site.
  • Detecting the IP might help you to know the country of the visitor who sent the mail without making him click or browse a country list. Use it to give a better answer to his questions or to offer certain services. Also, don't waste time answering emails to those potential big partners in Europe when it is your neighbor or your competitor two blocks from you who sent the message.
  • Detect special keywords. Your visitor might ask specifically for RED widgets on your widgets site, so, before you answer, you might automate a standard reply of "we will answer your question soon" and ADD a signature promoting red widgets or "while we answer your mail, feel free to check our new red widgets section".
  • Add a filter to block all the incoming emails filled with URLs and links for meds.
  • Beware of attacks. Some receive intimidating emails via contact forms... This is where your logs become useful: you can check the IP, email, browser type and OS, or all of the previous, in the log or database stored on the server to identify any message in real time as you need, and perhaps automate a response.
  • Implementing the previous tips, in case of need (attack), might help you to have more than a simple message; here you could have a set of info that could be useful to somehow trace the attacker or find relations between attacks and your competitors.

Of course, respect the privacy of your visitors and don't use their email addresses to send spam, marketing mails or newsletters UNLESS they ask you to. AND, keep that info safe and private.

So, do you have a contact form? ;) What else can you do with it?

explorador

3:09 pm on Apr 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't like captchas. Yes, they are useful, but a lot of people hate them too. People are doing you a favor by telling you what's wrong on your site (or trying to BUY something from you), so... you just don't ask silly questions before selling. Make it easy for them, figure something out.

Captchas filter a lot of spam, also a lot of useful messages you'll never get to see.

Add url filters, they work.

rocknbil

3:27 pm on Apr 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's probably a good idea to keep this on topic as there are many threads here addressing the methods to stop spam input, which ones work, which ones can be circumnavigated (as captchas can.)

These are technical issues as opposed to business advantages/uses of your contact form.

BigAdventure

3:51 pm on Apr 8, 2009 (gmt 0)

10+ Year Member



Does anyone know the easiest way to block all HTML input from the input fields on a contact form that does not involve SSL? I use shared hosting.

Most of my spam comes from link spammers or code insertion attempts

Thanks

mifi601

4:14 pm on Apr 8, 2009 (gmt 0)

10+ Year Member



I could not live without contact forms. I used to have regular email links and the information I got was useless. Contact forms enable me to streamline the information exchange for a better client experience and cut down on email tag.

rocknbil

10:46 pm on Apr 8, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



to block all HTML input from the input fields on a contact form that does not involve SSL?

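Perl:

# Remove anything that looks like an HTML tag from every field
foreach $v (keys %data) {
    $data{$v} =~ s/<\/*([^>])+>//g;
}

PHP:

// preg_replace() already replaces every match, so PHP takes no "g" modifier
foreach ($_POST as $key => $value) {
    $_POST[$key] = preg_replace("/<\/*([^>])+>/", '', $value);
}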

But this is a very bad approach. It is an example of "guessing" bad data, which is a never ending task. When they start doing this (and they will)

[a href="some-spam-link"]
or [url=.... (can't exemplify here, it turns to a link)

It falls down. Accept only what you want:

# Perl
$data{$v} =~ s/[^A-Z0-9\-\;\.\,\"\'\!\@\(\)\s]+//ig;
...
// PHP ("i" only; preg_replace() is already global)
$_POST[$key] = preg_replace("/[^A-Z0-9\-\;\.\,\"\'\!\@\(\)\s]+/i", '', $value);

Translation: throw everything away except A-Z, 0-9, spaces, and basic punctuation, there is no reason for anything else in a contact form, EXCEPT the @ sign for email address. Note that % is not there, which is the preamble to encoded input. If you must have a %, do a similar substitution for the word: ' percent.';

Last technical reply I'll make in this thread; start a new one and I'll be glad to help, as will better coders than I!
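Added example (not part of rocknbil's post and not code from this thread): the two filters described above, run side by side on constructed inputs to show where the tag-stripping one lets bracket-style link markup through. The function names and sample strings are assumptions made for the illustration.

```php
<?php
// Deny-list filter: remove anything shaped like an HTML tag.
function strip_html_tags(string $value): string
{
    return preg_replace('/<\/*([^>])+>/', '', $value) ?? '';
}

// Allow-list filter: spell out % first, then keep only letters, digits,
// whitespace and the basic punctuation listed in the post.
function keep_allowed_chars(string $value): string
{
    $value = str_replace('%', ' percent', $value);
    return preg_replace('/[^A-Z0-9\-;.,"\'!@()\s]+/i', '', $value) ?? '';
}

// Constructed sample submissions (not taken from any real log).
$samples = [
    'html tag'      => 'Nice site <a href="http://spam.example/">cheap meds</a>',
    'bracket link'  => 'Nice site [url=http://spam.example/]cheap meds[/url]',
    'encoded input' => 'Nice site %3Cscript%3E',
    'real message'  => 'Do you ship RED widgets to Spain? Reply to me@example.com!',
];

foreach ($samples as $label => $input) {
    printf("%-13s deny-list:  %s\n", $label, strip_html_tags($input));
    printf("%-13s allow-list: %s\n\n", '', keep_allowed_chars($input));
}
```

The allow-list also drops the question mark and the URL punctuation from the genuine message, because those characters are not in the accepted set.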

techrealm

12:18 am on Apr 9, 2009 (gmt 0)

10+ Year Member



I never know how to use a database to keep e-mail address of users safely.

The word database here would be kind of overkill; most sites will only need to write the info to a CSV-type flat file. Just make sure you don't have that file in a publicly viewable part of the site.

g1smd

11:32 am on Apr 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



*** there is no reason for anything else in a contact form, EXCEPT the @ sign for email address ***

There have been several occasions that I have tried to let a site know about some problem with a page, or a link, and this restriction has stopped the message being sent.

Changing the text to not include the specifics, and asking them to mail me back because the form would not accept the details, saw no reply and, on one site, the problem still exists two years later.

There's a well known SEO, one that speaks at conferences, whose contact page is completely blank in both Opera and Safari. I spotted that problem well over a year ago, and it is still not fixed. :)

rocknbil

5:07 pm on Apr 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am attempting to steer clear of technical issues . . . . mods feel free to splice in a new thread, sorry . . .

There have been several occasions that I have tried to let a site know about some problem with a page, or a link, and this restriction has stopped the message being sent.

You need to sort out what's an absolute spam attempt, and what you remove silently for safety. My previous post was to answer the question; for example, you would stop the process for known spam patterns, then go on to silently only accept what you know is safe. So if you put an email address in the contact field - which should not be necessary, as there is already an email address field - it would render as oopsexample.com.

From experience, the only ones who regularly do this are "naive spammers" - not the ones who are attacking us daily, but the ones who don't really know the definition of spam, or consider their messages as "not spam" because they see them as important. A classic example is someone going from site to site pasting the same message into forms: "I have great products, contact me at oops@example.com." This shows a blatant disregard for the site they are on, ofttimes pasting into a site whose subject matter is completely unrelated, and they don't take the time to even change their message.

But I'm with you on the whole idea of understanding "what you think you know" may not be the whole story; any time you set up a filtering or anti-spam technique, it requires bringing in someone - or many people - who will always find something you didn't think of.

phranque

10:01 pm on Apr 10, 2009 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



g1smd
...
posts:100xx

i hate to go off topic on a Featured Home Page Discussion.
i couldn't help but notice that one of our "very Senior Members" reached a major milestone recently.
congratulations, g1smd!
many thanks on behalf of the thousands of members you have helped over the years...

Webwork

10:31 pm on Apr 10, 2009 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



g1smd - For your longstanding and outstanding contributions to WebmasterWorld you have earned the right to the member of the month parking spot at WebmasterWorld HQ. Congrats! Enjoy! :P

adamxcl

11:48 pm on Apr 10, 2009 (gmt 0)

10+ Year Member



It is amazing how often I want to give feedback on a site but it doesn't work. I don't like captcha as a user but I have to try several times for some of them to work. Some are just unreadable. Is that a number or a letter? upper or lowercase because some of them care which. Just a pain and I give up.

And another good one is where you fill something out and then you get a spam protection service link that you're supposed to click so the person with the form can be contacted. duh.

I've kept my forms pretty simple over the years. I send the results to a new address and then change that address every so often to start over in the spam department. Since it's only a form, I just kill the old address. My real replies come from another address.

louponne

6:59 am on Apr 14, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You definitely want to tamper-proof your forms for tons of reasons.

One very simple non-tech solution. Never call the field names what they are. Spam-bots insert things that they think correspond to the field names. So if you have a field named "email", the bot will enter an email address. Call your email field "hello" or something.

Other bots will enter email addresses in every single field.

So... you could call your name field "email" and your email field "address".

Then, run a simple check. If you have something other than an email address in your email field (that you have called "name"), it's a bot. If you have an email address in your name field, it's a bot.

One related point: never send a direct auto-response before running this check. Otherwise, you're responding to the bots. Apart from clogging your email server with tons of junk and load, you're also informing any spammers that have used a real address (rare) of your legitimate email address.

Otherwise, if it's a bot, just make the site respond just as if the form had worked correctly.

As I said, that's for a simple non-tech solution.

For the tech side, there are two things you need to do.

1) Foil the hackers. Avoid injection attempts by filtering out any html and php and other assorted crap.

2) Foil the nasty spammers. Insert dynamic fields in your form, swap the action address, all kinds of fun things.

I agree TOTALLY that you don't want a captcha on your contact form unless the idea is to get fewer contacts. A captcha on a login form is fine (though the dynamic stuff above will do just as well), but definitely NOT on a first-meeting contact form.
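Added example (not part of louponne's post): one way to code the swapped-field-name check and the "respond as if it worked" rule described above. It assumes the visible Name box is submitted as "email" and the visible Email box as "address"; the function names, the "message" field and the sample submissions are made up for the illustration.

```php
<?php
function looks_like_email(string $value): bool
{
    return filter_var(trim($value), FILTER_VALIDATE_EMAIL) !== false;
}

// Returns 'bot' or 'human' for one submitted form.
function classify_submission(array $post): string
{
    $name  = (string) ($post['email'] ?? '');    // decoy name: holds the sender's name
    $email = (string) ($post['address'] ?? '');  // decoy name: holds the sender's email

    if (looks_like_email($name)) {
        return 'bot';    // filled the field called "email" with an address
    }
    if (!looks_like_email($email)) {
        return 'bot';    // put something else where the address belongs
    }
    return 'human';
}

// Bots get the same thank-you page as people, but no mail and no auto-response.
function handle_submission(array $post): array
{
    $verdict = classify_submission($post);
    return [
        'verdict'       => $verdict,
        'page'          => 'thank-you',
        'forward_mail'  => $verdict === 'human',
        'auto_response' => $verdict === 'human',
    ];
}

// Constructed submissions, one per behaviour described in the post.
$submissions = [
    'visitor'             => ['email' => 'Ann Lee', 'address' => 'ann@example.com', 'message' => 'Hi'],
    'name-matching bot'   => ['email' => 'x@spam.example', 'address' => '12 Spam St', 'message' => 'Buy'],
    'fill-everything bot' => ['email' => 'x@spam.example', 'address' => 'x@spam.example', 'message' => 'x@spam.example'],
];

foreach ($submissions as $label => $post) {
    $result = handle_submission($post);
    printf("%-20s %-6s page: %s  auto-response: %s\n", $label, $result['verdict'],
        $result['page'], $result['auto_response'] ? 'yes' : 'no');
}
```

A visitor who mistypes their own address lands in the 'bot' branch under this rule and is dropped without notice.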

PHPonly

6:46 pm on Apr 17, 2009 (gmt 0)

10+ Year Member



It is very important to use a captcha that is easy to read for humans, but not for automatic software. Some hosting providers are taking strong measures against contact forms because spammers are always trying to abuse them with automatic submissions.