Hidden Field Spam Blocker
Description
Web forms present an opportunity for misuse by anyone who uses your form or who can find security holes to exploit. Groups or individuals who spread spam advertising or computer viruses are two of the most common sources of misuse of unprotected forms.
This document illustrates one way to increase the security of your ASP forms to protect against spam.
Please keep in mind no security mechanism is foolproof and this fix is no different.
Instructions
This method is based on two main concepts: first, that spam bots will fill in every field on a form, including hidden fields; second, that a person will only fill in the fields they know about or can see.
The basic idea here is to add a hidden field to your forms and check to see if it is filled in before completing the form submission. If the hidden field has data, we assume that a spam bot entered the data in the form; if the hidden field is empty, we assume that a person entered the data in the form.
Code
HTML and ASP
This HTML code will need to be added to your form, and your ASP code must check whether any data was entered into the field. For this document an example in ASP is provided. Please keep in mind this is an example you can start with; you may need to make some minor adjustments to get the code to work in your form.
<input type="text" id="SpamTrap" name="SpamTrap" value="" size="5" style="display: none; border: 0;">
Example Form
This is an example form that represents types of forms you may want to protect. Your form may be different, so make sure you adjust the (ASP) code to meet the needs of your form.
<form method="POST" action="">
  <p>Name: <input type="text" name="name" size="20"></p>
  <p>Email: <input type="text" name="email" size="20"></p>
  <p>Comments:<br>
  <textarea rows="5" name="comments" cols="50"></textarea></p>
  <input type="text" id="SpamTrap" name="SpamTrap" value="" size="5" style="display: none; border: 0;">
  <p><input type="submit" value="Submit" name="B1"> <input type="reset" value="Reset" name="B2"></p>
</form>
ASP Code (Example)
Note that in ASP (VBScript) any line that begins with a single apostrophe is a comment line.
<%
Dim name, email, comments, spamTrap
name = Request.Form("name")
email = Request.Form("email")
comments = Request.Form("comments")
spamTrap = Request.Form("SpamTrap")

' Check for data in the SpamTrap field.
If Len(spamTrap) > 0 Then
    ' This is spam: a visitor cannot see the SpamTrap field, so only a bot fills it in.
    ' One way to handle a form submitted by a spam bot is simply to end the response.
    ' Before ending the response, clean up anything (variables, session state, etc.)
    ' that has already run as part of the form submission. Session.Abandon must come
    ' before Response.End, because Response.End stops the script immediately and any
    ' line after it never runs.
    Session.Abandon
    Response.End
Else
    ' This is a real user, since the SpamTrap field is empty.
    ' Put your code, or a call to your code, to process the form here.
End If
%>
TEST, TEST, TEST!
After you put this code into your ASP file, make sure you test it. Here are the tests you should run after inserting the code.
- Test the form by entering valid data and submitting it. Make sure it works as you expected and there are no errors.
- Temporarily remove the style attribute (style="display: none; border: 0;") from the SpamTrap field on your form (this will allow the field to be displayed). Go back to your form and reload the form so the SpamTrap field is displayed. Enter valid data into the form fields and also enter some data (any data) into the SpamTrap field. Submit the form. You should see a blank page rather than the page you expected.
- *** DON'T FORGET *** to put the style attribute back in your form and reload the form to make sure the SpamTrap field is hidden again.
Additional steps to protect forms
- Validate all fields by checking that they only contain data you would expect. For example, a phone number should not include letters.
- If you do restrict fields in any way, make sure you provide an example of the format that you expect from the visitor filling out the form. To do this put a text label underneath or next to the input field with text that displays the format you want.
Examples:
- Only allow letters to be entered in fields that should contain only letters, such as a person's name.
- Only allow numbers, parentheses and a dash to be entered in phone number fields (unless you accommodate international numbers).
- Only allow numbers and forward slashes (/) in a date field.
- Restrict the length of a phone number field to 14 characters (unless you accommodate international numbers), e.g. (208) 111-2222.
- Restrict the length of every field; for example, a full name field might be limited to 50 characters.
Allowing visitors to enter any type of character and any length of text into a form field presents opportunities to misuse your form. The more strict you are about the type of information that can be entered into form fields, the greater your chance of preventing misuse of your form.
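The following is an added example, not code from the original document, that combines the SpamTrap check from the ASP code above with the field validation rules listed in this section. It uses the VBScript RegExp object and a Scripting.Dictionary to collect one message per invalid field, so the visitor can be shown the expected format as recommended above. The "phone" and "date" fields, the length limits, and the exact patterns are assumptions chosen for illustration and are not part of the example form; adjust them to your own form.

```asp
<%
' Added example (not from the original document): server-side validation
' helpers for an ASP form that carries the hidden SpamTrap field.
' The "phone" and "date" fields, the patterns and the limits are assumptions.
Option Explicit

' Returns True when value matches the VBScript regular expression pattern
' in full (the pattern is anchored with ^ and $ here).
Function MatchesPattern(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = "^" & pattern & "$"
    re.IgnoreCase = True
    MatchesPattern = re.Test(value)
End Function

' Honeypot check: a non-empty SpamTrap field means an automated submission.
Function IsSpamSubmission(spamTrap)
    IsSpamSubmission = (Len(Trim(spamTrap)) > 0)
End Function

' Name: letters, spaces, hyphens and apostrophes only, 1 to 50 characters.
Function IsValidName(value)
    IsValidName = (Len(value) <= 50) And MatchesPattern(value, "[a-z '\-]+")
End Function

' Phone: digits, parentheses, spaces and dashes, at most 14 characters,
' e.g. (208) 111-2222 (assumes US-style numbers, as the text does).
Function IsValidPhone(value)
    IsValidPhone = (Len(value) <= 14) And MatchesPattern(value, "\(?\d{3}\)?[ \-]?\d{3}-\d{4}")
End Function

' Date: digits and forward slashes only, and a calendar date VBScript accepts.
Function IsValidDate(value)
    IsValidDate = MatchesPattern(value, "\d{1,2}/\d{1,2}/\d{4}") And IsDate(value)
End Function

' Email: a simple shape check (something@something.tld), at most 100 characters.
Function IsValidEmail(value)
    IsValidEmail = (Len(value) <= 100) And MatchesPattern(value, "[^@\s]+@[^@\s]+\.[a-z]{2,}")
End Function

' Collects every validation failure for the posted form into a Dictionary
' (field name -> message). An empty Dictionary means the submission is clean.
Function ValidateForm()
    Dim errors
    Set errors = CreateObject("Scripting.Dictionary")

    If IsSpamSubmission(Request.Form("SpamTrap")) Then
        errors.Add "SpamTrap", "Hidden field was filled in."
    End If
    If Not IsValidName(Request.Form("name")) Then
        errors.Add "name", "Enter letters only, e.g. Jane Doe (up to 50 characters)."
    End If
    If Not IsValidEmail(Request.Form("email")) Then
        errors.Add "email", "Enter an address in the form name@example.com."
    End If
    If Not IsValidPhone(Request.Form("phone")) Then
        errors.Add "phone", "Enter a number in the form (208) 111-2222."
    End If
    If Not IsValidDate(Request.Form("date")) Then
        errors.Add "date", "Enter a date in the form 12/31/2024."
    End If
    If Len(Request.Form("comments")) > 1000 Then
        errors.Add "comments", "Comments are limited to 1000 characters."
    End If

    Set ValidateForm = errors
End Function

' Usage in the form handler.
Dim formErrors, key
Set formErrors = ValidateForm()
If formErrors.Exists("SpamTrap") Then
    ' Treat as a bot: drop the session and stop without processing anything.
    Session.Abandon
    Response.End
ElseIf formErrors.Count > 0 Then
    ' Show the visitor the expected format for each field that failed.
    For Each key In formErrors.Keys
        Response.Write Server.HTMLEncode(key & ": " & formErrors(key)) & "<br>"
    Next
Else
    ' All fields passed: process the form here.
End If
%>
```

Two design points: the SpamTrap result is checked first and handled separately, so a bot never receives the validation messages that would tell it which fields to fix; and every message written back to the page goes through Server.HTMLEncode, so a field name or message is never echoed as raw HTML.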
