CakePHP Form Spam

I have built a contact form using CakePHP following the tutorial at http://snook.ca/archives/cakephp/contact_form_cakephp

But I would like to add a spam protector where the user is presented with a random 5-character word such as BB42A that they have to type in before they can submit the form.

I have done some Googling but haven't found anything suitable online.

Any suggestions? Thanks

The one at the bottom of here is quite good: http://mattbrett.com/portfolio/hire/


I would suggest using an existing CAPTCHA library or service rather than rolling your own. No sense re-inventing the wheel.

One of the best is reCAPTCHA. Here's a good tutorial on implementing reCAPTCHA in Cake.


You can use active/passive captchas with simple math questions like 2+3: http://www.dereuromark.de/2010/08/09/how-to-implement-captchas-properly/

How secure it needs to be is your decision. For most sites this is more than enough.


Actually - one of the easiest ways I found to beat spambots was to have a hidden field in every contact form; usually spambots would fill it, whereas humans, as they can't see it, wouldn't be able to.

Try adding to your view:

// Call it something along the lines of 'name' or 'email', and the
// real form field 'x1' or 'x2' etc.
echo $this->Form->input('aformfield', array('class' => 'aformfield'));

Make sure you hide it in your css:

.aformfield{display:none;}

In the controller before you send the email, check to see if the hidden field is filled:

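// A non-empty honeypot field means the form was filled in by a bot
if (!empty($this->data['Model']['aformfield'])) {
    $this->Session->setFlash('You shouldn\'t be able to fill out a hidden field');
    // Controller::referer() is spelled with a single "r"
    $this->redirect($this->referer());
}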

It's not bulletproof and I'm sure spambots will find a way around it, but it's a good place to start if you don't want to do captchas.


What you need is called captcha.

Google search for cakePHP + captcha should come up with some cakePHP plugins. I don't develop in cakePHP, so I can't tell more.

You can, of course, make your own captcha and then integrate it in your website. To keep it short:

  • Generate a random string;
  • create an image with this string (imagecreate function on php.net);
  • save the string as session variable;
  • compare what user submitted with what's saved in session.

Code:

<?php
session_start();

// Build the captcha text. random_int() (PHP 7+) replaces rand() so the
// string is not predictable, and [] replaces the {} string offsets that
// PHP 8 no longer accepts.
function rand_str($length = 6,
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890')
{
    $chars_length = (strlen($chars) - 1);
    $string = $chars[random_int(0, $chars_length)];
    // Generate random string
    for ($i = 1; $i < $length; $i = strlen($string))
    {
        // Grab a random character from list
        $r = $chars[random_int(0, $chars_length)];
        // Make sure the same two characters don't appear next to each other
        if ($r !== $string[$i - 1]) $string .= $r;
    }
    return $string;
}

$im = @imagecreate(100, 40) or die("Cannot Initialize new GD image stream");
$background_color = imagecolorallocate($im, 0, 0, 0); // black
$text_color = imagecolorallocate($im, 255, 255, 255); // white

// Store the expected answer server-side; only the image goes to the client
$random_string = rand_str();
$_SESSION['captcha'] = $random_string;

// Send the PNG header only once the image exists
header("Content-Type: image/png");
imagestring($im, 5, 5, 5, $random_string, $text_color);
imagepng($im);
imagedestroy($im);

?>
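
The last step of the list above (compare what the user submitted with what is saved in the session), as an added example that is not part of the original answer. The function name verify_captcha(), the form field name and the sample values are hypothetical; it fails closed when no captcha was issued and discards the stored string after one attempt.

```php
<?php
// Added example: the "compare" step for the session-stored captcha string.
// verify_captcha() and the sample values below are hypothetical.

/**
 * Check a submitted answer against the string stored by the image script.
 * $session is passed by reference so the stored value can be consumed.
 */
function verify_captcha(array &$session, $submitted): bool
{
    // Read and immediately discard the expected value: one attempt per
    // image, so a solved captcha cannot be replayed and repeated guesses
    // against the same image are not possible.
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);

    // Fail closed when no image was ever requested, or when the field is
    // missing or not a string (captcha[]=x arrives as an array). Without
    // this check a loose comparison of null with '' would succeed.
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }

    // Exact, case-sensitive, constant-time comparison.
    return hash_equals($expected, trim($submitted));
}

// In the form handler this would be called as (field name is an assumption):
//   session_start();
//   $ok = verify_captcha($_SESSION, $_POST['captcha'] ?? null);

// Constructed sample data standing in for $_SESSION and the POSTed value.
$session = array('captcha' => 'aB3xQ9');
var_dump(verify_captcha($session, 'aB3xQ9')); // correct answer, first use
var_dump(verify_captcha($session, 'aB3xQ9')); // same answer replayed

$no_image = array();                          // captcha image never loaded
var_dump(verify_captcha($no_image, ''));      // empty submission
```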