How can I prevent spamers from using our form processors?

synergypoint

I have been using FormMail.php (based on formmail.pl) to process form submissions.

It uses the HTTP_REFERER value to make sure that only someone from a valid domain submits to the form processor.

Unfortunately not all browsers support HTTP_REFERER and the manual for PHP even says this is not 100% reliable.

So what else can I do to make sure that only people visiting my web site can submit to the form processor?

I could use cookies but not all browsers have cookies enabled.

Is there a way to pass a variable from one PHP page to another without it being written to HTML like in a "hidden" form varialbe. Someone could simply read that from the page code and submit it in the URL.

Any ideas?

Thanks.

mystrymaster

well if your code is written correctly they wont be able to pass it via the URL they will have to pass it with a form because the page should be looking for variables via $_POST[varhere]

But I suppose you could look document referer. I am pretty sure there is a way to do that with php.

dalecosp

I could use cookies but not all browsers have cookies enabled.

Is there a way to pass a variable from one PHP page to another without it being written to HTML like in a "hidden" form varialbe. Someone could simply read that from the page code and submit it in the URL.

Sessions? 😉