Here's the full PHP script of my anti-spam check, which also checks for "bad" characters + if the extra email was filled in + also writes a timestamp to see if the form was submitted too quickly or too long after being generated, i.e. it was saved offline and submitted by bots.
And as tmaster says, always hard-code the To: From: Subject: fields.
In the PHP header code
Code:
// initialise the flags so an untouched check cannot leave them undefined
$spam = false;
$error = false;
// check if any of the SPAMBOT criteria are true
if (preg_match("/bcc:|cc:|multipart|url|Content-Type:/i", implode(' ', $_POST))) {
    $spam = true;
}
if (preg_match_all("/<a|http:/i", implode(' ', $_POST), $out) > 3) {
    $spam = true;
}
// the hidden honeypot field must stay empty; only a bot fills it in
if (!empty($_POST['emailagain'])) {
    $spam = true;
}
// if e-mail is not formatted correctly, show error message
// (eregi() was removed in PHP 7, so preg_match() with the /i flag is used instead,
//  and the dots are escaped so they match a literal "." rather than any character)
if (!isset($_POST['email']) || !preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $_POST['email'])) {
    $error = true;
}
// reject the form if the hidden timestamp is more than an hour old
if (!isset($_POST['formtime']) || (int) $_POST['formtime'] < time() - 3600) {
    $spam = true;
}
In the form, I add these fields:
Code:
<span style="display:none;visibility:hidden;">
<label for="emailagain">Do not enter anything in this field as it's designed to stop SPAMBOTS!</label>
<input type="text" name="emailagain" id="emailagain" value="" />
<input type="text" name="formtime" value="<?php echo time(); ?>" />
</span>
Cheers,
Niggles
__________________
-------------------------------------------------
World Music World - bringing the World's Folk Music Cultures Together
http://www.worldmusicworld.com/
-------------------------------------------------
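An added example (not Niggles' code) that gathers the honeypot, timestamp-window and keyword checks above into one function and also catches the CR/LF characters that actually let a submitter inject extra mail headers; the field names follow the form above, while the 5-second minimum, the 3600-second maximum and the example.com addresses are assumptions.

```php
<?php
// Added example: one validation function for the form above. Field names match
// the post; the 5 s / 3600 s window and the example.com addresses are assumed.
function check_contact_form(array $post, int $now): array
{
    $errors = [];

    // Honeypot: the hidden "emailagain" field must stay empty.
    if (!empty($post['emailagain'])) {
        $errors[] = 'honeypot filled';
    }

    // Timestamp window: too fast means a bot, too old means a saved-offline copy.
    $formtime = (int) ($post['formtime'] ?? 0);
    if ($formtime <= 0 || $now - $formtime < 5) {
        $errors[] = 'submitted too quickly';
    } elseif ($now - $formtime > 3600) {
        $errors[] = 'form expired';
    }

    // Header injection: a newline in any field that could reach a mail header
    // would let the sender append their own Bcc:/Cc: lines.
    foreach (['name', 'email'] as $field) {
        if (preg_match("/[\r\n]/", (string) ($post[$field] ?? ''))) {
            $errors[] = "newline in $field";
        }
    }

    // Keyword and link heuristics from the original post, over scalar fields only.
    $all = implode(' ', array_filter($post, 'is_scalar'));
    if (preg_match('/bcc:|cc:|multipart|Content-Type:/i', $all)) {
        $errors[] = 'mail header keyword in input';
    }
    if (preg_match_all('/<a|https?:/i', $all) > 3) {
        $errors[] = 'too many links';
    }

    // E-mail syntax via PHP's built-in validator instead of a hand-written regex.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }

    return $errors;
}

// Sending: To, From and Subject are fixed; user data only enters the body and
// Reply-To, and Reply-To is safe only because the newline check above passed.
function send_contact(array $post): bool
{
    $headers = "From: webform@example.com\r\nReply-To: " . $post['email'] . "\r\n";
    return mail('owner@example.com', 'Contact form', (string) $post['message'], $headers);
}
```

Call `send_contact()` only when `check_contact_form($_POST, time())` returns an empty array.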