30 August 2016

Protecting forms with negative-Capchas



Every form is a target of Spam-Bots. But how to protect your web from those evil bastards?
Captcha is the most common method preventing those machines from using your forms. An image with a number or a word is created that is readable for humans but not for the automated systems. Only if you type the word correctly in a text field, the form is sent.

Efficient. But quite uncomfortable for the user. There is an easier way. But first... let's have a look, how a spam-bot works.

A bot identifys a form and fills out every input-field, selects an option of every dropdown, checks every checkbox possible. If a field has the name "email" or is defined as type="email" it simply generates a fictional but valid e-mail address. They a programmed efficient. Just filling every input and try sending it. Some of them can even identify fields that required numbers like zip-codes.


So we can use this method against it. Just create a text-field that needs to be left blank. Then you can create a container around it, that hides it when you use a common browser. All you have to do now is check the field on server-side if it is left blank.


A way to validate the inputs on the server side.


<style type="text/css">
        display: none;
<form action="" method="post" name="form1">
        <label for="email">Enter your e-mail</label>
        <input type="email" id="email" name="email" placeholder="E-Mail" />
    <!-- Here comes the Spam-bot trap -->
    <div class="forthebot">
        <label for="bot">Please leave this field blank</label>
        <input type="email" id="bot" name="bot" placeholder="Leave blank" />
    <input type="submit" value="Send" />