formmail php


gabrielebr

Hello,
I'm still trying to understand what is the best way to protect the email addresses against spam bots. As the captcha has severe drawbacks with respect to accessibility, I have come to the conclusion that perhaps form mail can be the solution (as I'm unable to work with a database that perhaps can hide the addresses).
I read somewhere that this one is one of the best formmail: http://www.tectite.com/dlformmail.php but I don't understand why it should be safe, as the recipient address is written into the HTML while, if I understood well, it is safer to have the address in the PHP file.
Could anyone suggest a "safe" formmail that is not too complicated to customize?
Thank you
Regards
Gabriele

This might get moved to PHP. What are you concerned about? If you strip all the unnecessary notation from user input and limit user input to human speed, what could happen? I know I'm leading with my chin, but is there a specific example of how someone can get data after taking basic precautions (unless they have user names and passwords)?

I don't know if you have had a look at this: http://www.tectite.com/dlformmail.php
The email address is in the HTML file, so in principle it is as safe as writing directly mailto:"name@server", I believe. I'm not an expert, but from what I understood the address should stay in the PHP, and even so I'm not sure it is really spam-proof.
Gabriele

You can always just hardcode the email address into the PHP file:

$email = "smith@example.com";
//...
mail($email, "Subject", "Email");

Thank you. Is it true that it is safer to have the email address in the PHP instead of having it in the HTML?
Regards
Gabriele

Well, if the email address is not sent to the client, then there is no way for the client to read it...

I've wondered this, because it still doesn't seem to stop the spam bots, because they can still submit your form, right? They might not get the email address; sending the email is still the ultimate goal for them.

Also, sending emails via a form is always going to be inherently harder than just scraping an email address. We had a discussion on this in an Informatics lecture - the aim of the sort of spam bots that screenscrape email addresses is to try to get their spam out to as many possible recipients in the shortest amount of time. If it even takes ten times as long to fill out people's forms and send them, even if you could develop some sort of universal script that works 90% of the time, it's still not as worthwhile as just scraping everyone else's email addresses and just sending spam to them instead. No system is foolproof, but the harder it is the better.

Thank you everybody,
I have the impression you are setting up a technical discussion between experts, but in practice what do you suggest? Could you please give some practical examples? It seems it is not very easy to protect the email addresses (without JavaScript and without captcha)...
Regards
Gabriele

Basically, make it as hard as reasonable for robots. For example, you could integrate an anti-spam system like Akismet, give your form fields random names, etc.

Yep. Not only is it hard, but it's impossible even in theory to completely protect an email AND enable screen readers and/or search engines to look at it. Both screen readers and search engines are essentially bots... the only difference is in their purpose. A spam bot collects emails in a list and sends emails, Google would collect stuff (emails included) to enable users to search them, and screen readers would collect stuff to read them to users... but they all need to look at them (i.e. collect them in a SPAM bot-like fashion) to do their thing.
If you have any text (including email) in any form, the text is accessible in all ways to whatever computer has it. If the text portion (e.g. email) is in a text that's read by the client (HTML, CSS, JavaScript, Flash, etc.), then the client, and any program on it, has access to it and can potentially gather any portion of the text it wants (email included) and do whatever it wants with it. If the text is only read by the server, then any program on that server (PHP included) can read it, but as long as no text with the text portion (e.g. email) is given to the client, the client won't be able to read that text portion.
OK, that paragraph above is probably a little confusing... read it slowly several times, replacing "text" with "email" if you must. I used "text" because this applies to anything (e.g. form data), not just email addresses.
Thank you very much. After reading quite a lot I came to the conclusion you have suggested: I will make forms in PHP. It is not the best, as opening directly the email client would be better if someone wants just to send a simple message, but I have not been able to find anything of this kind written in PHP.
Nice weekend to everybody
I think you're missing the point. Using mailto puts the email address right in the markup, where that email address can be collected by the spam bots. If you use mail() in PHP, at least that email address isn't out there for bots to collect. In that case you'll only get the occasional annoying email.

Archived

This topic is now archived and is closed to further replies.
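
A form handler combining the measures suggested in this thread (recipient kept only in the PHP file, control characters stripped from user input, a "human speed" check, random field names), without JavaScript or captcha. This is an added example, not code from any of the posts or from the tectite FormMail script; the helper names, the 3-second threshold, the messages and the sender address webform@example.com are assumptions.

```php
<?php
// contact.php: added example. Helper names, limits and the From address are assumptions.
declare(strict_types=1);
session_start();
const RECIPIENT = 'smith@example.com'; // stays on the server, never written into the HTML
const MIN_FILL_SECONDS = 3;            // assumed threshold for "human speed"

// Read one POST field as a string (array-valued input is treated as empty).
function field(array $post, string $name): string {
    $v = $post[$name] ?? '';
    return is_string($v) ? $v : '';
}

// Replace CR/LF and other control characters so input cannot add mail headers.
function clean_line(string $s): string {
    return trim((string)preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s));
}

function handle_post(array $post, array &$session, int $now): string {
    $names  = $session['field_names'] ?? null;
    $issued = (int)($session['issued_at'] ?? 0);
    unset($session['field_names'], $session['issued_at']); // names are single-use
    if (!is_array($names)) return 'Form expired, please reload the page.';
    if ($now - $issued < MIN_FILL_SECONDS) return 'Submitted too quickly.';
    $from    = clean_line(field($post, $names['from']));
    $subject = substr(clean_line(field($post, $names['subject'])), 0, 100);
    $body    = trim(field($post, $names['body']));
    if (!filter_var($from, FILTER_VALIDATE_EMAIL) || $body === '') return 'Enter a valid address and a message.';

    // The visitor's address goes into Reply-To only; the To: address is fixed above.
    $headers = ['From' => 'webform@example.com', 'Reply-To' => $from];
    $sent = mail(RECIPIENT, $subject, wordwrap($body, 70, "\r\n"), $headers);
    return $sent ? 'Message sent.' : 'Could not send the message.';
}

$message = $_SERVER['REQUEST_METHOD'] === 'POST' ? handle_post($_POST, $_SESSION, time()) : '';
// Fresh random field names on every page load, remembered in the session.
$n = [];
foreach (['from', 'subject', 'body'] as $k) $n[$k] = 'f' . bin2hex(random_bytes(6));
$_SESSION['field_names'] = $n;
$_SESSION['issued_at'] = time();
?>
<p><?= htmlspecialchars($message) ?></p>
<form method="post">
  <label>Your email <input type="email" name="<?= $n['from'] ?>"></label>
  <label>Subject <input type="text" name="<?= $n['subject'] ?>"></label>
  <label>Message <textarea name="<?= $n['body'] ?>"></textarea></label>
  <button type="submit">Send</button>
</form>
```

The page source a bot can read contains only the random field names; the recipient address appears nowhere in it, and array-form headers for mail() need PHP 7.2 or later.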
