SiteKickr Web Development

Strong form SPAM prevention technique

To see why some form of SPAM prevention is necessary, consider this example. You have an HTML form such as:

<form action="send.cfm" method="GET">
  <input type="text" name="firstname" value="" />
</form>

This form could be submitted by a web browser, but it could also be submitted by any programming language that can make HTTP requests, simply by requesting:

http://www.mysite.com/send.cfm?firstname=bob

Imagine that a SPAM robot performs this call thousands of times per minute against your server, and that with each call you insert a new database record. See where I'm going with this!

Preventing the SPAM robot

This method combines the use of encryption and the current server time to make it almost impossible for a SPAM robot to succeed in "getting through".

By encrypting the current timestamp with an arbitrary encryption key, sending it along with the form submission (in a hidden field), and then checking that timestamp for "recentness", you can verify that the request reaching your processing script came from a form page your server actually rendered.

ColdFusion Example:

<form action="send.cfm" method="GET">
  <input type="text" name="firstname" value="" />
  <cfoutput>
  <input type="hidden"
         name="auth"
         value="#Encrypt(GetTickCount(), my_encryption_key, 'DES', 'Hex')#" />
  </cfoutput>
</form>

Then, in your processing script, simply decrypt the value in url.auth and compare it against the current value of GetTickCount() to see how many milliseconds have passed between the form page being rendered in the web browser and the form being submitted. You can decide on the allowable length of time. The exact length is not very significant, because the timestamp is encrypted: any SPAM robot would first have to guess your encryption key and method of encryption before it could even pass in a valid timestamp.
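The complete round trip (key setup, form page, and processing script) as an added example; this is not code from the original article. It assumes ColdFusion, a key stored as application.my_encryption_key and created in Application.cfc with GenerateSecretKey() (which is the form of key Encrypt() and Decrypt() expect for the "DES" algorithm), a 10-minute window, and a datasource, table and column named purely for illustration. On send.cfm the token is rejected when it is missing, cannot be decrypted, does not decrypt to a number, is dated in the future, or is older than the window, all before any database write happens.

```cfml
<!--- Application.cfc (assumed): create the key once, when the application starts.
      Encrypt()/Decrypt() with algorithm "DES" expect a key produced by
      GenerateSecretKey(), not an arbitrary string. --->
<cfcomponent>
  <cfset this.name = "spamguard_demo">
  <cffunction name="onApplicationStart" returntype="boolean">
    <cfset application.my_encryption_key = GenerateSecretKey("DES")>
    <cfreturn true>
  </cffunction>
</cfcomponent>

<!--- form.cfm: render the form with the encrypted timestamp in a hidden field.
      Hex output is URL-safe, so it survives the GET query string unchanged. --->
<form action="send.cfm" method="GET">
  <input type="text" name="firstname" value="" />
  <cfoutput>
  <input type="hidden" name="auth"
         value="#Encrypt(GetTickCount(), application.my_encryption_key, 'DES', 'Hex')#" />
  </cfoutput>
</form>

<!--- send.cfm: verify the token before touching the database --->
<cfset allowedMs = 10 * 60 * 1000>   <!--- assumed window: 10 minutes, in milliseconds --->
<cfset tokenOk = false>

<cfif structKeyExists(url, "auth") AND len(trim(url.auth))>
  <cftry>
    <cfset issued = Decrypt(url.auth, application.my_encryption_key, "DES", "Hex")>
    <!--- a forged or tampered token either throws above or decrypts to junk --->
    <cfif isNumeric(issued)>
      <cfset elapsed = GetTickCount() - issued>
      <!--- reject stale tokens and tokens dated "in the future" --->
      <cfif elapsed GTE 0 AND elapsed LTE allowedMs>
        <cfset tokenOk = true>
      </cfif>
    </cfif>
    <cfcatch type="any">
      <cfset tokenOk = false>
    </cfcatch>
  </cftry>
</cfif>

<cfif NOT tokenOk>
  <cfheader statuscode="403" statustext="Forbidden">
  <cfoutput>Submission rejected.</cfoutput>
  <cfabort>
</cfif>

<!--- token accepted: now insert the record (datasource, table and column are assumed) --->
<cfquery datasource="mydsn">
  INSERT INTO contacts (firstname)
  VALUES (<cfqueryparam value="#url.firstname#" cfsqltype="cf_sql_varchar">)
</cfquery>
```

Keep the window no longer than real users need to fill in the form, since a token stays acceptable until it expires, and keep the key in application scope rather than in the page so every request decrypts against the same value.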