Development PHP

Authored by Corey Ballou


SPF30 – A Spam Blocking/Prevention PHP Library

Let’s face it… nobody enjoys spam. A basic PHP contact form is generally susceptible to a massive amount of spam mail. SPF30 is a PHP library which utilizes a number of recommended spambot deterrents in an attempt to reduce form submission spam. SPF30 does not utilize any form of captcha. In addition to spam prevention methods, SPF30 also handles two-way encryption of form data. In other words, your form content cannot be easily sniffed across the wire. This adds a layer of security to your contact forms.

SPF30 on Github


  • You must have the PHP mcrypt module installed.
  • The frontend form display requires jQuery to be loaded as it binds form submission to frontend encryption.


  • The form submission contains a hashed value of a system defined secret key, the current date, and the user’s user agent.
  • The form submission is invalidated in the event the submission timestamp exceeds a specific timeout period (default 1 hour).
  • The form submission is invalidated in the event it was submitted in rapid succession (default 5 seconds).
  • A hidden input honeypot is utilized in an attempt to trick bots into passing data with the field.
  • A hidden hash field is validated against the submission time, user agent, and secret key.
  • A hidden field is sent containing a the array of encrypted fields for decryption to their old field names.
  • Decrypted form fields are written directly back to the POST array, abstracting the encryption from your backend handling.
  • User specified form field names can undergo two-way DES encryption to obfuscate form field names.
  • User submitted form field values can be encrypted on the frontend using a Javascript implementation of DES.
  • The encryption method goes beyond simple DES encryption for the purposes of transporting UTF-8 characters in POST data.

Example Usage

Frontend Form

The code below demonstrates how to use the SPF30 library for displaying a form.


Backend Form Handler

The code below demonstrates how to handle encrypted SPF30 form submissions on the backend.


SPF30 on Github

Fork me on GitHub

Author: Corey Ballou

Corey Ballou is the CEO of Whether you're a student, young professional, entrepreneur, startup, or small business, you can be up and online fast with your own custom domain, email, and webpage on POP. Corey is a professional PHP developer by trade, specializing in custom web applications development for startups, small businesses, and agencies. Follow Corey on Twitter @cballou.

  • http://N/A Adam

    Does this still work if the end-user has disabled javascript?

    • cballou

      Adam, the only thing that will no longer function with javascript turned off is encrypting field values. Both the spam prevention and field name encryption will still function as intended. I hope this answers your question!

  • rhopek

    Two things:

    1) You have an error in your form.php. You have ‘Email Address’ as the label for the ‘Phone’ field.

    2) The form-handler.php doesn’t seem to actually contain any code to “decrypt” in the “// no exceptions thrown, use decrypted form data as you please” section. That page contains two dumps, but only the first one does anything.

    • cballou

      Thanks for the comment rhopek. I’ll fix the first typo right after submission of this message. In regards to your second issue, there’s another typo which attempts to pass $this->input instead of $_POST to the decryption function. My sincere apologies, I can see where this would cause quite a problem.

      There’s also an undocumented requirement for utilizing the library which I failed to mention in the initial post. You must have the PHP mcrypt module installed to be able to use the SPF30 library.

      Hope this resolves your issues. Let me know!

  • Michael

    I am attempting to implement jquery spf 30 to a contact form; however, I’m having difficultly. I have defaulted to the example above for troubleshooting.

    Line 9 spam::validate($_POST); Returns:

    Catchable fatal error: Argument 1 passed to spam::validate() must be an instance of Input, array given, called in /sitepath/test/form-handler.php on line 9 and defined in /sitepath/spf30.php on line 51

    I think I missing a basic step somewhere. I’m not certain how to cast $_POST as an input.