Let’s face it… nobody enjoys spam. A basic PHP contact form is generally susceptible to a massive amount of spam mail. SPF30 is a PHP library which utilizes a number of recommended spambot deterrents in an attempt to reduce form submission spam. SPF30 does not utilize any form of captcha. In addition to spam prevention methods, SPF30 also handles two-way encryption of form data. In other words, your form content cannot be easily sniffed across the wire. This adds a layer of security to your contact forms.
- You must have the PHP mcrypt module installed.
- The frontend form display requires jQuery to be loaded as it binds form submission to frontend encryption.
- The form submission contains a hashed value of a system defined secret key, the current date, and the user’s user agent.
- The form submission is invalidated in the event the submission timestamp exceeds a specific timeout period (default 1 hour).
- The form submission is invalidated in the event it was submitted in rapid succession (default 5 seconds).
- A hidden input honeypot is utilized in an attempt to trick bots into passing data with the field.
- A hidden hash field is validated against the submission time, user agent, and secret key.
- A hidden field is sent containing the array of encrypted fields, for decryption to their original field names.
- Decrypted form fields are written directly back to the POST array, abstracting the encryption from your backend handling.
- User specified form field names can undergo two-way DES encryption to obfuscate form field names.
- The encryption method goes beyond simple DES encryption for the purposes of transporting UTF-8 characters in POST data.
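The checks listed above (hashed hidden field, timeout, rapid-succession limit, honeypot) can be sketched as follows. This is an added example, not SPF30's own code: the function names, the field names `website`, `ts` and `token`, the use of HMAC-SHA256, and measuring rapid succession against the client's previous submission are all assumptions.

```php
<?php
// Added illustration, not SPF30's code; every name below is hypothetical.
const SECRET_KEY   = 'constructed-sample-secret'; // constructed value
const MAX_AGE      = 3600; // timeout period: 1 hour (the page's default)
const MIN_INTERVAL = 5;    // rapid-succession window: 5 seconds (the page's default)

// Hash over the secret key, the issue time and the user agent.
// Assumption: HMAC-SHA256 keyed with the secret; the page only says "hashed value".
function issue_token(int $issuedAt, string $userAgent): string
{
    return hash_hmac('sha256', $issuedAt . '|' . $userAgent, SECRET_KEY);
}

// Returns null when the submission passes, otherwise the reason for rejecting it.
// $lastSubmit is the time of this client's previous submission (e.g. kept in the session).
function reject_reason(array $post, string $userAgent, int $now, ?int $lastSubmit): ?string
{
    // Honeypot: the field is hidden from people, so any value came from a bot.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $issuedAt = filter_var($post['ts'] ?? null, FILTER_VALIDATE_INT);
    $token    = $post['token'] ?? '';
    if ($issuedAt === false || !is_string($token)) {
        return 'missing or malformed hidden fields';
    }
    // Recompute the hash server-side and compare in constant time.
    if (!hash_equals(issue_token($issuedAt, $userAgent), $token)) {
        return 'hash mismatch';
    }
    if ($issuedAt > $now || $now - $issuedAt > MAX_AGE) {
        return 'timestamp outside the allowed window';
    }
    if ($lastSubmit !== null && $now - $lastSubmit < MIN_INTERVAL) {
        return 'submitted in rapid succession';
    }
    return null;
}

// Constructed demo: one valid submission, then each failure mode in turn.
$ua = 'Mozilla/5.0 (constructed sample)';
$t0 = 1700000000;
$ok = ['ts' => (string) $t0, 'token' => issue_token($t0, $ua), 'website' => ''];
var_dump(reject_reason($ok, $ua, $t0 + 30, null));
var_dump(reject_reason(['website' => 'x'] + $ok, $ua, $t0 + 30, null));
var_dump(reject_reason($ok, 'other-agent', $t0 + 30, null));
var_dump(reject_reason($ok, $ua, $t0 + 7200, null));
var_dump(reject_reason($ok, $ua, $t0 + 30, $t0 + 28));
```

Because the timestamp is covered by the hash, a client cannot extend the timeout by editing the hidden field without also invalidating the token.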
The code below demonstrates how to use the SPF30 library for displaying a form.
Backend Form Handler
The code below demonstrates how to handle encrypted SPF30 form submissions on the backend.