Home » Php » php – Good Form Security – no CAPTCHA

php – Good Form Security – no CAPTCHA

Posted by: admin April 23, 2020 Leave a comment


Is there a good method of form security that does not involve CAPTCHA? CAPTCHA is so annoying, but I need security because I am getting form spam. My form is PHP.

How to&Answers:

Try akismet. It’s great at flagging spam. The API is easy to use and completely transparent to your users.


Here’s what I’ve found to be very effective (and dead simple):

  1. Put a hidden field on your form. Give it a name like “phone” or something similar/common and put in a default junk value.

  2. Put another regular text input field on your form, but hide it with CSS. Make that one empty. Again, give it a “real” sounding name (first_name, phone_number, whatever).

  3. When the form is posted, verify that the hidden field still has the default value and the field you hid with CSS is still empty.

You’re basicly taking advantage of the fact that most spam bots will simply fill in every field in the form in order to avoid failing any required field validation checks. Some might be smart enough to ignore hidden fields, but I’ve never seen one that was smart enough to ignore fields hidden with CSS.

To address some comments – Is this a truly “secure” system? no, it certainly isn’t. It would be trivially broken by anybody who wanted to specifically target your site. That said, it is still remarkably effective against the automated form spamming bots that most “low value” sites will see.

If you want to stop a determined attacker, you’ll need something a bit more invasive. Another poster mentioned Akismet, which is a good option. Re-Captcha would be another. Stopping determined, targeted spammers is hard though. Even Yahoo and Google have a hard time with it.


This kind of validator is cute and quick!


Obviously, you will want to display one of a many possible animal images, and the list should be randomized as well.

I understand it will only work X% of the time, but adding more options to the list will help reduce spam.


I have already worked something similar.

  1. When you open a form generate one md5() string and put it in session (for example $_SESSION[‘captha’])
  2. Your form sould have one hidden field and when you open this form write this data from $_SESSION[‘captha’] into this hidden field
  3. When you receive this post request compare value in session and value which come with this hidden field. If it is same everithing is ok and vice versa. Of course, after you handle this request just delete variable $_SESSION[‘captha’].

This work for me.


If all you are doing is avoiding spam bots (automated programs that seek <form> tags, fill in all <input> fields, then submit the form), then a simple solution is to do as Paolo said: use JavaScript to add a hidden field. The disadvantage is for people who disable JavaScript.

Feel free to use this:

<form method="post" action="contact.php" id="commentForm">
  <label for="name">Name</label>
  <input type="text" name="name" id="name" maxlength="64" /><br />

  <label for="email">Email</label>
  <input type="text" name="email" id="email" maxlength="320" /><br />

  <label for="message">Message</label>
  <textarea name="message" rows="10" cols="40" id="Message"></textarea><br />

  <label for="human">40 + 2 =</label>
  <input type="text" name="human" id="human" size="10" maxlength="3" /><br />

  <p align="center">
  <input type="submit" name="submit" value="Send" class="submit-button" />

Then place the following as “contact.php” in the same directory:

require_once 'lib/swift_required.php';

// Reason for not contacting.
$reason = 'default';

error_reporting( 0 );
ini_set( 'display_errors', 0 );

function not_contacted() {
  global $reason;

  header( 'Location: error.html' );

function wms_error_handler($errno, $errstr, $errfile, $errline) {
  return true;

function wms_shutdown() {
  if( is_null( $e = error_get_last() ) === false ) {

set_error_handler( "wms_error_handler" );
register_shutdown_function( 'wms_shutdown' );

$name = trim( $_POST["name"] );
$email = trim( $_POST["email"] );
$message = trim( $_POST["message"] );
$human = trim( $_POST["human"] );
$subject = 'FormSpam';
$contacted = false;

if( is_null( $name ) || empty( $name ) ) {
  $reason = 'name';
  $human = false;
else if( is_null( $email ) || empty( $email ) ) {
  $reason = 'email';
  $human = false;
else if( is_null( $message ) || empty( $message ) ) {
  $reason = 'message';
  $human = false;
else if( is_null( $human ) || empty( $human ) || $human !== '42' ) {
  $reason = 'computer';
  $human = false;

if( $human === '42' ) {
  $subject = 'YourCustomSubject - '.$name;

  $transport = Swift_SmtpTransport::newInstance( 'localhost', 25 );
  $mailer = Swift_Mailer::newInstance( $transport );

  $message = stripslashes( $message );

  $message = Swift_Message::newInstance()
    ->setSubject( $subject )
    ->setFrom( array( $email => $name ) )
    ->setTo( array( 'YourEmailAddress' => 'Your Name' ) )
    ->setPriority( 1 )
    ->setBody( $message )

  if( $mailer->send( $message ) ) {
    header( 'Location: contacted.html' );
    $contacted = true;

if( $contacted === false ) {

Should prevent 99% of spam.

I have not added constants, but I’m sure you can figure out where to change the script. I’ve removed the part where it redirects to different pages depending on what was (or was not) entered by the user (e.g., missing full name, e-mail address, message, and such). If you want a full version of the script, let me know and I’ll fix the code to be more new-developer-friendly.

Note the Swift Mailer dependency.


Yes, I invented and developed a method many years ago called nocaptcha.

I tested employed it in my sites for a year then noticed google also using it.

I released it for Joomla (see
http://shop.ekerner.com/index.php/shop/joomla-nocaptcha-detail )
and since it has been copied by many platforms (see https://www.google.com.au/search?q=nocaptcha ).

I believe the git hosted version via the above link can be deployed to any site, and if you cant find a version for your site then perhaps ask my dev team for a custom solution (see: http://www.ekerner.com/ ).


Math questions are interesting alternative. You can even write your own simple math checker by using random numbers.

Here are couple of plugins:




Depends on the type of form spam, general bots made for spamming any form it finds can easily be foiled by a lot less obstructive measures (like “what is the name of this site?”), but if someone has made a bot targeting your site specifically you will need captchas or something equally annoying.


If cutting down spam is the immediate need, putting the form in an iframe has been effective for me.

<iframe src="contactform.php" scrolling="no" height="*"  width="*"></iframe>

Set the frame’s height and width a little bigger than your form’s width and height. Use CSS to make the frame border 0 so users won’t notice they’re looking at the form within frame.