A user-friendly alternative to CAPTCHA


If you’ve ever had a form on your website then you probably know a thing or two about receiving spam. If you have no means of spam protection on your forms then you’re going to be bombarded by automated spam created by bots who visit your site, fill your forms with garbage and submit them straight through to you.

The most obvious way of protecting your forms against this kind of spam, and one you’ve probably been frustrated with yourself on many occasions, is a CAPTCHA field. This is the grainy picture or distorted image of letters or numbers (or both!) that you have to type into a field to prove that you’re not just a bot trying to spam the form.

Most clients don’t want a CAPTCHA field on their nicely styled enquiry forms. They don’t look very nice and they are a frustration for a lot of users, particularly those who have any accessibility requirements. There are several alternative ways of protecting your forms against automated spam bots, and we looked at several methods before deciding on a couple that do the job effectively.

Honeypot

The first method we use is called a honeypot. This is a fairly common, tried and tested method that seems to have a decent success rate against less intelligent automated spam bots. It involves adding a field to your form and hiding it with CSS, then, when the form is submitted, checking that this field hasn’t been filled in. The majority of automated bots won’t realise that this field isn’t actually shown on the form, as they will only see the rendered source code of the page when looking for fields to fill in. The important thing here is to hide the field with CSS rather than using a hidden field, as it seems a lot of these automated spam bots don’t tend to fill in hidden fields. We specialise in PHP here at The Escape, in particular Laravel, but a basic PHP example of a honeypot implementation can be seen below.

HTML

<input name="somename" style="display:none" type="text" />

PHP

if (!empty($_POST['somename'])) {
    // some code to abort the submission attempt
}

Timegated submissions

An automated spam bot can fill out a form on your website and submit it within seconds of visiting your website. A human, obviously, takes time to read the information on the page, fill out the form and submit it. This led us to our second method of spam protection and probably the most successful one.

When the form is rendered in the template of our websites, we print a timestamp into a hidden field on the form. When the form is submitted, our spam protection function checks the timestamp against the current timestamp to see whether or not the form was submitted in the allowed time period. By default we set this to 10 seconds, as it’s highly unlikely that a user has been able to read, digest and fill in most forms on the majority of websites in less than 10 seconds. We do adjust this depending on the length and complexity of the form.

HTML

<input name="timestamp" type="hidden" value="<?php echo time(); ?>" />

PHP

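$time_limit = 10; // the minimum number of seconds a submission should take
// A missing field must fail too: comparing against an unset value would let it through
if (!isset($_POST['timestamp']) || time() - $time_limit < (int) $_POST['timestamp']) {
    // some code to abort the submission attempt
}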
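
The hidden timestamp comes back from the client, so the check above trusts a value the submitter controls. The following is an added example, not The Escape's own code: it combines the honeypot check with a timestamp signed by the server using an HMAC, so only timestamps the server issued are accepted. The function names, the secret placeholder and the upper age limit are assumptions.

```php
<?php
// Added example: the constant names, secret and upper limit are assumptions.
const FORM_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder
const MIN_SECONDS = 10;   // the article's default minimum fill time
const MAX_SECONDS = 3600; // assumed cap so an old token cannot be reused indefinitely

// Value for the hidden field: "<timestamp>.<hmac of timestamp>".
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the submission passes, otherwise the reason it was rejected.
function check_submission(array $post, int $now): ?string
{
    // Honeypot: the CSS-hidden field must come back empty.
    if (!empty($post['somename'])) {
        return 'honeypot filled';
    }
    $raw = $post['timestamp'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed token';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison; rejects any timestamp the server did not issue.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'bad signature';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_SECONDS) {
        return 'submitted too fast';
    }
    return $age > MAX_SECONDS ? 'token expired' : null;
}

// Constructed sample submissions, checked against a fixed "now".
$now = 1700000000;
$samples = [
    'human after 45s'     => ['somename' => '',  'timestamp' => issue_form_token($now - 45)],
    'bot after 1s'        => ['somename' => '',  'timestamp' => issue_form_token($now - 1)],
    'honeypot filled'     => ['somename' => 'x', 'timestamp' => issue_form_token($now - 45)],
    'altered timestamp'   => ['somename' => '',  'timestamp' => ($now - 45) . '.deadbeef'],
];
foreach ($samples as $label => $post) {
    echo str_pad($label, 22), check_submission($post, $now) ?? 'accepted', PHP_EOL;
}
```

In a template, the hidden field's value would be `issue_form_token(time())`, and the handler would call `check_submission($_POST, time())`.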

Summary

It’s important to bear in mind that this is not an exhaustive list of options for non-CAPTCHA based spam protection and if you feel you need additional protection, it’s worth having a deeper look into the subject.

These are the two methods we've had a lot of success with for our clients here at The Escape with almost zero spam being submitted once we’ve implemented these techniques across their websites.

These methods will not prevent a determined human spammer, however. They will still be able to fill out your forms and submit them with garbage unless you perform detailed validation on the content prior to submission, but form validation is a topic for another day!

After seeing how simple it is to do away with CAPTCHA fields altogether, if you are still insistent on having one on your forms, then there is a solution provided by Google called reCAPTCHA that is a more modern and accessible approach to CAPTCHA and has a lot of support in the industry.
