Preventing Spam in Form Submissions without Using a CAPTCHA


Got a Spam Problem?

If you’re looking for a smart solution to prevent your forum/guestbook/web-application/whatever from getting flooded with junk entries.


Why You Shouldn’t Use a CAPTCHA ?

A CAPTCHA is a method to fight spam robots, by requiring the user to enter a code which is displayed as a distorted image.

CAPTCHAs May be annoying to users.

So for fight spam robots You probably don’t need CAPTCHAs. The method described here would require the spammer to sit down and adjust his scripts for your specific website. So, unless your site is an extremely attractive target for spammers, they probably won’t take that time.


Lets See The Other Method To fight spam robots

Method 1: Use CSS

What To Do?

  • Declare additional form fields and hide them with CSS.
  • On form submission, check if any of those fields was populated.

How This Will Work?

A spam robot will probably fill out each field it encounters. if your hidden field is populated you will found out whether it is Posted by a spam robots.

If robot understand Css then it can be bypassed

Drawback of This Method:

Users without CSS will see those “fake” form fields.


HTML Code:

<label>Leave this blank: <input type="text" class="noshow" name="leaveblank"></label><br>
<label>Do not change this: <input type="text" class="noshow" name="dontchange" value="http://" ></label>

Css Code:

.noshow { display:none; }

PHP Code:

if ($_POST['leaveblank'] != '' or $_POST['dontchange'] != 'http://') {
   // display message that the form submission was rejected
else {
   // accept form submission

Method 2: Use JavaScript

Assign Class with java script to stop spam robot to spam your email or database.

If robot understand JavaScript then it can bypassed Our Code.

Drawback of This Method:

Users without JavaScript or CSS will see the “fake” form fields.


HTML Code:

<input type="text" id="leaveblank" name="leaveblank">


<script type="text/javascript"> document.getElementById('leaveblank').className = "noshow"; </script>


Method 3: Use Encoded JavaScript

You can Stop Spam Robots by Using Encoded javascript. You can Create an encoded javascript by using Hivelogic Enkoder

if Spam Robots understands the javascript Very well then this method can be bypassed.

Drawback of This Method:

Users without a fully compatible JavaScript engine will see the “fake” form fields.


JavaScript Code:

<script type="text/javascript"> /* <![CDATA[ */ function hivelogic_enkoder(){var kode= "kode=\")''(nioj.)(esrever.)''(tilps.edok=edok;\\\"kode=\\\"\\\\oked\\\\\\"+ "\\\\\"\\\\=document.write\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\s(r\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\drcnmonu.eetEge"+ "teltmyndB'Ie(vlbaaekl)nc'a.slaseN=m\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\\\"+ "\\\\\\\\\\\\ns\\\\\\\\\\\"\\\\oo\\\\\\\\\\\\\\\\hw\\\\\\\\\\\\\\\\\\\\\\\\"+ "\\\\\\\\;r\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"+ "n/\\\\\\\\\\\\\\\\c\\\\\\\\\\\"\\\\);;\\\\\\\\\\\""+ "\\\\=x''f;roi(0=i;(


Method 4: Use PHP

For stop Spam Robots Use PHP Code Change the field names periodically.

If Spam Robot Parse the HTML page before each form submission to Bypass the Code .

Drawback of This Method:

Users who open the page just before midnight, then submit the form after midnight, will be rejected.


PHP Code:

// You can use the date() function to change field names periodically:
// For daily changes, e.g. use:
$code = date('Yz'); // Don’t copy this 1:1 - adjust the date() parameters!
$html = "<input type='text' name='abc$code'>\n";
if (!isset($_POST["abc$code"]) {
   // reject form submission


Method 5: Use a Database

For Protecting your page from spam Robots Following Method can be Used

  • Save the IP address & timestamp of each rejected submission in your database.
  • If you receive a form submission using wrong fieldnames, don’t display the form at all – just show a note that this IP address will remain blocked for the next few minutes

Drawback of This Method:

Some spam robots don’t parse the HTML page upon each visit. They just submit the form fields which they’ve recorded during their first visit.
So, if you don’t display the form after a false attempt, the robot has no chance to find out your currently valid field names.



 `ip` int(10) unsigned default NULL,
 `timestamp` timestamp NOT NULL,
  KEY `ip` (`ip`));

PHP Code:

// when you reject a form submission:
mysqli_query("INSERT INTO `spam` SET `ip`=INET_ATON('$ip');");
// whenever somebody opens the page:
mysqli_query("SELECT `timestamp` FROM `spam` WHERE ip=INET_ATON('$ip') ORDER BY `timestamp` DESC LIMIT 1;");
if (time() - $timestamp < 120) { // 2 minutes
   // display error message to try again in 2 minutes
else {
   // display HTML form
Please follow and like us:

Your email address will not be published. Required fields are marked *

Contact CPD Technologies