If your PHP website contains forms that can be submitted, they can almost certainly be submitted by automation. Anyone who can write PHP (or drive any HTTP client) can create a script that sends GET or POST form data directly to the receiving script, bypassing the browser entirely. That script can pull values from a database, such as a password dictionary, and iterate submissions until something works, or simply flood your website with the attacker’s content. There are many variations on attacks that rely on automated form submission, but they all use similar tactics and techniques.
One of the most effective methods of preventing successful automated submissions is to require an image-to-text transcription (commonly known as a CAPTCHA; this article calls it a graphic blocker). The form uses PHP to display a graphic containing text that a human can read, which must be entered correctly into one of the form’s fields. If the text is entered correctly, the form validates and continues with whatever else it is meant to do. If the text is missing or incorrect, PHP rejects the submission.
The reason this hinders automated submissions is that Optical Character Recognition (OCR) on a deliberately obscured image is difficult, and most spammers will not invest the significant time required to automate reading text from your particular graphics. The image containing the textual code should include background artwork that makes OCR considerably harder: logos, lines, and colors all reduce the likelihood that OCR will be employed, and thus increase the safety of your forms and PHP scripts. Bear in mind that this raises the cost of an attack rather than eliminating it; OCR tooling keeps improving and paid human solving exists, so treat the graphic as one layer alongside server-side validation and rate limiting, not as the only defense.
The page containing the form should generate the textual code, and a separate PHP file should generate the image that displays it. The code must be tracked from the form to the PHP script that receives the submission so the two can be compared; the most effective method is to store the randomly generated string in a PHP session, where the client can neither read nor alter it. Keep the image-generating PHP code in its own file and reuse it anywhere text needs to be displayed as a graphic.
This technique has some implications and caveats. Unset (or overwrite) the PHP session variable containing the textual code whenever the form is reloaded, so each displayed image corresponds to exactly one valid code, and clear it again once a submission has been checked so a solved code cannot be replayed. Send no-cache headers with the image so neither the browser nor an intermediate cache shows an old graphic; the user must always see the current code, not stale data. Pass the code to the PHP graphic generator through the session, never through a URL parameter, or the automation can simply read it from the image’s address. When generating the textual code, it is safest to omit the digit 0 and the letter O, and likewise the letter Z and the digit 2, the letter I and the digit 1, and so on, so a human cannot misread the graphic. Keep the contrast between the top-layer text and the background artwork low enough that OCR performs poorly while a person can still read it.
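The following is an added example, not code from the original article, showing the pieces described above in one PHP file: an unambiguous alphabet drawn with a CSPRNG, the code stored only in the session, a GD-rendered PNG with low-contrast background lines and per-character jitter, no-cache headers on the image, and a one-shot, constant-time comparison on the receiving side. The file and function names (captcha.php, captcha_start, captcha_render_png, captcha_verify, the captcha_code session key) are assumptions for illustration; the built-in GD font is used so no font file is required.

```php
<?php
// captcha.php -- added example, not the article's own code. Included by the form
// page, the image endpoint and the submission handler (names are assumptions).
declare(strict_types=1);

// Alphabet with easily confused glyphs removed: 0/O, 1/I/L, 2/Z, 5/S, 8/B.
const CAPTCHA_ALPHABET = 'ACDEFGHJKMNPQRTUVWXY34679';
const CAPTCHA_LENGTH   = 6;
const CAPTCHA_KEY      = 'captcha_code';   // session key, never exposed to the client

function captcha_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Random code from the restricted alphabet using random_int() (CSPRNG), not rand().
function captcha_generate_code(int $length = CAPTCHA_LENGTH): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

// Form page: call on every (re)load. Overwrites any earlier code so a reload
// never leaves a stale value, then echo <img src="captcha_image.php"> in the form.
function captcha_start(): string
{
    captcha_session();
    unset($_SESSION[CAPTCHA_KEY]);
    $_SESSION[CAPTCHA_KEY] = captcha_generate_code();
    return $_SESSION[CAPTCHA_KEY];
}

// Image endpoint (captcha_image.php): render whatever code the session holds.
// The endpoint never mints a code itself and never accepts one via GET.
function captcha_image_endpoint(): void
{
    captcha_session();
    if (empty($_SESSION[CAPTCHA_KEY])) {
        http_response_code(404);
        exit;
    }
    captcha_render_png($_SESSION[CAPTCHA_KEY]);
}

function captcha_render_png(string $code, int $width = 180, int $height = 60): void
{
    $img = imagecreatetruecolor($width, $height);
    $bg  = imagecolorallocate($img, 225, 225, 215);
    imagefill($img, 0, 0, $bg);

    // Background artwork in a tone close to the text colour, so simple
    // thresholding cannot cleanly separate glyphs from the background.
    for ($i = 0; $i < 8; $i++) {
        $c = imagecolorallocate($img, random_int(90, 150), random_int(90, 150), random_int(90, 150));
        imageline($img, random_int(0, $width), random_int(0, $height),
                  random_int(0, $width), random_int(0, $height), $c);
    }
    for ($i = 0; $i < 300; $i++) {          // speckle noise
        $c = imagecolorallocate($img, random_int(120, 200), random_int(120, 200), random_int(120, 200));
        imagesetpixel($img, random_int(0, $width - 1), random_int(0, $height - 1), $c);
    }

    // Each character at its own vertical offset, colour and spacing (GD font 5 is 9x15 px).
    $x = 15;
    for ($i = 0, $n = strlen($code); $i < $n; $i++) {
        $fg = imagecolorallocate($img, random_int(60, 120), random_int(60, 120), random_int(60, 120));
        imagechar($img, 5, $x, random_int(10, $height - 25), $code[$i], $fg);
        $x += random_int(20, 26);
    }

    // Defeat browser and proxy caches so a reloaded form never shows an old image.
    header('Content-Type: image/png');
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
    imagepng($img);
    imagedestroy($img);
}

// Submission handler: consume the code whether or not the answer is right (one
// attempt per image) and compare in constant time.
function captcha_verify(?string $userInput): bool
{
    captcha_session();
    $expected = $_SESSION[CAPTCHA_KEY] ?? null;
    unset($_SESSION[CAPTCHA_KEY]);
    if ($expected === null || $userInput === null) {
        return false;
    }
    return hash_equals($expected, strtoupper(trim($userInput)));
}
```

Wiring: the form page calls captcha_start() before emitting `<img src="captcha_image.php" alt="">` and an `<input name="captcha" autocomplete="off">`; captcha_image.php consists of `require 'captcha.php'; captcha_image_endpoint();`; and the receiving script rejects the POST when `captcha_verify($_POST['captcha'] ?? null)` returns false. Because the code lives only in the session and is discarded after the first check, an attacker who scripts the POST directly still has to solve a fresh image for every attempt.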
Graphic blockers can be customized to use any font and to contain logos, so they are consistent with the website theme. Various methods of skewing the text can be employed, in combination with different sizes, fonts, colors and styles, so that the characters differ from one image to the next. Whichever combination of techniques the PHP programmer uses, graphic blockers diminish the chances that your website will be damaged or abused by form spammers.