vineri, 26 noiembrie 2010

[Updated] How to Add ReCAPTCHA to Your Contact Form Script: Reducing Spam in Your Contact Form

Over the years, I have received many requests from webmasters to add some sort of spam filtering capability to the contact form script generated by the Free Feedback Form Script Wizard. The reason, of course, is that spammers nowadays send automated computer programs, called "spam bots", to scour the web for feedback forms to dump spam into. As such, if your email software or email service doesn't have extensive spam removal facilities, you will probably be inundated by spam submitted through your own contact form.

This article teaches you how you can add a basic spam reducing facility, called the CAPTCHA test, to the feedback form generated by the wizard. You've probably encountered such tests before: after filling in a contact form, you are usually required to enter some string of letters or numbers to prove that you are a human and not a spam bot. If you don't know what I'm talking about, take a look at one such form at the Feedback Form with CAPTCHA Demo page.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The idea is to create a test that any human can pass easily but computer programs will fail. It is useful for things like feedback forms since you want humans to be able to send you feedback, but you don't want spam programs to send you its junk.

There are many different types of CAPTCHA tests around. One type, which is the sort we will use here, places a series of words in a graphical image and asks your human visitor to enter the words he/she sees. The hope is that most computer programs won't be able to "see" the words (since programs can't actually "see" anything) and so will be unable to give the correct answer.

Of course this is not foolproof. There are a number of ways to defeat this, such as to incorporate optical character recognition (OCR) technology into the spam bots, or to employ cheap (human) labour to decode it, etc. However, the plan is that having such a test will at least reduce some of the spam entering your mail box by weeding out the less sophisticated spam bots wandering around the Internet.

This article is for the ordinary non-technical webmaster, who simply wants to add a CAPTCHA test to their web form. It is NOT for the programmer who wants to learn how to implement their own CAPTCHA test.

If you are a programmer, looking for a way to create your own CAPTCHA test, you may want to check out the following, more relevant, articles:

If you don't want to reinvent the wheel, you may also be interested in checking out the Free PHP CAPTCHA Scripts page to see how others have implemented the CAPTCHA facility for their form. For the curious, I have simply used the ReCAPTCHA script linked to on that page for my form.

Before you rush out to add the CAPTCHA test, note that there are important disadvantages to adding this CAPTCHA test.

By default, the basic feedback form created by the Feedback Form Script Wizard (when you don't enable the CAPTCHA test) is totally self-reliant. That is, as long as your website is running, your feedback form will also be running. If your website is down, then of course your form will also be down. But then, so will the rest of your website, so you don't have to worry about visitors going to your feedback form and finding that it doesn't work.

If you enable the CAPTCHA test in the feedback form, however, your form will become dependent on a third party service run by the Carnegie Mellon University and Google, called ReCAPTCHA. They supply the pictures that will be shown in your form. When your form is displayed, the feedback form script requests a new picture from ReCAPTCHA. After your visitor enters his/her answer to the "security" challenge test, the letters/words typed by him/her will be sent to the ReCAPTCHA website. They will then respond by telling the feedback form script whether or not the answer is correct.

(Don't worry. Only the "secret" words, the CAPTCHA words, are actually sent to ReCAPTCHA. Your visitors' messages are not transmitted to them.)

This means that if the ReCAPTCHA service is bogged down in some way, the display of your feedback form will become very sluggish (because the pictures won't load). If the network connection between your website and the ReCAPTCHA service has problems, your form will not work (since the script won't be able to get the answer checked). If the ReCAPTCHA service ever closes, your visitors will no longer be able to successfully send you feedback.

And you can't rely on your users to tell you that there's a problem with your feedback form. After all, it's your feedback form that has problems so they won't be able to reach you at all.

Having said that, before you give up in despair, the ReCAPTCHA service appears to be used by tons of websites all over the world, seemingly without problems. It has also worked flawlessly when I tested it. But that doesn't mean bad things can't happen in the future. You'll just have to decide for yourself whether you want to take the risk or not.

Most CAPTCHA tests have a major flaw. Because of their visual nature, the blind are unable to enter those cryptic words in the pictures. The good thing about the ReCAPTCHA test (and one of the main reasons why I chose this particular CAPTCHA implementation over the others) is that it has an audio facility for the blind. A blind person, encountering your form, should theoretically be able to click the audio file link and hear an audio message which he/she can transcribe into the test field. So in that sense, the ReCAPTCHA test does not exclude the blind from using your form.

Unfortunately, in spite of this, it still excludes those who are both deaf and blind, who surf the web using tactile displays (eg, Braille displays). That is, if you can neither see a picture nor hear words spoken in the audio file, the form is completely inaccessible to you.

Please bear this in mind before you rush out to enable the CAPTCHA option in the Wizard. As you scrabble about under an avalanche of spam, looking for a way to solve your spam problems, remember that this solution may cause others problems. It is not ideal, since it excludes some people from your form.

If your email server and software has sufficiently good spam filters that has warded off spam in the past, and you think you don't really need the CAPTCHA facility, perhaps you should consider holding off on it. Otherwise, you may be introducing a problematic cure for a non-existent disease. But it's up to you, of course. I just wanted to make sure you have enough information to make an informed decision.

To enable the CAPTCHA option in the feedback form generated by the wizard, do the following.

Go to the ReCAPTCHA website, and sign up for an account. The service is free, or at least it was when I wrote this article. (If it ever stops being free, please let me know and I'll modify the wizard to use a different CAPTCHA facility.) You'll be required to supply a username, password, your email address and your website's domain name.

When you've finished signing up, you will be given two strings of cryptic letters and numbers. These are your public and private "keys". You will need to enter these keys into the Feedback Form Wizard, so I recommend that you keep the ReCAPTCHA web page open, so that you can just copy and paste the strings. Don't type them manually or you may introduce typing errors and give the wrong keys to the wizard.

Go to the Free Feedback Form Wizard. Read the instructions and the terms of use and fill in the details requested. (You'll have to choose the PHP script because I haven't got around to implementing the facility in the Perl version.)

When you reach the "Advanced Options", enter your ReCAPTCHA public and private keys in answer to the question "To enable the CAPTCHA test, please enter both your ReCAPTCHA Public Key and your ReCAPTCHA Private Key". Be sure to enter them into the correct blanks: that is, make sure that your public key goes into the "Public Key" field and your private key goes into the "Private Key" field. These keys have to be integrated into the form and script that is created by the wizard, which is why they are requested. (Don't worry. Like all the other data you enter into the wizard, they are not recorded anywhere, not even in my web logs. As the ReCAPTCHA site so aptly puts it, I'm trying to help you block spam, not introduce it.)

Follow the rest of the instructions in the wizard to create your feedback form HTML code and feedback form script. Do not close this window.

Since you enabled the CAPTCHA facility, the feedback form script needs an additional program file provided by the ReCAPTCHA website. (Note: if you did not enter your public and private keys into the wizard, you do NOT need to get this file. This file is only needed if you have enabled the CAPTCHA test.)

Go to the ReCAPTCHA library site and download the file. That is, just click the link labelled "" to get the file onto your own computer. Save it anywhere on your computer (eg, your desktop). This applies to you whether you are using Windows, Mac OS X, Linux, or whatever.

When the file has been successfully downloaded, open the zip file. On Windows XP and above, this is done by simply double-clicking the file. A folder window should open, showing another folder called recaptcha-php-1.10. Double-click that folder as well. You should now see 5 files listed in your window.

Drag the file named "recaptchalib.php" from the window to the same location where you saved the "feedback.php" file generated by the Feedback Form Wizard. Later, when you publish/upload your feedback.php file, you will need to publish/upload this file as well. It is to be uploaded to the same folder as your feedback.php file. Let me say that again. The recaptchalib.php file is to be placed in the same location as your feedback.php on your website.

You can ignore all the other files in the zip file. You don't need them. In fact, once you've copied the recaptchalib.php file, you can delete the zip file if you want.

(Note: if you use Windows, and can't find the "recaptchalib.php" file, it's possible that Windows has hidden a part of the filename [namely, the file extension] from you. Consider configuring Windows to show you the full filename instead of hiding it. As a webmaster, you have to deal with all sorts of files with different extensions that have different behaviour depending on the extension, so it's best not to blind yourself to the true filename.)

Do the rest of the stuff mentioned by the feedback form wizard for creating your feedback.php file and inserting your form code into your web page. Then upload (publish) everything (including the feedback.php and recaptchalib.php files) to your site. Detailed instructions for doing this can be found in the usual feedback form tutorials (as well as in the results page of the Feedback Form Wizard):

Note that those tutorials do not mention the recaptchalib.php file, since they only deal with the main feedback form script. However, as I said above, just copy the file to the same place you saved the feedback.php file, and upload it together with the rest of your website.

You may also want to modify your "Error" page to help people failing the CAPTCHA test (it happens). See the error page on the Feedback Form with CAPTCHA Demo for an example of the sort of things you can say.

That's it. Once the form is "live" on your website, test your form by sending yourself a message.

If you ever want to remove the CAPTCHA test from your feedback form, you will need to return to the Feedback Form Wizard to generate a new form and script. Do not use your web editor to delete the picture from your web page. Doing so will only remove the picture; the feedback form script will still be expecting a CAPTCHA code answer. You need to regenerate everything, that is get a new script that doesn't test for the CAPTCHA answers and new HTML form code that does not have the CAPTCHA picture. This time, when you use the wizard, do not enter your public and private ReCAPTCHA keys, or the wizard will think you want the CAPTCHA test.

It's all free, so don't be lazy, or you'll waste even more time trying to get your self-made modifications to work.

From my testing of the ReCAPTCHA test, it seems that if you enter the wrong words in the CAPTCHA test and get the error page, you cannot simply return to the form and enter the same set of words again, this time correctly. Once you fail the test, you will have to reload the CAPTCHA picture to get a new set of words. Otherwise the ReCAPTCHA site will continue to tell the script that you failed the test. (Yes, even if you entered the right words the second time around.)

This probably won't affect many real visitors, but it will definitely affect you, the webmaster, since you're likely to want to test your form by entering the wrong words. (Real visitors usually just enter the correct words if they can. The owner of the site, however, needs to test the "fail" scenario.)

As mentioned above, the CAPTCHA facility needs to be able to connect to the ReCAPTCHA site for the latter to check the CAPTCHA answers made by your visitors. Many free web hosts do not allow PHP scripts to open any connection to other sites. As such, if you use a free web host, there is a chance that enabling the CAPTCHA option will cause your form to fail to work. In such a case, go back to the wizard and generate a new form and script, this time without CAPTCHA support (that is, don't enter your ReCAPTCHA public and private keys into the form).

This doesn't mean that the CAPTCHA-less script will work either, since a large number of free web hosts also do not allow scripts to send mail either. If this is the case, you may either have to dispense with a contact form, or move your site to a commercial web host.

If you test your form and get the following error messages (the exact details such as path and line number may differ):

Warning: require_once(recaptchalib.php) [function.require-once]: failed to open stream: No such file or directory in /path/feedback.php on line 106
Fatal error: require_once() [function.require]: Failed opening required 'recaptchalib.php' (include_path='.:/path/php') in /path/feedback.php on line 106

it means that you either did not get the recaptchalib.php file that I mentioned above, or you did not upload it to the same place as your feedback.php file. Go back to that section and complete that step.

The ReCAPTCHA private key that you enter in the wizard is embedded into your customized feedback form script (the program). The public key is inserted into the feedback form itself (the HTML code for the web page). The public key is used to get the CAPTCHA words from ReCAPTCHA for display. It's called the "public key" because it's not really a secret. It is only used to retrieve the pictures. The answer to the pictures will not be supplied to any program using that key. The private key, on the other hand, is used by the feedback form script to tell ReCAPTCHA that it is really your own legitimate feedback form that is asking it to check the answer. ReCAPTCHA needs a private key so that it can distinguish between a legitimate program running on your website from a spam bot sneakily trying to find out the CAPTCHA words.

You don't have to worry when you see your public key in your HTML form code. That's the way it's supposed to be. However, if you see your private key in your HTML form code, that means you've entered the wrong keys into the wizard. That is, you may have entered your private key into the public key field in the wizard. Note that the wizard is not omniscient. It doesn't know what your keys are supposed to be. It blindly uses whatever you enter. If you supply it the wrong keys, then your form and script will contain those wrong keys.

This item is for those who get the following message on your feedback form page:

You are at this page because you loaded the JavaScript free version of reCAPTCHA, but it looks like you have JavaScript. We need to prevent this for security reasons. If you are testing out the JavaScript-free version, turn off JavaScript in your browser.

Although this message seems to suggest to a number of people that there is a problem with their browser settings, my experience is that this is not the case. However, if you don't believe me, there's a simple way to rule out your browser as the cause: go to the CAPTCHA demo page in the same browser that showed the error. The CAPTCHA demo page uses the unmodified code that is generated by the wizard. If you don't see any error message on that page, but see one on your own feedback form, it means that it's not your browser settings that is causing the problem.

As far as I can tell, this error message is issued by the ReCAPTCHA service when you incorrectly modify important parts of the HTML form code generated by the Feedback Form Wizard. The solution is to return to the wizard and generate a fresh copy of the feedback form HTML code. Plug that pristine copy, unmodified, into your form page and test again. The error should disappear. Then, if you really must modify the form, use one of my detailed feedback form tutorials as a guide so that you don't accidentally change critical portions that are needed for it to work properly.

If the entire CAPTCHA test does not appear in your feedback form, and all you see is the plain feedback form without any CAPTCHA test at all (the whole CAPTCHA section is missing), it probably means one of two things:

You created your feedback form (at least) twice. The first time you did it, you created a form without the CAPTCHA test and tried it out on your site. Then you changed your mind and created a new form with a CAPTCHA test. However, the second time round, you failed to update everything.

If you change your mind and switch from a CAPTCHA-less form to one with a CAPTCHA, you must update everything on your website: the feedback.php and recaptchalib.php script as well as the HTML code for your feedback form. To reiterate, not only must the new php files be uploaded, you must also change the HTML form code on your web page. The code is different.

The second possibility is somewhat similar to the first. You created your feedback form at least twice, the first time without the CAPTCHA and the second with it. Your web browser could be showing you an old copy of your web page, from the time when you didn't have the CAPTCHA test. Web browsers usually save a copy of recent web pages you accessed in their internal cache. If you revisit a page you recently checked, it's possible that your browser is still displaying that cached version. You will need to reload (or refresh) the page in your browser. On most browsers, hitting Ctrl+R should do the trick (where "Ctrl+R" means to hold down the Ctrl key and type "r").

If you change the domain name of your website, you will find that ReCAPTCHA will refuse to test the CAPTCHA words on your new domain. For example, you may get an error message like "Input error: Invalid referer". This error occurs because the ReCAPTCHA service expects a different set of public and private keys for every domain. To solve this, do the following:

Log into your ReCAPTCHA account and go to the page on their system that lists all your sites using ReCAPTCHA. At the time I write this, that page can be found at this link.

Add your new domain to that list using the appropriate link on that page. At the time I write this, there is a button or link on the page that says something like "Add a new site". You will be given a new set of public and private keys that will only work on that new domain.

Return to the Feedback Form Wizard and generate a new form and script using the public and private keys for that domain.

Insert the new form code into your web page, and republish (re-upload) both that web page and the new script that is provided.

If you encounter other types of errors or problems, please check out the Frequently Asked Questions (FAQ) about the Feedback Form Wizard.

The CAPTCHA test is probably one of the most frequently requested feature for my feedback form script, probably because there are so many beleaguered webmasters struggling with spam. Following the steps given in this CAPTCHA guide will allow you to add the test to your web form without having to learn any programming at all.

Copyright © 2009-2010 by Christopher Heng. All rights reserved.
Get more free tips and articles like this, on web design, promotion, revenue and scripting, from

Do you find this article useful? You can learn of new articles and scripts that are published on by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at You can read more about how to subscribe to RSS site feeds from my RSS FAQ.

This article is copyrighted. Please do not reproduce this article in whole or part, in any form, without obtaining my written permission.

To link to this page from your website, simply cut and paste the following code to your web page.

It will appear on your page as:

How to Add a CAPTCHA Test to Your Feedback Form Script: Reducing Spam in Your Contact Form

Copyright © 2009-2010 by Christopher Heng. All rights reserved.
thesitewizard™, thefreecountry™ and HowToHaven™ are trademarks of Christopher Heng.
Last updated: 18 October 2010.

View the original article here

Niciun comentariu:

Trimiteți un comentariu