- IRT Division
- Vice President & Chief Information Officer
AIRC Rm 3010 (map)
Sacramento State Policies & Guidelines
- Systemwide Policies
- Information Security
- Service Request Forms
- Using Sac State Servers
- Content Management (WCM)
- Systems Status Update Procedure
- QuikRef Guides
- Workshop Handouts
- CAS Information
- Web Services Staff
Tips & Tricks
Reducing Spam that Comes from Form Submissions
Putting a form online invariably means that a spammer somewhere will flood it with bad information. Sometimes this spamming is harmless, and only an attempt to get more email addresses. Other times, it's malicious; spammers are hoping to put harmful information in an application's database, or expose a weakness in the architecture of the application.
To combat this, many sites use a CAPTCHA. Captchas are tests that, presumably, only a human being can pass.
Visual captchas like this are very common, but are inaccessible to users with visual or cognitive disabilities. Also, they require additional application programming to randomize what image is presented.
The recommended, easiest solution for forms is to use a honeypot. Essentially, the trick is to create a form field that is blank and hide it from users, but not from automated bots. If the field is blank when submitted, that means that a human filled it out, since they didn't know it was there in the first place. If the field has a value, that means a bot has filled it out.
<label for="email2" class="special">Are you a human being? (leave blank if yes)</label>
<input type="text" id="email2" name="email2" class="special" />
This is the most basic form of a honeypot. The "special" class (which shouldn't be called something like "honeypot" or "hide") is a CSS class that is simply "display:none". This hides the label and text field from visual users as well as screenreaders. If the user has CSS off, they will be able to interpret the instructions to leave the field blank, while a bot would continue to pump garbage into the form.
When processing the form, simply check for a value in the "email2" parameter. But if there is something and the form should be rejected, don't give a clue to the bot. A simple message of "Thanks for submitting your form. We'll be in contact shortly." is sufficient. If the bot thinks it's failed, it'll definitely try again (it probably will anyways, but here's hoping).
It's important to note that this is not a foolproof design - no captcha is. But honeypots are a simple, largely accessible way of reducing spam submissions to your forms.
Information Resources and Technology | Sacramento State | 6000 J St | Sacramento, CA, 95819-6065 | AIRC Building | 916.278.7337
If you have difficulty accessing content on this page, please contact the webmaster.