bcSpamBlock is a very simple and lightweight way to block the vast majority of spambots from completing web-based forms. For most users (those who have Javascript enabled) it is completely transparent to the visitor. For users with JavaScript disabled, they need to cut and paste a small string into a textbox (similar to a Captcha, except they can copy/paste it)

bcSpamBlock was written to be as lightweight as possible. It is 33 lines of PHP code and does not require PHP Sessions, a database, or any file access. It uses the standard PHP crypt() and md5() functions along with some salt to verify that the submission is valid. It is similar in function to TCP syncookies in that it doesn't need anything stored on the server to verify the authenticity.


The standalone include file - If you are a PHP developer and want to include bcSpamBlock on your site
View the standalone include file - With syntax highlighting
WordPress Plugin - A simple WordPress plugin to protect your WordPress blog from comment spam


A simple working example is available Here
Source code for the sample is available Here

Sample Usage

//When displaying the form, do something like this:
    <form action="whatever.php" method="POST">
    ... your normal form inputs here ...
    <?php bcspamblock_generate(); ?>
    <input type="submit">

//To validate, so something like this
    if(! bcspamblock_validate()) {
        print "Spamblock verification failed!";
        // Preferrably do something nicer here

How it works

The function generates a Random ID. It then encrypts the current timestamp and the random ID using PHP's crypt() function with some cryptographic salt that is unique to each server. All three of those values (the random ID, the timestamp, and the encrypted value) are then passed to the browser. The timestamp and the encrypted value are stored in hidden <input> fields, while the random ID displayed for the user for verification. If the user has JavaScript enabled, a few lines of JavaScript copy the random ID into another textbox, and then hide the prompt, so that it is never seen by the user. If the user doesn't have JavaScript enabled, the would have to copy/paste that random ID into the textbox themselves, similar to a captcha.

When the form is submitted, it checks to make sure that the timestamp is not too old, and then re-encrypts the passed in timestamp and random ID using the same salt value to make sure it matches the crypted value passed in from the form. If everything matches, the comment is approved, otherwise an error is displayed to the user.

This was made as simple and compatible as possible. It doesn't require PHP sessions, a database table, flat files, or any other tracking method on the server

The original idea for the javascript portions of this were taken from the excellent JS SpamBlock Wordpress plugin by Paul Butler (http://www.paulbutler.org/)


Please submit comments regarding bcSpamBlock on my blog post annonouncing it id="begin-footer">