One easy trap we can add is a fom element hidden by CSS. Humans won’t be able to see the element, but bots will find it in your form HTML and will submit something to it. Right there you will be able to distinguish a bot from a normal user and ignore the request.

<input type="text" name="email2" style="visibility: hidden;">

<?php if (!empty($_POST['email2'])) { return false; } ?>

Another check you can place is based on a “fingerprint” I detected from one seemingly popular spam bot. This particular bot would use your own domain in its email addresses. If it doesn’t make sense for someone within your organization to submit a form (such as a contact form) using your domain, you can ignore those posts.

<?php if (strpos($_POST['email'], 'YOURDOMAIN.COM') !== false) { return false; } ?>

Another trap we can use catches bots trying to hack your email forms. These bots will post mail headers to your email forms in an attempt to use your server to send out email spam. The way to catch these spam bots is to ensure that fields that should only be one line, particularly the email and subject fields, are in fact one line. This hack works by adding new lines into mail headers, and your form should be using one line text inputs for those fields. Any multi line data automatically gives away this attack.

<?php if (strpos($_POST['email'], "\n") !== false) { return false; } ?>

“Dumb” bots will also generally just crawl your pages to find forms, then submit to the form page using their own methods. More specifically, they won’t be actually submitting the page your form is on, they simply send their own request to make it seem like they did. This is useful to know for the next two traps.

The first trap is to use Javascript to insert elements into your form that the bot’s won’t know about. This is essentially the opposite of the first technique where we want bots to know about fields. In this case you can use Javascript to outut a real form field or hidden field that will be submitted when someone submits your form page, but not when a bot doesn’t use your form. The below code would go somewhere in between your <form></form> tags.

<script language="Javascript">document.write('<input type="text" name="Email"/>');</script>

The bot would never see this but you would expect to find it on your form page.

The next technique that takes advantage of the bots not actually submitting your form page is to set a session or cookie variable on the form page and verifying it in the submit code.

<?php
$strCode = md5($_SERVER['REMOTE_ADDR'] . date('YmdHms'));
session_start();
$_SESSION['check'] = $strCode;
?>

<input type="hidden" name="code" value="<?php echo $strCode; ?>"/>

Then on your form submit page you would check to see if the code field matched the session, like so:

<?php if ($_SESSION['code'] != $_POST['code']) { return false; } ?>

This method can be expanded upon so that the actual code isn’t being passed in the form, but pieces of it along with other identifying characteristics like User Agent. Your PHP code would then re-assemble the pieces to see if they matched the session. Another idea would be to set an expiration on the date, so that the form code is only valid for a certain period of time.

The following is an example of a page that employees several of the above techniques.

<?php
$strCode = md5($_SERVER['REMOTE_ADDR'] . date('YmdHms'));
session_start();
$_SESSION['code'] = $strCode;
?>

<html>

<head><title>Contact</title></head>

<body>

<form method="post" action="submitcontact.php">

<input type="hidden" name="code" value="<?php echo $strCode; ?>"/>

Name: <input type="text" name="Name"/><br/>
Email: <script language="Javascript">document.write('<input type="text" name="Email"/>');</script><br/>

<input type="text" name="Email2" style="visibility: hidden;"/>

Message: <textarea cols="40" rows="3"></textarea>

<input type="submit" value="Send"/>

</form>

</body>

</html>

And now the code that handles and validates your form:

<?php

Contact();

function Contact() {
 $strName = $_POST['Name'];
 $strEmail = $_POST['Email'];
 $strEmail2 = $_POST['Email2'];
 $strCode = $_POST['code'];
 
 // Catch Hidden Input
 if (!empty($strEmail2)) {
  return false;
 }
 
 // No Javascript Input?
 if (strlen($strEmail) < 1) {
  return false;
 }
 
 // Email Should be One Line
 if (strpos($strEmail, "\n") !== false) {
  return false;
 }

 // Email Shouldn't Be From Our Domain
 if (strpos($strEmail, 'infinetsoftware.com') !== false) {
  return false;
 }

 // Code Doesn't Match?
 if (empty($_SESSION['code']) || $_SESSION['code'] != $strCode) {
  return false;
 }
 
 // Passed All Tests, Carry on here...
}

?>

Other methods you can employ include Captchas like reCaptcha or tests like the Wordpress plugin Did You Pass Math? These methods are all traps to catch spam bots that crawl the internet and submit any form they find. If someone was determined to spam your particular site, some of these methods would easily be deafeted, but that little effort will deter almost all of the spam you will encounter.

We’ll use a simple login form for our example with a hardcoded username and password to keep things short. You’re on your own for adding the code to connect to your database to check login credentials.

First we’ll assume a basic, non AJAX PHP login page with the following code:

<?php
define('Username', 'ADMIN');
define('Password', 'ADMIN');
$strAction = $_GET['Action'];
if (strtoupper($strAction) == 'LOGIN') {
 TryLogin();
}
function TryLogin() {
 global $strUsernameVal, $blnLoginErr;
 $strUsernameVal = $_POST['Username'];
 $strPasswordVal = $_POST['Password'];
 if ($strUsernameVal == Username && $strPasswordVal == Password) {
  // Success
  header('Location: index.php');
 }
 else {
  // Invalid Login
  $blnLoginErr = true;
  return false;
 }
}
?>
<html>
<body>
<?php if ($blnLoginErr) { ?>
<p>Error: Invalid login details. Please try again.</p>
<?php } ?>
<form name="Login" method="post" action="login.php?Action=Login">
Username: <input type="text" name="Username" value="<?php echo htmlspecialchars($strUsernameVal); ?>"/><br/>
Password: <input type="password" name="Password"/><br/>
<input type="submit" value="Login">
</form>
</body>
</html>

This page will submit to itself and check the form login details against the defined username and password. If the credentials don’t check, it sets a global page error which is displayed when the page is displayed.

Now to add the Ajax part, we will be using the Prototype library and its Ajax classes. Download Prototype and include the script in the <head></head> section of your login page. Next add the following Javascript also to the head section of your page:

<script language="Javascript">
function TryLogin() {
 var objForm = document.forms['Login'];
 
 if (!objForm) {
  return true;
 }
 
 var strUsernameVal = objForm.elements['Username'].value;
 var strPasswordVal = objForm.elements['Password'].value;
 
 
 if (strUsernameVal.length < 1 || strPasswordVal.length < 1) {
  var strError = 'Please fill in all required fields.';
  alert(strError);
  return false;
 }
 
 var objParams = {
  method:'post',
  parameters: 'Username=' + strUsernameVal + '&Password=' + strPasswordVal
 }
 var objRequest = new Ajax.Request('ajaxlogin.php', objParams);
 return false;
}
</script>

This script grabs the login details from your login form and uses the Prototype Ajax class to post them to an Ajax login script appropriately named ajaxlogin.php. We will now link your login form to the Javascript TryLogin() function. Add the following code inside your <form> opening tag:

onSubmit="return TryLogin();"

This will direct your form to the Javascript function or fall back on the standard login if the Javascript is not supported.

You will now need to create a new PHP script called ajaxlogin.php with basically the same login function as login.php, only it will output Javascript that will be executed by the Prototype Ajax class. The following code should be the code for ajaxlogin.php.

<?php
define('Username', 'ADMIN');
define('Password', 'ADMIN');
header('Content-type: text/javascript');
TryLogin();
function TryLogin() {
 global $strUsernameVal, $blnLoginErr;
 $strUsernameVal = $_POST['Username'];
 $strPasswordVal = $_POST['Password'];
 if ($strUsernameVal == Username && $strPasswordVal == Password) {
  // Success
  echo("location.href='index.php';");
 }
 else {
  // Invalid Login
  echo("alert('Invalid login details. Please try again.');");
 }
}
?>

If you notice, the two key differences in this script than your original login page is where the ContentType is set to Javascript and the Javascript that is outputted on login success or failure. The Prototype Ajax class will execute this Javascript on your login page. Keep in mind that anything you want to send from this script must be outputted as Javascript.

The new login.php script would look like this:

<?php
define('Username', 'ADMIN');
define('Password', 'ADMIN');
$strAction = $_GET['Action'];
if (strtoupper($strAction) == 'LOGIN') {
 TryLogin();
}
function TryLogin() {
 global $strUsernameVal, $blnLoginErr;
 $strUsernameVal = $_POST['Username'];
 $strPasswordVal = $_POST['Password'];
 if ($strUsernameVal == Username && $strPasswordVal == Password) {
  // Success
  header('Location: index.php');
 }
 else {
  // Invalid Login
  $blnLoginErr = true;
  return false;
 }
}
?>
<html>
<head>
<title>Login</title>
<script language="Javascript" src="prototype.js"></script>
<script language="Javascript">
function TryLogin() {
 var objForm = document.forms['Login'];
 
 if (!objForm) {
  return true;
 }
 
 var strUsernameVal = objForm.elements['Username'].value;
 var strPasswordVal = objForm.elements['Password'].value;
 
 
 if (strUsernameVal.length < 1 || strPasswordVal.length < 1) {
  var strError = 'Please fill in all required fields.';
  alert(strError);
  return false;
 }
 
 var objParams = {
  method:'post',
  parameters: 'Username=' + strUsernameVal + '&Password=' + strPasswordVal
 }
 var objRequest = new Ajax.Request('ajaxlogin.php', objParams);
 return false;
}
</script>
</head>
<body>
<?php if ($blnLoginErr) { ?>
<p>Error: Invalid login details. Please try again.</p>
<?php } ?>
<form name="Login" method="post" action="login.php?Action=Login">
Username: <input type="text" name="Username" value="<?php echo htmlspecialchars($strUsernameVal); ?>"/><br/>
Password: <input type="password" name="Password"/><br/>
<input type="submit" value="Login">
</form>
</body>
</html>

You should now have a working Ajax powered login form. If Javascript is supported, the form will be submitted via Ajax to your ajaxlogin.php script, which will either direct the login user to the protected area of your site or alert them of invalid credentials. If Javascript is not supported, the old, boring login will be the fallback.

From here you will need to add the code to connect to your database for login credentials. You will also want to add the cookies or session code to actually log the user in. The script in its current state simply redirects the user on a successful login or alerts them of an unsuccessful one.

The method we will be using to output Office compatible documents is simple enough - outputting standard HTML. Office has extensive HTML support and will gladly read the HTML you send to Office programs like Word or Excel. The topic we will cover in the article is how to get Word or Excel to open your documents.

The first and easiest method to outputting Word or Excel documents would be to simply save your output structured as text/HTML to a file as you normally would, giving it a Word extension of .DOC or an Excel extension of .XLS. Then you can link to this file and when the user downloads or opens it, it will open in Word or Excel on their computer if they have the program installed.

<?php
$objFile = fopen('FILENAME.DOC', 'w');
fwrite($objFile, $FILECONTENTS);
fclose($objFile);
?>

The second method will take advantage of HTTP headers to tell the browser your scipt will be outputting an Excel or Word document. The browser will then either display or download the content you output.

To tell the browser you will be outputting a Word document, use the following line of code:

header('Content-Type: application/msword');

To tell the browser you will be outputting an Excel document, use the following line of code:

header('Content-Type: application/vnd.ms-excel');

It’s important to note that headers must be sent prior to any other content, so it’s recommended to place this code at the beginning of your script. Another useful header your script can send will force the browser to download and not display the document in browser. The following line of code will do that and even prefill the filename.

header('Content-Disposition: attachment;filename=FILENAME.DOC');

And there you have it. You can now output an HTML formatted document as you normally would and Microsoft Word or Excel will parse and display it.

ContentType

The first thing we need to do is set the appropriate file type so that the
browser knows what to do with the file. We do this using the ContentType setting
of the Response object. For Word, the content type is application/msword. For
Excel, its application/vnd.ms-excel. So we would use the either of the lines
of code below for Word or Excel documents, respectively. This line must come before ANY
data is output.

If the user is using Internet Explorer, the file will most likely be sent to
an Office plugin that will show it within the browser window. For different
reasons, this can sometimes be annoying for both the user and the programmer. If
you do not want your file to be displayed in the user’s browser window, and
instead want to force the save dialog box to pop up, use the line below right
before/after setting the ContentType.

Writing the File

Since Word and Excel will take text input, we will be outputting our data in the
same way we do with HTML. Actually, the format we will be using is HTML! Even
color formatting, CSS, and meta tags are supported.

For Word, you can just write HTML as you normally would, except you are gearing
it towards Word viewing. HTML tables, CSS, and meta tags are all supported. You
can use the meta tags to set the document properties that Word has, such as Title
and Author. Being in Word, you probably would want to stay away from images
unless you know the user will always be connected to the internet to actually see them.

The same applies for Excel as does for Word except you are writing an HTML
table to make your sheet. You can even use Excels functions by outputting the
function as the table cell value.

As you can see, with the simplicity of writing Word/Excel documents, you can
easily implement them into your site where needed. Other possible uses
include expense sheets retrieved from a database and formatted in
Excel, or printable forms in Word with dynamic user information.

<script src="prototype.js" type="text/javascript"></script>
<script src="scriptaculous.js" type="text/javascript"></script>

Now, on to create the autcompleter in your webpage. Add the following code in your page where the Autocompleter should appear:

<p>
<form>
<input type="text" name="q" id="Search" size="30"/>
<input type="submit" value="Search"/>
</form>
</p>

<div id="SuggestBox" style="border: 1px solid #808080; background-color: #FFFFFF;">&nbsp;</div>

The SuggestBox div is where the search results will appear. You don’t need to worry about CSS positioning, Scriptaculous will automatically display it appropriately below your suggest input.

You will now need to add some Javascript to your page to use the Scriptaculous AutoCompleter and link it to your form and suggest div. Place the following code at the end of your page to enable your autocompleter.

<script language="Javascript">
function AutoComp() {
  var myAutoCompleter = new Ajax.Autocompleter('Search', 'SuggestBox', 'autocompleter.php');
}
document.onLoad = AutoComp();
</script> 

This code creates a new Autocompleter and points it to the input with id “Search”, suggest div with id “SuggestBox”, and a PHP script named “autocompleter.php” located in the same folder on your site as the current page.

Now for the PHP/MySQL part of the article. Create the script named “autocompleter.php” as referenced above. Scriptaculous will use POST and the form input name to pass the search terms to your PHP script, so we will need to reference that for our search.

The following is an exampe of the PHP script you would use to search an “Articles” table in your database. Simply change the SQL as needed to search a different table.

<?php

$strSearchVal = $_POST['q'];

if (strlen($strSearchVal) < 1) {
 return false;
}

// Sanitize User Input for Security
$strSearchVal = mysql_real_escape_string($strSearchVal);

// Connect to your database here:
mysql_connect('localhost', 'user', 'pass') or die(mysql_error());
mysql_select_db('dbname');

$strSQL = 'SELECT ID, Name FROM Articles WHERE (Name LIKE \'%' . $strSearchVal . '%\')';
$result = mysql_query($strSQL);

echo '<ul>';

while ($arrThisRow = mysql_fetch_array($result)) {
 echo '<li>' . $arrThisRow['Name'] . '</li>';
}

echo '</ul>';

?>

And now you should have a working autocompleter powered by PHP and MySQL.

Tips:

• You can better style the SuggestBox list with CSS.
• When using the autocompleter as a search form, you can add links to the list items to take the user to the page when the item is selected, rather than simply populating the search input.