Form security possible?

Hi Duncan,
There were other form related topics, but they were very old. Hope it’s OK to start a new one.

Is it possible to add some form of Form security? I had the form up and running, and was very glad with it because the mailto link resulted in too much spam.

But my hoster warned me that the form is not protected at all. He pointed out the risk “that hackers are able to hack my site with a robot via the form. inserting scripts in the hope that they can get in somewhere… any attempt will result in a spam notification for you.” (translation).

He advised to insert this:

As we are not able to insert this in a Sparkle site, I changed all the contact links to the form into mailto links. I hate spam but also don’t want to facilitate hackers. Hope you can do something about it, because I think no-one wants to invite hackers.

Thanks and best wishes, Karin

I think your host is being a little overly cautious. I’ve never had any real issues with form security with the Sparkle generated PHP script - maybe the odd spam email where a spammer has sat in front of a computer and completed the form manually - usually to see if there is an auto response (spammers love those). Neither am I a great lover of captchas, they can be quite annoying, but a self hosted captcha is way better than say a Google captcha.

If you are concerned about higher levels of security, you can always use a third-party script such as Tectite FormMail. This has a large number of security features that can be turned on or off with minor edits to the script. Personally, I would use the standard Sparkle script and see how it goes. If you start receiving significant quantities of spam, you could redirect your forms to an alias email address which you should be able to set up on your server. These can be changed periodically. As for injecting code via your scripts, this is really only relevant if you use PHP applications in your website where a malicious hacker could get into your entire on-line app and wreak havoc. Sites such as WordPress, Joomla and open source shopping cart applications are very susceptible to this type of hacking. In the case of a Sparkle HTML website, this is not likely to be a major issue.


Hi Frank,

Thanks for your thoughts on this! I am not concerned about spam, as I receive it daily. I’ve had several mailto links on my site for 20 years. I considered the form as a way to finally get rid of the mailto links and besides that, it’s very neat.

It was my hoster who came up with a larger risk: hackers. Maybe because he doesn’t know Sparkle and because my mail account was hacked a few years ago. I will send him your reassurance. I also hate captchas, while using a VPN they are extremely annoying, but the risk of hackers I like less.

I think your web host people have only given a very superficial look at the form. The form is indeed protected, just not with anything concerning site visitors, or in the case of recaptcha, leaking visitor activity to Google.

We hate spam just as much as you all do, and actively pursue any leak of our anti spam measures. If we come to a point where we are unable to, we will implement recaptcha, but right now we are not aware of any significant amount of spam coming through.


Hi Duncan,

I think, what Frank said, he is only afraid of this because of WP and Joomla. I think he didn’t study it thoroughly. I mailed Frank’s answer and now he’s OK with it. I already put the form back online, so it is an opportunity to prove Sparkle is better than the horrible WP and Joomla shizzle :smiley:


Your hoster is right to be concerned, but from my experience not about Sparkle. WP, Joomla, and Drupal are nightmare open source software full of security and privacy holes because of their reliance on third-party plugins and how information is stored in external databases.

Tips for preventing spam with your form:

  • Make all entry fields required

  • Ask a question that requires a choice using a radio button or check box response

  • Use an email address unique to the form so you can identify if the form is the source of spam. Don’t use a common email address such as info@, sales@, or any form of your name. Easy guesses for spammers and they don’t need your form for those.

Hi Jeffrey,

Thanks for your tips! They are useful and I will adapt my form.

As stated earlier, spam is a daily routine because I’ve had a mailto link on my domain for over 20 years. Yeah, with my name in it :sweat_smile: Spam comes and goes in waves, but last week seems to be minimal. Thanks to the form, instead of mailto link…? Maybe, but that remains to be seen in the longer term.

As for the hacking, my hoster doesn’t know Sparkle (these guys never know anything that is Mac-only). He facilitates Wordpress on his servers, so, yes, probably he is afraid of WP and Joomla ghosts.
And like Duncan supposed, he also didn’t really study the form script. After I sent Frank’s reassurance he gave me his blessing immediately :smiley:

I have the same experience, Karin. I will change the email address in my forms to discover if this is the real source of spam.
Thanks everybody for the suggestions.

Hi Ton,

Although my question (or my hoster’s fear) concerned hacking and not spam, it made me aware of the annoying daily routine. I dug deeper into it and found out 100% of the spam of the last few days was sent to an .nl account which I haven’t used for at least 12 years. The only thing that kept me from deleting it was a few old but essential accounts from before. It took me less than 1 hour to change my mail address in these accounts. After that I deleted the email address.

It is a great idea to look where the spam is sent to. In my case it certainly didn’t have anything to do with Sparkle forms or even mailto links on my site for the last 12 years, which used a different domain. I remember in the nineties there were actual people making a business of looking for email addresses to burn them on CD and sell them. Somehow these files still circulate.

So, I consider it a positive side effect of Sparkle to finally get rid of it :sweat_smile: