[eluser]Moon 111[/eluser]
[quote author="HdotNET" date="1222458049"]Most bots harvest your form and post to it remotely. You can do checks on referrer, etc., but these can be spoofed. I've been using this for years:
Code:
<input type="hidden" name="HASHCODE" value="1" />
HASHCODE is created as follows:
Code:
$hashcode = md5(date('Y-m-d').'some_string');
After post just look for
Code:
$_POST[md5(date('Y-m-d').'some_string')];
This way, any harvested form will only work for a maximum of 24 hours.
The downside is that if a visitor loads the form at 23:59 and posts it at 01:01 then it will fail.[/quote]
Easily bypassed I'm afraid... Hidden fields aren't as hidden as you think.
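
Added example, not part of the thread or either poster's code: a signed, timestamped variant of the quoted token that measures age from issue time instead of the calendar date, so the 23:59 to 01:01 case passes while the 24-hour limit on harvested forms stays. `FORM_SECRET`, `MAX_AGE` and the function names are hypothetical; as the reply points out, the token is visible to any client that loads the form, so this only limits replay of a stale copy.

```php
<?php
// Assumption: hypothetical server-side key; load it from configuration in practice.
const FORM_SECRET = 'replace-with-random-server-side-secret';
// Same 24-hour lifetime as the quoted scheme, counted from issue time.
const MAX_AGE = 86400;

// Build the hidden field value: "<issued-at>.<HMAC-SHA256 of issued-at>".
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Accept only tokens this server signed that are no older than MAX_AGE.
function check_form_token(string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false; // timestamp or signature was altered
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= MAX_AGE;
}

// Constructed sample times: form loaded at 23:59, posted at 01:01 the next day.
$loaded = strtotime('2024-01-01 23:59:00 UTC');
$posted = strtotime('2024-01-02 01:01:00 UTC');
$token  = issue_form_token($loaded);

// Case 1: post crosses midnight, token is 62 minutes old.
var_dump(check_form_token($token, $posted));

// Case 2: same token replayed one second past the 24-hour lifetime.
var_dump(check_form_token($token, $loaded + MAX_AGE + 1));

// Case 3: timestamp moved forward by a client, original signature kept.
$tampered = ($loaded + 3600) . substr($token, strpos($token, '.'));
var_dump(check_form_token($tampered, $posted));
```

The value goes in a normal hidden input; binding it to the visitor's session as well would stop one freshly fetched token from being reused across many clients.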