Featured Scripts
& Tutorials

CSS Tutorials

PHP Watermark Script

PHP Automatic Thumbnail Maker

JavaScript Multiple Slideshows

Google Adwords PPC Calculator

SMTP FormMail Script with Attachments

Image Tools/Scripts

Server Log Tools

JavaScript Tools & Tutorials

No-Frames 1-File Menu

Pre-Populate Forms with Javascript

SEO Tips & Tutorials

JavaScript Form Bot Blocker

Website designers and webmasters all face continuous attacks by SPAMmers and hackers who try to abuse their sites. One such problem is attacks from bots that fill in forms on your website to either try to hack into it or to send SPAM. The solution presented here can be very effective because it relies on JavaScript to handle the blocking, which very few bots can detect or process. This JavaScript is a good option for website designers who can't control or modify the target of the form's "action" attribute - such as affilliate sites or those using other remote services.

Keeping bots, even search engine robots, from following your forms can significantly reduce the time webmasters must spend dealing with the problems they cause. Google started following forms that use the "GET" method a while ago in order to increase their coverage of websites that rely on forms for website navigation - a practice fequently used on E-Commerce Websites. But they do so by trying every possible option presented by the form, which can have unintended consequences.

The basic approach is very simple: we use a non-functional target URL for the form's "action" attribute in the HTML mark-up - which is what the vast majority of bots will blindly follow. The target page will simply display an error message so that real users are given a solution. But for everyone else, we use JavaScript to "invisibly" modify the URL so that submissions from real users are processed normally. The result should be to stop form submission from these bots. To demonstrate the script, fill out and submit the simple form shown below. Then, try it again with JavaScript disabled in your browser.

Naturally, because this method is relying on JavaScript, you need to give real users who happen to be running with JavaScript disabled a way of dealing with the situation. The easiest way is to do this is to include a noscript notice on the page where the forms reside, and to also make sure that there are appropriate navigation links on the page you display to blocked users.

The JavaScript required here is very short and simple. The code relies on two arrays to hold page-specific information: 'rdBlockedFormsIDs' to hold the id's of the forms to be blocked, 'rdBlockedActions' to hold the URLs for the desired "action" attribute values for the corresponding forms.

// List of id's of the <form>s to be blocked
 var rdBlockedFormsIDs = new Array('formbot');
// List of URLs to be used to replace the 'action's settings in the forms
 var rdBlockedActions = new Array('//www.rainbodesign.com/pub/formbot-blocker/success.html');

 function initRDFormBot() {
  var myForms = document.getElementsByTagName('form');
  var el;
   for (var i=0; i<myForms.length; i++) {
    el = myForms[i];
     for (var j=0; j<rdBlockedFormsIDs.length; j++) {
      if (el.id == rdBlockedFormsIDs[j]) {
        el.action = rdBlockedActions[j];
      } // endif
     } // end for j
   } // end for i
 }

if (window.addEventListener) { // W3C standard
  window.addEventListener('load', initRDFormBot, false);
 } else if (window.attachEvent) { // Microsoft
  window.attachEvent('onload', initRDFormBot);
}

You can simply insert this code into selected pages, or save it in an external .js file and use it throughout your website. The only modification you need to do on your pages is to set the "action" attribute of the form tags to point to a page that displays a "submission blocked" message.

This page was last modified on August 27, 2020