Banning Words After Form Has Submitted
For forms, JavaScript can be used to ban the submission of certain words or phrases.
That is, until a bot gets hold of the form. Or the form user has JavaScript turned off.
When the form is submitted by a bot — or by a browser with JavaScript disabled — the software the form is submitted to can still check for banned words and phrases. That's what this article is about.
The ban-check code is for PHP scripts that forms are submitted to.
The Two Lists
The ban-check code contains two lists that you update as needed.
- A list of form fields to check.

The list is inserted between the lines containing FIELDSLIST — one form field name per line. Example:

$FormFieldList = <<<FIELDSLIST
name
comment
Comment
FIELDSLIST;

List all form field names that may contain banned content. Field names are case-sensitive.

If this code is to work for several forms and they have different form field names, list them all. The ban-check code will ignore the field names that are not present when a form is submitted.

- A list of banned words and phrases.

The list is inserted between the lines containing BANNEDLIST — one banned word or phrase per line. Example:

$BannedList = <<<BANNEDLIST
drip
"adv"
http
BANNEDLIST;

If the word or phrase is either by itself or is part of other words, the submission will be banned. As an example, if you list drip then "dripping" and "nondrip" will also match and be banned.

If a word or phrase must be independent — not be part of other words — put quotation marks (double quotes) around the banned word or phrase in the list. As an example, "adv" won't match "advertisement".

All matches are done case-insensitive. In other words, http will match "http", "HTTP", and "Http" — even if the word or phrase in the list is within quotation marks.
So, what happens when a banned word or phrase is found in the form submission? Whatever you want to happen.
As found in this article, the ban-check code simply exits the script. It's a silent exit. No explanation. Just a blank page.
That may be what you want for intentional spammers.
On the other hand, if legitimate users of the form might inadvertently trigger a banned word or phrase, it may be prudent to provide a message saying something like, "Unfortunately, a banned word or phrase was used in the form. To redo the form, tap 'back' and revise."
I'll show you how to make that change. And also show you how to redirect to a different web page when a ban is triggered.
But first, let's get the ban-check code ready for installation. Here is the source code. See the Updating the Ban-Check Code section that follows.
function CheckFormSubmissionForBanned()
{
   // List the form fields to scan.
   // These are case-sensitive.
   // Listed field names may be indented.
   $FormFieldList = <<<FIELDSLIST
name
comment
Comment
FIELDSLIST;
   // The above "FIELDSLIST;" must be flush left, no indent, and by itself on the line.

   // List the banned words and phrases to check for, one word/phrase per line.
   // These are case-insensitive.
   // Listed banned words and phrases may be indented.
   $BannedList = <<<BANNEDLIST
free
advertis
100% guaranteed
keyword
domain
"SEO"
suck
traffic
sex
http
porn
girl
Russian women
prescription
BANNEDLIST;
   // The above "BANNEDLIST;" must be flush left, no indent, and by itself on the line.

   // Turn each list into an array, skipping blank lines.
   $fields = array();
   foreach( preg_split('/[\r\n]+/',trim($FormFieldList)) as $item )
   {
      if( preg_match('/\w/',$item) ) { $fields[] = trim($item); }
   }
   $bans = array();
   foreach( preg_split('/[\r\n]+/',trim($BannedList)) as $item )
   {
      if( preg_match('/\w/',$item) ) { $bans[] = trim($item); }
   }

   $SubmissionIsBad = false;
   foreach( $fields as $field )
   {
      if( empty($_POST[$field]) ) { continue; }
      $value = $_POST[$field];
      // A field submitted as an array (name[]=...) is flattened so every value is scanned.
      if( is_array($value) )
      {
         $parts = array();
         array_walk_recursive( $value, function($v) use (&$parts) { $parts[] = $v; } );
         $value = implode("\n",$parts);
      }
      foreach( $bans as $ban )
      {
         // Unquoted entries match anywhere, including inside other words.
         $ends = array('','');
         // Quoted entries must stand alone: strip the quotes and require
         // that no word character touches either end of the match.
         if( strlen($ban)>2 and substr($ban,0,1)=='"' and substr($ban,-1)=='"' )
         {
            $ban = substr($ban,1,-1);
            $ends = array('(?<!\w)','(?!\w)');
         }
         if( preg_match('/'.$ends[0] . preg_quote($ban,'/') . $ends[1].'/i', $value ) )
         {
            $SubmissionIsBad = true;
            break;
         }
      }
      if( $SubmissionIsBad ) { break; }
   }
   if( $SubmissionIsBad )
   {
      exit;
   }
}

CheckFormSubmissionForBanned(); // The above calls the function so the function runs.
Updating the Ban-Check Code
Updating the lists —
See The Two Lists, further above, for details about the lists you will be updating.
The list of form field names (between the FIELDSLIST lines) needs to be updated for your forms. List each field that needs to be checked for banned words or phrases. If you have more than one form, list all unique fields from all of the forms.
The list of banned words and phrases (between the BANNEDLIST lines) needs to be updated for your particular requirements.
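Because unquoted entries also match inside longer words, a ban list can be dry-run against text that should be accepted before it goes live. The following is an added example, not part of the article's ban-check code: BanPattern and FindBans are hypothetical helper names, the list and messages are constructed samples, and the quoted-entry rule is implemented here with (?<!\w) and (?!\w) lookarounds as an assumption.

```php
<?php
// Build the case-insensitive pattern for one list entry, following the
// article's rules: a bare entry matches anywhere, a "quoted" entry only
// matches when it is not part of a longer word (assumed: lookarounds).
function BanPattern(string $ban): string
{
    if (strlen($ban) > 2 && $ban[0] === '"' && substr($ban, -1) === '"') {
        $term = substr($ban, 1, -1);
        return '/(?<!\w)' . preg_quote($term, '/') . '(?!\w)/i';
    }
    return '/' . preg_quote($ban, '/') . '/i';
}

// Return every [list entry, surrounding text] pair found in $text.
function FindBans(array $bans, string $text): array
{
    $hits = array();
    foreach ($bans as $ban) {
        if (preg_match(BanPattern($ban), $text, $m, PREG_OFFSET_CAPTURE)) {
            // Keep a little context around the hit so the cause is obvious.
            $start = max(0, $m[0][1] - 8);
            $hits[] = array($ban, substr($text, $start, strlen($m[0][0]) + 16));
        }
    }
    return $hits;
}

// Constructed ban list mixing bare and quoted entries.
$bans = array('drip', '"adv"', 'http', 'sex', '"SEO"');

// Constructed messages a legitimate visitor might send.
$legitimate = array(
    'I live in Essex and my tap keeps dripping.',
    'Your advertisement rates page will not load.',
    'Seoul office hours, please?',
);

foreach ($legitimate as $text) {
    $hits = FindBans($bans, $text);
    if (!$hits) { echo "ok      : $text\n"; continue; }
    foreach ($hits as $hit) {
        echo "BLOCKED : $text\n          entry {$hit[0]} matched near \"{$hit[1]}\"\n";
    }
}
```

Entries that block legitimate samples are candidates for quotation marks in the list, or for the message action described below instead of the silent exit.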
Updating the banned-match action —
With the above ban-check code, when there is a match with a banned word or phrase, the script exits. No warning. No message. Just a silent exit with a blank page.
If you want to change that, locate this near the bottom of the ban-check code:
if( $SubmissionIsBad )
{
exit;
}
To do any of the following updates, you'll be inserting additional code. Inserts need to be done immediately above the exit; line — between the line composed of the { curly brace and the line composed of the command exit;
Displaying a message when a banned word or phrase is encountered —
Determine the message you want to display and insert it above the command exit; — something like this:
if( $SubmissionIsBad )
{
echo("Unfortunately, a banned word or phrase was used in the form. To redo the form, tap 'back' and revise.");
exit;
}
Do not use any double-quote characters (") within the message itself. If you really must, precede the double-quote character with a backslash character, like: \"
Redirecting the browser when a banned word or phrase is encountered —
Determine the URL the browser should be redirected to. For the example, we'll assume the URL is https://example.com/page.php
Three lines are inserted above the command exit; and the first of them contains the URL to redirect to.
if( $SubmissionIsBad )
{
$RedirectURL = "https://example.com/page.php";
if( headers_sent() ) { echo "<script>location.href='$RedirectURL'</script>"; }
else { header("Location: $RedirectURL"); }
exit;
}
Using the Ban-Check Code
When the ban-check code updates have been done, it is ready for use.
To use, put the ban-check code into the PHP script that handles the form submission. Generally, the location of the script can be found in the form tag's action value.
When you determine which PHP script handles the form submission, make a copy of the file. The copy is made so you can restore the script with the back-up in case something doesn't work right with the updated script.
Because I don't know what PHP script you will be using, I'm unable to provide specific instructions on how to update the script.
Here are general probably-will-work instructions:
- Open the form handling script and find the line that begins with the <? pair of characters or the <?php set of characters. It may be the first line of the file or it may be lower down.

- Immediately below that line, insert the updated ban-check code.

Unless —

If the same line also contains the ?> pair of characters, then insert a line feed to put ?> on a line by itself. And only then insert the updated ban-check code. (In other words, <? or <?php must be somewhere above the ban-check code and ?> must be somewhere in the file below the ban-check code.)

- Test to verify it works as expected.
With the ban-check code installed, bots and JavaScript-disabled browsers will be unable to bypass your banned words and phrases check.
(This article first appeared with an issue of the Possibilities newsletter.)
Will Bontrager