Hide action location in html form

I have a form that someone keeps spoofing.  I am using PHP to process the form.  I am using JavaScript to validate the form.  After I applied the validation, I still received a couple of blank messages.  I believe what is happening is the person or program is creating their own form and using my PHP script to process whatever it is they are doing.  My form is <FORM action= 'mail.php'   method='post' name="request_form">.  Is there a way I can disguise or hide the action="mail.php" so they do not know where to process the form?  I'm also open to other solutions.

Not really,

That's why people use captcha form validation.

That's where you see an image and have to type the numbers, letters in order for it to submit.

These spoofs are easy to do: disable JavaScript, then your form validation doesn't work.

You can also do server-side validation instead of JavaScript.

Not really,

The whole point behind a form is that the information on how to submit it must be present in the browser, and it will always be possible for someone to extract that and submit the form. It would be possible to obfuscate the action URL using some JavaScript hocus pocus, but that probably isn't a good idea - aside from the fact that it is more prone to failure, they just need to break it once and can start spamming you again.

I think you'd be better off building some checks into the form processor itself. You could make sure it contains all the data you need to be certain the form has been sent from your site, and if it doesn't, just drop it there instead of sending it to you or recording it in a database.

If you're getting *lots* of spoofed forms, then he is probably using a machine to send them automatically. This type of attack can be guarded against pretty effectively using a captcha (one of those images with squiggly text on that humans can read but machines can't). Take a look at http://recaptcha.net/; they have one that is quite easy to set up and will help make sure that every form submitted is at least submitted by a human rather than a script.

Although it's not the best way, one of the simplest could be to place a cookie on the user's machine or create a session variable of a unique code, say date and time in an MD5 hash, i.e. MD5(date('Y-m-d H:i:s', time()))

Write this to the session variable or cookie, and pass it through to the processing script as a hidden file.  First thing the processing script does is to check the pass-through value against the session variable or cookie.  If they match, it's come from your system; if not, don't process the form.

Like I say, not the best way, but it could be the quickest and simplest.
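
The session-token check described in the answer above, as an added example that is not part of the original post. It swaps the MD5-of-date value for random_bytes(), which cannot be guessed from the clock, and makes the token single-use; the function names, the form_token key and the 15-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.
const FORM_TOKEN_TTL = 900; // token lifetime in seconds (assumed)

// Call while rendering the form page; returns the hidden-field value.
function issue_form_token(array &$session, int $now): string
{
    // random_bytes() is unpredictable; a hash of the date and time is not.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = ['value' => $token, 'issued' => $now];
    return $token;
}

// Call first thing in the processing script (mail.php on this page).
function verify_form_token(array &$session, $submitted, int $now): bool
{
    $stored = $session['form_token'] ?? null;
    unset($session['form_token']); // single use: a replayed POST fails
    if (!is_array($stored) || !is_string($submitted)) {
        return false; // no form was served to this session, or no token sent
    }
    if ($now - $stored['issued'] > FORM_TOKEN_TTL) {
        return false; // the form was rendered too long ago
    }
    return hash_equals($stored['value'], $submitted); // constant-time compare
}

// Constructed demonstration; a plain array stands in for $_SESSION.
// In the real pages: session_start(), then pass $_SESSION and time(), and
// print the token with htmlspecialchars() inside a hidden input.
$session = [];
$token = issue_form_token($session, 1000);
var_dump(verify_form_token($session, $token, 1060)); // first submission
var_dump(verify_form_token($session, $token, 1061)); // same token replayed
$session = [];
var_dump(verify_form_token($session, null, 1000));   // POST with no form visit
```

A script that first fetches the form page and keeps the session cookie still passes this check, so it complements a captcha or rate limit and does not replace them.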

For one, you need to validate the input server side. So let's say you make the page contactUs.php; then for validation, in the form action make it $_SERVER['PHP_SELF'], then verify the fields, and for the email entered, with checkdnsrr(). Now once everything is getting verified server side, if your issue is someone sending spam, you can make a table in your DB to record an IP and a timestamp, then only allow a second email from that IP after a certain amount of time has passed. :)

checkdnsrr() that wouldn't work in this case,

If they are using a spam spider bot, the bot is using the form but ignoring the JavaScript validation.

checkdnsrr() will always give him the IP address of his own server.

In this case, that is.

If they were sending from their own form that they created, then yes, it would work.

But not typically how spammers work.

Checking the DNS of the email address is only to verify the email address supplied is as valid as you can check after regex testing. Now, on the bot: that's when you check IPs and set a timestamp against how often you want each IP to be able to send an email. Now you could also time the interval between requests, and if you decide that it's a bot, then block the IP for 24 hours at a time, and if it occurs multiple times, block it forever.
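
The server-side validation and the IP-plus-timestamp table suggested in the replies above, as an added example that is not part of the original posts. The field names, the form_throttle table, the 300-second interval and the use of SQLite through PDO are assumptions; the same queries work on a MySQL table.

```php
<?php
// Added example, not code from the thread. Field and table names are hypothetical.
const MIN_INTERVAL = 300; // seconds between accepted messages per IP (assumed)

// Server-side checks; they run even when the client skips the JavaScript.
function validate_fields(array $post, bool $checkDns = true): array
{
    $errors = [];
    foreach (['name', 'email', 'message'] as $field) {
        if (!is_string($post[$field] ?? null) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    $email = is_string($post['email'] ?? null) ? trim($post['email']) : '';
    if ($email !== '') {
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'email is not well formed';
        } elseif ($checkDns && !checkdnsrr(substr(strrchr($email, '@'), 1), 'MX')) {
            $errors[] = 'email domain has no MX record';
        }
    }
    return $errors;
}

// One row per IP with the time of its last accepted message.
function allow_ip(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare('SELECT last_sent FROM form_throttle WHERE ip = ?');
    $stmt->execute([$ip]);
    $last = $stmt->fetchColumn();
    if ($last !== false && $now - (int) $last < MIN_INTERVAL) {
        return false; // too soon after the previous message from this IP
    }
    $db->prepare('REPLACE INTO form_throttle (ip, last_sent) VALUES (?, ?)')
       ->execute([$ip, $now]);
    return true;
}

// Constructed demonstration with an in-memory SQLite table (needs pdo_sqlite).
// In mail.php the arguments would be $_POST, $_SERVER['REMOTE_ADDR'] and time().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_throttle (ip TEXT PRIMARY KEY, last_sent INTEGER NOT NULL)');
$blank = ['name' => '', 'email' => ' ', 'message' => ''];
print_r(validate_fields($blank, false));       // a blank spoofed submission
var_dump(allow_ip($db, '203.0.113.7', 1000));  // first message from this IP
var_dump(allow_ip($db, '203.0.113.7', 1060));  // 60 seconds later
var_dump(allow_ip($db, '203.0.113.7', 1400));  // 400 seconds after the first
```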