PhpRiot

Anti-Spam Techniques In PHP, Part 1

Technique 1: Obfuscating

This technique lets your email address display normally on the web page while hiding it in the HTML source of your page. Because email harvesters don’t “see” the rendered page and only read the source, it is hard to write a pattern matcher against this.

Smarty has built-in functionality for this, which you can read about in the Smarty manual; it is basically achieved like this:

Listing 1 listing-1.tpl
    {assign var='email' value='antispam@example.com'}
    <a href="mailto:{$email|escape:'hex'}">{$email|escape:'hexentity'}</a>

This will output:

Listing 2 listing-2.html
<a href="mailto:%61%6e%74%69%73%70%61%6d%40%65%78%61%6d%70%6c%65%2e%63%6f%6d">
    &#x61;&#x6e;&#x74;&#x69;&#x73;&#x70;&#x61;&#x6d; <!-- antispam -->
    &#x40;                                           <!-- @ -->
    &#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;       <!-- example -->
    &#x2e;                                           <!-- . -->
    &#x63;&#x6f;&#x6d;                               <!-- com -->
</a>

The lines have been broken up and commented just for readability.

When you view it in your browser it will just appear as antispam@example.com.

To achieve this without Smarty, we just borrow Smarty’s code (from Smarty/plugins/modifier.escape.php):

Listing 3 listing-3.php
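<?php
    // Percent-encode every byte of the string, for use in the mailto: URL.
    function escapeHex($string)
    {
        $return = '';
        for ($x=0; $x < strlen($string); $x++) {
            $return .= '%' . bin2hex($string[$x]);
        }
        return $return;
    }
 
    // Encode every byte as a hexadecimal character reference, for the link text.
    // This works byte by byte, so it is only correct for ASCII addresses.
    function escapeHexEntity($string)
    {
        $return = '';
        for ($x=0; $x < strlen($string); $x++) {
            $return .= '&#x' . bin2hex($string[$x]) . ';';
        }
        return $return;
    }
 
    // Every character is encoded, so the output contains no raw HTML metacharacters.
    $email = 'antispam@example.com';
    echo '<a href="mailto:' . escapeHex($email) . '">' . escapeHexEntity($email) . '</a>';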

Realistically though, it would not be terribly difficult to extend an email harvester to decode these hex entities, but hopefully the obfuscation is good enough to defeat some of them.

The advantage of this method is that you can still keep the email linked so users can send emails directly in their email client.
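Both points above can be checked against your own page output. The following is an added example, not code from the article or from Smarty: it rebuilds the link from Listing 3, looks for address-shaped strings in the raw source, then repeats the search after the decoding a browser performs. `ADDRESS_PATTERN` and the functions `findAddresses`, `decodeMarkup` and `auditLink` are names assumed for this example, and the pattern is deliberately simplified.

```php
<?php
// Added example: not code from the article or from Smarty.

// Same byte-wise encoding as Listing 3, in compact form.
function escapeHex(string $s): string
{
    return $s === '' ? '' : '%' . implode('%', str_split(bin2hex($s), 2));
}

function escapeHexEntity(string $s): string
{
    return $s === '' ? '' : '&#x' . implode(';&#x', str_split(bin2hex($s), 2)) . ';';
}

// Simplified address pattern, an assumption for this check (not RFC 5322).
const ADDRESS_PATTERN = '/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i';

// Distinct address-shaped strings found in $text.
function findAddresses(string $text): array
{
    preg_match_all(ADDRESS_PATTERN, $text, $matches);
    return array_values(array_unique($matches[0]));
}

// Undo both encodings the way a browser does before display:
// character references first, then percent-encoding in the mailto: URL.
function decodeMarkup(string $html): string
{
    return rawurldecode(html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Returns [addresses in the raw source, addresses after decoding].
function auditLink(string $html): array
{
    return [findAddresses($html), findAddresses(decodeMarkup($html))];
}

$email = 'antispam@example.com'; // sample address used in the article
$link  = '<a href="mailto:' . escapeHex($email) . '">' . escapeHexEntity($email) . '</a>';

[$raw, $decoded] = auditLink($link);
printf("raw source:     %d address(es)\n", count($raw));
printf("after decoding: %s\n", implode(', ', $decoded));
```

For the sample address the raw source yields no match and the decoded markup yields the original address, so the link still works for visitors while the protection rests on two standard decoding calls.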
