I'm having issues with one of the authors here

So, as the title says, I’m having issues with one of the authors here.

Bought a template from him some time ago and noticed that, as late as Nov. 23 it wasn’t even php 8 compatible (unfortunately, it didn’t obviously break anything but simply resulted in mail not being delivered, which lost me quite some business). Didn’t think the squabble was worth it at the time and simply replaced his version of phpmailer.php with the newest instance from a different source.

Now, however, there are problems again: Turns out there’s no decent content validation on the form (relying basically on html types, which means that, even if you use type=“number”, anyone using the Safari browser can spam me with text all they want).

The other problem is that, despite using reCaptcha as implemented by the author, I’m still receiving spam. I proved to the author that their implementation of reCaptcha is ON and gave them a snippet from the apache logs so they get a better idea of where the spam is coming from.

The surprising response was that they want FTP access (yes, that 20th century technology!) to my server. To investigate their html template. The basic reasoning being that, since they have not received any other complaints, the problem must be somewhere on my end (remember this is from the guy who can’t even provide a php8-compatible template, but hey, I’m the only one with issues). I asked if they at least have a theory or something specific they want to look into, but nope. Later in the conversation they revealed that they are no server admins and can’t even read basic apache logs, only to reiterate that, without the server keys there is just nothing they can do. (“We are not proper judge without you server access that what is actually issue there as you told. Hope, you are understand us.”) - Yes guys, I think I do.

What do you do in a situation like this? I’ve decided not to expose the author at this point, but they claim to have 10,000 users (who never complain, see above) - shouldn’t this at least be made public for THEIR benefit? Incompetence is one thing, but the absolute unwillingness to engage in a rational exchange or learn from any incident is what has me truly worried.

Did you configure a reCAPTCHA key in the contact page’s PHP script? Creating a key is a bit complicated, so you’d also need to ensure it is correctly configured for your domain name and the type of the reCAPTCHA widget that the author used (there are multiple).

Let me know and I can advise from there. :+1:

I’m fairly sure I did everything correctly as per the implementation I was given - created the necessary keys and entered the reCaptcha secret in the script where it belongs. The contact page has this little mouse-over image that will tell you that the site is protected by reCaptcha - to my knowledge it is proof of correct implementation.

My guess is it’ll be like his php8 screwup - the moment I implement reCaptcha from scratch the spam will be gone. Only that I’d need to educate myself first and this is not why you buy somebody else’s script, that you need to invest the time to revise everything he did.

Alright, so there’s a lot going on here.

Let’s first clarify that you’re working with an HTML template. This is an important point, because those templates are focused on HTML and CSS, while a lot of the things you’re talking about are related to backend (PHP) development.

An HTML author will generally not be very well-acquainted with backend development, so I’m not surprised that you’re finding their support to be a bit lackluster in that area. If you had an issue with the HTML or CSS though, I’m sure they’d be right on it.

There’s no requirement for an HTML template to come with a working PHP script for the contact page. If a template does come with one, then it’s acceptable for it to be simple starter code rather than a full-blown implementation.

It’s not unusual for an author to ask for FTP credentials, because the vast majority of web hosts still actively provide them. And if the issue you report seems to be specific to you, then it’s fairly normal to request server access in order to debug it directly.

Now as for the spam issues, how much spam are you getting?

Even with a captcha, you will still receive spam. The captcha will just reduce the number of occurrences. Modern spam bots are becoming quite adept at masquerading as humans, and some spam could be coming from actual humans. It’s a mess out here.

The invisible reCAPTCHA will also let more spam slip through than usual – with no way to query a suspicious user for additional verification, it wouldn’t block their submission unless it has extreme confidence.

You may want to try manually integrating their checkbox captcha, or switch to something a bit more modern like Cloudflare Turnstile (the code to implement it will be pretty much identical). There are tutorials and guides out there for both of them.

Feel free to PM me a screenshot of the PHP code (with any emails or keys redacted) and I’d be happy to give it a quick look for any mistakes. It’s not impossible that it’s related to the PHP version but it should be quite unlikely.


First of all, thank you for taking the time to respond.

In my humble view, a seller should provide what they advertise. If they can only do HTML and CSS, then they should stick to that. If it’s meant as starter code, it should be mentioned. But advertising a working contact form with Captcha protection (yay!), then shipping a faulty product, wasting the customer’s time and money to figure it out and finally telling them that their server needs to be “investigated” instead of admitting to one’s own shortcomings, all of this is extremely bad practice, and I find it hard to excuse. At this point, you and I are protecting that author, but at the same time, we are throwing 9999 other customers under the bus and ensuring that the author will learn nothing. Not good.

As for the spam, it’s not much - but given the nature of the form, I get more spam than legit requests, which poses the risk that my actual business will get overlooked.

I didn’t mean to say that the spam is related to the PHP version - what I meant is that I will have to replace the author’s implementation by my own and configure it (as you suggested). So I will go ahead and do just that.

I’m not sure that someone without backend experience would be knowledgeable enough to know or disclose that their code is “starter code” as this would require them to be aware of a greater implementation for comparison. I only called them “starter code” and “basic” from my own perspective as an experienced developer.

Fundamentally though, I do agree with you. We’ve ended up in a situation where a working contact form is the consumer expectation, and authors are strongly encouraged to include one even without the relevant skillset – a skillset which could take a new developer years to acquire. It’s a lose-lose situation for such authors, in a category that officially doesn’t touch PHP at all.

Receiving spam really does not indicate that the captcha or its implementation is flawed, and “captcha protection” is not the same as “spam protection.” Some spam bots will request a human if the contact page blocks them. Others can solve captchas on their own.

Personally, I avoid captchas at all costs, as there are other effective ways to stop bots with less impact on real customers. For example, bots usually submit the form within a couple of seconds, much faster than a human could. That can be tracked.

I still maintain my offer to check the PHP code for you. Good luck with your custom implementation. :+1:

I finally found the time to look into this, and as expected, the recaptcha implementation is broken. It’s the equivalent of an electrician installing a light bulb without proper wiring, and then telling you that there must be something wrong with your house, because in all the other houses he installed it the same way, the light is just fine.

I’ll be happy to send you the package so you can take a look: The html form doesn’t actually pass any kind of token, while mail.php is programmed to simply go ahead when there’s no g-recaptcha-response to begin with. And like I pointed out earlier, when you switch to php 8 the form will simply discard your mail silently.

Please also let me know if you are willing to take care of this in a way that the dude learns his lesson and the buyers of this template get what they paid for. Otherwise I’ll go ahead and post it in his comment section.
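As an added example (not the template author's mail.php and not code from this thread), here is the fail-open pattern described in the post above, beside a fail-closed handler that also validates the number field server-side as raised earlier in the thread. The environment variable, field names and the site domain are assumptions.

```php
<?php
// Added example, not the template's mail.php. Assumed: secret in env RECAPTCHA_SECRET,
// form fields "g-recaptcha-response" and a numeric "quantity", site domain example.com.
declare(strict_types=1);

// Fail-open pattern the thread describes: verification runs only if a token was
// posted, so a request that simply omits the field goes straight to the mailer:
//   if (isset($_POST['g-recaptcha-response'])) { /* verify */ }  send_mail($_POST);

// Fail-closed version: a missing token or any verification failure blocks the send.
function recaptcha_passed(mixed $token, string $secret, string $remoteIp): bool
{
    if (!is_string($token) || $token === '') {
        return false;                                 // no token is a rejection, not a pass
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($raw === false) {
        return false;                                 // API unreachable: reject as well
    }
    $res = json_decode($raw, true);
    return is_array($res)
        && ($res['success'] ?? false) === true
        && ($res['hostname'] ?? '') === 'example.com'  // ASSUMED domain; binds the token to this site
        && (!isset($res['score']) || $res['score'] >= 0.5); // score is only present for v3 keys
}

// Server-side validation: type="number" in HTML is a hint the browser may ignore.
function valid_quantity(mixed $value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $n === false ? null : $n;
}

$secret = getenv('RECAPTCHA_SECRET') ?: '';
$qty    = valid_quantity($_POST['quantity'] ?? '');
if ($secret === '' || $qty === null
    || !recaptcha_passed($_POST['g-recaptcha-response'] ?? null, $secret, $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(400);
    exit('Submission rejected.');
}
// Only past this point build and send the message from the validated values.
```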
