Protecting Online Forms Using HashCash

What is HashCash?

HashCash refers to a ‘proof of work’ anti-spam measure originally proposed by Adam Back in 1997. It was originally intended to fight e-mail spam, but the concept has been adapted to spam on Web-based forms as well.

HashCash works by requiring the client (the user’s computer) to spend a modest amount of CPU time computing a value. This value is then submitted to the server, which checks it with negligible work. Since spambots profit from their ability to send a great deal of spam in a short amount of time, requiring them to spend up to several seconds computing a value for every submission is a deal-breaker. A well-balanced HashCash implementation requires a calculation expensive enough to make spamming unprofitable, but not so expensive that it inconveniences human users.

Advantages of HashCash

  • Currently 100% effective against spambots, since almost none have the ability to read and execute Javascript.
  • Easy to implement
  • Invisible to users
  • Can be scaled to increased difficulty as hardware becomes faster and faster

Disadvantages of HashCash

  • Requires a browser with Javascript enabled (this is standard, but some people disable Javascript for security reasons)
  • Can take up to several seconds to compute on a slow machine

Implementing HashCash on your Web based form

  1. Download and extract our HashCash package (in Zip format).
  2. Copy the files to the directory where your online form is.
  3. In the head of your HTML form, add the following line:

    <script language="Javascript" src="hashcash.php"></script>

  4. Add an ID to your form tag. You should have something similar to this:

    <form action="submit.php" id="checkForm" method="post">

  5. Replace the body tag of your Web page with:

    <body onload="find_salt('checkForm');">

  6. In the script that processes your form (the one named in the form’s action attribute), add the following lines just before the main part of your script, inside the PHP tag:

    // hashcash.php stored request_time and level in the session when the form was
    // served, so the session must be started (session_start()) before this runs.
    $hex_key = "2:".$_SERVER["REMOTE_ADDR"].":".$_SESSION["request_time"].":".$_POST["hashcash"];
    // The submitted value is valid only if the SHA-1 of the key starts with 'level' zeros.
    $pattern = '/^0{'.$_SESSION['level'].'}/';
    if ( preg_match($pattern, sha1($hex_key)) ) {

  7. Add the following lines at the end of your script:

    } else {
        print "An error has occurred. Please go back, refresh the form page and try again.";
    }
    // The challenge is single-use: drop it once the submission has been handled.
    unset($_SESSION['request_time']);

You are all set! Whenever a user comes to your form, their browser will automatically start calculating the HashCash value, which makes spamming impossible without inconveniencing human users.

Using HashCash on more than one form

In some instances, you might want to protect more than one form on your Web page with the HashCash script. The script can protect more than one form with the following modifications.

  1. Create another form with a different ID. For instance, if we were to add on to the example above:

    <form action="submit.php" id="checkForm2" method="post">

  2. In the body tag, add another find_salt() call to the onload attribute, enclosing the ID of the new form in single quotes. You should have something similar to this:

    <body onload="find_salt('checkForm'); find_salt('checkForm2');">

You can protect as many forms as you would like by appending further find_salt() calls in the same way.

Enhancing your form with Javascripts (Optional)

To further protect your form, you may also add JavaScript files that check and validate required fields. You can easily customize them to match your form.

  1. In the head of your HTML form, add the following line to specify which fields are required:

    <script language="Javascript" src="required_fields.js"></script>

  2. In the head of your HTML form, add the following line to check for correctly formed emails:

    <script language="Javascript" src="emailCheck.js"></script>

  3. In your Submit button, change the following attributes:
    • Change type from "submit" to "button"
    • Add onclick="CheckRequiredFields();"
  4. In the required_fields JavaScript, customize the CheckRequiredFields() function with your form name and field names, and choose which fields are required for your form. You can add further functions to perform more specific kinds of checks, if desired. The default fields are phone, e-mail (both checked for validity), affiliation, department and comment.

You are done! Whenever a user forgets to fill out a required field, an alert box will appear to remind them which fields they missed. The form will not submit unless all the required fields are filled out.
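As an added illustration of the customization described in step 4 (this is not the page’s required_fields.js or emailCheck.js), the check below is split into a pure function that reports which of the default fields are missing or malformed, and a small browser wrapper that collects the values from the form and either alerts or submits. The field names are the page’s defaults; the e-mail and phone patterns are deliberately simple assumptions.

```javascript
// Added example, not the page's required_fields.js: a testable version of
// CheckRequiredFields(). Field names are the page's defaults; the patterns
// and the form-reading wrapper are assumptions.
const REQUIRED_FIELDS = ["phone", "email", "affiliation", "department", "comment"];
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;   // one '@', a dot in the domain, no spaces
const PHONE_RE = /^\+?[\d\s().-]{7,20}$/;        // digits plus common separators

// Returns a list of human-readable problems; an empty list means the form is OK.
function checkRequiredFields(values, required = REQUIRED_FIELDS) {
  const problems = [];
  for (const name of required) {
    const v = (values[name] || "").trim();
    if (v === "") {
      problems.push(`${name} is required`);
      continue;
    }
    if (name === "email" && !EMAIL_RE.test(v)) problems.push("email is not well formed");
    if (name === "phone" && !PHONE_RE.test(v)) problems.push("phone is not well formed");
  }
  return problems;
}

// Browser glue (assumption): read the named inputs of the form, alert on
// problems, otherwise submit. Does nothing when there is no DOM (e.g. Node).
function CheckRequiredFields(formId = "checkForm") {
  if (typeof document === "undefined") return null;
  const form = document.getElementById(formId);
  const values = {};
  for (const name of REQUIRED_FIELDS) {
    const el = form.elements.namedItem(name);
    values[name] = el ? el.value : "";
  }
  const problems = checkRequiredFields(values);
  if (problems.length > 0) {
    alert("Please fix the following:\n" + problems.join("\n"));
    return problems;
  }
  form.submit();
  return problems;
}
```

Because the button no longer has type "submit", the form only leaves the page through form.submit() in the wrapper. That makes the prompt a convenience for human users only: anything that POSTs to submit.php directly bypasses it, so the processing script still has to validate the same fields server-side.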


Copyright © 2017 University of Rhode Island.