<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Oracle of ONE1 &#187; hack</title>
	<atom:link href="http://dvector.com/oracle/tag/hack/feed/" rel="self" type="application/rss+xml" />
	<link>http://dvector.com/oracle</link>
	<description>Obscure words of unity</description>
	<lastBuildDate>Wed, 31 Aug 2011 21:25:43 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Facile Forms Spam Hack</title>
		<link>http://dvector.com/oracle/2008/05/15/facile-forms-spam-hack/</link>
		<comments>http://dvector.com/oracle/2008/05/15/facile-forms-spam-hack/#comments</comments>
		<pubDate>Thu, 15 May 2008 16:35:48 +0000</pubDate>
		<dc:creator>oracle</dc:creator>
				<category><![CDATA[joomla]]></category>
		<category><![CDATA[hack]]></category>

		<guid isPermaLink="false">http://dvector.com/oracle/2008/05/15/facile-forms-spam-hack/</guid>
		<description><![CDATA[Please see comments.
Some of my Joomla! sites use Facile Forms to manage their forms. This extension is getting a little aged and the developer has indicated he might not upgrade the code for new versions of Joomla!.
Recently, a Facile Forms user complained they were receiving form spam. (Form spam is similar to email spam only [...]]]></description>
			<content:encoded><![CDATA[<p>Please see comments.</p>
<p>Some of my Joomla! sites use Facile Forms to manage their forms. This extension is getting a little aged and the developer has indicated he might not upgrade the code for new versions of Joomla!.</p>
<p>Recently, a Facile Forms user complained they were receiving form spam. (Form spam is similar to email spam, only the spammer uses website forms to ensure delivery to real users.) Facile Forms has a security code CAPTCHA to block form spam but obviously it was not working. So I removed the Facile Forms CAPTCHA and implemented a different CAPTCHA.</p>
<p><span id="more-32"></span></p>
<p>This blocked a large portion of the form spam but a few were still trickling through. I found a <a title="Facile Form Hack" href="http://me.yer.ch/blog/2008/03/14/facileforms/facileform-anti-spam-hack">short post</a> indicating a hack that might help. It seems that Facile Forms does not do a check to ensure that the post is coming from a recently served page on your site and that the fields are validated only by JavaScript.</p>
<p>Short of replacing Facile Forms, which I shall do shortly, I hacked it. The hack varies slightly from the Meyer hack above.</p>
<h2>Oracle Hack of Facile Forms</h2>
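<p>Add a line to the file components/com_facileforms/facileforms.process.php (at line 3081):</p>
<pre>//hack to check referer; 1 line added
//rejects the post when the Referer header is missing or does not contain this site's host
if(empty($_SERVER['HTTP_REFERER']) || stripos($_SERVER['HTTP_REFERER'],$_SERVER['HTTP_HOST'])===false) $this-&gt;suicide();</pre>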
<p>There are of course problems with this hack; referrer can be spoofed and not all clients send referrer headers. But it should cover my users until I get the extension replaced.</p>
]]></content:encoded>
			<wfw:commentRss>http://dvector.com/oracle/2008/05/15/facile-forms-spam-hack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

