PHP hide_email()

1. What is it?

A PHP function to protect the E-mail address you publish on your website against bots or spiders that index or harvest E-mail addresses for sending you spam. It uses a substitution cipher with a different key for every page load. Look at the generated XHTML in the example while pressing the browser's “reload” button to see this in effect.

2. How does it work?

PHP encrypts your E-mail address and generates the javascript that decrypts it. Most bots and spiders can’t execute javascript and that is what makes this work. A visitor of your web page will not notice that you used this script as long as he/she has javascript enabled. The visitor will see “[javascript protected email address]” instead of the E-mail address if he/she has javascript disabled.

3. Example

<?php echo hide_email(''); ?>

This is the PHP code you write where you want the E-mail address on your web page.

This is what the E-mail address will look like for the visitor of your web page.

<span id="e365384372">[javascript protected email address]</span><script type="text/javascript">/*<![CDATA[*/eval("var a=\"0XuhK3xIk_D1sc2895f+VZY-Fw.Wr4nySHgQNRC@jqevmaMUPLAboEldTiJzBtG6p7O\";var b=a.split(\"\").sort().join(\"\");var c=\"BazBcBazBuvdE\";var d=\"\";for(var e=0;e<c.length;e++)d+=b.charAt(a.indexOf(c.charAt(e)));document.getElementById(\"e365384372\").innerHTML=\"<a href=\\\"mailto:\"+d+\"\\\">\"+d+\"</a>\"")/*]]>*/</script>

This is the generated XHTML that the bot or spider will see instead of your E-mail address.

4. The code

The “hide_email()” PHP function is only 9 lines of code:

function hide_email($email)
{ $character_set = '+-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz';
  $key = str_shuffle($character_set); $cipher_text = ''; $id = 'e'.rand(1,999999999);
  for ($i=0;$i<strlen($email);$i+=1) $cipher_text.= $key[strpos($character_set,$email[$i])];
  $script = 'var a="'.$key.'";var b=a.split("").sort().join("");var c="'.$cipher_text.'";var d="";';
  $script.= 'for(var e=0;e<c.length;e++)d+=b.charAt(a.indexOf(c.charAt(e)));';
  $script.= 'document.getElementById("'.$id.'").innerHTML="<a href=\\"mailto:"+d+"\\">"+d+"</a>"';
  $script = "eval(\"".str_replace(array("\\",'"'),array("\\\\",'\"'), $script)."\")";
  $script = '<script type="text/javascript">/*<![CDATA[*/'.$script.'/*]]>*/</script>';
  return '<span id="'.$id.'">[javascript protected email address]</span>'.$script;
}

License: Public domain.
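
The substitution step of the PHP function and the decoding done by the generated script, written out as a readable JavaScript model. This is an added example, not the author's code: the names shuffleKey, encodeEmail, decodeEmail, roundTrip and the injectable rng are chosen here, and unlike the PHP function it rejects characters outside the character set. It also makes visible that sorting the key restores the character set, which is why the key shipped in the page is all the browser needs.

```javascript
// Added example: a readable model of the hide_email() scheme (names are assumptions).
const CHARACTER_SET =
  '+-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz';

// Fisher-Yates shuffle standing in for PHP's str_shuffle(); rng is injectable
// so a caller can make the key deterministic for testing.
function shuffleKey(rng = Math.random) {
  const chars = CHARACTER_SET.split('');
  for (let i = chars.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Server side: each character is replaced by the key character at its index.
function encodeEmail(email, key) {
  let cipherText = '';
  for (const ch of email) {
    const index = CHARACTER_SET.indexOf(ch);
    if (index === -1) {
      // The PHP function has no such check; strpos() returns false there.
      throw new RangeError('not in character set: ' + JSON.stringify(ch));
    }
    cipherText += key[index];
  }
  return cipherText;
}

// Browser side: what the generated script does with a (key) and c (cipher text).
function decodeEmail(key, cipherText) {
  // CHARACTER_SET is in ascending code-unit order, so sorting the key restores it.
  const sorted = key.split('').sort().join('');
  let plain = '';
  for (const ch of cipherText) {
    plain += sorted.charAt(key.indexOf(ch));
  }
  return plain;
}

// One "page load": fresh key, encode, then decode as the browser would.
function roundTrip(email, rng = Math.random) {
  const key = shuffleKey(rng);
  const cipherText = encodeEmail(email, key);
  return { key, cipherText, decoded: decodeEmail(key, cipherText) };
}
```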

5. XHTML generator

You can use this generator if you have no PHP support on your web server. Change the E-mail address into your own E-mail address and press “Generate”. Cut and paste the generated XHTML into your own web page.

Because the generator uses Javascript instead of PHP you can save this page to disk as “Web Page, complete” and use it offline.

6. Credits

The idea of javascript E-mail address obfuscation is not mine. It seems that Tim Williams came up with the idea first. Andrew Moulden improved it by adding a generated key. Ross Killen wrote a PHP version that generates a different key every page load. My implementation is much like that of Ross Killen, but I implemented a slightly different encryption algorithm, minified and obfuscated the javascript and made the script valid for javascript strict and XHTML 1.0 strict parsing.

  1. HTML generator by Tim Williams (University of Arizona)
  2. Improved HTML generator by Andrew Moulden (Site Engineering Ltd.)
  3. PHP version by Ross Killen (Celtic Productions Ltd.)

7. Considerations

  • Users must have javascript enabled to see your E-mail address.
  • This does not protect you against bots and spiders that can execute javascript.
  • The position of the key and the cipher text in the javascript are constant.
  • If this script gets very popular, bots and spiders might be taught to decode it.
  • Line 7 of the PHP code (the “eval” wrapper) complicates decoding, but can be left out.
  • The main reason for not adding much more complexity is wanting few lines of code.
  • I chose the “span” tag over the semantically more correct “noscript” tag;
    the XHTML 1.0 strict schema says the “noscript” tag may only contain “Block” elements.
