PHP hide_email()

1. What is it?

A PHP function to protect the E-mail address you publish on your website against bots or spiders that index or harvest E-mail addresses for sending you spam. It uses a substitution cipher with a different key for every page load. Look at the generated XHTML in the example while pressing the browsers "reload" button to see this in effect.

2. How does it work?

PHP encrypts your E-mail address and generates the javascript that decrypts it. Most bots and spiders can't execute javascript and that is what makes this work. A visitor of your web page will not notice that you used this script as long as he/she has javascript enabled. The visitor will see "[javascript protected email address]" in stead of the E-mail address if he/she has javascript disabled.

3. Example

<?php echo hide_email(''); ?>

This is the PHP code you write where you want the E-mail address on your web page.

[javascript protected email address]

This is what the E-mail address will look like for the visitor of your web page.

This is the generated XHTML that the bot or spider will see instead of your E-mail address.

4. The code

The "hide_email()" PHP function is only 9 lines of code:

function hide_email($email) { $character_set = '+-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'; $key = str_shuffle($character_set); $cipher_text = ''; $id = 'e'.rand(1,999999999); for ($i=0;$i<strlen($email);$i+=1) $cipher_text.= $key[strpos($character_set,$email[$i])]; $script = 'var a="'.$key.'";var b=a.split("").sort().join("");var c="'.$cipher_text.'";var d="";'; $script.= 'for(var e=0;e<c.length;e++)d+=b.charAt(a.indexOf(c.charAt(e)));'; $script.= 'document.getElementById("'.$id.'").innerHTML="<a href=\\"mailto:"+d+"\\">"+d+"</a>"'; $script = "eval(\"".str_replace(array("\\",'"'),array("\\\\",'\"'), $script)."\")"; $script = '<script type="text/javascript">/*<![CDATA[*/'.$script.'/*]]>*/</script>'; return '<span id="'.$id.'">[javascript protected email address]</span>'.$script; }

License: Public domain.

5. XHTML generator

You can use this generator if you have no PHP support on your web server. Change the E-mail address into your own E-mail address and press "Generate". Cut and paste the generated XHTML into your own web page.

E-mail address

Generated XHTML

Because the generator uses Javascript instead of PHP you can save this page to disk as "Web Page, complete" and use it offline.

6. Credits

The idea of javascript E-mail address obfuscation is not mine. It seems that Tim Williams came up with the idea first. Andrew Moulden improved it by adding a generated key. Ross Killen wrote a PHP version that generates a different key every page load. My implementation is much like that of Ross Killen, but I implemented a slightly different encryption algorithm, minified and obfuscated the javascript and made the script valid for javascript strict and XHTML 1.0 strict parsing.

  1. HTML generator by Tim Williams (University of Arizona)
  2. Improved HTML generator by Andrew Moulden (Site Engineering Ltd.)
  3. PHP version by Ross Killen (Celtic Productions Ltd.)

7. Considerations

8. Interesting links

Send me your ideas and comments on this subject!

Maurits van der Schee - [javascript protected email address] - August 2008 - Amsterdam - Valid XHTML 1.0 Strict