Rambling a bit off topic here, but it looks solved, so…

benanamen: benanamen: The important thing is that the submission does not succeed.

Yes, I don’t actually message the bots like that, there isn’t much point to it, it’s bot.

Anything wrong that indicates bot, it stops dead and reports the problem to me, which is interesting to see which wires they trip on.

benanamen: benanamen: And what of the case of a bot not missing any of the fields? We are still back to isset doing nothing whatsoever even though it is a bot submission. All we have done is clutter the code base.

You could say the same for any form of captcha that a bot passes. When it does not work, it is redundant code, but when it does, it serves a purpose. I use it as just one part of a multi level strategy to catch form-bots, without inconveniencing real users, and for some it works. So with multiple tests, a bot may pass one, but maybe not the next. If you throw enough different obstacles in its path, you will stop it.

In the context of your reply to the OP, I 100% agree about the use of isset there. I was merely mentioning my own use case for isset on form fields.

benanamen: benanamen: Simple solution to that is a white list of expected fields which I would highly recommend implementing.

That is exactly what I do. In my latest forms, I have a form table in the database and an input table, then form and input classes that take care of all the messy business of building the form, then validating, sanitising, etc, using the list of known inputs for a particular form, so any additional inputs that may appear are ignored, and those that should be there are checked to be present and correct.

Any anomaly that indicates a bot, does not pass validation.

Admittedly my form processing can be a bit elaborate, some may call it clutter, but the way I see it, when you make a form, you open a window in your code, into which anyone can throw anything. So you better make sure what it the other side of the window can cope with anything that is thrown at it, and if anything that comes in smells bad, the window gets closed immediately. I don’t skimp on security with forms.

For some time this has been working well, with a 100% record of no spam and no hacks.