Webform protection using PHP

Is this the correct code to check all server-side values and reCaptcha values?

if($response != null && $response->success && !isset($_POST['botprotection']) && empty($_POST['botprotection']) && trim($_POST["botprotection"]) == "") {
// it's human
} else {
// it's spam
}

Hard to say. Where do all those variables come from?

If I understand it is the correct code:

<?php

if($response != null && $response->success && !empty($_POST['botprotection']) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>

and
HTML:

<input type="hidden" name="botprotection" id="botprotection" value="Go away bot" />

I don’t see how that would be effective. Though it looks different from the code in the OP.
What you want to check is that the hidden input has not been altered at all.

if($_POST['botprotection'] === "Go away bot") {
   // Good
}
else {
   // Bad!!
}

Would work better.

I think the idea is that it’s a text field with display: none; which will be left blank by human users and filled in (with something) if it’s a bot. The idea being that a bot will fill in all fields.


Yes, that’s normally how a “honeypot” field works. If it’s hidden by CSS rather than a hidden attribute, the bot doesn’t see it as hidden and fills it in anyway, whereas a real user never sees it, so doesn’t fill it in.


I am trying to add protection against attacks and this is just an example. Which code is the best to also protect against XSS? It is wrong and just an example…

<?php
//Use Javascript and ensure that the input isn't blank after submit
//Cross-Site Scripting Attacks (XSS)
$xss_bodycontent = trim($_POST["bodycontent"]);
file_put_contents("xss_bodycontent.txt", $xss_bodycontent, FILE_APPEND);
$xss_bodycontent = file_get_contents("xss_bodycontent.txt");
echo htmlspecialchars($xss_bodycontent);

if($response != null && $response->success && !empty($_POST['botprotection']) && !empty($xss_bodycontent) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>

and
HTML:
<input name="botprotection" id="botprotection" class="hidden input" value="hi bot!" />

Try this in normal input method and your own XSS protection tests and spot the difference.

<?php 
echo "<pre>";
var_dump($_POST["botprotection"]);
echo "<br>";
print_r($_SERVER);
echo "</pre>";

Beware:
Tapped on a tablet and not tried.

Thank you, but this is only validation. How do I set up XSS protection the correct way in my example?
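An added example (not code posted by anyone in this thread) that puts the two points of the discussion together: the CSS-hidden honeypot field must come back exactly as it was rendered, and user text is stored raw and encoded only at the moment it is written into HTML. The honeypot value, the `$captchaPassed` flag and the sample submissions are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed value rendered into the CSS-hidden field (hidden by style, not type="hidden").
const HONEYPOT_VALUE = 'Go away bot';

// A human never sees the field, so it arrives unchanged; a bot that auto-fills
// every input alters it. Strict comparison also rejects arrays and near-matches.
function honeypotIsUntouched(array $post): bool
{
    return isset($post['botprotection'])
        && is_string($post['botprotection'])
        && $post['botprotection'] === HONEYPOT_VALUE;
}

// Output encoding for an HTML element body. ENT_QUOTES also covers attribute
// values; a JavaScript or URL context would need a different encoder.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// $captchaPassed stands in for the reCAPTCHA verification result ($response->success).
function handleSubmission(array $post, bool $captchaPassed): array
{
    if (!$captchaPassed || !honeypotIsUntouched($post)) {
        return ['status' => 'spam', 'html' => ''];
    }
    $body = trim((string)($post['bodycontent'] ?? ''));
    if ($body === '') {
        return ['status' => 'empty', 'html' => ''];
    }
    // Keep $body raw in storage; escape only where it is rendered, so the same
    // stored text can later be shown safely in another context too.
    return ['status' => 'ok', 'html' => '<p>' . escapeHtml($body) . '</p>'];
}

// Constructed sample submissions, not real traffic.
$human = ['botprotection' => 'Go away bot', 'bodycontent' => '<script>alert(1)</script> hello'];
$bot   = ['botprotection' => 'Go away bot http://spam.example', 'bodycontent' => 'buy now'];

var_dump(handleSubmission($human, true)); // status "ok", html holds &lt;script&gt;... as inert text
var_dump(handleSubmission($bot, true));   // status "spam", honeypot value was altered
```

Note that appending every submission to a text file under the web root and echoing that file back, as in the earlier snippet, shows other users' input and is not part of XSS protection; the encoding step belongs at the point of output, not at the point of storage.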
