Webform protection using PHP

toplisek 2018-02-27 11:13:53 UTC #1

Is this the correct code to check all server-side values and reCaptcha values

if($response != null && $response->success && !isset($_POST['botprotection']) && empty($_POST['botprotection']) && trim($_POST["botprotection"]) == "") {
// it's human
} else {
// it's spam
}

droopsnoot 2018-02-27 12:08:48 UTC #2

Hard to say. Where do all those variables come from?

toplisek 2018-03-01 13:20:22 UTC #3

If I understand it is the correct code:

<?php

if($response != null && $response->success && !empty($_POST['botprotection']) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>

and
HTML:

<input type="hidden" name="botprotection" id="botprotection" value="Go away bot" />

SamA74 2018-03-01 13:38:24 UTC #4

I don't see how that would be effective. Though it looks different from the code in the OP.
What you want to check is that the hidden input has not been altered at all.

if($_POST['botprotection'] === "Go away bot") {
   // Good
}
else{ // Bad!! }

Would work better.

gandalf458 2018-03-01 13:54:50 UTC #5

I think the idea is that it's a text field with display: none; which will be left blank by human users and filled in (with something) if it's a bot. The idea being that a bot will fill in all fields.

SamA74 2018-03-01 13:59:19 UTC #6

Yes, that's normally how a "honeypot" field works. If it's hidden by css rather than a hidden attribute, the bot doesn't see it as hidden and fills it in anyway, when a real user never sees it, so doesn't fill it in.

toplisek 2018-03-03 20:26:17 UTC #7

I try to add protection for attacks and it is just example. Which code is the best to protect also gainst XSS? It is wrong and just example...

<?php
//Use Javascript and ensure that the input isn't blank after submit
//Cross-Site Scripting Attacks (XSS)
$xss_bodycontent = trim($_POST["bodycontent"]);
file_put_contents("xss_bodycontent.txt", $xss_bodycon, FILE_APPEND);
$xss_bodycontent = file_get_contents("xss_bodycontent.txt");
echo htmlspecialchars($xss_bodycontent);

if($response != null && $response->success && !empty($_POST['botprotection']) && !empty($xss_bodycontent) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>

and

and
HTML:
<input" name="botprotection" id="botprotection" class="hidden input" value="hi bot!" />

John_Betong 2018-03-03 23:52:02 UTC #8

Try this in normal input method and your own XSS protection tests and spot the difference.

<?php 
echo "<pre>";
var_dump($_POST["botprotection"]);
echo "<br>":
print_r($_SERVER);
echo "</pre>";

Beware:
Tapped on a tablet and not tried.

toplisek 2018-03-08 15:14:24 UTC #9

Thank you but this is only validation. How to set in the correct way XSS protection in my example.

system 2018-06-07 22:14:33 UTC #10

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.

ThemesPodcastArticlesPremium