Webform protection using PHP

toplisek · February 27, 2018, 11:13am

Is this the correct code to check all server-side values and reCaptcha values

if($response != null && $response->success && !isset($_POST['botprotection']) && empty($_POST['botprotection']) && trim($_POST["botprotection"]) == "") {
// it's human
} else {
// it's spam
}

droopsnoot · February 27, 2018, 12:08pm

Hard to say. Where do all those variables come from?

toplisek · March 1, 2018, 1:20pm

If I understand it is the correct code:

<?php

if($response != null && $response->success && !empty($_POST['botprotection']) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>

and
HTML:

<input type="hidden" name="botprotection" id="botprotection" value="Go away bot" />

SamA74 · March 1, 2018, 1:38pm

I don’t see how that would be effective. Though it looks different from the code in the OP.
What you want to check is that the hidden input has not been altered at all.

if($_POST['botprotection'] === "Go away bot") {
   // Good
}
else{ // Bad!! }

Would work better.

Gandalf · March 1, 2018, 1:54pm

I think the idea is that it’s a text field with display: none; which will be left blank by human users and filled in (with something) if it’s a bot. The idea being that a bot will fill in all fields.

SamA74 · March 1, 2018, 1:59pm

Yes, that’s normally how a “honeypot” field works. If it’s hidden by css rather than a hidden attribute, the bot doesn’t see it as hidden and fills it in anyway, when a real user never sees it, so doesn’t fill it in.

toplisek · March 3, 2018, 8:26pm

I try to add protection for attacks and it is just example. Which code is the best to protect also gainst XSS? It is wrong and just example…

<?php
//Use Javascript and ensure that the input isn't blank after submit
//Cross-Site Scripting Attacks (XSS)
$xss_bodycontent = trim($_POST["bodycontent"]);
file_put_contents("xss_bodycontent.txt", $xss_bodycon, FILE_APPEND);
$xss_bodycontent = file_get_contents("xss_bodycontent.txt");
echo htmlspecialchars($xss_bodycontent);

if($response != null && $response->success && !empty($_POST['botprotection']) && !empty($xss_bodycontent) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>

and

and
HTML:
<input" name="botprotection" id="botprotection" class="hidden input" value="hi bot!" />

John_Betong · March 3, 2018, 11:52pm

Try this in normal input method and your own XSS protection tests and spot the difference.

<?php 
echo "<pre>";
var_dump($_POST["botprotection"]);
echo "<br>":
print_r($_SERVER);
echo "</pre>";

Beware:
Tapped on a tablet and not tried.

toplisek · March 8, 2018, 3:14pm

Thank you but this is only validation. How to set in the correct way XSS protection in my example.

system · June 7, 2018, 10:14pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need quick solution for spam submissions via PHP form PHP	7	624	November 12, 2010
How do I stop the spam on a form coded in PHP? PHP	5	416	October 8, 2014
FormMail3-40.pl - SPAM Server Config security	2	1116	October 8, 2014
Captcha code PHP security	18	4794	May 7, 2015
Need a secure PHP contact form, or a captcha PHP	5	1479	February 20, 2015

Webform protection using PHP

Related topics