TalkPHP
Simple way to protect a form from bots
   So you start off by reading the honeypot field out of the request:

PHP Code:
$bottest = isset($_POST['leave_blank']) ? $_POST['leave_blank'] : '';

Then you include this check before doing anything else with the submission. A human never sees the field, so anything other than an empty string (including a value submitted as an array) means an automated client filled it in:

PHP Code:
if (!is_string($bottest) || $bottest !== '')
{
    echo "Nice try!";
    exit;
}

And after that you include this in an existing form, such as your register form or any other form that needs protection. The field is hidden with CSS rather than type='hidden' on purpose: a bot that fills every text input it finds will write into it, while a browser never displays it.

Code:
<div style='display:none;visibility:hidden;'>
	<input type='text' name='leave_blank' id='leave_blank'>
</div>

PS: I might come up with a better way to improve this or fix it if it doesn't work.
Please let me know.
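The three pieces above, put together as one complete handler. This is an added example, not the article's code: the field name "leave_blank", the form layout and the constructed sample submissions are assumptions. It is slightly stricter than the article's check in that a submission which omits the honeypot field altogether is also rejected, since a hand-written bot usually posts only the fields it needs.

```php
<?php
// Added example (not the article's code): a complete honeypot check for a
// register/contact form. The field name, layout and samples are assumptions.

declare(strict_types=1);

const HONEYPOT_FIELD = 'leave_blank';

/**
 * Return true if the submission touched the honeypot field in any way.
 * Bots sometimes post the field as an array (leave_blank[]=x) or omit it
 * entirely, so the check accepts any type and treats anything other than
 * an empty string as a hit.
 */
function honeypotTriggered(array $post, string $field = HONEYPOT_FIELD): bool
{
    if (!array_key_exists($field, $post)) {
        // A browser always submits the (empty) field with the rest of the form;
        // a client that left it out never rendered the form. Assumed policy.
        return true;
    }
    $value = $post[$field];
    if (!is_string($value)) {
        return true;          // arrays never come from the rendered form
    }
    return $value !== '';
}

/** Markup for the field, hidden with CSS so bots still see a text input. */
function renderHoneypotField(string $field = HONEYPOT_FIELD): string
{
    $name = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    // autocomplete/tabindex keep browser autofill and keyboard focus away from it.
    return "<div style=\"display:none;visibility:hidden\" aria-hidden=\"true\">"
         . "<label for=\"$name\">Leave this field empty</label>"
         . "<input type=\"text\" name=\"$name\" id=\"$name\" autocomplete=\"off\" tabindex=\"-1\">"
         . "</div>";
}

// Live use: reject the request before any other field is looked at.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypotTriggered($_POST)) {
        http_response_code(400);
        exit('Nice try!');
    }
    // ... process the real fields here
}

// Constructed sample submissions (not real traffic) to show each decision.
$samples = [
    'human'        => ['username' => 'alice', HONEYPOT_FIELD => ''],
    'bot_filled'   => ['username' => 'alice', HONEYPOT_FIELD => '1'],
    'bot_array'    => ['username' => 'alice', HONEYPOT_FIELD => ['x']],
    'bot_no_field' => ['username' => 'alice'],
];
foreach ($samples as $label => $post) {
    printf("%-13s -> %s\n", $label, honeypotTriggered($post) ? 'rejected' : 'accepted');
}
```

Because a missing field is treated as a hit, every form that posts to this handler has to include renderHoneypotField(); if some forms do not, drop that branch and keep only the non-empty check.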
Last 5 Article Reviews
   testing
Review added by SagaciousDev on 11-08-2012
   This is what I do to stop bots
Review added by Stryker on 05-21-2010
Alright, before I begin, I am terrible at English and grammar.

Say you're using a form-to-forum post method. What I do to secure the form page is phpBB3 (or similar) integration into the page.


<?php
// Tells phpBB we're not hackers. Includes the common.php file from the forums.
define('IN_PHPBB', true);
$phpbb_root_path = './PATH TO FORUMS/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management. This allows us access to some of the user's information when they are logged in.
$user->session_begin();
$auth->acl($user->data);
$user->setup();

// Some common things you'll use. $username gives the username, and $userid gives the unique ID of the logged-in user.
$username = $user->data['username'];
$userid = $user->data['user_id'];

if ($user->data['user_id'] == ANONYMOUS) {
    // Not logged in: show a login form and stop. (The form markup was lost when
    // this page was extracted; the inputs below assume phpBB3's standard login fields.)
    echo '
<form action="' . $phpbb_root_path . 'ucp.' . $phpEx . '?mode=login" method="post">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    Remember Me?: <input type="checkbox" name="autologin"><br>
    <input type="submit" name="login" value="Login"><br>
    Not Registered? <a href="' . $phpbb_root_path . 'ucp.' . $phpEx . '?mode=register">Register!</a>
</form>
';
    exit();
}
// The page below will show if the user is logged in; if not, the exit() above means it will not even load.
?>


See my drift?
   Nice but an old trick...
Review added by SoN9ne on 02-16-2010
Well, I have just noticed the dates on the reviews...

This method still works but it is not a good method anymore. I have found it to be more useful and more difficult to bypass by leaving a hash in the form and in their session.

For example, I take an md5 hash of their user agent concatenated with their IP, I will then save this hash in the form as a hidden field; on submission, I check to ensure that the current user agent and IP match the hash, else I assume foul play and kick them out.

Still a good post and worth a read.
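A worked version of the session-plus-hidden-field idea from the review above, as an added example (not the reviewer's code). It binds a form token to the session id, User-Agent and IP, but derives it with an HMAC under a server-side secret rather than a bare hash, so a client cannot compute a valid token from its own User-Agent and IP. The secret, the field name "form_token" and the constructed requests are assumptions.

```php
<?php
// Added example (not the reviewer's code): a form token bound to the visitor's
// session, User-Agent and IP. Secret, field name and sample requests are assumed.

declare(strict_types=1);

// Assumed: in production load this from configuration, never hardcode it.
const FORM_TOKEN_SECRET = 'replace-with-32-random-bytes';

/**
 * Derive the token for one visitor. HMAC with a server secret instead of md5,
 * so knowing your own UA and IP is not enough to forge it. Each part is
 * length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
 */
function formToken(string $sessionId, string $userAgent, string $ip, string $secret = FORM_TOKEN_SECRET): string
{
    $material = strlen($sessionId) . ':' . $sessionId . '|'
              . strlen($userAgent) . ':' . $userAgent . '|'
              . strlen($ip) . ':' . $ip;
    return hash_hmac('sha256', $material, $secret);
}

/** Render the hidden field and remember the token in the session ($_SESSION in live use). */
function issueFormToken(array &$session, string $sessionId, string $userAgent, string $ip): string
{
    $token = formToken($sessionId, $userAgent, $ip);
    $session['form_token'] = $token;
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * The posted token must equal the one stored in the session AND the one
 * recomputed from the current UA/IP. hash_equals avoids timing leaks.
 */
function verifyFormToken(array $session, array $post, string $sessionId, string $userAgent, string $ip): bool
{
    $posted   = $post['form_token'] ?? null;
    $expected = $session['form_token'] ?? null;
    if (!is_string($posted) || !is_string($expected)) {
        return false;
    }
    return hash_equals($expected, $posted)
        && hash_equals(formToken($sessionId, $userAgent, $ip), $posted);
}

// Constructed walk-through (no real traffic). In a request these come from
// session_id(), $_SERVER['HTTP_USER_AGENT'] ?? '' and $_SERVER['REMOTE_ADDR'].
$session = [];
$sid = 'sess-abc123';
$ua  = 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0';
$ip  = '203.0.113.7';
$hiddenField = issueFormToken($session, $sid, $ua, $ip);   // goes into the form
$post = ['comment' => 'hello', 'form_token' => $session['form_token']];

$checks = [
    'same browser, same session'     => verifyFormToken($session, $post, $sid, $ua, $ip),
    'User-Agent changed on submit'   => verifyFormToken($session, $post, $sid, 'curl/7.88.1', $ip),
    'IP changed on submit'           => verifyFormToken($session, $post, $sid, $ua, '198.51.100.9'),
    'session lost (no stored token)' => verifyFormToken([], $post, $sid, $ua, $ip),
    'token tampered'                 => verifyFormToken($session, ['form_token' => 'x'], $sid, $ua, $ip),
];
foreach ($checks as $label => $ok) {
    printf("%-32s -> %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Two caveats a practitioner will want: binding to the IP locks out legitimate users whose address changes mid-session (mobile carriers, corporate proxy pools), and a bot that fetches the form with a session cookie and posts from the same User-Agent and IP passes this check, so it complements the honeypot field rather than replacing it.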
   Nice
Review added by SneakyWhoami on 09-30-2009
One improvement, if you're not going to be requiring emails, can be to name it "email", not "leave blank". There are a lot of bots out there that look for recognized fields and fill them out (like email fields). A "leave blank" field is less likely to be filled in by a bot.


It will stop automated bots, in spite of any skepticism.
Say I have a forum using SMF. People write bots that successfully target these forums. If you don't allow anonymous posting then this is probably not a problem, BUT the fact remains that there are auto bots that can do this.

Ultimately I guess if someone wrote a bot specifically to target your site, then you are no longer fighting a bot but a human.
So this article makes sense and it works.
If you check any page on howtocreate.co.uk, you can see he's got a hidden link. Click the link and get banned, a nice honeypot.

Google and such don't click the link because it's forbidden under robots exclusion.

Anyway, to nitpick with this article:
the second code block you've got will work in practice but technically it has a bug. The bot can submit useless data ;)

Try entering the value "1", it will get through.
Yes I'm being a smartass.

Somebody just had to come along and say it, didn't they?
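The hidden-link honeypot mentioned above, as an added example (not code from the review or from howtocreate.co.uk): a link no human sees, excluded from crawling in robots.txt, which bans any client that follows it. The /trap/ path, the ban-list file and the constructed requests are assumptions.

```php
<?php
// Added example (not from the review or howtocreate.co.uk): a hidden "trap" link
// that bans whoever follows it. The path, ban-list file and samples are assumed.

declare(strict_types=1);

const TRAP_PATH    = '/trap/';
const BANLIST_FILE = __DIR__ . '/banned-ips.txt';

// Put this in robots.txt so well-behaved crawlers (Google etc.) never follow it:
//     User-agent: *
//     Disallow: /trap/

/** Markup for the hidden link; real users never see it, link-following bots do. */
function trapLink(): string
{
    return '<a href="' . TRAP_PATH . '" style="display:none" rel="nofollow" tabindex="-1"'
         . ' aria-hidden="true">Do not follow</a>';
}

/** Append an IP to the ban list (one per line, locked against concurrent hits). */
function banIp(string $ip, string $file = BANLIST_FILE): void
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return;   // never write unvalidated input to the list
    }
    file_put_contents($file, $ip . PHP_EOL, FILE_APPEND | LOCK_EX);
}

function isBanned(string $ip, string $file = BANLIST_FILE): bool
{
    if (!is_file($file)) {
        return false;
    }
    $banned = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, $banned, true);
}

/**
 * Request dispatcher: the trap path bans the caller, every other path refuses
 * banned callers and otherwise serves the page (with trapLink() in its body).
 * Returns the HTTP status so it can be exercised without a web server.
 */
function handle(string $path, string $ip, string $file = BANLIST_FILE): int
{
    if (strpos($path, TRAP_PATH) === 0) {
        banIp($ip, $file);
        return 403;
    }
    if (isBanned($ip, $file)) {
        return 403;
    }
    // ... render the real page here and include trapLink() somewhere in it
    return 200;
}

if (PHP_SAPI !== 'cli') {
    // Live use. REMOTE_ADDR is only the client's address if no reverse proxy is in front.
    http_response_code(handle($_SERVER['REQUEST_URI'], $_SERVER['REMOTE_ADDR']));
    exit;
}

// Constructed walk-through against a temporary ban list (addresses are documentation ranges).
$tmp = tempnam(sys_get_temp_dir(), 'ban');
printf("crawler requests /about  -> %d\n", handle('/about', '198.51.100.9', $tmp));
printf("crawler follows the trap -> %d\n", handle('/trap/', '198.51.100.9', $tmp));
printf("crawler requests /about  -> %d\n", handle('/about', '198.51.100.9', $tmp));
printf("other visitor, /about    -> %d\n", handle('/about', '203.0.113.7', $tmp));
unlink($tmp);
```

Bans keyed on IP alone are blunt: a shared NAT or proxy address bans everyone behind it, so in practice the list should expire entries and be reviewed rather than grow forever.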
   Eh.. not really...
Review added by dschreck on 06-11-2009
This may work to prevent automated scanners... maybe... but if anyone is looking to directly bot a form for a site you're running, they will do it by hand.

Even when I've created automated login systems for Hotmail, Gmail, Yahoo, AOL, MySpace, Facebook - it takes about 30 mins of dev work to figure out all of the required fields you need to pick up and post in as hash strings, and the rest you can just ignore.

This would be one of the fields I'd ignore.