TalkPHP - Simple way to protect a form from bot

Account Login

Latest Articles

The basic usage of PHPTAL, a XML/XHTML template library for PHP

by awuehr on 11-10-2008 in Tips & Tricks

Vulnerable methods and the areas they are commonly trusted in.

by Village Idiot on 11-04-2008 in Classes & Objects

Simple way to protect a form from bot

by codefreek on 10-23-2008 in Basic

The Basics On: How Session Stealing Works

by wiifanatic on 09-13-2008 in Security & Permissions

How to keep your forms from double posting data

by drewbee on 07-03-2008 in Tips & Tricks

IRC Channel

Join the friendly bunch on IRC...
(#TalkPHP on Freenode)

...Also available via a web interface.

See this thread for information on the TalkPHP Free Hugs Initiative™. Subject to availability.

Associates

TalkPHP » View Article

Simple way to protect a form from bot

So you start of with:

PHP Code:


			
$bottest = $_POST['leave_blank'];

then you include this:

PHP Code:


			
if (strlen($bottest) > 1)

{

    echo "Nice try!";

    exit;

}

And after that you include this in a pre-existent form like your register form
or other forms that need protection!

Code:

<div style='display:none;visibility:hidden;'>
	<input type='text' name='leave_blank' id='leave_blank'>
</div>

PS: I might come up with a better way to improve this or fix it if it doesn't work.
Please let me know.

Report this Article

Last 5 Article Reviews

Read All Reviews

Nice

Review added by SneakyWhoami on 10-01-2009

One improvement, if you're not going to be requiring emails, can be to name it "email", not "leave blank". There are a lot of bots out there that look for recognized fields and fill them out (like email fields). A "leave blank" field is less likely to be filled in by a bot.

It will stop automated bots, in spite of any skepticism.
Say I have a forum using SMF. People write bots that successfully target these forums. If you don't allow anonymous posting then this is probably not a problem, BUT the fact remains that there are auto bots that can do this.

Ultimately I guess if someone wrote a bot specifically to target your site, then you are no longer fighting a bot but a human.
So this article makes sense and it works.
If you check any page on howtocreate.co.uk, you can see he's got a hidden link. Click the link and get banned, a nice honeypot.

Google and such don't click the link because it's forbidden under robots exclusion.

Anyway, to nitpick with this article:
the second code block you've got will work in practice but technically it has a bug. The bot can submit useless data ;)

Try entering the value "1", it will get through.
Yes I'm being a smartass.

Somebody just had to come along and say it, didn't they?

Eh.. not really...

Review added by dschreck on 06-11-2009

This may work to prevent automated scanners... maybe... but if anyone is looking to directly bot a form for a site you're running, they will do it by hand.

Even when I've created automated login systems for Hotmail, Gmail, Yahoo, AOL, MySpace, Facebook - it takes about 30 mins of dev work to figure out all of the required fields you need to pick up and post in as hash strings, and the rest you can just ignored.

This would be one of the fields I'd ignore.

Sure this works?

Review added by hjalmar on 05-24-2009
I have found that alot of bots ignores an element that is hidden with display: none; I simply use a technique where you just push the desired element outside of the screen instead with negative values and it has worked like a charm, never got a single spam after that. So like: #element{ position: absolute; left: -9999px; }

Nice basic start

Review added by CoryMathews on 12-21-2008

This is a good way to start out but it will easily be broken a large number of times by different bots.

I had this at first but then upgraded it to have a small bit of javascript that updates the field with the time elapsed so after a reasonable amount of time when a real user submits the page it works, but when a bot comes through and submits it in under a set period of time then its no good. This seems to have worked decently so far but I'm sure there are many ways out there much better than this one.

All times are GMT. The time now is 01:07 PM.