
Webform protection using PHP

11:10 am on Feb 27, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2006
posts: 1103
votes: 1


I am trying to avoid empty form submissions and am also using a reCaptcha control.
Is this the correct code to check all the values server-side?
if($response != null && $response->success && !isset($_POST['botprotection']) && empty($_POST['botprotection']) && trim($_POST["botprotection"]) == "") {
// it's human
} else {
// it's spam
}
11:24 am on Feb 27, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


I might not yet be fully awake, but this confused me:

!isset($_POST['botprotection'])
&&
empty($_POST['botprotection'])
&&
trim($_POST["botprotection"]) ==""

$_POST['botprotection'] can't be unset AND empty AND equal to an empty string; maybe there should be an OR somewhere.
2:48 pm on Feb 27, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:5008
votes: 51


You can use just if(empty($_POST['botprotection']))

empty will evaluate to false in PHP standard fashion, and will also check whether the variable exists. So if the variable is not set or a zero-length string, empty evaluates to true.

I'd go with
if(empty($_POST['botprotection']) || !($_POST['botprotection'] = trim($_POST['botprotection']))) {
// fail
}
else {
// good
}

Just be wary that if $_POST['botprotection'] = 0 ... this would also evaluate as 'empty'
4:24 pm on Feb 27, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2624
votes: 774


Why would you not validate the form client-side, using HTML's built-in validation and JS?
Why not simply make the form field required? This would prevent the form from being submitted with that field empty.
12:46 pm on Mar 1, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2006
posts: 1103
votes: 1


Spam bots have got smarter. They also read JavaScript, not only HTML inputs, and send inputs. Very few spambots will have JavaScript enabled. JavaScript is just the first step and reCaptcha is the second. PHP provides server-side validation to protect the inputs.

If I understand correctly, this is the correct code:
<?php

if($response != null && $response->success && !empty($_POST['botprotection']) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>
and
HTML:
<input type="hidden" name="botprotection" id="botprotection" value="Go away bot" />
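The two points raised so far (what empty() does with a missing value, whitespace and "0", and how to combine the checks so that && and || do not fight over precedence) are easier to see in a runnable script. This is an added example, not code from any post in this thread: $recaptcha stands in for the decoded siteverify response the thread calls $response, its ->success property is assumed, and the sample submissions are constructed.

```php
<?php
// Added example (not code from the thread): server-side checks for the
// "botprotection" field, written so each condition is explicit and the
// precedence problem of mixing && and || without parentheses cannot occur.
// $recaptcha stands for the decoded siteverify response the thread calls
// $response; its shape (->success) is assumed here.

declare(strict_types=1);

/**
 * True when the field is missing or contains only whitespace.
 * Deliberately avoids empty(): empty("0") is true in PHP, so a legitimate
 * value of "0" would be rejected by empty() alone (the caveat raised above).
 */
function fieldIsBlank(array $post, string $name): bool
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return true;
    }
    return trim($post[$name]) === '';
}

/**
 * Combined decision. Every rule is a reason to reject, so they are
 * expressed as early returns instead of one long && / || expression.
 */
function isHumanSubmission(array $post, ?object $recaptcha, string $expectedToken): bool
{
    // 1. reCAPTCHA verification must have happened and succeeded.
    if ($recaptcha === null || empty($recaptcha->success)) {
        return false;
    }
    // 2. The hidden field must be present and non-blank.
    if (fieldIsBlank($post, 'botprotection')) {
        return false;
    }
    // 3. Strict comparison: no loose "Go away bot" == 0 surprises
    //    (in PHP 7 a non-numeric string compared with == 0 is true).
    if (trim($post['botprotection']) !== $expectedToken) {
        return false;
    }
    return true;
}

// Constructed sample inputs, one per branch.
$ok  = (object) ['success' => true];
$bad = (object) ['success' => false];
$cases = [
    'missing field'   => [[], $ok],
    'whitespace only' => [['botprotection' => '   '], $ok],
    'zero string'     => [['botprotection' => '0'], $ok],
    'wrong token'     => [['botprotection' => 'x'], $ok],
    'captcha failed'  => [['botprotection' => 'Go away bot'], $bad],
    'valid'           => [['botprotection' => ' Go away bot '], $ok],
];
foreach ($cases as $label => [$post, $captcha]) {
    printf("%-16s blank=%s human=%s\n", $label,
        fieldIsBlank($post, 'botprotection') ? 'yes' : 'no',
        isHumanSubmission($post, $captcha, 'Go away bot') ? 'yes' : 'no');
}
```

Run it with php on the command line; the "zero string" row shows the difference between this check and a bare empty(), and the single return path per rule is what keeps the condition readable once more rules are added.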
1:53 pm on Mar 1, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:5008
votes: 51


Using Google's recaptcha is the best solution to get rid of 99.9% of bot activity. There are bots that are browser-like and others that are just submitting an HTTP request. Use Google recaptcha if you are happy using Google services on your site.

Also, the code you posted is slightly different from what I wrote: your != trim( would be better as = trim(
1:57 pm on Mar 1, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2624
votes: 774


Javascript is just the first step and reCaptcha is the second. PHP creates a server-side validation to protect inputs.

This is clear. I am not suggesting you don't use PHP to validate the form fields. What I am suggesting is using the built-in HTML functionality to prevent the submission of blank forms.

By making a field "required" you can prevent a blank form from being submitted, and this prevents the malicious bot from sending useless requests. With your proposed solution, ensuring that the input isn't blank after submission prevents nothing, as the form will already have been submitted and the request made, so the damage is done. The same logic holds for the Captcha: if you need to take a request to validate the Captcha, that kind of defeats the purpose of the Captcha.

Obviously, if the form is submitted and the fields aren't blank, then you would want to thoroughly validate the inputs server-side to prevent any injections or other unwanted inputs.
2:11 pm on Mar 1, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2006
posts: 1103
votes: 1


After reading your reply, I have also added injection control. As I understand it, at the moment the Google service does not prevent XSS attacks or protect the body input. Is this the correct code?
<?php
//Use Javascript and ensure that the input isn't blank after submit
//Cross-Site Scripting Attacks (XSS)
$xss_bodycontent = trim($_POST["bodycontent"]);
file_put_contents("xss_bodycontent.txt", $xss_bodycontent, FILE_APPEND);
$xss_bodycontent = file_get_contents("xss_bodycontent.txt");
echo htmlspecialchars($xss_bodycontent);

if($response != null && $response->success && !empty($_POST['botprotection']) && !empty($xss_bodycontent) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
else {
// fail
}

?>
and
HTML:
<input type="hidden" name="botprotection" id="botprotection" value="hi bot!" />

Another issue is how to make sure that the hidden input has not been altered at all.
Demo:
if($response != null && $response->success && !empty($_POST['botprotection']) && $_POST['botprotection'] === "hi bot!" && !empty($xss_bodycontent) || $_POST['botprotection'] == 0 || ($_POST['botprotection'] != trim($_POST['botprotection']))) {
// good
}
3:29 pm on Mar 1, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


file_put_contents("xss_bodycontent.txt", $xss_bodycontent, FILE_APPEND);
$xss_bodycontent = file_get_contents("xss_bodycontent.txt");

I do not understand why you are writing to a file, to read it again. (It doesn't mean it's not right).

However, won't there be a problem writing something into the same file for each form submitted? Especially with an "append" option? What if two forms are submitted at the same time, or another form is submitted before you delete the .txt file?
3:48 pm on Mar 2, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2006
posts: 1103
votes: 1


Sorry, I have never done this. Maybe you have a better solution. I kindly ask you to post code to protect against Cross-Site Scripting Attack. Maybe we will receive the best proposal.
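The last two questions in the thread (how to tell whether the hidden field was altered, and how to keep submitted text from becoming markup when it is echoed back) can be answered with a short script. This is an added example and not code from any poster: the secret, the field names and the sample submissions are constructed, and the "nonce.hmac" token format is an illustration of the technique rather than something the thread specifies.

```php
<?php
// Added example, not code from the thread. Two things the last posts ask for:
// (1) detecting whether the hidden field was altered, by giving it a value
//     the server can verify (an HMAC over a nonce, keyed with a server secret),
// (2) rendering user-supplied text into HTML without letting it become markup.
// The secret, field names and sample inputs are constructed for this example.

declare(strict_types=1);

// Assumption: a long random secret kept in configuration, not in the page.
const FORM_SECRET = 'replace-with-a-long-random-secret-kept-out-of-the-repo';

/** Value to put in the hidden field when rendering the form: nonce.hmac */
function issueFormToken(string $secret): string
{
    $nonce = bin2hex(random_bytes(16));          // 32 hex characters
    $mac   = hash_hmac('sha256', $nonce, $secret);
    return $nonce . '.' . $mac;
}

/** True only if the submitted value is one the server could have issued. */
function verifyFormToken(?string $submitted, string $secret): bool
{
    if ($submitted === null) {
        return false;
    }
    $parts = explode('.', $submitted, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0], $secret);
    // hash_equals compares in constant time; the known value goes first.
    return hash_equals($expected, $parts[1]);
}

/** Escape for insertion between HTML tags or into a quoted attribute. */
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- rendering the form ---
$token = issueFormToken(FORM_SECRET);
echo '<input type="hidden" name="botprotection" value="' . e($token) . '">' . "\n";

// --- handling a submission (constructed $_POST stand-ins) ---
$tampered = ['botprotection' => 'hi bot!', 'bodycontent' => '<script>alert(1)</script>'];
$genuine  = ['botprotection' => $token,    'bodycontent' => 'Hello & "welcome" <3'];

foreach (['tampered' => $tampered, 'genuine' => $genuine] as $label => $post) {
    $valid = verifyFormToken($post['botprotection'] ?? null, FORM_SECRET);
    printf("%s: token %s\n", $label, $valid ? 'verified' : 'rejected');
    if ($valid) {
        // Escaping at output time is what stops stored or reflected XSS;
        // the raw value can still be kept for storage or moderation.
        echo '<p>' . e(trim($post['bodycontent'])) . '</p>' . "\n";
    }
}
```

A fixed string such as "hi bot!" can be checked with === as the thread suggests, but it tells you nothing once a bot has read the form source; an HMAC-bound value at least guarantees the field carries something this server issued. The escaping belongs at the point of output, not at storage, and if the posted file_put_contents() logging is kept, FILE_APPEND | LOCK_EX avoids the interleaving problem raised above when two submissions arrive at once.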