Doesn't PHP execute server-side, when the page is rendered? That would mean it is finished executing before the form is filled. The javascript does not need to be on the page, it can be linked from the submit button to execute when the form is submitted.

I am non code person.

Can I use sleep for php server side script? It is secure?

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 // Sleep for 4 seconds
 sleep(4);
}

Sorry, I've cobbled together a few PHP includes and short snippets for a task, but I am not one who knows all about PHP. Others here are far more experienced and can get back to you on this, but the sleep code looks like one that would be executed on page load also.

Is there a reason you don't want to use .js?

Because user can completely disable JavaScript from running in their web browser.

So my spam/troll prevention will not work with delay time from submission.

If the js were triggered by the "Submit" button and the user has js disabled, then nothing would happen because "Submit" only triggers the delay, it does not submit the form until/unless the script is run.

A note about js being enabled to use the form is not unusual and better than just not working with no clue about why.

Send a timestamp as a hidden form variable in the initial GET connection.
Compare it with the time during the POST processing.
Obfuscate the timestamp it so it's not obvious to the cracker.

I need to figure it out.. the ChatGpt already write the code for me. But, I need to get it work with my form submission. Since my forum has no database.

What else we can do to combat spam/troll ?

I have a file which lists a hundred or so keywords. In the form-parsing php script I compare these keywords against the form content using the regex parser. If this finds a match I email the form to my admin address in order to check for false positives. If no match then the form is sent to the normal recipient address.

I also have a honey-trap form which checks the efficacy of this mechanism and sometimes gives me more keywords.

I have honeypot too it's hidden in my form. This honeypot is work to confuse the robot spam.

What I scare is, bad human or troll account. I want to combat the troll. Maybe IP banning and DNS blocklist (proxy) can help.

@djemyjenab: a few ideas that may help you.

1. It's very difficult to suggest what you could do if you have no coding background (you mentioned this). I suggest taking the time to learn some basics, why? because it will be useful for you and this will save you time from guessing what something does, or how to do it, (or I mean this politely, in a positive way: asking questions like "how?" whenever you receive a suggestion), it's ok, we all are learning here.

2. You don't exactly need to delay the form submission, and don't aim to do this with JS, why? because it's very easy to turn Javascript off as mentioned above. Also, because many bots (robots, code running around the web, non humans) will try submitting information faking a form without even using yours, this means any javascript will be ignored.

3. You don't need to "delay" the form, you can play with the troll. This means, whenever you know this is a troll, or whenever there is a trigger (depends on you), then allow the form submission, just... provide random diff error messages, like 404 not found, or "something went wrong", or "you didn't provide your email", this in my experience has proven to be quite effective for humans and machines, as they can't identify what's wrong, they just see meaningless error messages.

4. I'm not against ChatGPT or AI, but regarding coding, if you don't know how to code and you ask AI to do something for you, the tool is going to give you code anyway, code that you wouldn't know how to implement... so you are back to square one. This is like asking a doctor about a medical explanation but you don't know what to do with it anyway.

5. If you are running a forum, consider systems that have special plugins, things like "miserable user", these things play with the patience of humans making them go away. If it's not a forum but just a contact form, then play with the suggestions given in this page.

I need to figure it out.. the ChatGpt already write the code for me.

Be very careful. AI can write code, but as a scripting language, PHP makes it easy for anyone to write bad code that will run. When you ask AI to write code it will do just what you ask, but it will often overlook things. Security for example.

I sometimes use AI to debug or write a quick function, but often the code that is produced is seriously unsafe to use in a production environment.

Depending on what type of form you have, you may be able to simply download a free contact form and use that. It would be even better if it supported reCAPTCHA. Not knowing PHP and trying to create your own solution may be asking for problems. My suggestion for now is not to reinvent the wheel, but to take time to learn the basics of PHP. In the future, you will be better prepared to create your own solutions.

Mack.

@explorador my reply

1. I do take php class before this to learn basic php. Since I almost 40s, I think lil bit hard and I need work/life and running balance.

2. Yes I know user can disable the Js in browser. That's why I want di it in Php server side.

3. Thank you, this method is good also to handle the troll. I can redirect the user by IP address or username to the error_page.php

4. I just using the AI as a tools, but it work to create code for I need. At the end of code, I will ask the AI all the meaning of the code and change accordingly to my needs.

5. Yes this I can do, I heard before "we don't need to feed the troll" 😅

Dear @mack

It would be even better if it supported reCAPTCHA

I already have reCaptcha support (and working) but don't use it yet.

I want something that no need to burden all user because of few bad human. Will consider reCaptcha too.

reCaptcha is the spawn of the devil! When I get one of them I usually go to another web site unless the site is necessary. It can take a couple of dozen tries and still fail.

other than reCaptcha what else we can do to avoid abuse user/bad human?

When I get one of them I usually go to another web site unless the site is necessary.

So if my forum for specific nichie, it's acceptable to use Captcha?

When I get one of them I usually go to another web site unless the site is necessary.

You're thinking of the old style where you had to type words or select cats. The modern V2 and V3 use a checkbox "I am not a robot".

Mack.

Currently I'm using classic Captcha, I think this will work for my forum to prevent bad human/troll.

I limit to number and 5 digit only when user want to post/reply.

> You're thinking of the old style

No, I'm thinking of the picture-matching one. I encountered an essential one only a few days ago and it took me ages to get through it. It's G's way of increasing blood pressure. Nasty things.

Maybe not an answer to your question, but this wont work. Its trival to delay form submissions.

If you want to prevent spam then add some random challenge questions that someone familiar with your business can easily answer, use a captcha or simply reject all submissions that contain a url.
All the spam i get contains some links, while legit customers never send me any links.

use a captcha or simply reject all submissions that contain a url.

What I want to do is not just Spam but troll/bad human. So, Captcha is the best right?

Now I put captcha with numbering and limit to 5 digit.

And to avoid robot Spam. I think I want to add dronebl. org to avoid robot Spam.

Anyone from webmaster know this is good or not?

Have you facing the spam/troll account?

Robots are as likely to come from random broadband IPs than from server farms and note the bl's comment "can tell you the ones it knows about". It cannot block everything. A robot should always fail a challenge such as captcha but detecting on content can also help

I think for now Captcha working great, since I moderate the forum by myself.

Other than that, what we need to do to protect the forum from bad human/troll account?

Akismet and SFS (Stop Forum Spam) are some helpful tools. They can be integrated via API in most cases.

Which one is good Akismet, Captcha or Recaptcha?

Use what works for you, they are all good, only you know what you need.