
Is this a good way to catch bots?

Developer https://www.devze.com 2022-12-17 16:44 Source: Internet

Is this method sufficient?

<?php

// User pressed "Register"
if (!empty($_POST['name']) && !empty($_POST['email'])) {

    // Honeypot: the hidden "antispam" field should come back empty
    if (!empty($_POST['antispam'])) {
        exit("bye");
    }

}

?>

<form>

<input type="hidden" name="antispam" value="" />

Accname: <input type="text" name="name" value="" />
Email: <input type="text" name="email" value="" />

......

</form>


In all basic sense of the idea, sure. The only thing I would recommend for your simple implementation is that most spam scanners that you're trying to block out look for fields titled "username", "name", "user", etc.

So, instead of naming your honeypot "antispam" I would name it "username" or something similar that does not conflict with your existing form.


Probably the best name for a form field designed to trigger a spam bot would be url.

The chances of a bot parsing the HTML for type=text attributes or textarea tags and ignoring all others are quite reasonable.

Your chances of trapping a spambot can be improved with a few extra lines of code:

styles.css:

#commentUrl {
    display: none;
}

script.js:

function setFlag() {
    document.getElementById('commentUrl').value = 'Javascript check ok';
}

form.html:

<form onsubmit="setFlag();" method="post" action="comment.php">
    <label for="commentName">Accname:</label>
      <input type="text" id="commentName" name="comment_name" value="" />

    <label for="commentEmail">Email:</label>
      <input type="text" id="commentEmail" name="comment_email" value="" />

    <label for="commentUrl">Url:</label>
      <input type="text" id="commentUrl" name="comment_url" value="http://" />
</form>

comment.php:

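<?php

   // Anything other than the JavaScript flag or the untouched default means the hidden field was filled in.
   $url = isset($_POST['comment_url']) ? $_POST['comment_url'] : '';
   if ($url <> 'Javascript check ok' && $url <> 'http://') {
       // Let's increase their server load.
       // header() takes the status code as its third argument; the second is $replace.
       header('Location: http://' . $_SERVER['REMOTE_ADDR'] . '/', true, 307);
       exit;
   }
?>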

Because you use three different languages you improve the chances of catching the spammer considerably.
You could improve the JavaScript by dynamically appending the <link rel="stylesheet"> to the DOM, for example.


I wouldn't recommend making the input type hidden or letting it have something with "spam" in it. The best way would be to give it a neutral name ("message" maybe) and hide it from the page via CSS. Additionally I would measure how long it took to fill out the form (as this will be very fast or very slow by robots) by adding a timestamp field (and again give it a neutral name and maybe encode it).
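
The honeypot-plus-timestamp idea from the answer above, as an added example that is not part of any of the posts: the timestamp is HMAC-signed so the client cannot alter it. The field names "message" and "ref", the key placeholder and the time thresholds are assumptions.

```php
<?php
// Added example, not code from the original posts.
const FORM_KEY    = 'replace-with-a-random-server-side-secret'; // placeholder
const MIN_SECONDS = 3;     // assumed: faster than a person can fill two fields
const MAX_SECONDS = 3600;  // assumed: form considered stale after an hour

// Token rendered into the form: "<unix time>.<HMAC of that time>".
function issue_form_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_KEY);
}

// Returns null when the submission passes, otherwise the reason it was rejected.
function bot_reason(array $post, int $now): ?string {
    // Honeypot: a text field with a neutral name that CSS hides from people.
    if (($post['message'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $ref = $post['ref'] ?? '';
    $parts = is_string($ref) ? explode('.', $ref, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison; an edited timestamp no longer matches its MAC.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_KEY), $mac)) {
        return 'token signature invalid';
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_SECONDS) return 'submitted too fast';
    if ($elapsed > MAX_SECONDS) return 'form expired';
    return null;
}

// Constructed sample submissions, checked against a fixed clock.
$t0    = 1700000000;
$token = issue_form_token($t0);
$base  = ['name' => 'x', 'email' => 'x@example.com', 'message' => '', 'ref' => $token];
$samples = [
    'human, 20 s'  => [$base, $t0 + 20],
    'fills all'    => [['message' => 'buy now'] + $base, $t0 + 20],
    'instant post' => [$base, $t0 + 1],
    'edited time'  => [['ref' => ($t0 - 60) . substr($token, 10)] + $base, $t0 + 1],
    'no token'     => [['ref' => ''] + $base, $t0 + 20],
];
foreach ($samples as $label => [$post, $now]) {
    echo str_pad($label, 14), ' => ', bot_reason($post, $now) ?? 'accepted', PHP_EOL;
}
```

A token stays valid until MAX_SECONDS passes, so a client that waits before posting still gets through; the check filters naive form fillers, not every automated client.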


I would not use a hidden field as bots might be looking for only elements of type="text". The naming should be something common but something you have no use for, examples being:

  • firstname
  • lastname
  • email
  • username
  • password
  • bio
  • description

You should change your input from

<input type="hidden" name="antispam" value="" />

to something more along the lines of

<input type="text" name="username" value="" style="display:none; height: 0; width: 0; border: none; background: transparent; margin: 0; padding: 0;" />