I have set up a rather complicated HTML form that uses the JQuery Validate plugin with several required fields and various rules. Form is working great. It POSTs to a separate PHP processor file that does a number of things such as send a couple of emails and eventually sends the user to Paypal. (It is a club membership application.) It appears that it only took about a week for some type of "bot" to find the processor file and start running it directly over and over. About 500 emails & apps were generated before I caught it and stopped it by renaming the files temporarily. At the time it was happening I wasn't quite sure exactly what was going on, but after evaluating it for most of the day I came to realize that it couldn't be as a result of the main form being executed, but by just running the processor file directly.

So...my question is this: How can I keep this from happening? There must be some type of coding to include that will ensure that the processor can't run unless it is really coming from the real HTML form...or is there a better way? I followed all of the "examples" on the 'Net in regards to forms and POSTing but nowhere did I see anything that relates to this type of problem.

RCurtis
  • You could add some type of reCaptcha to the form so that it will fool 'most' bots. http://www.google.com/recaptcha – Rottingham Jan 13 '14 at 23:59
  • That's just it...the main form is not being run. I thought of adding a Captcha until I realized that that's not what was happening. Somehow the bot found the POST PHP file and is running *that* without ever running the real form. – RCurtis Jan 14 '14 at 00:19
  • The idea is that server-side form processing would require a valid Captcha value. If a bot hit the processor directly, the Captcha value would not be valid and the submission would be rejected. This might be helpful: [How To Prevent Robots From Automatically Filling Up A Form](http://stackoverflow.com/questions/2387496/how-to-prevent-robots-from-automatically-filling-up-a-form) – showdev Jan 14 '14 at 00:25

3 Answers


Generally this can be reduced by adding a CSRF token to the form.

Set a random SHA/MD5 value in your session, and also put that value in the form as a hidden input. When a legitimate user sends the form, that value will be passed along too; validate it by checking the passed value against the one in the session. If all is good, process.

If it's a bot, the bot would need to parse the form for the CSRF token first. Or you could step up and make that security key an image and make the user type it (CAPTCHA).

How to properly add CSRF token using PHP

It's something you should also add to your login forms etc., else you'll have bots brute forcing their way in.

Lawrence Cherone

Maybe you could add a $_SESSION[] global variable on the form page. Then check it on your processing page and unset it after execution. Sounds like the simplest way to me, but you should hear out what others suggest. You can find documentation on $_SESSION[] variables here: PHP $_SESSION

de_dux

Add a token to the form when generating the page, and save it into the session.

When you get the POST data, check the token against the one in the session.

And you probably want to use CAPTCHA code to protect yourself from the bots.

msg7086
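All three answers describe the same defence: mint a secret on the page that renders the form, keep it in the session, echo it into a hidden input, and have the processor refuse to do anything until the submitted copy matches. The following is an added example written for this thread, not code from any of the answerers. It assumes a two-file layout (form.php renders the form, process.php is the processor the bot was hitting), a 30-minute token lifetime, and the field name csrf_token; all three are choices made here, not anything the question states.

```php
<?php
// Added example: per-form CSRF token issued on the form page, stored in the
// session, and checked by the processor before any email or PayPal redirect.
// Assumptions: files form.php / process.php, field name "csrf_token", 30 min TTL.

declare(strict_types=1);
session_start();

const CSRF_SESSION_KEY = 'membership_csrf';
const CSRF_TTL_SECONDS = 1800; // assumed lifetime: 30 minutes

// Called while rendering form.php: mints a fresh random token and records it
// (with an issue time) in the server-side session.
function csrf_issue(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex-encoded
    $_SESSION[CSRF_SESSION_KEY] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Called by process.php before it does any work. Returns true only if the
// POSTed token matches the one in the session and has not expired.
// The stored token is consumed on every attempt, so a replayed submission
// cannot be retried against the same session.
function csrf_verify(?string $submitted): bool
{
    $stored = $_SESSION[CSRF_SESSION_KEY] ?? null;
    unset($_SESSION[CSRF_SESSION_KEY]); // single use, whether or not it matches

    if ($submitted === null || !is_array($stored)) {
        return false;
    }
    if (time() - $stored['issued'] > CSRF_TTL_SECONDS) {
        return false;
    }
    // hash_equals() compares in constant time, so a mismatch does not reveal
    // how many leading characters were correct.
    return hash_equals($stored['value'], $submitted);
}

// form.php: emit the hidden input alongside the real fields.
function render_form_fragment(): string
{
    $token = htmlspecialchars(csrf_issue(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="process.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="email" name="email" required>'
         . '<button type="submit">Apply</button>'
         . '</form>';
}

// process.php: reject direct hits before sending mail or redirecting.
function handle_submission(array $post): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !csrf_verify($post['csrf_token'] ?? null)) {
        http_response_code(403);
        error_log('membership form: rejected submission without a valid CSRF token from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid or expired form submission.');
    }
    // Only now run the real work: validate the fields server-side,
    // send the emails, then redirect to PayPal.
}

// Usage: in form.php, `echo render_form_fragment();`
//        in process.php, `handle_submission($_POST);`
```

Two design points worth noting. A random per-request token is used instead of the plain session flag suggested in the second answer: a flag is set by visiting the form page once and then satisfies any number of processor hits, whereas a single-use token forces every submission to be preceded by a fresh render of the form, which is also what the error_log line lets you spot in the server logs. The jQuery Validate rules on the client do nothing here; the processor must repeat the required-field checks itself, since a direct POST never runs them. A bot that fetches the form before each submission will still pass this check, which is the gap the answers suggest closing with a CAPTCHA.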