Main page

```php
$_SESSION['uniqid_mt_rand'] = uniqid(mt_rand(), true);
```

Then input form

```html
<input name="hidden_field" type="hidden" id="hidden_field"
value="<?php echo htmlspecialchars( $_SESSION['uniqid_mt_rand'] , ENT_QUOTES, "UTF-8");?>">
```

Then with $.post("_record_comments.php" .... send to _record_comments.php

And in _record_comments.php check if

```php
$_SESSION['uniqid_mt_rand'] == $_POST['hidden_field']
```

Does it help to prevent something? As I understand it, in this case I can be sure that the form is filled in from the website. So if a bot sends the 'form', $_POST and $_SESSION would not be the same?

Andris
  • Look at [CSRF](http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery) - not your invention but you're quite close :-) – Axel Amthor Aug 23 '14 at 08:52
  • As @AxelAmthor noted, this looks more like CSRF protection, which serves a different (but arguably more important) purpose. You might look into [form honeypot fields](http://stackoverflow.com/q/3622433/1093087), as that is aimed more directly at spam prevention. – klenwell Aug 23 '14 at 21:14
  • Seems this text http://nedbatchelder.com/text/stopbots.html is useful – Andris Aug 24 '14 at 04:33
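
An added example, not part of the original question or its comments: one way to issue and check the hidden-field token described in the question, next to the honeypot check that the second comment points to. The helper names, the `csrf_token` session key and the `website` decoy field are assumptions; `$session` and `$post` stand in for `$_SESSION` and `$_POST` so the file runs from the PHP command line.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers. $session / $post are stand-ins for $_SESSION / $_POST.

function issue_token(array &$session): string
{
    // random_bytes() draws from the OS CSPRNG; uniqid(mt_rand(), true) is
    // built from the clock and a non-cryptographic PRNG.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function token_is_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? null;
    $supplied = $post['hidden_field'] ?? null;
    // Reject missing or non-string values. With a plain == comparison, a
    // session with no token and a request with no field are both null
    // and would compare equal.
    if (!is_string($expected) || !is_string($supplied)) {
        return false;
    }
    // hash_equals() compares in constant time and does no type juggling.
    return hash_equals($expected, $supplied);
}

function honeypot_tripped(array $post): bool
{
    // "website" is a decoy input hidden with CSS; a person leaves it empty.
    return isset($post['website']) && $post['website'] !== '';
}

// Constructed sample requests.
$session = [];
$token = issue_token($session);

var_dump(token_is_valid($session, ['hidden_field' => $token]));    // matching token
var_dump(token_is_valid($session, ['hidden_field' => 'guess']));   // wrong token
var_dump(token_is_valid($session, ['hidden_field' => ['x']]));     // array instead of string
var_dump(token_is_valid([], []));                                  // no token issued, no field sent
var_dump(honeypot_tripped(['website' => 'http://spam.example']));  // decoy filled in
var_dump(honeypot_tripped(['website' => '']));                     // decoy left empty
```

The token check ties a submission to a session that loaded the form; the honeypot check is the part aimed at automated submissions.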
