Based on recent discussions in other threads, I thought up this technique to prevent ‘bot submissions that directly call the page (instead of first requesting the form page) and also prevents repeat form submissions via the browser refresh function. Just curious if anyone sees any possible problems with this, or any useful enhancem

==========================================

<?php
session_start();

$errors = array();
$result = null;

// handle form submissions
if(isset($_POST['test']))
{
    // make sure the hidden field value matches the session value.
    // Compare with !== rather than != : with != PHP treats two numeric-looking
    // strings as numbers, so two different tokens such as "0e123" and "0e456"
    // would compare equal.
    if(empty($_POST['nogdog'])
       or empty($_SESSION['nogdog'])
       or $_POST['nogdog'] !== $_SESSION['nogdog'])
    {
        $errors[] = "Either this was a duplicate submission, your browser " .
                    "does not support cookies, or you are a robot script " .
                    "trying to spam me.";
    }
    // go ahead and process the form
    else
    {
        $result = trim($_POST['test']);
    }
}

// set a new random value for the session and hidden field values.
// This runs on every page load, so a browser refresh that re-posts the
// previous form carries a stale token and fails the check above.
$nogdog = uniqid();
$_SESSION['nogdog'] = $nogdog;
?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Test Form</title>
</head>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>" method="post">
<fieldset>
<legend>test</legend>
<input type="text" name="test" size="20" maxlength="20">
<input type="submit" value="Submit">
<input type="hidden" name="nogdog" value="<?php echo htmlspecialchars($nogdog); ?>">
</fieldset>
</form>
<?php
// show results:
if(!empty($errors))
{
    foreach($errors as $err)
    {
        echo "<p class='error'>$err</p>\n";
    }
}
if(!empty($result))
{
    echo "<p>You entered: '".htmlentities($result)."'</p>\n";
}
?>
</body>
</html>
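A hardened variant of the same hidden-field/session nonce, added here as an example and not part of the original post. It keeps the idea (the token in the hidden field must match a token held in the session) but draws the token from random_bytes() instead of the time-based uniqid(), compares with hash_equals() instead of !=, allows several outstanding tokens so a user with two tabs open is not wrongly told "duplicate submission", and deletes a token the moment it is accepted so a refresh or replayed POST is rejected. The function names, the 30-minute lifetime and the 20-token cap are assumptions; the self-test uses a plain array in place of $_SESSION and runs from the command line.

```php
<?php
// Added example, not the original poster's code: a hardened form of the
// hidden-field/session nonce above. Names, FORM_TOKEN_TTL and
// FORM_TOKEN_MAX are assumptions chosen for the example.
declare(strict_types=1);

const FORM_TOKEN_TTL = 1800; // seconds a rendered form stays valid
const FORM_TOKEN_MAX = 20;   // outstanding tokens kept per session

// Issue a fresh one-time token and record it (with its issue time) in $session.
// In the real page pass $_SESSION; the self-test below passes a plain array.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits of CSPRNG output, hex, safe in HTML
    $session['form_tokens'][$token] = time();
    // Keep a client that reloads the form forever from growing the session.
    while (count($session['form_tokens']) > FORM_TOKEN_MAX) {
        $oldest = array_key_first($session['form_tokens']);
        unset($session['form_tokens'][$oldest]);
    }
    return $token;
}

// Validate and consume a submitted token. Returns true at most once per token.
function consume_form_token(array &$session, $submitted): bool
{
    if (!is_string($submitted) || empty($session['form_tokens'])) {
        return false;
    }
    foreach ($session['form_tokens'] as $token => $issued) {
        $token = (string) $token;
        if (hash_equals($token, $submitted)) {
            unset($session['form_tokens'][$token]); // one-time: removed even if expired
            return (time() - $issued) <= FORM_TOKEN_TTL;
        }
    }
    return false;
}

// Why "!=" in the original is risky: PHP compares two numeric-looking strings
// numerically, so these two different hex tokens are "equal" under == but not
// under hash_equals(). Returns true when the demonstration holds.
function loose_compare_demo(): bool
{
    $a = '0e1234567890123';
    $b = '0e9876543210987';
    return ($a == $b) && !hash_equals($a, $b);
}

// Self-test: php form_token.php
function self_test(): void
{
    $session = [];
    $t1 = issue_form_token($session);   // form rendered in tab 1
    $t2 = issue_form_token($session);   // form rendered in tab 2
    $checks = [
        'tab 2 post accepted'    => consume_form_token($session, $t2),
        'tab 2 refresh rejected' => !consume_form_token($session, $t2),
        'tab 1 still accepted'   => consume_form_token($session, $t1),
        'forged token rejected'  => !consume_form_token($session, 'deadbeef'),
        'missing token rejected' => !consume_form_token($session, null),
        'loose == is unsafe'     => loose_compare_demo(),
    ];
    foreach ($checks as $name => $ok) {
        if (!$ok) {
            throw new RuntimeException("check failed: $name");
        }
    }
    echo "all checks passed\n";
}

if (PHP_SAPI === 'cli') {
    self_test();
}
```

To wire this into the page above: after session_start(), replace the `$nogdog = uniqid(); $_SESSION['nogdog'] = $nogdog;` pair with `$nogdog = issue_form_token($_SESSION);`, and in the POST branch replace the three-way empty()/!= test with `if (!consume_form_token($_SESSION, $_POST['nogdog'] ?? null))`. The ordering is unchanged: the submitted token is checked (and burned) before a new one is issued for the re-rendered form. Note what this does and does not buy you: it stops direct POSTs that never loaded the form, refresh re-submissions and replays of a captured request, but a script that first fetches the form with a cookie jar receives a valid token like any browser, so it raises the bar for bots rather than excluding them.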
