Protecting web forms from spam without CAPTCHA - 2: Botobor

    Three years ago an article was published on Habr, “Form Spam Bot Blocker: Protecting Web forms without CAPTCHA!”, describing a solution for protecting PHP forms from spambots that is fundamentally different from CAPTCHA. That solution is based on the ideas set out by Phil Haack in Honeypot Captcha and by Ned Batchelder in Stopping spambots with hashes and honeypots. Unfortunately, the class proposed in that article was written for PHP4 and has not been developed since 2007. I want to bring to your attention its counterpart in PHP5.


    Botobor is a library written in PHP 5.0, designed to protect web forms from being filled in by robots. The methods it uses are invisible to human visitors.

    To identify robots, Botobor uses the following checks:

    • mismatch between the REFERER value and the URL on which the form is located;
    • too small a gap between displaying the form and submitting it (configurable);
    • too large a gap between displaying the form and submitting it (configurable);
    • a bait field being filled in.

    By default, all checks are used, but the developer has the ability to disable any of them.


    Simple example

    A snippet of code that creates the form:
    require 'botobor.php';
    // Get the form markup in whatever way your project provides, for example:
    $html = $form->getHTML();
    // Create the wrapper object:
    $bform = new Botobor_Form($html);
    // Get the new form markup:
    $html = $bform->getCode();

    A snippet of code that processes the form data:
    require 'botobor.php';
    if (Botobor_Keeper::isHuman()) {
        // The form was submitted by a person; it can be processed.
    }

    Form customization example

    A snippet of code that creates the form:
    // let $html contain the form code
    $bform = new Botobor_Form($html);
    // disable bait fields
    $bform->setCheck('honeypots', false);
    // set the lower limit for filling out the form to 2 seconds
    $bform->setDelay(2);
    // set the upper limit for filling out the form to 60 minutes
    $bform->setLifetime(60);
    $html = $bform->getCode();

    Otherwise, everything is the same as in the first example.

    What is inside?

    What Botobor does with the form code

    The Botobor_Form constructor accepts the HTML code of the form. Directly after the form's opening tag it adds a hidden (display: none) block containing input[type=hidden] elements with the form's metadata. This metadata stores signed information about the time the form was created, the options that were set, and so on. Botobor can also insert bait fields into the same hidden block.

    Bait Fields

    Bait fields are designed to catch spider robots that find forms on their own. Such robots, as a rule, look for familiar fields in the form (for example, name) and fill them in. Botobor can add fields with such names to the form, hidden from the person using CSS. A person leaves these fields empty (simply because they do not see them), while a robot fills them in and thereby gives itself away.

    By default, the form code is searched for fields with any of the following names: "name", "mail", "email" (the list is configurable). For each field found, its name is changed to a randomly generated combination of characters, and a field hidden with CSS is created with the original name.

    The reverse name conversion is performed during the call to Botobor_Keeper::handleRequest() or Botobor_Keeper::isHuman().
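
    To make the mechanism concrete, here is an added stand-alone Python sketch of the same four checks; it is not Botobor's code, and the names protect_form, is_human, the _meta field and the demo secret are assumptions. The form's opening tag receives a hidden block with HMAC-signed metadata and a bait field under the original name, the visible field is renamed to a random alias, and the handler checks the Referer, the delay, the lifetime and the bait field before mapping the alias back.

```python
import base64, hashlib, hmac, json, re, secrets

SECRET = b"constructed-demo-secret"          # assumption: server-side key, never sent to the browser
HONEYPOT_NAMES = ("name", "mail", "email")   # the article's default bait-field names
def sign(payload: dict) -> str:             # metadata + HMAC tag, so the client cannot alter it
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
def verify(token: str):                     # metadata dict if the tag is valid, else None
    body, _, tag = token.rpartition(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(good, tag) else None

def protect_form(html: str, now: float, delay: int = 2, lifetime: int = 3600) -> str:
    """Rename bait fields to random aliases, then inject hidden metadata and bait inputs."""
    aliases = {}                            # original name -> random alias shown to the person
    def rename(m):
        aliases[m.group(1)] = alias = "f" + secrets.token_hex(8)
        return m.group(0).replace(f'name="{m.group(1)}"', f'name="{alias}"', 1)
    html = re.sub(r'<input\b[^>]*\bname="(' + "|".join(HONEYPOT_NAMES) + r')"[^>]*>', rename, html)
    meta = sign({"created": now, "delay": delay, "lifetime": lifetime, "aliases": aliases})
    block = ('<div style="display:none"><input type="hidden" name="_meta" value="%s">' % meta
             + "".join('<input type="text" name="%s" value="">' % o for o in aliases) + "</div>")
    return re.sub(r"<form\b[^>]*>", lambda m: m.group(0) + block, html, count=1)

def is_human(post: dict, now: float, referer: str, form_url: str):
    """Apply the four checks; on success return (True, post with the original field names)."""
    meta = verify(post.get("_meta", ""))
    if meta is None or referer != form_url:           # forged/missing metadata, wrong Referer
        return False, None
    elapsed = now - meta["created"]
    if elapsed < meta["delay"] or elapsed > meta["lifetime"]:   # too fast or expired
        return False, None
    if any(post.get(bait) for bait in meta["aliases"]):         # a hidden bait field was filled
        return False, None
    cleaned = {k: v for k, v in post.items() if k != "_meta" and k not in meta["aliases"]}
    for original, alias in meta["aliases"].items():             # reverse the renaming
        cleaned[original] = cleaned.pop(alias, "")
    return True, cleaned

def demo():
    """Constructed form plus submissions from a person, a bait-filling bot, and tampering."""
    url = "https://example.test/contact"
    html = protect_form('<form action="/send"><input type="text" name="email"></form>', now=1000.0)
    alias = re.search(r'name="(f[0-9a-f]{16})"', html).group(1)
    meta = re.search(r'name="_meta" value="([^"]+)"', html).group(1)
    person = {"_meta": meta, alias: "a@example.test", "email": ""}
    bot = {"_meta": meta, alias: "x", "email": "spam@example.test"}
    return (is_human(person, 1005.0, url, url), is_human(bot, 1005.0, url, url)[0],
            is_human(person, 1000.5, url, url)[0], is_human(person, 9000.0, url, url)[0],
            is_human(dict(person, _meta=meta + "0"), 1005.0, url, url)[0])
```

    In demo() only the first submission is accepted; the bot, the too-fast and expired submissions, and the one with a tampered signature are all rejected.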

    I would be glad if this comes in handy for someone.
