Three years ago, the article “Form Spam Bot Blocker: Protecting Web Forms without CAPTCHA!” was published on Habr. It describes a PHP solution for protecting forms against spam bots that is fundamentally different from CAPTCHA. That solution is based on the ideas outlined by Phil Haack in Honeypot Captcha and by Ned Batchelder in Stopping spambots with hashes and honeypots. Unfortunately, the class proposed in the article was written for PHP4 and has not been developed since 2007. I want to bring to your attention its counterpart in PHP5.
Botobor
Botobor is a library written in PHP 5.0, designed to protect web forms from being filled out by robots. The methods it uses are invisible to human visitors.
To identify robots, Botobor uses the following checks:
- a mismatch between the REFERER value and the URL where the form is located;
- too short an interval between showing the form and submitting it (configurable);
- too long an interval between showing the form and submitting it (configurable);
- a filled-in bait field.
By default, all checks are used, but the developer has the ability to disable any of them.
Examples
Simple example
Code snippet creating the form:
require 'botobor.php';
...
// Get the form markup the way your project does it, for example:
$html = $form->getHTML();
// Create a wrapper object:
$bform = new Botobor_Form($html);
// Get the new form markup:
$html = $bform->getCode();
Code snippet processing the form data:
require 'botobor.php';
...
if (Botobor_Keeper::isHuman())
{
    // The form was sent by a person, you can process it.
}
Form Setup Example
Code snippet creating the form:
// let $html contain the form code
$bform = new Botobor_Form($html);
// disable the bait fields
$bform->setCheck('honeypots', false);
// set the lower limit for filling in the form to 2 seconds
$bform->setDelay(2);
// set the upper limit for filling in the form to 60 minutes
$bform->setLifetime(60);
$html = $bform->getCode();
Otherwise, everything is the same as in the first example.
What's inside?
What does Botobor do with the form code?
The Botobor_Form constructor accepts the HTML code of the form. Right after the opening <form> tag, Botobor inserts a hidden (display: none) <div> containing input[type=hidden] with the form's metadata. This metadata stores signed information about the time the form was created, the options set, etc. Botobor can also insert bait fields into the same hidden block.
Bait fields
The bait fields are designed to catch crawler robots that find forms on their own. Such robots, as a rule, look for familiar fields (for example, name) in the form and fill them in. Botobor can add fields with such names to the form, hidden from a person by means of CSS. A person will leave these fields empty (since they simply will not see them), while the robot will fill them in and thereby give itself away.
By default, Botobor searches the form code for fields with any of the following names: “name”, “mail”, “email” (the list is customizable). For each field found, the name is changed to a randomly generated combination of characters, and a field with the original name, hidden by means of CSS, is created.
The reverse name conversion is done during the call to the Botobor_Keeper::handleRequest() or Botobor_Keeper::isHuman() method.
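The mechanism described above (signed metadata carrying the form's creation time, the delay and lifetime limits, and the bait fields) can be sketched as follows. This is an added example, not Botobor's own code: the function names, the "meta" field name and the key are hypothetical, the limits are in seconds, and PHP 7.1+ is assumed.

```php
<?php
// Added illustration, not Botobor's code; all names and the key are hypothetical.
const FORM_SECRET = 'constructed-demo-key'; // assumption: a random key kept on the server

// Value for the hidden input: creation time and limits, signed with HMAC-SHA256.
function makeFormMeta(int $created, int $delay, int $lifetime): string
{
    $payload = base64_encode(json_encode(compact('created', 'delay', 'lifetime')));
    return $payload . '.' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Returns null when the submission passes, otherwise the reason it was rejected.
function checkSubmission(array $post, int $now, array $baitNames = ['name', 'mail', 'email']): ?string
{
    $raw = $post['meta'] ?? null;
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2) {
        return 'metadata missing';
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; a client that edits the timestamp or limits fails here.
    if (!hash_equals(hash_hmac('sha256', $payload, FORM_SECRET), $mac)) {
        return 'bad signature';
    }
    $meta = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($meta)) {
        return 'metadata unreadable';
    }
    $age = $now - $meta['created'];
    if ($age < $meta['delay']) {
        return 'submitted too fast';
    }
    if ($age > $meta['lifetime']) {
        return 'form expired';
    }
    foreach ($baitNames as $bait) {
        if (($post[$bait] ?? '') !== '') {
            return "bait field '$bait' filled";
        }
    }
    return null;
}

// Constructed submissions: the real name travels under a random field name, "name" is the bait.
$t0 = 1700000000;
$meta = makeFormMeta($t0, 2, 3600);
var_dump(checkSubmission(['meta' => $meta, 'x7kq2' => 'Alice', 'name' => ''], $t0 + 30)); // human
var_dump(checkSubmission(['meta' => $meta, 'x7kq2' => 'Bot', 'name' => 'Bot'], $t0 + 30)); // bait filled
var_dump(checkSubmission(['meta' => $meta, 'name' => ''], $t0 + 1));                      // 1 s after render
var_dump(checkSubmission(['meta' => 'A' . $meta, 'name' => ''], $t0 + 30));               // tampered metadata
```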
I would be glad if this comes in handy for someone.