My web application has three possible input fields, two of which are required and one of which is optional. They are $_POST['name'] (required), $_POST['message'] (required), and $_POST['identity'] (optional).

In order to stop spambots from posting, I thought about making a "honeypot" of various fake inputs that a spambot might use (e.g. $_POST['username'], $_POST['url']). If some connection were to POST to these, the script would die on them. I could make something like this pretty easily, but the size of my script is a major concern and specifying dozens of honeypot inputs would require more space than I am willing to use.

Instead, I think it makes more sense in my case to have a "reverse honeypot," i.e. have the script die if anything except the three true input fields is POSTed. But I don't know a technique for that, and I don't know if it would cause other problems.

Is there a way for me to specify in PHP that the script should die if anything other than $_POST['name'], $_POST['message'], and $_POST['identity'] is sent? Would doing this cause problems I have not foreseen?

asmask
  • I think you should research how spam form fillers and "honeypots" actually work, with particular attention to how to either make the spam believe it has successfully filled in a form or to return an error that the form filling failed (such as a 404) without the back end completing the transaction. – Martin Oct 13 '20 at 22:07

1 Answer

Use array_keys() to get all the keys of the $_POST array. Subtract the ones that are allowed, and check if there are any keys remaining.

$allowed_fields = ["name", "message", "identity"];
if (!empty(array_diff(array_keys($_POST), $allowed_fields))) {
    die("You're a spammer!");
}

Barmar
  • It might be better, instead of using `die` (with or without a message), to return an error 500, such as by this answer: https://stackoverflow.com/a/4162254/5075276 because this will give the least possible information to the spammers. – cazort Nov 06 '21 at 13:48
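The allowlist check from the answer, carried through as a complete script with the required-field check the question also needs. This is an added example, not the answer's or the asker's code; the field names come from the question, while the helper names (`unexpected_fields`, `missing_required`) and the sample submissions are my own, constructed so the script runs offline in place of a real `$_POST`.

```php
<?php
// Added example (not the answer's code): validate a submission against an
// allowlist of expected field names, as the answer describes with
// array_keys() + array_diff(). Helper names and sample data are constructed.

/**
 * Return the submitted field names that are not in $allowed.
 * An empty array means the request carries only expected fields.
 */
function unexpected_fields(array $post, array $allowed): array
{
    // array_diff keeps the entries of the first array that are absent from
    // the second, so the result is exactly the set of unexpected keys.
    return array_values(array_diff(array_keys($post), $allowed));
}

/**
 * Return the required field names that are missing or blank.
 */
function missing_required(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

$allowed  = ['name', 'message', 'identity']; // everything the real form sends
$required = ['name', 'message'];

// Constructed sample submissions standing in for $_POST.
$samples = [
    'legitimate' => ['name' => 'Alice', 'message' => 'Hello', 'identity' => ''],
    'bot'        => ['name' => 'x', 'message' => 'buy', 'url' => 'http://example.invalid'],
    'incomplete' => ['name' => 'Bob'],
];

foreach ($samples as $label => $post) {
    $extra   = unexpected_fields($post, $allowed);
    $missing = missing_required($post, $required);
    printf("%-10s extra=%s missing=%s\n", $label,
        json_encode($extra), json_encode($missing));
}
// Prints:
//   legitimate extra=[] missing=[]
//   bot        extra=["url"] missing=[]
//   incomplete extra=[] missing=["message"]

// In the real handler, reject with a bare status code rather than a message
// (the comment above suggests 500; 400 is the semantically accurate choice,
// either gives an automated submitter nothing to learn from):
//
// if (unexpected_fields($_POST, $allowed) !== []
//     || missing_required($_POST, $required) !== []) {
//     http_response_code(400);
//     exit;
// }
```

Two things to check before deploying this: if the form's submit button has a `name` attribute, browsers send it as a POST field too, so it must be in `$allowed` or every legitimate submission is rejected; and the check only catches submitters that post fields the form never had, so a bot that sends exactly `name`, `message` and `identity` passes it and still needs the usual validation behind it.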