使用CSRF表单令牌是否有助于预防垃圾邮件？ [英] Does using CSRF form tokens help spam prevention?

问题描述

我正试图阻止机器人（可能）向我的php注册文件提交虚假数据。我正在创建一个使用注册/登录系统的网站，我想添加我能够提供的电子邮件验证。但是问题是我的虚拟主机每分钟只允许 x 电子邮件数量，如果一个机器人要发送垃圾邮件，这不仅会使我的数据库充满垃圾邮件帐户，而且我也会

我一直在阅读有关保护表单的信息，CSRF出现了，这是我不熟悉的术语。

这是我目前对CSRF预防的令牌方法的理解；

• 包含表单的页面已加载，创建令牌。将令牌存储在 SESSION 或cookie中。




• 运行处理注册的PHP文件时，它将检查令牌。如果表单中提交的表单不匹配（或者 SESSION 中未设置令牌），则请求为垃圾邮件。

我不明白为什么该漫游器不能简单地从HTML表单中获取令牌并提交。我知道它每次都会改变，难道不是每次都能抓住它吗？

我认为该机器人只会使用CurL或类似的方式提交数据来绕过需要实际提交HTML表单，而不是直接将数据发送到PHP文件。

我的问题本质上是，为什么以及如何防止bot提交我的注册？形式（或与此形式相关的任何形式）。

解决方案

我的问题本质上是，为什么以及如何

不是。

不是。

>

CSRF代表 跨站点请求伪造，此类令牌有助于防止这种情况-用户被诱骗从提交表单网站，该网站与垃圾邮件无关。

为了防止垃圾邮件，您应该使用验证码挑战某种。

I am trying to stop bots from (potentially) submitting fake data to my php registration file. I am creating a site that uses a signup/login system and I want to add email verification which I am capable of. However the problem is my webhost only allows x amount of emails per minute, if a bot were to spam this not only will my database be filled with spam accounts but I will also be suspended for breaking the email limit.

I have been reading up about securing forms and CSRF came up, a term I am not familiar with.

This is my current understanding of the 'token method' of CSRF prevention;

• When the page containing the form is loaded create a token. Store the token in a SESSION or cookie.

• When the PHP file that handles the registration is run, it will check for the token. If the one submitted in the form doesn't match (or if the token isn't set in SESSION) the request is spam.

I don't understand why the bot can't simply get the token from the HTML form and submit it. I understand it changes every time, can it not just grab it each time?

I assume the bot would just submit the data using CurL or something of the sort to bypass the need to actually submit the HTML form and instead send the data straight to the PHP file.

My question is essentially, why and how does this method prevent against bots submitting my registration form (or any form for that matter).

解决方案

My question is essentially, why and how does this method prevent against bots submitting my registration form (or any form for that matter).

It doesn't.

CSRF stands for "Cross-Site Request Forgery" and such tokens help prevent exactly that - a user being tricked into submitting a form from another site to yours, which has nothing to do with spam.

For spam prevention, you should be using a CAPTCHA challenge of some sort.

这篇关于使用CSRF表单令牌是否有助于预防垃圾邮件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！