How to implement verification code and prevent bot attacks in PHP project?

How to implement verification code and prevent robot attacks in PHP projects?

With the development and popularity of the Internet, more and more websites and applications are beginning to be threatened by robot attacks. In order to protect user information security and provide a good user experience, developers need to implement verification codes and measures to prevent bot attacks in their projects. This article will introduce how to implement verification codes and prevent bot attacks in PHP projects.

1. Implementation of verification code
Verification code is a common method to prevent robot attacks. Users need to enter a verification code when logging in or registering to confirm their identity.

1. Generate verification code images
   PHP provides a wealth of graphics processing functions that can be used to generate verification code images. The following is a sample code:

session_start();
$code = rand(1000,9999);
$_SESSION['code'] = $code;

$width = 100; // 验证码图片宽度
$height = 30; // 验证码图片高度
$image = imagecreatetruecolor($width, $height);

$bgColor = imagecolorallocate($image, 255, 255, 255);
$textColor = imagecolorallocate($image, 0, 0, 0);

imagefilledrectangle($image, 0, 0, $width, $height, $bgColor);

imagettftext($image, 20, 0, 10, $height/2, $textColor, 'path/to/font.ttf', $code);

header('Content-Type: image/png');
imagepng($image);
imagedestroy($image);

2. Verify user input
   When the user submits the form, compare the verification code entered by the user with the generated verification code to determine whether the user has entered correct. The following is a sample code:

session_start();
$code = $_SESSION['code'];

$userInput = $_POST['code'];

if ($userInput == $code) {
    // 验证码输入正确，继续处理用户提交的数据
} else {
    // 验证码输入错误，给用户一个提示
    echo "验证码输入错误";
}

2. Implementation of preventing robot attacks
The verification code can only prevent simple robot attacks. In order to better prevent robot attacks, we can also take the following measures :

1. Add hidden field
   Add a hidden field in the form, and then check on the server side whether the value of the field is empty. Since bots often automatically populate form fields, they populate this field as well, revealing their identity as bots.

<input type="hidden" name="isHuman" value="">

if (!empty($_POST['isHuman'])) {
    // 非机器人提交，继续处理用户提交的数据
} else {
    // 机器人提交，停止处理并给用户一个提示
    echo "请不要使用机器人进行提交";
}

2. Check request frequency
   Determine whether the user is a robot based on the frequency of user requests. For example, if an IP address continuously sends a large number of requests in a short period of time, it can be determined to be a robot. You can record the timestamp and IP address of user requests, and then formulate corresponding policies based on actual needs.

session_start();
$ip = $_SERVER['REMOTE_ADDR'];
$timestamp = time();

$requests = $_SESSION['requests'];
if (!$requests) {
    $requests = [];
}

// 添加新的请求记录
$requests[] = ['ip' => $ip, 'timestamp' => $timestamp];

// 清理过期的请求记录
foreach ($requests as $key => $request) {
    if ($timestamp - $request['timestamp'] > 60) {
        unset($requests[$key]);
    }
}

$_SESSION['requests'] = $requests;

if (count($requests) > 10) {
    // 用户请求频率过高，判定为机器人攻击，给用户一个提示
    echo "您的请求过于频繁，请稍后再试";
} else {
    // 用户请求正常，继续处理用户提交的数据
}

Through the combined application of the above measures, the effect of verification code and preventing robot attacks can be better achieved in PHP projects. Developers can flexibly adjust the form and verification rules of the verification code, as well as the determination conditions of robot attacks, according to specific needs, to improve system security and user experience.

The above is the detailed content of How to implement verification code and prevent bot attacks in PHP project?. For more information, please follow other related articles on the PHP Chinese website!