Tag Archives | SQL injection

Protect Forms using Honeypot Laravel Spam Protection Technique

Laravel framework has a powerful protection from CSRF, XSS, and SQL injection, but there is no built-in Laravel spam protection. If you need to protect your form from spam bots, you can use something like Akismet or reCaptcha which provide strong spam protection. OK, but your users maybe don’t like it because of the nag images that may appear from time to time or solving those puzzles to submit the form. For me, I find that the honeypot technique much better in many cases, where there is a hidden field in the form and when submitting that field, a validation rule will validate this field if it’s zero length or not and if the field value length is not zero, that means there is a bot trying to submit the form. Well, let’s get our hands dirty.


Continue Reading →

Laravel Spam Protection

In routes.php, the routes look like this:

Route::get('register', function()
return view('app');

And in the views folder, your registration form or any kind of form will be like this:

{!! Form::open() !!}
{!! Form::label('email', 'Email') !!}
{!! Form::text('email', Input::old('email')) !!}
{!! Form::label('password', 'Password') !!}
{!! Form::password('password') !!}
{!! Form::text('honey_pot', '', array('style' =>'display:none')) !!}
{!! Form::submit('Register') !!}
{!! Form::close() !!}

In the controller file, you should write your validation rules like this:

public function store()
Validator::extend('honey_pot', function ($attribute, $value, $parameters) {
return $value == '';
$rules = array(
'email' => 'required|email',
'password' => 'required',
'honey_pot' => 'honey_pot'
$messages = array('honey_pot' => 'Nothing Here');
$validation = Validator::make(Input::all(), $rules, $messages);
if ($validation->fails()) {
return Redirect::to('register')->withErrors($validation)->withInput();
} else {
return "Awesome!!";

Don’t forget to add the use statements at the top of the controller file:

use Validator;
use Input;

In the above validation, we’ve created a new validator called honey_pot that checks for the field honey_pot and if the field is not empty, the rule will return false.

Now if any spambot tries to fill the form, it will fall in the honeypot field which should be zero length.

Creating a Middleware

You can apply this laravel spam protection technique for all Laravel forms, you can make a middleware to check for POST request if the honey_pot field is zero length or no.

First, create the middleware:

php artisan make:middleware HoneyBot

Then check for the honey_pot field in the middleware like this:

public function handle($request, Closure $next)
if($request->isMethod('POST') && count($request->honey_pot) != 0 ){
return redirect('register');
return $next($request);

And don’t forget to apply your middleware, you can apply it globally to all request by adding the middleware to the middleware array in app/HTTP/kernel.php  file.


Now you can remove the validation rules from the form and rely on the middleware Great!!

Another Solution

Some spam bots may be clever enough to detect those hidden fields and never touch it, so what is the solution for this?

Well, you can add another hidden field that carries the time of the form submission and when the user or the bot submits the form, you can check the time difference between the render time and the submissions time, if it’s less than three seconds or so, that means the submission comes from a spam bot.

There are ready to use packages for this purpose, but as you can see, the solution is in one simple line.

Again, I’m not saying that Google reCaptcha is not a good option, it’s actually an awesome option. If you have the chance to use it, don’t hesitate.

I hope you find the post useful. Keep coming back.

Thank you.



How to prevent SQL injection attacks?

Before we talk about how to prevent SQL injection, we have to know the impact of SQL Injection attack which is one of the most dangerous attacks on the web. The attacker can steal your data or even worse, the whole web server can be stolen from one SQL injection vulnerability. I wrote this post to show you how to prevent SQL injection. If you need to know more about SQL injection itself and its types and all other stuff, you can do a simple search on google if you want. The solution is to clean the request parameters coming from the user . Keep in mind that the solution that I’ll share with you is not like the most solutions on the web that go to every SQL statement and clean the request variables one by one.

Continue Reading →

My solution is preventing SQL injection without messing with your CMS files. Well, maybe someone who is using PHP would say that is easy, it is just using a function like mysql_real_escape_string or mysqli_real_escape_string. But that works only on a single dimensional array, what about a multi-dimensional array? Well, we need to iterate over array items recursively. So what we will do is preventing SQL injection against a multidimensional array.


This code does the magic for both single and multidimensional arrays using PHP:

if (!function_exists("clean")) {
//Gets the current configuration setting of magic_quotes_gpc if on or off
if (get_magic_quotes_gpc()) {
function magicquotes_Stripslashes(&$value, $key) {
$value = stripslashes($value);
$gpc = array(&$_COOKIE, &$_REQUEST);
array_walk_recursive($gpc, 'magicquotes_Stripslashes');
function clean(&$value, $key) {
//here the clean process for every array item
// use mysqli_real_escape_string instead if you use php 7
$value = mysql_real_escape_string($value);
$req = array(&$_REQUEST);
array_walk_recursive($req, 'clean');

The PHP function used to walk through the request multidimensional array is array_walk_recursive.

Just put this code on the top of your site or header file right after connecting to the database, your file could be up.php or header.php or something similar.

Because if you use this code before the connection occurs, it will show an error because you are using mysql_real_escape_string function which needs a SQL connection.

If you are using PHP 7, you’ll notice that MySQL extension is removed, so in order to make the above code working, you need to replace the function mysql_real_escape_string with mysqli_real_escape_string.

One final thing I have to mention regarding your code, you should keep your SQL parameters on all of your pages between quotes like this:

mysql_query("select * from users where email='$email' order by id");

Notice how the variable $email is quoted.

Without quoting your input like the above statement, SQL injection prevention won’t work.