kim/defender
Composer 安装命令:
composer require kim/defender
包简介
Fend off spam bots by using randomized input names / honeypots.
README 文档
README
This package helps you fend off spam bots by using randomized input names and honeypots.
Introduction
Spam is a huge problem for the Web. Form-filling bots read the form presented to them and automatically fill out the fields. Another type of bot record the POST data and replay it back to the submission URL. This package helps fend off these bots with minimal effort.
The package randomizes the input names so that bots cannot make educated guesses. Example:
Before: <input type="text" name="username">
After: <input type="text" name="neeS9dJDeQCbNvN3lgyxIkdQ6R1l2GHEEnmt">
In addition to this, this package allows you to add a random number of hidden inputs aka "honeypots" (or bait). Your regular users would never see these, but the bots do. Bots tend to fill out all inputs so you can then easily reject any forms that have the "bait" inputs filled out.
By doing this, bots will struggle to decipher your form, record the POST data, and spam your site.
Installation
To install this package, just follow these quick and easy steps.
Composer
Pull this package through composer by opening composer.json file and adding this within require:
"kim/defender": "~1.0"
Afterward, run either composer update or composer install.
Providers and Aliases
Next, open config/app.php and add this to your providers array:
Kim\Defender\DefenderServiceProvider::class
and this to your aliases array:
'Defender' => Kim\Defender\DefenderFacade::class
Usage
Creating Input Fields
Normally, this is how you would create a username input field:
<input type="text" name="username">
However, we want to randomize the name, and to do so, we use the Defender facade:
<input type="text" name="{{ Defender::username() }}">
Here are some other common inputs (like email and password) that are all built-in to the package.
<input type="email" name="{{ Defender::email() }}"> <input type="password" name="{{ Defender::password() }}">
You can also easily create your own custom type by using the get method and passing in the name of your input.
<input type="text" name="{{ Defender::get('custom') }}"> <textarea name="{{ Defender::get('message') }}"></textarea> <input type="date" name="{{ Defender::get('some_date_field') }}">
With that said, I'm sure a lot of you are wondering how you retrieve the values if the names are all randomized. That's easy. In your controller, you can easily retrieve these values by using the same methods.
Example Controller:
// Import it at the top
use Defender;
public function example(Request $request)
{
$email = $request->input( Defender::email() );
$username = $request->input( Defender::username() );
$custom = $request->input( Defender::get('custom') );
}
Honeypots
This is all great, but to make it even more bulletproof, we need some honeypots. These are editable fields that are invisible to people. If bots fill them out, then we know to reject the submission. We can create honeypots in multiple ways.
The most basic method is by using the baitToken method. This simply creates a randomized token as bait. However, it does not hide the field. I recommend using JavaScript or CSS to hide this input.
<input type="text" name="{{ Defender::baitToken() }}"> <!-- Output: <input type="text" name="some_random_string"> -->
The baitField method creates a random type of input (text, email, password, radio, checkbox, etc.). A random styling is also applied that hides these inputs.
{{ Defender::baitField() }}
<!-- Output: <input type="random_type" name="some_random_string" style="random_styling_that_hides_this"> -->
Finally, we have the baitFields method. This not only creates a random input field, but it also creates a random number of input fields.
{{ Defender::baitFields() }}
<!-- Output x1 to x5: <input type="random_type" name="some_random_string" style="random_styling_that_hides_this"> -->
The baitFields method also accepts an integer argument. For example, Defender::baitFields(20) will output anywhere from 1 to 20 hidden baits.
Validating & Rejecting
You use the same methods to validate the fields.
// Import the Defender facade
use Defender;
// Add to the rules
public function rules()
{
return [
Defender::username() => 'required'
];
}
As for rejecting the honeypots, the simplest way to do this is by adding the packages's DefendAgainstSpam middleware. To do this, open app/Http/Kernel.php, and add the middleware to either the $middleware or $routeMiddleware arrays. If you add it to the $middleware array, then this package will check the honeypots in every single request. This is the easiest way to handle it. However, if you would like to apply the middleware to specific routes, then you need to add it to your $routeMiddleware array. Both examples are demonstrated below.
// Add here if you want to automatically check all routes
protected $middleware = [
...
\Kim\Defender\Middleware\DefendAgainstSpam::class
];
// Add here if you want to manually check specific routes
protected $routeMiddleware = [
'defend' => \Kim\Defender\Middleware\DefendAgainstSpam::class
];
If you added it to $routeMiddleware, you now need to manually check specific routes so change your routes file to reflect that.
Route::get('/example', [
'as' => 'example'
'middleware' => 'defend',
'uses' => 'ExampleController@store'
]);
If the middleware catches a potential spammer, it will throw an InvalidFormException. You can catch this inside your app/Exceptions/Handler.php file and do whatever you want.
public function render($request, Exception $e)
{
if ($e instanceof \Kim\Defender\Exceptions\InvalidFormException) {
// This example just redirect them back home. However, you probably
// also want to do other things like: log the time, ip, etc.
return redirect('/');
}
return parent::render($request, $e);
}
Finally, for those who don't want to use the middleware, you can use the custom validation rule, 'reject'.
public function rules()
{
$rules = [
// Your rules..
];
// We reject the bait here
foreach (Defender::bait() as $bait) {
$rules[$bait] = 'reject';
}
return $rules;
}
License
This package is free software distributed under the terms of the MIT license.
kim/defender 适用场景与选型建议
kim/defender 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 564 次下载、GitHub Stars 达 10, 最近一次更新时间为 2015 年 10 月 11 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「php」 「laravel」 「Honeypot」 「spam prevention」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 kim/defender 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 kim/defender 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 kim/defender 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide Honeypot spam protection for SilverStripe CMS.
Security plugin for Filament v5 - Disposable email blocking, honeypot protection, and Cloudflare IP blocking
Prevent & track spam that's been submitted through public facing forms
A jQuery augmented PHP library for creating and validating HTML forms
Honeypot solution for Symfony forms.
Umfassendes Anti-SPAM Bundle für Contao Formulare mit ALTCHA Captcha, IP-Blacklist, Content-Analyse und Multi-Layer-Schutz
统计信息
- 总下载量: 564
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 10
- 点击次数: 26
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2015-10-11