Need non-recaptcha captcha check for website - javascript disabled on client browsers - fight spam orders

Question

I'm trying to figure out how to beat the robot scripts at their own game without using Re-Captcha.

What I would like to do in PHP is determine if the previous URL is from the same website and page cart.php, (i.e. https://www.thissite.com/cart.php) since I think they are submitting the form through robot script into the address page.

Is my theory right? Will this actually work?

If the previous URL is not matching the website address, dump them to google.com. Can this redirection be done without using headers?

Answer 1

In my opinion, the best way to verify if a form is submitted by a robot or not is to have a non-required form element that is positioned absolutely, and far outside of the viewport. A regular user would not attempt to fill in this field, while a bot would.

#robot {
  position: absolute;
  left: -9000px;
}

<form>
  <input type="text" name="firstname" placeholder="First Name" required><br /><br />
  <input type="text" name="lastname" placeholder="Last Name" required><br /><br />
  <input id="robot" type="text" name="robot">
  <input type="submit" value="Submit">
</form>

In the form above, a true user would only see the first and last name fields. They'd have no reason to suspect there was an invisible robot field. Conversely, a robot would read the DOM, see a named <input>, and attempt to fill it out.

You can then check for the presence of this field in your form submission:

if (!isset($_POST['robot'])) {
  // Legitimate submission
}
else {
  // You've caught a bot!
}

Hope this helps! :)