I am trying to stop bots (potentially) by sending fake data to php log file. I am creating a website that uses a registration / registration system, and I want to add an email check that I am capable of. However, the problem is that my web host only allows emails xper minute, if the bot needs to spam, it will not only populate my database with spam accounts, but I will also be blocked to violate the email limit.
I read about providing forms, and CSRF came up, a term I am not familiar with.
This is my current understanding of the CSRF Prevention Token Method;
When the page containing the form loads, create a token. Store the token in SESSIONor cookie.
When the PHP file that handles the registration is launched, it checks the token. If the one presented on the form does not match (or if the token is not set to SESSION), the request is spam.
I donβt understand why the bot cannot just get the marker from the HTML form and submit it. I understand that he changes every time, can he not capture him every time?
I assume that the bot will simply send data using CurL or something like this, to get around the need to submit an HTML form and instead send the data directly to a PHP file.
My question is essentially why and how this method prevents bots submitting my registration form (or any form, for that matter).