I am trying to stop bots from (potentially) submitting fake data to my php registration file. I am creating a site that uses a signup/login system and I want to add email verification which I am capable of. However the problem is my webhost only allows x amount of emails per minute, if a bot were to spam this not only will my database be filled with spam accounts but I will also be suspended for breaking the email limit.
I have been reading up about securing forms and CSRF came up, a term I am not familiar with.
This is my current understanding of the 'token method' of CSRF prevention;
When the page containing the form is loaded create a token. Store the token in a SESSION or cookie.
When the PHP file that handles the registration is run, it will check for the token. If the one submitted in the form doesn't match (or if the token isn't set in SESSION) the request is spam.
I don't understand why the bot can't simply get the token from the HTML form and submit it. I understand it changes every time, can it not just grab it each time?
I assume the bot would just submit the data using CurL or something of the sort to bypass the need to actually submit the HTML form and instead send the data straight to the PHP file.
My question is essentially, why and how does this method prevent against bots submitting my registration form (or any form for that matter).
My question is essentially, why and how does this method prevent against bots submitting my registration form (or any form for that matter).
It doesn't.
CSRF stands for "Cross-Site Request Forgery" and such tokens help prevent exactly that - a user being tricked into submitting a form from another site to yours, which has nothing to do with spam.
For spam prevention, you should be using a CAPTCHA challenge of some sort.