One effective approach is to check the "DNS reverse lookup".
At your hosting provider, set up (or ask them to set up) a "DNS reverse lookup", also known as "reverse DNS".
Then, whenever you receive a request (POST, GET), check the reverse DNS lookup of the IP.
In PHP there are network functions such as gethostbyname, gethostbyaddr and dns_get_record with which you can extract the data to assist in "authentication".
Note that the "DNS reverse lookup" can also be circumvented, so do not trust it 100% as if it were an absolute solution.
However, it is much safer than checking only HTTP_REFERER.
HTTP_REFERER is easily manipulated; even cURL has an option to do so.
Reverse DNS, on the other hand, requires a change in the configuration of the server that submits the data.
We can say that 99.999% of bots are unable to change the reverse DNS of the servers they use because, logistically, bots target millions of servers and would need to modify the reverse DNS millions of times for the servers they run their scripts from. It is unfeasible due to the high cost.
For example, if your site has the address www.seu.site, set the reverse DNS to "www.seu.site".
On a shared hosting server it is normally not allowed to customize this, but you can ask the company that manages the server to at least configure the reverse DNS to return a valid name. It usually looks something like "address.provedor.hopedagem".
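A PHP implementation of the reverse-lookup check described above, added here as an example rather than code from the answer; the allowed hostname list, `www.seu.site` as its only entry, and the function name `requestIpMatchesAllowedHost` are assumptions. It goes one step beyond a plain `gethostbyaddr` call by forward-confirming the PTR name, because whoever controls an IP block can put any string in its reverse record.

```php
<?php
// Added example, not part of the original answer. Forward-confirmed
// reverse DNS (FCrDNS) check for the IP that sent the request.
declare(strict_types=1);

/**
 * Returns true only if the PTR record of $ip is one of the allowed
 * hostnames AND that hostname resolves back to $ip. The second lookup is
 * what gives the check its value: a PTR record alone is easy to forge.
 */
function requestIpMatchesAllowedHost(string $ip, array $allowed): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // gethostbyaddr() returns the IP unchanged when there is no PTR record
    // and false on malformed input; treat both as "no reverse name".
    $ptr = gethostbyaddr($ip);
    if ($ptr === false || $ptr === $ip) {
        return false;
    }
    $ptr = strtolower(rtrim($ptr, '.'));
    if (!in_array($ptr, array_map('strtolower', $allowed), true)) {
        return false;
    }
    // Forward lookup: the PTR name must resolve back to the requesting IP.
    // inet_pton() normalises IPv4/IPv6 text forms before comparing.
    $want = inet_pton($ip);
    $records = dns_get_record($ptr, DNS_A | DNS_AAAA) ?: [];
    foreach ($records as $rr) {
        $addr = $rr['ip'] ?? $rr['ipv6'] ?? null;
        if ($addr !== null && inet_pton($addr) === $want) {
            return true;
        }
    }
    return false;
}

// Usage in the form handler (hostname list is an assumption). Note that
// behind a reverse proxy REMOTE_ADDR is the proxy's address, not the client's.
$allowedHosts = ['www.seu.site'];
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
if (!requestIpMatchesAllowedHost($clientIp, $allowedHosts)) {
    http_response_code(403);
    exit('Request origin not verified');
}
```

Both lookups hit the resolver on every request, so cache the result per IP for a short time if the form receives real traffic.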
One of the ways is to examine the HTTP_REFERER server variable, but it can still be forged easily. If you really need protection against this type of submission, the way to go would be to use a session variable and an ID in a hidden field of the form, which would limit submissions with that ID to a certain time. If the person takes too long on the real form, just present it again with a new hidden ID, keeping the data already filled in, and ask that the submission be done again.
– Bacco
Frameworks like Laravel 5 limit the type of access to each page by GET or POST, and if there is a permission level per user you can also associate "post" access with certain users only, i.e. only logged-in users with "x" privileges can post on page "y".
– Rodrigo Mello
http://recaptcha.net
– user622
Would verifying the IP the request came from not work? Limit it to the IP of your server only.
– Mastria
@Bacco good idea, but I think they could still get that ID if they analyzed the code, unless it has a 'seconds limitation' anyway. Mastria's response interested me: can the IP also be forged?
– Elaine
I don't really like the idea of using a captcha or frameworks, even more so now that I'm in the middle of an extensive project; I would have to adjust everything again, and that's just not feasible, but thank you!
– Elaine
@user3715916 the ID would be different in each session, besides changing in a short time. And each one could be used just once; I can't imagine that any FW will do much better than that. The advantage of an FW is being ready-made, but if it is only for this, I think it is better to solve it with your own code, especially since it doesn't need much.
– Bacco
@Elaine what is the purpose of this block? You are, for example, trying to protect a contact form?
– PeerBr
I'm trying to protect a form against flood/spam; I don't want third parties to use it @Peerbr
– Elaine
A captcha would not require drastic changes, just a simple implementation.
– Daniel Omine
But I don't like captchas either. There are other ways to solve it, because in your case you want to limit it to only receiving if it comes from your own server.
– Daniel Omine