02-26-2016, 05:54 PM
Well, and in a way you're a little bit safer using your parser file because you only check the token on a page that isn't externally available anyway. That's a minor bonus of doing things that way.
The other thing working in your favor is that (with the exception of sign up forms) pretty much everything is behind the login wall, so that limits the attack vector dramatically. It's not like some outside bot would normally get by that.
Another honeypot type thing people do is hide inputs on the form (like do a random hidden text input on the form) and if it comes back with text on it, kill the page because it means it was filled out by a bot. The bot often doesn't really have a way of knowing that the input was hidden to begin with. That's the gist of how most forum spam preventions work from what I understand.
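The two checks described in this post (a per-session form token verified server-side, plus a visually hidden text input that only a bot would fill in) as an added example in Python; this is not the poster's code, and the field names, the CSS used to hide the input, and the session dict are assumptions.

```python
import hmac
import secrets

# Assumed field names. The honeypot is a *text* input hidden with CSS rather than
# type="hidden", because many form bots skip type="hidden" but fill every text box.
TOKEN_FIELD = "form_token"
HONEYPOT_FIELD = "website_url"


def new_form_token(session: dict) -> str:
    """Issue a random per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def render_form_fields(token: str) -> str:
    """Render the token field and the honeypot input (hidden from humans, visible to bots)."""
    return (
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">'
        "</div>"
    )


def validate_submission(form: dict, session: dict) -> tuple[bool, str]:
    """Return (accepted, reason) for a posted form.

    Rejects when the honeypot carries any text (bot behaviour) or when the token is
    missing or does not match the one issued to this session (constant-time compare).
    """
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    expected = session.get(TOKEN_FIELD, "")
    supplied = form.get(TOKEN_FIELD, "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: one human-like, one bot-like, one with a forged token.
    session: dict = {}
    token = new_form_token(session)
    print(render_form_fields(token))
    print(validate_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: ""}, session))
    print(validate_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: "http://spam"}, session))
    print(validate_submission({TOKEN_FIELD: "guess", HONEYPOT_FIELD: ""}, session))
```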