Re: [PHP] Re: Alternative/Addition to using a CAPTCHA



Maybe I'm missing something.. if the intent is to have 'hidden' fields that a user would end up submitting but a bot wouldn't.. that wouldn't work very well. A bot could easily see the hidden fields and submit them along with whatever other data they were sending.

If the intention is to trick a bot into sending data a user wouldn't, then again.. doesn't work because a user is going to send the hidden fields as well.

It doesn't really matter if a user can 'see' or edit a form field, a bot can be programmed to send whatever data it finds in that form, hidden or not, because it's only hidden from humans from seeing and editing because that's how the web browsers interpret and render that HTML. Bots don't render HTML, just read it as a text file and parse through it looking for form data and whatever else they're programmed to look for.

Now, if you did an onsubmit on your form that executed a function to modify the HTML pre-submit using JS's innerHTML command, you MIGHT be able to trick it a little. But again, the bots are probably programmed not to be too smart.. but to emulate specific CAPTCHA systems. So a smart bot programmer would notice this and find a way to figure out what form elements were included via innerHTML alteration.

-TG


= = = Original message = = =

I read something (I think on Slashdot) a while back about another method
that could be used to avoid CAPTCHAs.

Basically on top of your standard form field, you place some input fields in
a javascript hidden div around your page conveniently named things like
"email", "address", or "phone." Because they're hidden, when the form
submits they should exist as post variables but have a value untouched by
the user.

Something simple like
<div class="spamcatcher">
<input type="text" name="phonenumber" id="phonenumber" />
</div>

Then <body onload="hideSpamCatcher()">

A spam bot will generally send a value with every field they come across,
especially ones that have really common form field names. They find these
fields by parsing through your source for anything that looks like it's
submitted. If you hid some "trick" fields around your page and then checked
on submit whether or not they had a value, you could probably get a pretty
decent Turing test without the user suspecting anything.

My old thrown together blog from a few years back had an unchecked comment
script that caught quite a bit of spam once I stopped caring about it. I've
been considering putting that back together and using this method just to
see if the spam is cut back at all.

Anyone have any experiences (good or bad) with this method?
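
A server-side check for the trap-field idea discussed in this thread, as an added example that is not part of either message. The function name, the result labels and the second trap field "address2" are assumptions made for illustration; "phonenumber" is the field from the post. The last sample shows the limit raised in the reply: a bot that echoes the form's default values is not caught.

```php
<?php
declare(strict_types=1);

// Trap field names: "phonenumber" comes from the post, "address2" is hypothetical.
const TRAP_FIELDS = ['phonenumber', 'address2'];

/**
 * Classify a POST body against the hidden trap fields.
 * Returns 'pass', 'trap_filled' or 'trap_missing' (labels are hypothetical).
 */
function classifySubmission(array $post, array $trapFields = TRAP_FIELDS): string
{
    foreach ($trapFields as $name) {
        // A browser submits every text input, visible or not, so an absent
        // trap field means the request was not built from the rendered form.
        if (!array_key_exists($name, $post)) {
            return 'trap_missing';
        }
        // An array value (phonenumber[]=x) or any non-blank text counts as filled.
        if (!is_string($post[$name]) || trim($post[$name]) !== '') {
            return 'trap_filled';
        }
    }
    return 'pass';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human in a browser'         => ['comment' => 'Nice post', 'phonenumber' => '', 'address2' => ''],
    'bot filling every field'    => ['comment' => 'spam', 'phonenumber' => '555-0100', 'address2' => 'x'],
    'bot posting only one field' => ['comment' => 'spam'],
    'bot echoing default values' => ['comment' => 'spam', 'phonenumber' => '', 'address2' => ''],
];

foreach ($samples as $label => $post) {
    printf("%-28s %s\n", $label, classifySubmission($post));
}
```

In a form handler the call would be classifySubmission($_POST), rejecting or queueing for moderation anything that does not return 'pass'.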





