Re: [PHP] Re: Alternative/Addition to using a CAPTCHA
- From: steve@xxxxxxxxxxxx ("Steve")
- Date: Fri, 30 Mar 2007 13:26:19 -0500
The point was to have the hidden fields that the bot would populate and the
user wouldn't. So for instance, let's use my example from before.
(hideSpamCatcher is a reference to a javascript function that hides the
spamcatcher div.)
<body onload="hideSpamCatcher()">
<form method="post" action="somewhere.php">
<div id="spamcatcher">
<input type="text" name="lastname" id="lastname" />
</div>
Name: <input type="text" id="name" name="name" /><br />
Password: <input type="password" id="password" name="password" /><br />
<input type="submit" name="Submit" />
</form>
</body>
Now, the user comes along and doesn't see the field name. They fill in their
username and password and hit submit. The information passed looks like:
$_POST['name'] = 'steve';
$_POST['password'] = 'mypassword';
$_POST['lastname'] = '';
All of the fields are submitted and only username and password actually have
values.
Now the bot comes through, sees the form and submits it by parsing through
the code, finding every single field that is an input field and submitting
that. It sees a field named "lastname" and thinks it's important enough
to populate. Its logic says "I need to provide a last name for this form to
submit properly." So it goes and submits every field on the page. The post
data looks like:
$_POST['name'] = 'john';
$_POST['password'] = 'mybotpassword';
$_POST['lastname'] = 'doe';
It fills in every field. In essence, it was tricked into doing so because
the field had a provocative name and the bot didn't know any better.
So how does this help?
You can do a check to make sure that $_POST['lastname'] is still blank
before processing any data. It may not work all the time, it won't trick the
more intelligent bots, and it will be easy to code a way to get around
that - but basically it will stop your general run-of-the-mill spam bots
from traversing through your site, and randomly submitting advertisements to
your comment forms, and what not.
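The server-side check described above, written out as an added example (not code from the thread); it assumes the honeypot field is named "lastname" as in the form shown, and treats a missing field as suspicious too, since a real browser always submits it as an empty string:

```php
<?php
// Added example, not from the original message. The honeypot field name and
// the function name are assumptions chosen to match the form shown above.

/**
 * Return true when the submission looks like it came from a form-filling bot:
 * the honeypot field is either absent (the form was not submitted the way a
 * browser would submit it) or has been given a value.
 */
function looks_like_bot(array $post, string $honeypot = 'lastname'): bool
{
    // A real browser submits the hidden field with an empty value.
    if (!array_key_exists($honeypot, $post)) {
        return true;
    }
    return trim((string) $post[$honeypot]) !== '';
}

// Constructed sample submissions mirroring the two cases in the message above.
$human = ['name' => 'steve', 'password' => 'mypassword',    'lastname' => ''];
$bot   = ['name' => 'john',  'password' => 'mybotpassword', 'lastname' => 'doe'];

if (PHP_SAPI === 'cli') {
    // Quick self-check when run from the command line.
    var_dump(looks_like_bot($human));
    var_dump(looks_like_bot($bot));
    exit;
}

// Web request path: run the honeypot check before touching any other field.
if (looks_like_bot($_POST)) {
    // Log and discard quietly; a generic response gives the bot no hint
    // about why its submission was rejected.
    error_log('honeypot field filled, from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit;
}
// Normal processing of $_POST['name'] and $_POST['password'] follows here.
```

Hiding the div with CSS rather than an onload script avoids rejecting real users who have scripting disabled, since for them the field would stay visible and might get filled in.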
<tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:20070330165557.A96DE81638@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Maybe I'm missing something.. if the intent is to have 'hidden' fields
that a user would end up submitting but a bot wouldn't.. that wouldn't
work very well. A bot could easily see the hidden fields and submit them
along with whatever other data they were sending.
If the intention is to trick a bot into sending data a user wouldn't, then
again.. doesn't work because a user is going to send the hidden fields as
well.
It doesn't really matter if a user can 'see' or edit a form field, a bot
can be programmed to send whatever data it finds in that form, hidden or
not, because it's only hidden from humans from seeing and editing because
that's how the web browsers interpret and render that HTML. Bots don't
render HTML, just read it as a text file and parse through it looking for
form data and whatever else they're programmed to look for.
Now, if you did an onsubmit on your form that executed a function to
modify the HTML pre-submit using JS's innerHTML command, you MIGHT be able
to trick it a little. But again, the bots are probably programmed not to
be too smart.. but to emulate specific CAPTCHA systems. So a smart bot
programmer would notice this and find a way to figure out what form
elements were included via innerHTML alteration.
-TG
= = = Original message = = =
I read something (I think on Slashdot) a while back about another method
that could be used to avoid CAPTCHAs.
Basically on top of your standard form field, you place some input fields
in a javascript hidden div around your page conveniently named things like
"email", "address", or "phone." Because they're hidden, when the form
submits they should exist as post variables but have a value untouched by
the user.
Something simple like
<div class="spamcatcher">
<input type="text" name="phonenumber" id="phonenumber" />
</div>
Then <body onload="hideSpamCatcher()">
A spam bot will generally send a value with every field they come across,
especially ones that have really common form field names. They find these
fields by parsing through your source for anything that looks like it's
submitted. If you hid some "trick" fields around your page and then
checked on submit whether or not they had a value, you could probably get
a pretty decent turing test without the user suspecting anything.
My old thrown together blog from a few years back had an unchecked comment
script that caught quite a bit of spam once I stopped caring about it.
I've been considering putting that back together and using this method
just to see if the spam is cut back at all.
Anyone have any experiences (good or bad) with this method?