I'm not sure whether this should be in the PHP section, or javascript, or HTML, so sorry if this is in the wrong place.
I am having trouble with bots submitting junk through my online forms. Creating profiles, posting junk messages onto my discussion boards etc.
I currently have a simple random number generated in PHP which is then checked against an input field submitted by user on submission of the form.
This has stopped the majority of the junk, but there are still some that are getting through.
What is the best approach to implementing an authentication function that holds them out? Maybe using a code-in-an-image, with some ajax functions to validate.
I try to avoid image CAPTCHA these days. I've found that a combination of techniques has totally eliminated spam without requiring the user to do anything.
- Generate a unique, random key via PHP and add it to the session. This is then added to the form as a hidden field. If the keys don't match when the form is sent, the submission is rejected.
- Place a text field with a nice attractive name such as 'message' and use CSS to hide it from human users. Since bots tend to fill in every form element, if this field is submitted with a value, the submission is discarded.
- Add a hidden field containing the timestamp at which the form was generated. Use this to check a minimum time has elapsed before the submission is accepted. Obviously this is dependent on the nature of your form, but for something like an email form if it is submitted in under 5-10 seconds chances are it wasn't done by a human.
You can also check the $_SERVER['HTTP_REFERRER'] property to ensure the submission came directly from your page, although I would tend to only reject if the referrer was present and different, and even then this is easily spoofed so it's only a little extra check.
You should also perform general input filtering and validation. Compare the submitted fields against a whitelist. Were extra fields sent? If so, the submission likely didn't come from your form. Make sure the data matches the format you expect, and be as strict as possible. If you don't allow HTML links, check for them in the submission. If you are expecting numerical data, make sure that's what you get, etc.
At the moment I work on a site that gets a good few million hits a month and our online mail forms use these techniques. To date, we haven't had a single spam message get through, though obviously your mileage may vary.
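The checks described in the answer above (session token, honeypot field, minimum fill time, field whitelist), as an added PHP example that is not the answerer's code. Field names, the 5-second minimum and the CSS class are assumptions; the issue time is kept in the session rather than trusted from the hidden field, and $session/$post stand in for $_SESSION/$_POST so the script runs from the CLI.

```php
<?php
// Added example: server-side anti-bot checks for a plain HTML form.
// MIN_SECONDS and the field names are assumptions for this example.
const MIN_SECONDS = 5;

// Called while rendering the form: stores a one-time token and the issue time
// in the session and returns the hidden inputs (plus the honeypot) to embed.
function prepareForm(array &$session): string {
    $session['form_token']  = bin2hex(random_bytes(16));
    $session['form_issued'] = time();
    $h = fn($s) => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $h($session['form_token']) . '">'
         . '<input type="hidden" name="form_issued" value="' . $h($session['form_issued']) . '">'
         // Honeypot: hidden with CSS (class name assumed), so humans leave it empty.
         . '<input type="text" name="message" class="hp" autocomplete="off">';
}

// Returns null when the submission is accepted, otherwise the rejection reason.
function checkSubmission(array &$session, array $post, array $allowed, int $now): ?string {
    // Whitelist: any field the form did not render means it was not our form.
    if (array_diff(array_keys($post), $allowed)) return 'unexpected fields';
    // Session token must be present and match (constant-time compare).
    if (!isset($session['form_token'], $post['form_token'])
        || !hash_equals($session['form_token'], (string)$post['form_token'])) return 'bad token';
    // Honeypot must stay empty.
    if (($post['message'] ?? '') !== '') return 'honeypot filled';
    // Minimum fill time, measured against the server-side issue time.
    if ($now - (int)($session['form_issued'] ?? 0) < MIN_SECONDS) return 'submitted too fast';
    // Strict format checks on the real fields (assumed: an email and a text body).
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) return 'invalid email';
    if (preg_match('~<a\b|https?://~i', $post['body'] ?? '')) return 'links not allowed';
    unset($session['form_token']); // one-time use: a replayed token is rejected
    return null; // Referer check omitted; PHP exposes it as $_SERVER['HTTP_REFERER'].
}

// CLI demo with constructed data: one human-like post, one bot-like post.
$allowed = ['form_token', 'form_issued', 'message', 'email', 'body'];
$session = [];
prepareForm($session);
$human = ['form_token' => $session['form_token'], 'form_issued' => $session['form_issued'],
          'message' => '', 'email' => 'user@example.com', 'body' => 'Hello there'];
var_dump(checkSubmission($session, $human, $allowed, time() + 10)); // NULL = accepted
prepareForm($session);
$bot = $human + [];
$bot['form_token'] = $session['form_token'];
$bot['message'] = 'Buy now';
var_dump(checkSubmission($session, $bot, $allowed, time() + 1)); // "honeypot filled"
```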
I've had good luck using those first 2 bullet items, and can put up with the small amount of spam that still comes through--and which may in fact be manually entered.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation