Thread: How to authenticate human-submitted forms

  1. #1
    Join Date
    Jun 2008

    How to authenticate human-submitted forms


    I'm not sure whether this should be in the PHP section, or javascript, or HTML, so sorry if this is in the wrong place.

    I am having trouble with bots submitting junk through my online forms. Creating profiles, posting junk messages onto my discussion boards etc.

    I currently have a simple random number generated in PHP which is then checked against an input field submitted by user on submission of the form.

    This has stopped the majority of the junk, but there are still some that are getting through.

    What is the best approach to implementing an authentication function that keeps them out? Maybe using a code-in-an-image, with some AJAX functions to validate.

    Any recommendations would be greatly appreciated.

  2. #2
    Join Date
    Nov 2008
    I try to avoid image CAPTCHA these days. I've found that a combination of techniques has totally eliminated spam without requiring the user to do anything.

    • Generate a unique, random key via PHP and add it to the session. This is then added to the form as a hidden field. If the keys don't match when the form is sent, the submission is rejected.
    • Place a text field with a nice attractive name such as 'message' and use CSS to hide it from human users. Since bots tend to fill in every form element, if this field is submitted with a value, the submission is discarded.
    • Add a hidden field containing the timestamp at which the form was generated. Use this to check a minimum time has elapsed before the submission is accepted. Obviously this is dependent on the nature of your form, but for something like an email form if it is submitted in under 5-10 seconds chances are it wasn't done by a human.
    • You can also check the $_SERVER['HTTP_REFERRER'] property to ensure the submission came directly from your page, although I would tend to only reject if the referrer was present and different, and even then this is easily spoofed so it's only a little extra check.
    • You should also perform general input filtering and validation. Compare the submitted fields against a whitelist. Were extra fields sent? If so, the submission likely didn't come from your form. Make sure the data matches the format you expect, and be as strict as possible. If you don't allow HTML links, check for them in the submission. If you are expecting numerical data, make sure that's what you get, etc.

    At the moment I work on a site that gets a good few million hits a month and our online mail forms use these techniques. To date, we haven't had a single spam message get through, though obviously your mileage may vary.
    Last edited by Mindzai; 10-23-2009 at 04:08 AM.
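The five checks listed in the post above, combined into one PHP handler, as an added example that is not code from the original thread. The names form_token, form_ts, the honeypot field name 'message', the allowed field list and the 5-second minimum are assumptions for illustration. It goes one step beyond the post by MACing the timestamp with the session token, so a bot cannot submit a backdated form_ts to defeat the minimum-time check. Note also that the PHP superglobal key for the referrer is $_SERVER['HTTP_REFERER'] (one R); the double-R spelling above would always read as empty and the check would silently never fire.

```php
<?php
// Added example (not from the thread): server-side anti-bot checks for a form.
// Field names, limits and the MAC on the timestamp are assumptions for illustration.
declare(strict_types=1);

const MIN_SECONDS = 5;          // assumed minimum time a human needs; tune per form
const MAX_SECONDS = 3600;       // assumed maximum form age before it is considered stale
const HONEYPOT    = 'message';  // attractively named field that CSS hides from humans
const ALLOWED     = ['form_token', 'form_ts', 'name', 'email', 'body', HONEYPOT];

/** Render the form on GET. Stores the per-session token and MACs the timestamp. */
function render_form(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    $token = bin2hex(random_bytes(32));            // unpredictable, unlike rand()
    $_SESSION['form_token'] = $token;
    $ts    = (string) time();
    $tsMac = hash_hmac('sha256', $ts, $token);     // client cannot forge/backdate form_ts
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="contact.php">'
        . '<input type="hidden" name="form_token" value="' . $h($token) . '">'
        . '<input type="hidden" name="form_ts" value="' . $h($ts . '.' . $tsMac) . '">'
        . '<div class="hp"><input type="text" name="' . HONEYPOT . '" autocomplete="off"></div>'
        . '<input name="name"><input name="email"><textarea name="body"></textarea>'
        . '<button type="submit">Send</button></form>';
}

/** Return rejection reasons for a POST; an empty array means accept. */
function check_submission(array $post, array $session, array $server, int $now): array {
    $reasons = [];

    // 1. Session token must exist and match; hash_equals avoids timing leaks.
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        $reasons[] = 'token mismatch';
    }

    // 2. Honeypot: bots fill every field, humans never see this one.
    if (($post[HONEYPOT] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }

    // 3. Timestamp: verify the MAC first, then enforce minimum and maximum age.
    $raw   = $post['form_ts'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || $expected === ''
        || !hash_equals(hash_hmac('sha256', $parts[0], $expected), $parts[1])) {
        $reasons[] = 'timestamp missing or tampered';
    } else {
        $age = $now - (int) $parts[0];
        if ($age < MIN_SECONDS) { $reasons[] = "submitted too fast ({$age}s)"; }
        if ($age > MAX_SECONDS) { $reasons[] = 'form expired'; }
    }

    // 4. Referer (PHP key is HTTP_REFERER): reject only if present AND foreign.
    //    It is trivially spoofed, so this is a weak signal, not a gate.
    $ref  = $server['HTTP_REFERER'] ?? '';
    $host = $server['HTTP_HOST'] ?? '';
    if ($ref !== '' && $host !== '' && parse_url($ref, PHP_URL_HOST) !== $host) {
        $reasons[] = 'foreign referer';
    }

    // 5. Field whitelist plus strict per-field format checks.
    $extra = array_diff(array_keys($post), ALLOWED);
    if ($extra) { $reasons[] = 'unexpected fields: ' . implode(',', $extra); }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) { $reasons[] = 'bad email'; }
    if (!preg_match('/^[\p{L}\p{M} .\'-]{1,80}$/u', (string) ($post['name'] ?? ''))) {
        $reasons[] = 'bad name';
    }
    $body = (string) ($post['body'] ?? '');
    if ($body === '' || strlen($body) > 4000 || preg_match('~https?://|<a\b~i', $body)) {
        $reasons[] = 'body empty, too long, or contains links';
    }
    return $reasons;
}

// Constructed demo (no real session): a bot that fills everything and submits at once.
$tok = bin2hex(random_bytes(32));
$ts  = (string) time();
$bot = ['form_token' => $tok, 'form_ts' => $ts . '.' . hash_hmac('sha256', $ts, $tok),
        'name' => 'x', 'email' => 'a@b.example', 'body' => 'buy http://spam.example',
        HONEYPOT => 'hello', 'url' => 'http://spam.example'];
print_r(check_submission($bot, ['form_token' => $tok], ['HTTP_HOST' => 'example.com'], time()));
```

The honeypot `div.hp` is hidden by a rule in the site stylesheet (e.g. `.hp { position:absolute; left:-9999px; }`) rather than an inline `display:none`, because some spam scripts skip fields that are obviously hidden inline. Log the reasons array rather than showing it to the submitter; telling a bot which check it failed only helps its author tune it.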

  3. #3
    Join Date
    Jun 2008
    Those are some great suggestions. Glad I posted the comment. Thanks, Mindzai.

  4. #4
    Join Date
    Aug 2004
    I've had good luck using those first 2 bullet items, and can put up with the small amount of spam that still comes through--and which may in fact be manually entered.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

