calculating elapsed time between pageload and page submission


7 replies to this topic

#1 peppericious


Posted 30 June 2012 - 05:27 AM

As one of a few anti-spam measures, I want to calculate the time between pageload and page/form submission. If the page/form is submitted very quickly - let's say in less than a couple of seconds - I'll assume it's a spammer and will not process the form data.

I thought of doing something like this:

<?php
$time_start = time();
if (isset($_POST['submit'])) {
	$time_end = time();
	$time = $time_end - $time_start;
	if ($time < 2) { // form submitted in less than 2 seconds
		echo "You're a vile spammer.<br /><br />";
	} else {
		echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
	}
	echo $time . " seconds elapsed before hitting Submit."; // for my own info
}
?>
<form id='form1' method='POST' action=''>
	<input name='submit' type='submit' value='submit'>
</form>

... but it won't work because the start time is reset when the page reloads after submission of the form. I'm sure there must be a simple solution but it escapes me...

Any thoughts?

#2 jcbones


Posted 30 June 2012 - 07:50 AM

<?php
if (isset($_POST['submit'])) {
	$time_start = $_POST['generated']; // timestamp sent back by the browser in the hidden field
	$time_end = time();
	$time = $time_end - $time_start;
	if ($time < 2) { // form submitted in less than 2 seconds
		echo "You're a vile spammer.<br /><br />";
	} else {
		echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
	}
	echo $time . " seconds elapsed before hitting Submit."; // for my own info
}
?>
<form id='form1' method='POST' action=''>
	<input type='hidden' name='generated' value='<?php echo time(); ?>' />
	<input name='submit' type='submit' value='submit'>
</form>


#3 peppericious


Posted 30 June 2012 - 08:09 AM

Perfect, thanks. Never thought of using a hidden field in the form... very handy.

#4 PFMaBiSmAd


Posted 30 June 2012 - 08:29 AM

It would take a hacker about 10 seconds to figure out that a value in a hidden field that looks like a Unix Timestamp could be submitted as an older timestamp value to bypass this check.

You would need to pass the generated timestamp in a session variable for it to be secure.
Signature: (not a comment about anything you posted unless specifically indicated)
Debugging step #1: To get past the garbage-out equals garbage-in stage in your code, you must check that the inputs to your code are what you expect.

Programming is just problem solving, but it is done in another language. You must learn enough of the programming language you are using to be able to read and write code.

#5 peppericious


Posted 30 June 2012 - 08:51 AM

You would need to pass the generated timestamp in a session variable for it to be secure.


.. I tried something like this earlier...

<?php
session_start();
$_SESSION['time_start'] = time();
if(isset($_POST['submit'])) {
...

... but couldn't get it to work. I couldn't figure out how to prevent the session variable from being reset when the page/form is submitted...

Any suggestions?

#6 PFMaBiSmAd


Posted 30 June 2012 - 09:48 AM

<?php
session_start();

// form processing code
if(isset($_POST['submit'])){
	if(isset($_SESSION['start_time'])){ // if it is not set, the form was never visited/generated
		$time = time() - $_SESSION['start_time'];
		if($time < 2) { // form submitted in less than 2 seconds
			echo "You're a vile spammer.<br /><br />";
		} else {
			echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
		}
		echo $time . " seconds elapsed before hitting Submit."; // for my own info
		unset($_SESSION['start_time']); // unset the value so that someone cannot keep submitting data without revisiting the form
	} else {
		// form data submitted without visiting the form
			echo "You're a vile spammer.<br /><br />";		
	}
}

// form code
$_SESSION['start_time'] = time();
?>
<form id='form1' method='POST' action=''>
	<input name='submit' type='submit' value='submit'>
</form>

Signature: (not a comment about anything you posted unless specifically indicated)
Debugging step #1: To get past the garbage-out equals garbage-in stage in your code, you must check that the inputs to your code are what you expect.

Programming is just problem solving, but it is done in another language. You must learn enough of the programming language you are using to be able to read and write code.
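
Added example, not part of the thread or any poster's code: the session-based check from the post above, generalised so each rendered form gets its own random token (several tabs can be open at once) and an upper time limit also applies. The function names, the `form_token` field and both limits are assumptions made for illustration.

```php
<?php
// Added example; function names, field names and limits are hypothetical.
const MIN_SECONDS = 2;     // faster than this is treated as automated
const MAX_SECONDS = 3600;  // a form left open longer must be reloaded

// Called when the form is rendered. Only the random token goes into a
// hidden field; the timestamp itself never leaves the server.
function issue_form(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['forms'][$token] = $now;
    return $token;
}

// Called when the form is posted. Returns a verdict string.
function check_submission(array &$session, array $post, int $now): string
{
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !isset($session['forms'][$token])) {
        return 'rejected: form was never issued to this session';
    }
    $elapsed = $now - $session['forms'][$token];
    unset($session['forms'][$token]); // single use, as in the post above
    if ($elapsed < MIN_SECONDS) {
        return 'rejected: submitted too quickly';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'rejected: form expired';
    }
    return 'accepted';
}

// Constructed run: $session stands in for $_SESSION, $t0 for time().
$session = [];
$t0 = 1341050000;

$a = issue_form($session, $t0);
// A backdated client-side timestamp is sent along, but nothing reads it.
echo check_submission($session, ['form_token' => $a, 'generated' => '0'], $t0 + 1), "\n";
// Re-sending the same token later: it was consumed by the first attempt.
echo check_submission($session, ['form_token' => $a], $t0 + 10), "\n";

$b = issue_form($session, $t0);
echo check_submission($session, ['form_token' => $b], $t0 + 5), "\n";
// Posting without ever loading the form.
echo check_submission($session, [], $t0 + 5), "\n";
```

In a real page, pass `$_SESSION` (after `session_start()`) and `time()` in place of the stand-ins.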

#7 peppericious


Posted 30 June 2012 - 10:26 AM

Thanks PFMaBiSmAd, your help is greatly appreciated.
:)

#8 Corsari


Posted 10 May 2013 - 04:47 PM

Hi Peppericious

Have you tested the anti-spam you wanted to create with the elapsed time measure method? Is it measuring? Does it work? Thank you for the confirmation

I did the same with javascript but I discovered that (maybe) SPAM-BOTs have "javascript disabled" :facepalm:

It could be, they are not browsers...

So, to be sure, your approach is the correct one, the time elapsed between page load and form submission must be completely calculated on the server side.

Here I describe my personal version of an additional anti-spam. Thinking about what I did wrong, I searched for a PHP solution and through Google I found this post of yours.

My idea is to implement the two together and see what happens, even if mine is quite simple, effective and implemented really quickly, just a couple of lines in the PHP and one text field in the HTML form portion.

Thank you

Cor
 



Edited by Corsari, 10 May 2013 - 05:00 PM.




