insrtsnhere13 Posted May 20, 2006

Hey guys, I just thought of an idea for form security. I don't think it could be nearly as good as a CAPTCHA image, but it's pretty good for basic protection from automatic form fillers.

Couldn't it be possible to have an extra form field which instructs the user to enter a number between a random set of numbers that are within a certain range of each other? I.e. two random numbers are selected within, say, 13 numbers of each other: 26 and 39. The form instructs users to enter a number between 26 and 39. When the user enters the number, it is compared with the two, and if it is found to be between the two numbers, the form is verified and the information is allowed to be sent; if not, it is rejected and is sent back with another set of random numbers.

Obviously the hole in this is that a person could just keep entering random numbers until they get it right, which is where bigger numbers come in.

I understand it might be a little less convenient than a CAPTCHA, but it seems a lot simpler to code. Let me know what you think.
yonta Posted May 20, 2006

Well, [a href="http://shiflett.org/"]Chris Shiflett[/a], who specialises in PHP security, has a basic spam prevention technique where he just asks you to write his name in an input box. Your idea is kind of the same thing.
insrtsnhere13 (Author) Posted May 20, 2006

Yeah, I mean, it really is a check-and-guess thing, but as long as the value remains the same it's a little easier to break. In my case the number values always change, therefore inputting random numbers would yield far fewer results.
redarrow Posted May 20, 2006

***************************************************************************************

I thought I'd have my say on this, as I worked for 6 months on the solution to solve spamming on my website through forms.

From now onwards my guidelines are that all users have to be a registered user to send any information via a form. If the user is a registered user, then at the bottom of the form the user has to enter their user password to send any data from any form.

I don't let anyone sign up for free anymore, as it encourages spamming problems with forms, so that's a no-no for me. Also, when a user wants to sign up for my website services I use a PayPal IPN program, and the user gets a generated random number; when that number is entered they can fill in their details after payment.

I always make sure that a user is who they say they are before signing up or sending any information.

***************************************************************************************

When it comes to designing a free website for free users, I always use the CAPTCHA image code for the sign up page and then use my password method.

CAPTCHA image code is more than a random number and has more security than using only a random number against the database, in my opinion, depending on what code you've got.

But I think your idea is on the same track as a CAPTCHA code, though I would also add more to it to check other criteria.

Good luck.
shoz Posted May 20, 2006

[quote]the form instructs users to enter a number between 26 - 39. When the user enters the number, it is compared with the two and if it is found to be between the two numbers, the form is verified and the information is allowed to be sent, if not, it is rejected and is sent back with another set of random numbers..[/quote]

Unfortunately, after manually visiting your page to figure out the rules, it shouldn't be too difficult to spam it. There's nothing stopping someone from using their spamming tool to go through the page and automatically look at the numbers to generate a valid result.

The reason why the CAPTCHAs using images are useful is the fact that it's difficult to write a program that can recognize the characters (numbers, letters etc.) that are distorted in the picture.

[a href="http://en.wikipedia.org/wiki/Captcha"]http://en.wikipedia.org/wiki/Captcha[/a]
dsk3801 Posted May 20, 2006

[quote=shoz @ May 19 2006, 10:08 PM]Unfortunately after manually visiting your page to figure out the rules, it shouldn't be too difficult to spam it. There's nothing stopping someone from using their spamming tool to go through the page and automatically look at the numbers to generate a valid result.

The reason why the CAPTCHAs using images are useful is the fact that it's difficult to write a program that can recognize the characters (numbers, letters etc) that are distorted in the picture.

http://en.wikipedia.org/wiki/Captcha[/quote]

Have to agree with this one. I also recently saw an article about using a 3x3 matrix (9 images), 3 of which were kittens and the rest weren't. The user had to click the 3 kittens before it would let them submit the form. Here's the link if you want to read it over: [a href="http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth"]http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth[/a]
insrtsnhere13 (Author) Posted May 20, 2006

Yeah, I knew this wasn't as good as a CAPTCHA code, but I think that for a minimum-threat-level site this would be more than enough to prevent someone from constantly spamming, or stop a simple program.
insrtsnhere13 (Author) Posted May 20, 2006

Went through this morning and wrote some code. Here's what I came up with; I think it works pretty well!!

[code]
<?php
if (!isset($_POST['submit'])) {
    // Pick a random lower bound; the upper bound is always 13 higher.
    $number  = rand(0, 1000);
    $number2 = $number + 13;
    echo "Please enter a number greater than " . $number . " and less than " . $number2;
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="usernumber" size="10">
<input type="hidden" name="number" value="<?php echo $number; ?>">
<input type="hidden" name="number2" value="<?php echo $number2; ?>">
<input type="submit" name="submit" value="Submit">
</form>
<?php
} else {
    // The bounds come back from the hidden fields along with the answer.
    $usernumber = $_POST['usernumber'];
    $number     = $_POST['number'];
    $number2    = $_POST['number2'];
    if ($usernumber > $number && $usernumber < $number2) {
        echo "Correct!! $usernumber is in between $number and $number2";
    } else {
        echo "Try again!!";
    }
}
?>
[/code]
shoz Posted May 20, 2006

[quote]yea, i knew this wasnt as good as a captcha code but i think that for a minimum threat level site, this would be more then enough to prevent someone from costantly spamming, or stop a simple program[/quote]

It wouldn't take a very complicated script to spam the site. The way you have it coded now means that the numbers are user-submitted values. So the tool can send whatever numbers it likes.

Keep in mind that I'm not trying to discourage you. It's a good thing to be thinking about ways to secure your site, and you should continue doing so. The "d" from the fread line has been removed to allow the post to the forum to go through.

[code]
<?php
$host    = 'yoursite.com';
$path    = '/path/to/script.php';
$content = 'usernumber=1&number=0&number2=2&submit=Submit';
$length  = strlen($content);

$header = "POST $path HTTP/1.0\r\n"
        . "Host: $host\r\n"
        . "Content-Length: $length\r\n"
        . "Connection: close\r\n"
        . "\r\n"
        . "$content";

$fp = fsockopen($host, 80, $errno, $errstr, 15);
if (!$fp) {
    print "couldn't connect<br />\n";
    exit;
}
if (FALSE === fwrite($fp, $header)) {
    print "couldn't write to socket<br />\n";
    exit;
}

$output = '';
while (!feof($fp)) {
    // The "d" from the end of fread has been removed here
    $output .= frea($fp, 2048);
}
print $output;
?>
[/code]

EDIT: By the way, I do realize that you're saying that you're not trying to come up with a solution as effective as a CAPTCHA, but I think you're also saying that you don't want to come up with a solution that's very easy to break either.
insrtsnhere13 (Author) Posted May 21, 2006

[quote=shoz @ May 20 2006, 09:34 AM]It wouldn't take a very complicated script to spam the site. The way you have it coded now means that the numbers are user submitted values. So, the tool can send whatever numbers it likes.

Keep in mind that I'm not trying to discourage you. It's a good thing to be thinking about ways to secure your site and you should continue doing so. The "d" from the fread line has been removed to allow the post to the forum to go through.

EDIT: Btw, I do realize that you're saying that you're not trying to come up with a solution as effective as a CAPTHA but I think you're also saying that you don't want to come up with a solution thats very easy to break either.[/quote]

Uhhh... I'm not quite sure, but I don't think this has anything to do with my post, other than the info at the top about not trying to discourage me. And in regards to the script being able to enter whatever number it wants: since the numbers are randomly generated, a random number generator wouldn't work, unless the script was actually made for this specific code.

And yes, this is not maximum-security code, just a thought on security that's a little easier to understand than a CAPTCHA.
shoz Posted May 21, 2006

[quote][code]
$usernumber = $_POST['usernumber'];
$number = $_POST['number'];
$number2 = $_POST['number2'];
[/code][/quote]

All of the above are user-submitted values. That means that someone can send any numbers they choose. The code posted is an example to demonstrate that.

[quote]and in regards to the script being able to enter whatever number it wants, since the numbers are randomly generated, a random number generator wouldnt work.. unless the script was actually made for this specific code.[/quote]

I don't quite follow the comment about being "made for this specific code", but no numbers are being randomly generated in the script I posted. The same numbers will be sent each time the script is run, and with success, because, as mentioned previously, it's the user that determines what numbers are sent.

[quote]this is not a maximum security code, just a thought on security thats a little easier to understand than a captcha[/quote]

Only you can tell how difficult you want to make the process of spamming your site. From your posts, however, I've gotten the impression that you think the code is more effective than it is, which is why I've tried to show the problems with it.

The use of sessions should allow the idea, as I think you see it, to be realized. Using sessions should allow you to truly control what the number range is.

EDIT: Clicking "Refresh/Reload" in your browser should also demonstrate the problem in another way.
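The session-based version of the range check that shoz suggests, as an added example that is not code from anyone in this thread: the two bounds stay in `$_SESSION` instead of hidden fields, the answer is validated as an integer before comparison, and the range is discarded after one use so a correct POST cannot be replayed by reloading. The field names mirror the original post; `random_int` is assumed available (PHP 7+).

```php
<?php
// Added example: the hidden-field range check rewritten around sessions.
session_start();

function new_range(): array {
    // Random lower bound, upper bound 13 higher, as in the original post.
    $low = random_int(0, 1000);
    $_SESSION['range'] = [$low, $low + 13];
    return $_SESSION['range'];
}

function check_number(string $input): bool {
    // No range issued (direct POST or expired session) is a failure.
    if (!isset($_SESSION['range'])) {
        return false;
    }
    [$low, $high] = $_SESSION['range'];
    // Only a plain decimal integer is compared; "12abc" or "" is rejected.
    if (!ctype_digit($input)) {
        return false;
    }
    $n = (int) $input;
    return $n > $low && $n < $high;
}

if (!isset($_POST['submit'])) {
    [$low, $high] = new_range();
    echo "Please enter a number greater than $low and less than $high";
    // Only the answer is submitted; the bounds never leave the server.
    echo '<form method="POST" action="'
       . htmlspecialchars($_SERVER['PHP_SELF']) . '">'
       . '<input type="text" name="usernumber" size="10">'
       . '<input type="submit" name="submit" value="Submit">'
       . '</form>';
} else {
    $ok = check_number($_POST['usernumber'] ?? '');
    // Drop the range whether the answer was right or wrong: a wrong guess
    // cannot be retried against the same bounds, and a correct POST cannot
    // be replayed with Refresh/Reload.
    unset($_SESSION['range']);
    echo $ok ? 'Correct!!' : 'Try again!!';
}
```

This closes the hidden-field and replay holes shoz points out, but not the first one: a tool that reads the prompt text can still compute a valid answer, which is why the thread keeps coming back to image CAPTCHAs.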