Ajax-Form submission, safe from SPAMS ?

[avvllvva]

If I'm calling the Action page of a Form-submission page via AJAX, what are the possibilities of getting spams?

 

I don't want to use CAPTCHA images.

 

Instead of regular on-submit POST of form, I have tried on-click POST via ajax to the action page, and there is only server side validation.

 

Is it safe ? OR Still spamers can get these POST variables ?

 

I'm unclear of these things, can anybody tell?

[dreamwest]

Its simple.

 

Just have a message saying click to confirm user then set a session, after that all forms will be processed instantly. I have this set up on my site.

 

I also found bots/spiders following ajax hyperlinks so put rel=nofollow in the hyperlink

[avvllvva]

Okay thanks, if u don't mind plz post ur URL.

[RichardRotterdam]

The chance that you will receive spam is just as big with an Ajax form as it would be with a non Ajax form. Someone could easily find the location of the script that processes the Ajax form by looking at your HTML source.

 

edit

Its simple.

 

Just have a message saying click to confirm user then set a session, after that all forms will be processed instantly. I have this set up on my site.

 

I also found bots/spiders following ajax hyperlinks so put rel=nofollow in the hyperlink

I'm sorry but I fail to see how setting a session on a onclick event will prevent spamming. I could easily write a script that sets that session and spam the hell out of you anyway.

[dreamwest]

Look and ye shall see

 

http://rapidlibrary.com/download_file_i.php?qq=fast%20plans%2012&file=329219&desc=Fast.Plans.v11.WinAll.Regged-CRD+.rar

 

Once confirmed all files are redirected .....directly

[RichardRotterdam]

Look and ye shall see

 

http://rapidlibrary.com/download_file_i.php?qq=fast%20plans%2012&file=329219&desc=Fast.Plans.v11.WinAll.Regged-CRD+.rar

 

Once confirmed all files are redirected .....directly

 

I don't want to use CAPTCHA images.

 

What I see on that page is a CAPTCHA 

[avvllvva]

The chance that you will receive spam is just as big with an Ajax form as it would be with a non Ajax form. Someone could easily find the location of the script that processes the Ajax form by looking at your HTML source.

 

How he will get the access to this page, is it by direct url entry ?

[RichardRotterdam]

Direct url entry could be one of the options. Pretty much you can apply the same spam prevention techniques as non ajax forms.

[avvllvva]

In a regular form submission spam,if it comes from direct URL, he can only pass values as GET variables and my script accept only POST variables... then it gets solved ?

what are the other ways to spaming a form?

[Garethp]

No, he can spam you with POST aswell. It's all in the Curl. I reckon the best way to prevent spam is to code it so that the form can only be submitted ever x amount of minutes

[Adam]

It doesn't matter whether you use POST or GET methods, the user wouldn't even need to go as far as cURL. With the Firebug extension you can quite literally edit the HTML for a website and use it as though it was the original (although you don't need Firebug to do this it makes it a hell of a lot quicker). This means they could simply edit your HTML, create a quick 'POST' method form containing all the parameters they liked, and then submit it.

[keldorn]

In short no it won't.  Obscuring your form with Javascript/Ajax might stop the regural spam bot from seeing your form. But if a spammer wanted to target your site they could just examine your POST or GET method and specially craft the POST or GET and execute it.

[avvllvva]

Thank you guys,

 

anyhow I have to use some anti-spam technique for this ajax form too.

 

I have another query.

 

One of the common spam check is captcha image, so that image couldn't be readable by spamers. All other form elements they can trap.

Suppose if I'm using a div tag

and which will replace the captcah image and that contains the session string and that plays the role of captcha image.(why I'm planning like this , some server doesn't have GD support)  Is this hackable ?

[kickstart]

Hi

 

Not sure anything can stop spammers totally (CAPTCHA can't although it does help).

 

You can try things to just make life difficult for them though. Check how often a link is clicked and have a limit (probably down to the ip address of the clicker). Change the form fields randomly (so the spammers can't just hard code the fields). Only accept clicks from a sent page (ie, store some marker that can be used to determine when the page was sent) and only accept those that are replied to in a certain time range (ie, not within a second, not over an hour).

 

If you want a crude CAPTCHA system without using GD then come up with a load of captcha type images yourself, save them and put out a random one. You save the name of the image you have sent, but you send the image using a php script (ie, the php reads the image file and writes it) so that they cannot just look at the image name (probably doesn't stop them checking the image details).

 

All the best

 

Keith