Jump to content

Using PHP to prevent Spam

kreut

By kreut
in PHP Coding Help

 Share

Recommended Posts

kreut Member

kreut

Posted
Posted

Hello,

 

I'm currently using Captcha as a means to prevent Spam on my website for user's comments in a "Contact Us" form.  The more I think about it, the more I wonder why the heck I'd use such a difficult to read (annoying?) method as opposed to something like:

 

Create a php script that generates two random numbers between 1 and 10 (x and y).  Ask the user "Please prove you're human by telling me the sum of x and y.".  If they don't, then the form won't be submitted.

 

Also, I feel like I don't even really understand exactly HOW someone can spam my site: if, for example, there's an email form within my site on a secure page (in other words, after the user logs in), would a spamster be able to get to that?

 

Thank you,

 

Eric

Link to comment
https://forums.phpfreaks.com/topic/244682-using-php-to-prevent-spam/
Share on other sites
ZulfadlyAshBurn Regular Member

ZulfadlyAshBurn

Posted
Posted

creating a php script that generates two number is rather easy. i have done it and tested it. its working :)

 

<?php
session_start();

$maths = $_REQUEST['maths'];

if(isset($maths)) {

$sum = $_SESSION['sum'];

if($maths == $sum) {
echo "Correct ";
}
else {
echo "Wrong ";
}

}
else {
$n1 = rand(1,10);
$n2 = rand(1,10);
$sum = $n1 + $n2;
$self = $_SERVER['PHP_SELF'];
$_SESSION['sum'] = $sum;
echo "<form action='" .$self. "' method='post'/>". $n1 . " + " . $n2 . " =<input type='text' name='maths'/><input type='submit' value='submit'/></form>The correct answer would be: " . $sum;
}
?>

 

as for ppl spamming your site: if they are allowed to register on their own, they are able to do anything to the contact form. else, they can still get the url/page which sends you the data and send it :)

kreut Member

kreut

Posted
  • Author
Posted

Thanks for the response! But, can they get to things INSIDE my site?  In other words, let's say a user has to register --AND PAY-- to use my site.  Once in the site, they have a "Send me comments form".  Could the spammer spam that if the "Send me comments form" is only accessible to paying users?

 

Thanks again....

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

If the form and the form processing code is correctly testing if the current visitor is logged in and is preventing access by non-logged in visitors, then generic spammers who are not members/not logged in would not be able to submit comments to your form processing code because you form processing code would ignore form submissions by non-logged in guests.

 

What is your code that is detecting logged in members and is protecting your member only pages?

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

As to simple math and word problem captcha's. It is very easy to write a script that parses and solves math problems and simple copy/paste type of word problems. You can however make these type of captcha's more secure by dynamically outputting the question as an image, since that would require a hacker to both do accurate OCR on the image to find out the question, then solve the question. It is a lot harder to do OCR to accurately read several words, than it is to do OCR to accurately find a small number of letters/numbers that are typically used in a captcha.

kreut Member

kreut

Posted
  • Author
Posted

Thanks for responding to my post.  To detect logged in members I'm using the Zend_Auth adapter with hasIdentity() to see if a user is correctly logged in and is of the appropriate user type; this is after they log in using Zend_Auth in conjunction with matching the credentials to my database using Zend_Auth_Adapter_DbTable.

 

And, from what you said on your post, it sounds like the idea of dynamically generating a mathematical question then outputting it as an image could be an alternative to using Captcha ---do I understand you correctly?  I feel pretty comfortable with php but have never output text as an image.  Might you have a resource that could get me started? 

The Little Guy Prolific Member

The Little Guy

Posted
Posted

My cousin came up with this, now I don't know if it would work or not, but what you do is create a text field and give it this css:

"display: none;"

 

Then when you validate the form, you check to see if that field is filled in or not. if it is not filled in, it was probably submitted by a human (due to the fact that they did not see it); if it is filled in then it was probably submitted by a robot. You would probably also give the field a common name, for example if it was a login, maybe the name "url". A robot would more than likely put a url in there and submit it making that field filled out and we now assume a robot put that in there.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.