peppericious Posted June 30, 2012

As one of a few anti-spam measures, I want to calculate the time between pageload and page/form submission. If the page/form is submitted very quickly - let's say in less than a couple of seconds - I'll assume it's a spammer and will not process the form data.

I thought of doing something like this:

```php
<?php
// Runs on every request, including the POST that submits the form
$time_start = time();

if (isset($_POST['submit'])) {
    $time_end = time();
    $time = $time_end - $time_start;

    if ($time < 2) { // form submitted in less than 2 seconds
        echo "You're a vile spammer.<br /><br />";
    } else {
        echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
    }
    echo $time . " seconds elapsed before hitting Submit."; // for my own info
}
?>
<form id='form1' method='POST' action=''>
    <input name='submit' type='submit' value='submit'>
</form>
```

... but it won't work because the start time is reset when the page reloads after submission of the form.

I'm sure there must be a simple solution but it escapes me... Any thoughts?

jcbones Posted June 30, 2012

```php
<?php
if (isset($_POST['submit'])) {
    // Start time is read back from the hidden form field sent by the client
    $time_start = $_POST['generated'];
    $time_end = time();
    $time = $time_end - $time_start;

    if ($time < 2) { // form submitted in less than 2 seconds
        echo "You're a vile spammer.<br /><br />";
    } else {
        echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
    }
    echo $time . " seconds elapsed before hitting Submit."; // for my own info
}
?>
<form id='form1' method='POST' action=''>
    <input type='hidden' name='generated' value='<?php echo time(); ?>' />
    <input name='submit' type='submit' value='submit'>
</form>
```

peppericious (Author) Posted June 30, 2012

> ```php
> <?php
> if (isset($_POST['submit'])) {
>     // Start time is read back from the hidden form field sent by the client
>     $time_start = $_POST['generated'];
>     $time_end = time();
>     $time = $time_end - $time_start;
>
>     if ($time < 2) { // form submitted in less than 2 seconds
>         echo "You're a vile spammer.<br /><br />";
>     } else {
>         echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
>     }
>     echo $time . " seconds elapsed before hitting Submit."; // for my own info
> }
> ?>
> <form id='form1' method='POST' action=''>
>     <input type='hidden' name='generated' value='<?php echo time(); ?>' />
>     <input name='submit' type='submit' value='submit'>
> </form>
> ```

Perfect, thanks. Never thought of using a hidden field in the form... very handy.

PFMaBiSmAd Posted June 30, 2012

It would take a hacker about 10 seconds to figure out that a value in a hidden field that looks like a Unix Timestamp could be submitted as an older timestamp value to bypass this check.

You would need to pass the generated timestamp in a session variable for it to be secure.

peppericious (Author) Posted June 30, 2012

> You would need to pass the generated timestamp in a session variable for it to be secure.

... I tried something like this earlier...

```php
<?php
session_start();
$_SESSION['time_start'] = time();

if(isset($_POST['submit'])) {
...
```

... but couldn't get it to work. I couldn't figure out how to prevent the session variable from being reset when the page/form is submitted...

Any suggestions?

PFMaBiSmAd Posted June 30, 2012

```php
<?php
session_start();

// form processing code
if (isset($_POST['submit'])) {
    if (isset($_SESSION['start_time'])) { // if it is not set, the form was never visited/generated
        $time = time() - $_SESSION['start_time'];
        if ($time < 2) { // form submitted in less than 2 seconds
            echo "You're a vile spammer.<br /><br />";
        } else {
            echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
        }
        echo $time . " seconds elapsed before hitting Submit."; // for my own info
        unset($_SESSION['start_time']); // unset the value so that someone cannot keep submitting data without revisiting the form
    } else {
        // form data submitted without visiting the form
        echo "You're a vile spammer.<br /><br />";
    }
}

// form code
$_SESSION['start_time'] = time();
?>
<form id='form1' method='POST' action=''>
    <input name='submit' type='submit' value='submit'>
</form>
```
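
An added example, not part of the original thread or any poster's code: a variation on the session approach above in which each rendered form gets its own random one-time token in a hidden field, while the timestamp itself stays in the session. The function names, the `MAX_AGE` limit and the plain array standing in for `$_SESSION` are assumptions made for the illustration; `random_bytes()` needs PHP 7 or later.

```php
<?php
// Added example: names, thresholds and the $store array are assumptions.
// On a real page $store would be $_SESSION after session_start().

const MIN_SECONDS = 2;     // threshold used in the thread
const MAX_AGE     = 3600;  // assumed: forms older than an hour are rejected

// Called when the form is rendered: remember when this copy was issued.
function issue_form_token(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(16));    // unguessable, carries no time data
    $store['form_tokens'][$token] = $now;  // the timestamp never leaves the server
    return $token;                         // value for a hidden form field
}

// Called on POST: returns 'ok', 'too_fast', 'expired' or 'unknown'.
function check_submission(array &$store, $token, int $now): string
{
    if (!is_string($token) || !isset($store['form_tokens'][$token])) {
        return 'unknown';                  // form never rendered, or token already used
    }
    $elapsed = $now - $store['form_tokens'][$token];
    unset($store['form_tokens'][$token]);  // one submission per rendered form
    if ($elapsed < MIN_SECONDS) {
        return 'too_fast';
    }
    if ($elapsed > MAX_AGE) {
        return 'expired';
    }
    return 'ok';
}

// Constructed walk-through with a plain array standing in for $_SESSION.
$session = [];
$t0   = 1341057600;                           // constructed timestamp
$tabA = issue_form_token($session, $t0);
$tabB = issue_form_token($session, $t0 + 5);  // a second tab does not overwrite the first

echo check_submission($session, $tabB, $t0 + 5), "\n";   // submitted instantly
echo check_submission($session, $tabA, $t0 + 30), "\n";  // normal human delay
echo check_submission($session, $tabA, $t0 + 60), "\n";  // replay of a used token
echo check_submission($session, (string)($t0 - 999), $t0 + 60), "\n"; // forged "old timestamp"
```

Because the hidden field holds only a random lookup key, submitting an older-looking timestamp has nothing to act on, and a token is consumed on first use.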

peppericious (Author) Posted June 30, 2012

Thanks PFMaBiSmAd, your help is greatly appreciated.

Corsari Posted May 10, 2013

Hi Peppericious,

have you tested the anti-spam you wanted to create with the elapsed time measure method? Is it measuring? Does it work? Thank you for the confirmation.

I did the same with JavaScript but I discovered that (maybe) SPAM-BOTs have "JavaScript disabled". It could be, they are not browsers...

So, to be sure, your approach is the correct one: the time elapsed between page load and form submission must be completely calculated on the server side.

Here I describe my personal version of an additional anti-spam.

Thinking about what I did wrong, I searched for a PHP solution and through Google I found this post of yours.

My idea is to implement the two together and see what happens, even though mine is quite simple, effective and is implemented really quickly, just a couple of lines in the PHP and one text field in the HTML form portion.

Thank you

Cor

> Thanks PFMaBiSmAd, your help is greatly appreciated.

Edited May 10, 2013 by Corsari