As one of a few anti-spam measures, I want to calculate the time between pageload and page/form submission. If the page/form is submitted very quickly - let's say in less than a couple of seconds - I'll assume it's a spammer and will not process the form data.

 

I thought of doing something like this:

 

<?php
$time_start = time(); // time() takes no arguments; this line runs again on every request
if (isset($_POST['submit'])) {
	$time_end = time();
	$time = $time_end - $time_start;
	if ($time < 2) { // form submitted in less than 2 seconds
		echo "You're a vile spammer.<br /><br />";
	} else {
		echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
	}
	echo $time . " seconds elapsed before hitting Submit."; // for my own info
}
?>
<form id='form1' method='POST' action=''>
	<input name='submit' type='submit' value='submit'>
</form>

 

... but it won't work because the start time is reset when the page reloads after submission of the form. I'm sure there must be a simple solution but it escapes me...

 

Any thoughts?

<?php
if (isset($_POST['submit'])) {
	// start time comes back from the hidden field, i.e. from the client
	$time_start = (int) ($_POST['generated'] ?? 0);
	$time_end = time(); // time() takes no arguments
	$time = $time_end - $time_start;
	if ($time < 2) { // form submitted in less than 2 seconds
		echo "You're a vile spammer.<br /><br />";
	} else {
		echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
	}
	echo $time . " seconds elapsed before hitting Submit."; // for my own info
}
?>
<form id='form1' method='POST' action=''>
	<input type='hidden' name='generated' value='<?php echo time(); ?>' />
	<input name='submit' type='submit' value='submit'>
</form>

 

Perfect, thanks. Never thought of using a hidden field in the form... very handy.

It would take a hacker about 10 seconds to figure out that a value in a hidden field that looks like a Unix Timestamp could be submitted as an older timestamp value to bypass this check.

 

You would need to pass the generated timestamp in a session variable for it to be secure.

 

.. I tried something like this earlier...

 

<?php
session_start();
$_SESSION['time_start'] = time();
if(isset($_POST['submit'])) {
...

 

... but couldn't get it to work. I couldn't figure out how to prevent the session variable from being reset when the page/form is submitted...

 

Any suggestions?

<?php
session_start();

// form processing code
if (isset($_POST['submit'])) {
	if (isset($_SESSION['start_time'])) { // if it is not set, the form was never visited/generated
		$time = time() - $_SESSION['start_time'];
		if ($time < 2) { // form submitted in less than 2 seconds
			echo "You're a vile spammer.<br /><br />";
		} else {
			echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
		}
		echo $time . " seconds elapsed before hitting Submit."; // for my own info
		unset($_SESSION['start_time']); // unset the value so that someone cannot keep submitting data without revisiting the form
	} else {
		// form data submitted without visiting the form
		echo "You're a vile spammer.<br /><br />";
	}
}

// form code
$_SESSION['start_time'] = time();
?>
<form id='form1' method='POST' action=''>
	<input name='submit' type='submit' value='submit'>
</form>
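
An added example, not part of any post in this thread: where the timestamp has to travel in the hidden field (for instance when no session is available), signing it with a server-side key makes a backdated value detectable. The key, the constants and the function names are assumptions made for this example.

```php
<?php
// Added example: tamper-evident timestamp for the hidden 'generated' field.
// FORM_HMAC_KEY is a placeholder; load a long random secret from server config.
const FORM_HMAC_KEY = 'replace-with-random-server-side-secret';
const MIN_SECONDS = 2;    // same threshold as the thread
const MAX_SECONDS = 3600; // assumed upper bound so old tokens expire

function issue_form_token(int $now): string
{
    $mac = hash_hmac('sha256', (string) $now, FORM_HMAC_KEY);
    return $now . '.' . $mac;
}

// Returns elapsed seconds, or null if the token is missing, malformed or forged.
function elapsed_from_token($token, int $now): ?int
{
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/D', $token, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], FORM_HMAC_KEY);
    if (!hash_equals($expected, $m[2])) { // constant-time comparison
        return null;
    }
    return $now - (int) $m[1];
}

function classify_submission($token, int $now): string
{
    $elapsed = elapsed_from_token($token, $now);
    if ($elapsed === null) {
        return 'rejected: missing or tampered timestamp';
    }
    if ($elapsed < MIN_SECONDS) {
        return 'rejected: submitted too quickly';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'rejected: form expired, reload the page';
    }
    return 'accepted';
}

// Constructed demonstration with a fixed clock instead of time().
$t0 = 1700000000;
$token = issue_form_token($t0);
$backdated = ($t0 - 600) . '.' . explode('.', $token)[1]; // older time, MAC unchanged
echo classify_submission($token, $t0 + 1), "\n";     // too fast
echo classify_submission($token, $t0 + 30), "\n";    // normal submission
echo classify_submission($backdated, $t0 + 1), "\n"; // edited hidden field
```

In the form, emit `issue_form_token(time())` as the value of the hidden `generated` field and pass `$_POST['generated'] ?? null` together with `time()` to `classify_submission()`. A signed token stays valid until `MAX_SECONDS`, so it does not give the one-use behaviour that `unset($_SESSION['start_time'])` provides in the session version.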

  • 10 months later...

Hi Peppericious
 
Have you tested the anti-spam measure you wanted to create with the elapsed-time method? Is it measuring? Does it work? Thank you for the confirmation.

 

I did the same with JavaScript, but I discovered that (maybe) spam bots have "JavaScript disabled" :facepalm:

It could be, they are not browsers...

 

So, to be sure, your approach is the correct one, the time elapsed between page load and form submission must be completely calculated on the server side.

 

Here I describe my personal version of an additional anti-spam measure. Thinking about what I did wrong, I searched for a PHP solution and, via Google, found this post of yours.

My idea is to implement the two together and see what happens, even though mine is quite simple, effective and really quick to implement: just a couple of lines in the PHP and one text field in the HTML form portion.

 

Thank you
 
Cor
 

Thanks PFMaBiSmAd, your help is greatly appreciated.
:)

Edited by Corsari