Jump to content

Manage behaviour when comparing values.


Go to solution Solved by requinix,

Recommended Posts

Hi Everybody,

 

I have a simple form that mixes HTML and PHP.  I thought I could get fancy and add a simple security level before the form action.

I have a snippet that prepares for a random number between 1 and 99, and call that random number $entry
 

<?php
$firstnumb = rand(1,9);
$secondnumb = rand(1,99);
$entry = $firstnumb + $secondnumb;
?>

A visitor will see a display box that asks them to add the two numbers ...

<?php
print "<SPAN style='color: #0000FF'><B>$firstnumb + $secondnumb</B></SPAN>";
?>

and enter the answer in a text box

<input type="text" class="form-control" placeholder="Enter the answere here" id="entry1" name="entry1" required > 

So now I just have to compare the value of $entry to the value of entry1, and do one of two things.  That's where I crash and burn.

If the values compare, I just need to break and move on

If the values do not compare, then I want to:

  1. Replace the value of entry1 to "0"
  2. Alert the visitor that he needs to correct their answer.
  3. Return focus to the input box and do it again. Perhaps allow a limit of 3 attempts.

I don't know how to do any of this and hope someone will help me.

Many Thanks,

Paul

 

Link to comment
https://forums.phpfreaks.com/topic/315312-manage-behaviour-when-comparing-values/
Share on other sites

Sounds like you're talking about doing this in Javascript? If you're implementing your own bot check then it can't be in Javascript because the bots can just ignore that. It has to be in PHP.

Doing that means you need to "remember" $entry from before. If you put that as a hidden input in the form then guess what the bots will do.

There's a really simple way to solve this, though. Don't remember $entry but a hash of it, then check the hashes.

$hash = sha1(__FILE__ . $entry);
<input type="hidden" name="hash" value="<?= $hash ?>">

Then your PHP does the hash the same way but using the number the user put in the form, and it checks that the result matches the hash from the form. Bots can't figure out what value generated the hash, which also means they can't successfully substitute their own hash value.

 

But know that bots are capable of solving math problems like this...

  • Like 1

Thanks for the reply, requinix.  I appreciate the time you've given to my issue.

It seems that using simple math to block anything but a human visitor is not a good idea, so I will need to do some research to find a method that I can understand and use.  

With that in mind, could you suggest a "topic" that I can google to research intelligently?

Many Thanks, if you can respond

Paul

  • Solution

The general term is "CAPTCHA". Google's reCAPTCHA and whatever the non-Google alternative is, are the de-facto standards. It takes a little more work to implement but they're effective and reliable.

As requinix says Captcha is definitely the standard, but there's also the concept of a honeypot which is a hidden field that a bot will fill in but a human won't. So if the honeypot is filled, your script can ditch the submission.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.