jPaulB
Posted September 11, 2022

Hi Everybody,

I have a simple form that mixes HTML and PHP. I thought I could get fancy and add a simple security level before the form action.

I have a snippet that prepares for a random number between 1 and 99, and call that random number $entry

    <?php
    $firstnumb = rand(1,9);
    $secondnumb = rand(1,99);
    $entry = $firstnumb + $secondnumb;
    ?>

A visitor will see a display box that asks them to add the two numbers ...

    <?php print "<SPAN style='color: #0000FF'><B>$firstnumb + $secondnumb</B></SPAN>"; ?>

and enter the answer in a text box

    <input type="text" class="form-control" placeholder="Enter the answere here" id="entry1" name="entry1" required >

So now I just have to compare the value of $entry to the value of entry1, and do one of two things. That's where I crash and burn.

If the values compare, I just need to break and move on.

If the values do not compare, then I want to:

- Replace the value of entry1 to "0"
- Alert the visitor that he needs to correct their answer.
- Return focus to the input box and do it again.
- Perhaps allow a limit of 3 attempts.

I don't know how to do any of this and hope someone will help me.

Many Thanks,
Paul

requinix
Posted September 11, 2022

Sounds like you're talking about doing this in JavaScript?

If you're implementing your own bot check then it can't be in JavaScript because the bots can just ignore that. It has to be in PHP. Doing that means you need to "remember" $entry from before. If you put that as a hidden input in the form then guess what the bots will do.

There's a really simple way to solve this, though. Don't remember $entry but a hash of it, then check the hashes.

    $hash = sha1(__FILE__ . $entry);

    <input type="hidden" name="hash" value="<?= $hash ?>">

Then your PHP does the hash the same way but using the number the user put in the form, and it checks that the result matches the hash from the form. Bots can't figure out what value generated the hash, which also means they can't successfully substitute their own hash value.

But know that bots are capable of solving math problems like this...

jPaulB (Author)
Posted September 12, 2022

Thanks for the reply, requinix. I appreciate the time you've given to my issue.

It seems that using simple math to block anything but a human visitor is not a good idea, so I will need to do some research to find a method that I can understand and use.

With that in mind, could you suggest a "topic" that I can google to research intelligently?

Many Thanks, if you can respond
Paul

requinix (Solution)
Posted September 12, 2022

The general term is "CAPTCHA". Google's reCAPTCHA and whatever the non-Google alternative is, are the de-facto standards. It takes a little more work to implement but they're effective and reliable.

maxxd
Posted September 12, 2022

As requinix says, Captcha is definitely the standard, but there's also the concept of a honeypot, which is a hidden field that a bot will fill in but a human won't. So if the honeypot is filled, your script can ditch the submission.
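
An added example, not code from any poster in this thread: one way to do the server-side check requinix describes, combined with the honeypot field maxxd mentions. It swaps `sha1(__FILE__ . $entry)` for `hash_hmac` with a server-side key and binds an issue time, so the hash depends on a secret and a token expires. The key, the `issued` and `website` field names, and the function names are assumptions.

```php
<?php
// Added example. Assumed names: CHALLENGE_KEY, CHALLENGE_TTL, 'issued', 'website'.
const CHALLENGE_KEY = 'replace-with-a-long-random-secret'; // load from config in real use
const CHALLENGE_TTL = 600; // seconds a challenge stays valid

// Bind the expected answer to its issue time under the server-side key.
function challenge_hash(int $answer, int $issued): string
{
    return hash_hmac('sha256', $answer . '|' . $issued, CHALLENGE_KEY);
}

// Create a challenge: the question to display plus the hidden form fields.
function issue_challenge(): array
{
    $a = random_int(1, 9);
    $b = random_int(1, 99);
    $issued = time();
    return ['question' => "$a + $b", 'issued' => $issued, 'hash' => challenge_hash($a + $b, $issued)];
}

// Check a submitted form (normally $_POST). Returns true only if it passes.
function verify_submission(array $post): bool
{
    // Honeypot: a field hidden from humans with CSS must come back empty.
    if (($post['website'] ?? '') !== '') {
        return false;
    }
    $issued = (int) ($post['issued'] ?? 0);
    $age = time() - $issued;
    if ($age < 0 || $age > CHALLENGE_TTL) {
        return false; // expired, or the timestamp was altered
    }
    $entry = $post['entry1'] ?? '';
    $hash = $post['hash'] ?? '';
    if (!is_string($entry) || !is_string($hash) || !ctype_digit($entry)) {
        return false;
    }
    // Recompute from the visitor's answer and compare in constant time.
    return hash_equals(challenge_hash((int) $entry, $issued), $hash);
}

// Constructed round trip standing in for a real form post.
$c = issue_challenge();
[$a, $b] = array_map('intval', explode(' + ', $c['question']));
$good = ['entry1' => (string) ($a + $b), 'issued' => (string) $c['issued'], 'hash' => $c['hash'], 'website' => ''];
var_dump(verify_submission($good));                      // correct answer
var_dump(verify_submission(['entry1' => '0'] + $good));  // wrong answer
var_dump(verify_submission(['website' => 'x'] + $good)); // honeypot filled
```

The form emits `hash` and `issued` as hidden inputs next to `entry1`, plus an empty `website` input hidden with CSS.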