jPaulB Posted September 11, 2022 Share Posted September 11, 2022 Hi Everybody, I have a simple form that mixes HTML and PHP. I thought I could get fancy and add a simple security level before the form action. I have a snippet that prepares for a random number between 1 and 99, and call that random number $entry <?php $firstnumb = rand(1,9); $secondnumb = rand(1,99); $entry = $firstnumb + $secondnumb; ?> A visitor will see a display box that asks them to add the two numbers ... <?php print "<SPAN style='color: #0000FF'><B>$firstnumb + $secondnumb</B></SPAN>"; ?> and enter the answer in a text box <input type="text" class="form-control" placeholder="Enter the answere here" id="entry1" name="entry1" required > So now I just have to compare the value of $entry to the value of entry1, and do one of two things. That's where I crash and burn. If the values compare, I just need to break and move on If the values do not compare, then I want to: Replace the value of entry1 to "0" Alert the visitor that he needs to correct their answer. Return focus to the input box and do it again. Perhaps allow a limit of 3 attempts. I don't know how to do any of this and hope someone will help me. Many Thanks, Paul Quote Link to comment Share on other sites More sharing options...
requinix Posted September 11, 2022 Share Posted September 11, 2022 Sounds like you're talking about doing this in Javascript? If you're implementing your own bot check then it can't be in Javascript because the bots can just ignore that. It has to be in PHP. Doing that means you need to "remember" $entry from before. If you put that as a hidden input in the form then guess what the bots will do. There's a really simple way to solve this, though. Don't remember $entry but a hash of it, then check the hashes. $hash = sha1(__FILE__ . $entry); <input type="hidden" name="hash" value="<?= $hash ?>"> Then your PHP does the hash the same way but using the number the user put in the form, and it checks that the result matches the hash from the form. Bots can't figure out what value generated the hash, which also means they can't successfully substitute their own hash value. But know that bots are capable of solving math problems like this... 1 Quote Link to comment Share on other sites More sharing options...
jPaulB Posted September 12, 2022 Author Share Posted September 12, 2022 Thanks for the reply, requinix. I appreciate the time you've given to my issue. It seems that using simple math to block anything but a human visitor is not a good idea, so I will need to do some research to find a method that I can understand and use. With that in mind, could you suggest a "topic" that I can google to research intelligently? Many Thanks, if you can respond Paul Quote Link to comment Share on other sites More sharing options...
Solution requinix Posted September 12, 2022 Solution Share Posted September 12, 2022 The general term is "CAPTCHA". Google's reCAPTCHA and whatever the non-Google alternative is, are the de-facto standards. It takes a little more work to implement but they're effective and reliable. Quote Link to comment Share on other sites More sharing options...
maxxd Posted September 12, 2022 Share Posted September 12, 2022 As requinix says Captcha is definitely the standard, but there's also the concept of a honeypot which is a hidden field that a bot will fill in but a human won't. So if the honeypot is filled, your script can ditch the submission. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.