As awesome as my pure JavaScript solution of telling human beings from human beings at the beginning of the thread? :)
BTW poes, do you have any thoughts about the accessibility of the honeypot method mentioned earlier in this thread (that you hide a field with CSS, the idea being that only bots will fill it out).
How does this play out for someone with a screen reader?
I think Felgall or someone had already mentioned it: you make sure your input's label tells users what to fill in.
One form I know of has a visible input, saying "are you a spammer? (answer no)" and then the input. They expect input, but it must be "no". (This one tripped me up the first time: it's in Dutch and it says "nee invullen" and I misread it to mean "niet invullen" (don't fill in). So I didn't fill it in, which triggered a spam trap).
Aha, I still have a screenshot of it
http://stommepoes.nl/honeypot.png
It doesn't show up if you have Javascript on, meaning the number of humans likely to screw it up are limited to those with JS off. When JS is on, the input is hidden and I assume JS fills in the "nee" answer before the form is submitted, meaning the form always requires the input to be filled, and filled with the correct answer.
You'll probably be okay with "what is 6+6?" or Eric's 2+2, but bots can do math (well, but they are rather notorious at sucking at floating-point arithmetic, aren't they? :) and the cognitively disabled can have trouble with lots of stuff. Mike Cherim's blog had a combination of Askimet and a honeypot asking "is fire hot?" (I have no idea what range of "correct" answers his form would accept). Well, and you don't have to really be very disabled: remember those picture captcha's they had where you had say 3 cats and a rat-dog and you had to fill in how many cats? Except the images were so bad it was really hard to tell. I like the idea of telling people what to fill in.
Thanks for the reply.
This is something I've seen come up a few times recently and I'm still trying to formulate my thoughts on the best way to do this.
I agree with you that captchas are horrible. For example it's not obvious that you can reload them and if done badly, they pose a real barrier to elderly users, not to mention users with any kind of impairment.
As to whether bots can do maths: If I was a spam bot author I would search forms for occurrences of plus, minus etc in the fields and then call eval() on whatever was in them. E.g. eval("document.write(6+6)"); would output the correct answer to the OP's security question.
I also liked the look of Askimet, but with Germany being Germany, it is quite problematic to use it whilst staying on the right side of the old Datenschutzbeauftragter.
BTW, I never saw one of the cat-rat-dog captchas. They sound great. Anyone got a link to one? Googling "cat rat dog captcha" didn't turn up anything other than some bizarre / amusing pictures :)
Edit:
I only had to Google "animal captcha" and came up trumps!!
http://www.teoriza.com/captcha/example.php
Edit2:
Great, now I'm gonna waste loads of time lookin at these: http://www.huffingtonpost.com/2010/0..._n_487166.html
If one of those honeypots is going to be used, I still wonder if it's better just to give a label saying "Don't fill this in!". I turned away from that at some point ... but now I think I'd rather tell users not to do something that to force them to do something unnecessary. All the same, I still prefer felgall's timer method.
A honeytrap with CSRF protection blocks pretty much all spam bots, unless they specifically target your site - in which case no amount of automated protection will stop it.
@wonshikee
your backhoe looks like it's about to drown. !!
@pullo " They sound great. Anyone got a link to one? " They were at Rackspace. Add that term to your google searches.
I tried to find the thread on another forum where people showed CAPTCHAs with... seriously... calculus questions. I was like zomg, but can't find them.
The issue with telling people not to fill in an input is that, when you're filling in a form, you're filling in everything.
My blood bank goes through a list of questions before you can give blood. There are sections you do not fill out unless you're
- above age 60
- a female
- a man who's had sex with another man
I asked a volunteer nurse there once how often people filled in those sections anyway, even if they didn't fit the criteria (they are yes/no questions so you can easily continue filling them in). She said very often.
The smartest person becomes an utter retard once they are sitting behind a computer and filling out a form. So woe to any of us who aren't super-geniuses: we're even dumber. There is a certain rhythm to filling out a form, and part of that rhythm is
next question
skim over label
fill something in
lather, rinse, repeat
So for this reason I suspect (but would love someone doing a usability test on this) that people are more inclined to try to fill something in at first, and only stopping themselves with a start when/if they realise "oh, this one needs to be left blank." So that's why I lean more towards telling them to fill in "x". Or, "are you a human?" is the type of question that easily prompts a no-thought answer (even if some would grumble that they think they are lying when filling in "yes", our site doesn't care, it's for anti-spam anyway).
How would one turn this bit of code into a random number each time shone?
// Spam Question
if ($spam == 4){
// success, continue processing
}
else{
header( "Location: $errorurl" );
exit ;
}
...And then verify the correct number correctly?
So with that bit of code the html question says "what's 2 + 2"
So the html would have to randomize too?
Hi Eric,
There are a number of ways to do this.
If the form is generated by a PHP script, for example, you could have the PHP script choose two random numbers, and generate some kind of token which it passes to the form as a hidden field.
Then, when the user submits the form, the PHP script which processes the submitted data, could use the token to validate the answer.
If you're interested in implementing this, then just let me know.
This is Greg - the originator of this thread. I just wanted to give a quick update on the success of this project. It works great! :D
I have two websites that are hosted by Yahoo. I put the new Contact Form on one site (simple 6+6 math captcha, eliminated auto-complete, gave the fields unconventional names) and it hasn't had a s/p/a/m message since. :eek:
- It also hasn't had any messages from the crappy third-world SEO services - they must like using auto-complete. :p
My other site still has the original unprotected Contact Form, and it continues to gather a stream of junk messages. :rolleyes:
Thank you again to Pullo and all others who helped :)
Very interested. Could we do 5 different random math problems? 1+1, 2+2, 3+3,4+4,5+5. Thanks!Quote:
Originally Posted by Pullo
Eric wrote:
Though you probably could do it, you don't really need to do it.Quote:
Very interested. Could we do 5 different random math problems?
Look back through the first few pages of this thread and you'll see that the spambots don't read or analyze your Contact Form - they just harvest your Contact address or form processing URL and send their own data to it. So hiding the address or URL in a PHP script is the first line of defense, and including one simple bot filter (like 6+6) is the second line of defense. As I wrote above, it works great!
The other Contact Form issue I have had is getting lots of junk messages, usually from places offering bad SEO services. My understanding is they use humans and some sort of auto-complete assistance to quickly fill in Contact Forms. Turning off auto-complete on your forms and naming your fields something besides "name", "email", "message", etc is supposed to make their systems not work properly and they will not bother to stop and think and type info into your form. Again, so far it is working wonderfully for me.
One possible future improvement would be some sort of filter for the message field so that if it contains a word you don't want to get messages about (SEO, viagra?) the submission is rejected. But at the moment, that does not seem necessary. ;)
@Greg
I'm glad you got everything working. Nice one!
Thanks for taking the time to report back!
@Eric
As Greg says, I'm not sure how effective this would be, but this script does what you want:
myForm.php
myScript.phpPHP Code:<?php $num = rand(1, 5); ?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Spam filter example</title>
</head>
<body>
<form action="myScript.php" method="post">
<div>
<label for="spam_question">What is <?php echo $num ?> + <?php echo $num ?>?</label>
<input type="text" id="spam_question" name="spam_question">
<input type="hidden" value="<?php echo $num ?>" name="num">
</div>
<input type="submit">
</form>
</body>
</html>
Hope that helps.PHP Code:<?php
$num = $_POST['num'];
$spam_question = $_POST['spam_question'];
if($spam_question != 2*$num){
echo "Wrong answer!";
exit();
}
echo "It's all good brother!";
?>
If memory serves me correct, thats not all together true. They can still hijack your form in order to use it to send out thousands of emails.Quote:
Originally Posted by Greg Baka
Awesome thank you! I'll try this out and post back if I hit any problems.Quote:
Originally Posted by Pullo
Eric wrote:
I had the same concern. What I learned was that "It depends on your webhosting service"Quote:
If memory serves me correct, thats not all together true. They can still hijack your form in order to use it to send out thousands of emails.
I use Yahoo webhosting, and their system only allows forms on a website to send email to addresses in the same domain. ( a form on mysite.com can only send emails to contact@mysite.com ) So I didn't have to worry about outgoing-hijacking for the Contact Form design project we did here. We only had to worry about incoming-hijacking.
So you may want to check your web hosting company to see if they already have outgoing-hijacking blocked on their end...
@pullo I'm starting a new thread so I don't hijack this one.
OK this worked perfect. But now I need to mirror this function on my JS side. In the past when I just had one answer (not random) I did it like this using the bassistance jquery validation plugin. http://bassistance.de/jquery-plugins...in-validation/. The first statement is a custom rule to prevent urls from being submited in the textarea. So what I need is the same type of thing but using the random math question logic. It has to be possible but does anyone know how? I know this is the php forum but you guys are the best. Thanks!Quote:
Originally Posted by Pullo
Code JavaScript:
Hi Eric,
I'm not too sure what you are asking here.Quote:
Originally Posted by EricWatson
If I remember correctly, you have a PHP script which chooses one sum from a list of five, then displays it on your form for the user to answer.
It then copies the answer into a hidden field so that the script to which the form is submitted can validate the answer.
Are you saying that you want a separate JavaScript function to generate two random numbers and display them as a sum for the user to complete.
Then when the user presses submit, a function should fire that checks the answer to the sum and will only allow submission if the answer is correct?
Off Topic:
I kinda personally like JS validation to be there to help users fill in the correct data in the right place the right way. Hints. Anything more starts to inherit the problems of false-positive-spams that the back-end validation (which we *will* have, as Eric has) already has the danger of causing. Having users perform side-work to prove on the dirty client side that they are human, only to have the server do it again in the back seems to want to cause humans torment and dismay. Unless you really need to limit actual conversation with the server...
I think Eric will get a good and useful answer if he states the ultimate purpose of the JS too, and what it might need to deal with.
Hey guys:) pretty much what you said pullo. The php you gave me a while back spits out 5 random math questions - 1+1, 2+2, 3+3, 4+4,5+5 and validates their correct answer. As is they can input a wrong number and my js does not catch it. Only my php does. I'm using my php as a fall back of sorts. I would prefer the js catches the wrong or correct answer first and either displays the error or let's the form submit. In order to do this it has to exactly mirror the php function you provided earlier. You understand? As Stomme said, yes I am using the js to provide the pretty hints and such. If js is turned off, then php catches it and it just goes to the error page saying the generic "you failed to fill in all the correct information or you made a mistake while typing, please use the back button and try again".
Thanks for your help!
Furthermore, the code I showed above is how to write a custom rule for the validation plugin. And it showes how I used it in the past to only give 1 single correct answer. I instead of course need to rewrite it (rather I need help) so that it communicates with the php, or at least mirrors it's random nature.
Ok and here is the test page http://www.visibilityinherit.com/projects/formtest.php and here is the php script http://www.visibilityinherit.com/projects/formmail.txt so you can exactly see what I'm trying to do. Thanks!
Hi Eric,
No problem.
I here's a modified version of my original PHP script.
I have attached a JavaScript onsubmit handler, which will not allow the form to be submitted if the answer to the question is incorrect.
The way this works is that you use JS to check that the hidden value is equal to two times the submitted value.
Simples!
PHP Code:<?php $num = rand(1, 5); ?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Spam filter example 2</title>
</head>
<body>
<form action="myScript.php" method="post" id="myForm">
<div>
<label for="spam_question">What is <?php echo $num ?> + <?php echo $num ?>?</label>
<input type="text" id="spam_question" name="spam_question">
<input type="hidden" value="<?php echo $num ?>" name="num" id="ans">
</div>
<input type="submit">
</form>
<script>
var f = document.getElementById('myForm');
f.onsubmit = function(){
if (f.spam_question.value != 2*ans.value){
alert("Incorrect answer!");
return false;
}
}
</script>
</body>
</html>
Awesome!!! Can't wait to test it out! I'll let you know how I fare. Thanks a lot Pullo :)
Although it works, @Pullo ; 's method is quite easy to reverse engineer, since the solution to cracking the 'captcha' is right there in the javascript.
So if somebody really wanted they could just look at that code and work around it in a matter of minutes.
Better would be to store the required answer server side in a session and then if you want to validate with javascript do a AJAX request to the server to check if the entered answer is correct, which you can easily do with the bassistance validator using the 'remote' method.
This keeps asking the same question as long as it isn't answered correctly. Once answered correctly it will generate a new captcha, thus lowering the chance of replay attacks.
form.php
post.phpPHP Code:<?php
session_start();
if (!isset($_SESSION['num1']) && !isset($_SESSION['num2'])) {
$_SESSION['num1'] = rand(1,5);
$_SESSION['num2'] = rand(1,5);
}
?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Spam filter example 2</title>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="http://ajax.aspnetcdn.com/ajax/jquery.validate/1.10.0/jquery.validate.js"></script>
</head>
<body>
<form action="post.php" method="post" id="myForm">
<div>
<label for="spam_question">What is <?php echo $_SESSION['num1'] ?> + <?php echo $_SESSION['num2'] ?>?</label>
<input type="text" id="spam_question" name="spam_question">
</div>
<input type="submit">
</form>
<script>
$("#myForm").validate({
rules: {
spam_question: {
required: true,
remote: {
url: "validate-captcha.php",
type: "post",
}
}
}
});
</script>
</body>
</html>
validate-captcha.phpPHP Code:<?php
session_start();
if (!isset($_SESSION['num1']) || !isset($_SESSION['num2'])) {
exit('Incorrect answer');
}
$sum = (int)$_SESSION['num1'] + (int)$_SESSION['num2'];
if (isset($_POST['spam_question']) && (int)$_POST['spam_question'] === $sum) {
unset($_SESSION['num1'], $_SESSION['num2']);
exit('Correct answer!');
}
exit('Incorrect answer');
PHP Code:<?php
session_start();
if (!isset($_SESSION['num1']) || !isset($_SESSION['num2'])) {
exit('"Incorrect answer."');
}
$sum = (int)$_SESSION['num1'] + (int)$_SESSION['num2'];
if (isset($_POST['spam_question']) && (int)$_POST['spam_question'] === $sum) {
exit('true');
}
exit('"Incorrect answer."');