  1. #1
    DoubleDee

    Where to add Spam Checks?

    In another thread, I just learned some new techniques to avoid using CAPTCHA, but still discourage Spam Bots from submitting bogus Forms.

    Now I would like to know, *which* Forms on my website need such protection?

    Obviously something like a Registration Form would need that extra level of protection, but what about these other scenarios where I technically am using Forms...

    - Login Form

    - Rate This Article Form (Members-only)

    - Accept/Reject Friend-Request Form (Members-only)

    - Submit a PM (Members-only)


    I use Forms all over the place, but off the top of my head, you have to be logged in as a Registered Member to use any of them.

    The only place where *anyone* can submit a Form would be either my Registration Form or my Log-in Form.


    Obviously I don't want to have to add code - and add complexity - to places where it is not truly needed.

    What do you think?

    Sincerely,


    Debbie

  2. #2
    Mittineague
    No Contact form?

    I think these are the most abused (to send SPAM emails) so if you have one it definitely needs to be hardened.

  3. #3
    DoubleDee
    Originally posted by Mittineague:
    "No Contact form?

    I think these are the most abused (to send SPAM emails) so if you have one it definitely needs to be hardened."
    I don't believe in Customer Service...


    Off Topic:

    You know, Mittineague, this is why I can never get my website done...

    Because just when I am about to wrap things up, someone comes along and mentions something else I am missing, and there goes another couple of weeks!!



    What do you think about the Forms mentioned in my OP?

    Sincerely,


    Debbie

  4. #4
    felgall
    A password field is the best CAPTCHA to use for login forms. Since the spambots don't have an account (assuming that you use a decent CAPTCHA on your registration form and not one of those stupid almost obsolete image CAPTCHAs) they will not know of a password that is valid for any account to enter in to gain access.

    Members only forms don't need a CAPTCHA because spambots will never be members.

    So of the forms you list the only ones that need a CAPTCHA are the registration and login forms and all login forms already have the best possible CAPTCHA (provided that you have appropriate processing in place to prevent spambots from trying to guess passwords - a ten second lock after a wrong password or attempt to enter a password while locked would mean that if the spambot doesn't guess right on the first try and doesn't have at least a ten second delay built in between guesses that it will never get in, and if it does have the delay built in it will average many years between successful guesses).

    For the registration form the ideal would be a CAPTCHA that is not visible - such as testing the time from when the form is first displayed to when it is submitted. To allow for real people managing to fill out the form too quickly by using a tool to fill out the form you could redisplay the form with a different CAPTCHA (such as a simple math calculation CAPTCHA) if the form fails the invisible CAPTCHA.

    Any other forms available for anyone to fill out will probably need some form of CAPTCHA.

    With forms you need to monitor the amount of spam that gets through and when it becomes significant then you replace the current CAPTCHA with a more effective one.
    Stephen J Chapman
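
The invisible timing check described in the post above, as an added example that is not part of the original post. The function names, the 5-second threshold, the one-hour form lifetime and the HMAC-signed hidden field are assumptions chosen for illustration; the signature stops a bot from simply submitting an older timestamp.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-deployment server key (assumption)
MIN_FILL_SECONDS = 5               # assumed threshold; tune from real traffic
MAX_FORM_AGE = 3600                # older forms must be rendered again

def _sign(msg: str) -> str:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def issue_form_token(now=None) -> str:
    """Value for a hidden field, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign('form:' + ts)}"

def check_submission(token: str, now=None) -> str:
    """Return 'accept', 'challenge' (filled too fast) or 'reject' (bad token)."""
    now = time.time() if now is None else now
    ts, _, mac = token.partition(".")
    expected = _sign("form:" + ts)
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), expected.encode()):
        return "reject"            # missing, malformed or tampered timestamp
    elapsed = now - int(ts)
    if elapsed < 0 or elapsed > MAX_FORM_AGE:
        return "reject"            # timestamp from the future, or stale form
    if elapsed < MIN_FILL_SECONDS:
        return "challenge"         # redisplay the form with the visible fallback
    return "accept"

def make_math_challenge(a=None, b=None):
    """Fallback question; keep the answer in the server-side session only."""
    a = secrets.randbelow(9) + 1 if a is None else a
    b = secrets.randbelow(9) + 1 if b is None else b
    return f"What is {a} + {b}?", a + b
```

A token stays valid until `MAX_FORM_AGE` expires, so a form that must not be replayed also needs a one-time value tracked on the server.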


  5. #5
    Mittineague
    Originally posted by DoubleDee:
    "..... What do you think about the Forms mentioned in my OP? ....."
    As felgall said, the members-only forms should be safe enough against outside abuse from bots.
    Of course they should still be sanitized and validated to prevent abuse from humans.

  6. #6
    DoubleDee
    Originally posted by felgall:
    "Members only forms don't need a CAPTCHA because spambots will never be members."
    Okay.


    Originally posted by felgall:
    "So of the forms you list the only ones that need a CAPTCHA are the registration and login forms and all login forms already have the best possible CAPTCHA (provided that you have appropriate processing in place to prevent spambots from trying to guess passwords - a ten second lock after a wrong password or attempt to enter a password while locked would mean that if the spambot doesn't guess right on the first try and doesn't have at least a ten second delay built in between guesses that it will never get in, and if it does have the delay built in it will average many years between successful guesses)."
    Good idea!

    Once I get done enhancing my Registration Form, my Log In Form is next.

    (I also need to figure a way to make it so that if you don't get in by the 3rd try, then you are locked out!)


    Originally posted by felgall:
    "For the registration form the ideal would be a CAPTCHA that is not visible - such as testing the time from when the form is first displayed to when it is submitted."
    I'm working on that as we speak!


    Originally posted by felgall:
    "To allow for real people managing to fill out the form too quickly by using a tool to fill out the form you could redisplay the form with a different CAPTCHA (such as a simple math calculation CAPTCHA) if the form fails the invisible CAPTCHA."
    Good idea.


    Originally posted by felgall:
    "Any other forms available for anyone to fill out will probably need some form of CAPTCHA."
    Okay.

    Even though it is a Member-only area, what about Forms that allow people to post comments beneath my Articles?


    Originally posted by felgall:
    "With forms you need to monitor the amount of spam that gets through and when it becomes significant then you replace the current CAPTCHA with a more effective one."
    Another good idea.

    Thanks for all of the tips!!

    Sincerely,


    Debbie

  7. #7
    DoubleDee
    Originally posted by Mittineague:
    "As felgall said, the members-only forms should be safe enough against outside abuse from bots.
    Of course they should still be sanitized and validated to prevent abuse from humans."
    Should I have a spam bot checker on my Log-in Form? (Felgall says, "No.")


    Also, maybe I'll have to get around to making a Contact Form too?!

    Sincerely,


    Debbie

  8. #8
    Mittineague
    He said "No" (you don't need a [additional] CAPTCHA) under the condition that
    provided that you have appropriate processing in place to prevent spambots from trying to guess passwords - a ten second lock after a wrong password or attempt to enter a password while locked would mean that if the spambot doesn't guess right on the first try and doesn't have at least a ten second delay built in between guesses that it will never get in, and if it does have the delay built in it will average many years between successful guesses
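
The ten-second lock quoted above, as an added example that is not code from the thread. `LoginThrottle`, the in-memory dictionaries, the PBKDF2 parameters and the "debbie" account are assumptions for illustration; the lock restarts on a wrong password and on any attempt made while locked, as the quoted condition describes.

```python
import hashlib
import hmac
import os

LOCK_SECONDS = 10  # the lock length suggested in the thread

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class LoginThrottle:
    """Per-account lock: a wrong or too-early attempt restarts the timer."""

    def __init__(self, users):
        self.users = users            # username -> (salt, password_hash)
        self.locked_until = {}        # username -> time at which the lock ends

    def attempt(self, username: str, password: str, now: float) -> str:
        if now < self.locked_until.get(username, 0):
            # Attempt while locked: refuse without checking the password
            # and restart the lock, so rapid guesses are never evaluated.
            self.locked_until[username] = now + LOCK_SECONDS
            return "locked"
        # Unknown names go through the same hashing work as real ones.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.locked_until.pop(username, None)
            return "ok"
        self.locked_until[username] = now + LOCK_SECONDS
        return "denied"

def demo_throttle():
    """Constructed account for the example; not real credentials."""
    salt = os.urandom(16)
    return LoginThrottle({"debbie": (salt, hash_password("correct horse", salt))})
```

Because the lock is keyed on the account name alone, repeated bad attempts also keep the real member out; keying on account plus client address, and expiring old entries, are the usual refinements.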

