Toughen Forms' Security with an Image

**ArticleBot** · Nov 8, 2005 16:45

This is an article discussion thread for discussing the SitePoint article, "Toughen Forms' Security with an Image"

**ejeliot** · Nov 9, 2005 01:00

Thanks for all the feedback everyone - much appreciated.

Redux - I should have named them as Captchas, thanks for adding the link to the wiki page though.

I did think about the lack of accessibility for blind users but for this example I didn't want to over complicate things - particularly I wanted to demonstrate the PHP/GD side of creating them. I'll look to produce a follow up to this article which addresses the accessibility issue.

**a.dotty.dot** · Nov 9, 2005 10:40

Richard Heyes' solution to the usability issue is to print out a number as a word on the page and require the user to enter it as a number. For example, if the captcha is "two thousand five hundred twenty eight", the user would type "2528".

**Mike Borozdin** · Nov 13, 2005 13:31

Damn, I guess we should discuss the article and not whether to use it or not!!!!

Good article, I use the same way, I evenw as gonna write an article about that, but had not time.

**PHPCamp.com** · Nov 19, 2005 23:18

Nice tutorial. I agree with some of the comments pointing out some shortcomings but the article was useful nonetheless. There needs to be more tutorials for beginners.

**djlove** · Dec 12, 2005 07:52

duh! didn't see all the other posts before posting the last post..

Surely writing the text in the alt tag would make the whole exercise completely pointless?

**kigoobe** · Feb 24, 2007 04:00

Well, i found that u modified the article > http://www.ejeliot.com/pages/php-captcha

I have tried this, while everything is working, I am not getting the fonts. Just the scratches are coming. Any idea why this is happening?

Thanks for sharing the code.
Best.

**kigoobe** · Feb 24, 2007 04:19

working now ...

**kigoobe** · Mar 1, 2007 06:20

Just a quick note. I was visiting a forum, and saw that they are doing something else along with the captcha image. They are generating random text and a random number (less than the the length of that text). Say the word is SitePoint, they chose a number randomly < 10, and then ask to fill up the nth character of the word.

So, if the random word comes as SitePoint, and the random number as 5, user will have to type P, and it is case sensitive. Seems to be a nice idea ...

**Dan Grossman** · Jul 11, 2007 14:38

No way am I going to sit there and read the frames to submit a form. Your CAPTCHA is anti-human.

**jstorz** · Jul 12, 2007 00:40

Originally Posted by Dan Grossman

No way am I going to sit there and read the frames to submit a form. Your CAPTCHA is anti-human.

Anti-impatient people perhaps. To be fair it does take ~5 seconds for the frames to roll through start to finish. But then again the text is not distorted to the point where people cannot read what it says either, I say 5 seconds well spent.

As a site owner, your users will never have to guess what the characters are and will never again answer incorrectly (assuming their IQ is > 70) regardless of what language they speak.

I also never have to waste another minute erasing automated spam either. So I guess I value my time a bit more than yours ... but only by 5 seconds. How long did it take you to post that reply again?

**Dan Grossman** · Jul 12, 2007 00:44

Less than 5 seconds. Akismet can filter 99% of your spam, it's free, and your users don't have to fill out *any* type of mini-quiz. Combine it with a simple CAPTCHA to filter even more. Anything that reduces the likelihood of a human filling out a form is lost customers.

**zheng220yi** · Jul 12, 2007 04:46

thank you very much,

**rjm1982** · Jul 12, 2007 08:20

You want a simple way to keep bots out? Do you want it to be transparent to the user? Want it to be accessible still?

Create a text input field. Make it's label say "Leave this field blank". Name the field something obvious like "address" or "phone_number" (obviously not one you've already used in the form).

Then, hide the field and the label with CSS. Most users wont see it. Those who do will see the label saying to leave it blank. However, giving it a name with email or phone etc in it will make most bots fill it out ...

On the server side, just check to see that its blank. If something was put there, you have a bot (or a complete idiot).

Simple, effective, accessible, and most of all, transparent to the user.

Detailed a little more here: http://www.omgpotato.com/2007/07/12/...-bot-stopping/

**danman** · Oct 17, 2007 05:31

Originally Posted by rjm1982

You want a simple way to keep bots out? Do you want it to be transparent to the user? Want it to be accessible still?

Create a text input field. Make it's label say "Leave this field blank". Name the field something obvious like "address" or "phone_number" (obviously not one you've already used in the form).

Then, hide the field and the label with CSS. Most users wont see it. Those who do will see the label saying to leave it blank. However, giving it a name with email or phone etc in it will make most bots fill it out ...

On the server side, just check to see that its blank. If something was put there, you have a bot (or a complete idiot).

Simple, effective, accessible, and most of all, transparent to the user.

Detailed a little more here: http://www.omgpotato.com/2007/07/12/...-bot-stopping/

I have to warn anyone from using this approach instead of a captcha,
because it does not stop anyone from manually creating a malicious script that could do many postings in the form...
But still better than nothing..

User Tag List

Thread: Toughen Forms' Security with an Image

Thread Tools

Display

Hybrid View

Article Discussion

Bookmarks

Bookmarks

Posting Permissions