  1. #1
    SitePoint Wizard
    Join Date
    Oct 2004
    Location
    Newport Beach
    Posts
    1,761
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Use PHP to Confirm Person, Not Bot

    I remember there was an easy, simple way to have PHP quickly check whether the visitor was a person (using a browser), or a bot.

    Can somebody quickly refresh my memory?

    Cheers
    Ryan
    Upcoming Movies - Movie News. Updated Daily.
    Movie Trailers - Awesome trailer site. Nuff said.

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,875
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    There is no simple way. That's why there are so many complex ways that people attempt to use which are still not 100% successful.

    Anything that you try that will block all the bots will also block a significant fraction of real people. Anything you try that lets all real people in will also let in a percentage of the bots.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Wizard
    Join Date
    Oct 2004
    Location
    Newport Beach
    Posts
    1,761
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Can't you just see if $_SERVER['HTTP_USER_AGENT'] exists?

    Cheers
    Ryan

  4. #4
    SitePoint Guru Ruben K.'s Avatar
    Join Date
    Jun 2005
    Location
    Alkmaar, The Netherlands
    Posts
    693
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by casbboy View Post
    I remember there was an easy, simple way to have PHP quickly check whether the visitor was a person (using a browser), or a bot.

    Can somebody quickly refresh my memory?

    Cheers
    Ryan
    Have a form field that's hidden with CSS, call it 'email' (call your actual e-mail field something else)

    Most bots will only parse the HTML and overlook that the field 'email' is actually hidden and fill it out, where 99% of the actual users will skip it because it's invisible.

    I've used this with great success

  5. #5
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,875
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by casbboy View Post
    Can't you just see if $_SERVER['HTTP_USER_AGENT'] exists?

    Cheers
    Ryan
    It always exists and it always contains whatever the browser or bot owner sets it to. Half my browsers identify themselves in that user enterable field as Internet Explorer v99 (that's 91 versions later than the latest provided from Microsoft so it must be heaps better) and the other half as googlebot (so I see what the search engines see).

  6. #6
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,875
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Ruben K. View Post
    Have a form field that's hidden with CSS, call it 'email' (call your actual e-mail field something else)

    Most bots will only parse the HTML and overlook that the field 'email' is actually hidden and fill it out, where 99% of the actual users will skip it because it's invisible.

    I've used this with great success
    Of course blind users will fill out the field as well so they too will be blocked from being able to use your site (that sort of thing cost Target millions of dollars when someone sued).

  7. #7
    SitePoint Wizard bronze trophy cydewaze's Avatar
    Join Date
    Jan 2006
    Location
    Merry Land, USA
    Posts
    1,096
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    I'm about to implement this method soon. It's text-based, so it's accessible, but it should (theoretically) trap bots, since bots won't read the instructions. Of course, a lot of people might not read the instructions either!

    And then of course there's always ReCaptcha.

  8. #8
    SitePoint Evangelist
    Join Date
    Aug 2009
    Posts
    406
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    casbboy, do you want to make this security check ONLY when a user/bot performs some action (submits a contact form, activates a login script, etc.) or do you want this check to be performed EACH TIME someone requests a page from your website?

  9. #9
    SitePoint Guru Ruben K.'s Avatar
    Join Date
    Jun 2005
    Location
    Alkmaar, The Netherlands
    Posts
    693
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cydewaze View Post
    I'm about to implement this method soon. It's text-based, so it's accessible, but it should (theoretically) trap bots, since bots won't read the instructions. Of course, a lot of people might not read the instructions either!

    And then of course there's always ReCaptcha.
    If there's a person behind the bot he could VERY easily write a 'fix' to adjust for this (PM me if you need me to demonstrate)

  10. #10
    SitePoint Wizard bronze trophy cydewaze's Avatar
    Join Date
    Jan 2006
    Location
    Merry Land, USA
    Posts
    1,096
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Ruben K. View Post
    If there's a person behind the bot he could VERY easily write a 'fix' to adjust for this
    Obviously, but then I can change the script in 2 seconds to require the first four, or five, or every other letter. Spambots are a volume-based annoyance. I doubt that unless this captcha method becomes widely used, anyone is going to bother scripting their bots on a site-by-site basis to defeat it.

  11. #11
    SitePoint Guru
    Join Date
    Jun 2006
    Posts
    638
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You can slow "bots" down, just save the time the FORM was requested, and make sure the user spends some time on the page before they submit it.

    So, if the REQUEST time = 0, or SUBMIT time - REQUEST time < 20 sec, don't do anything (20 sec to fill in the form?).
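
Added example, not code from any poster in this thread: one way to do the time check from post #11 in PHP without a session, by putting an HMAC-signed timestamp in a hidden field. `FORM_SECRET`, the function names and the one-hour upper limit are assumptions; the 20-second floor is the figure from the post.

```php
<?php
// Added example: stateless "time on page" check with an HMAC-signed timestamp.
// FORM_SECRET, the function names and the $max window are hypothetical.

const FORM_SECRET = 'replace-with-a-long-random-server-side-secret';

function issue_time_token(int $now): string
{
    // Signing stops the client from back-dating the request time.
    return $now . '.' . hash_hmac('sha256', (string)$now, FORM_SECRET);
}

function seconds_on_page(string $token, int $now): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                    // missing or malformed: the "REQUEST time = 0" case
    }
    [$ts, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $mac)) {
        return null;                    // timestamp was altered or forged
    }
    return $now - (int)$ts;
}

function accept_submission(string $token, int $now, int $min = 20, int $max = 3600): bool
{
    $elapsed = seconds_on_page($token, $now);
    // Too fast looks automated; too old means a token fetched once and reused.
    return $elapsed !== null && $elapsed >= $min && $elapsed <= $max;
}

// Constructed demo with a fixed clock instead of time().
$t0 = 1700000000;
$token = issue_time_token($t0);         // goes into <input type="hidden" name="t">
var_dump(accept_submission($token, $t0 + 3));                 // submitted after 3 s
var_dump(accept_submission($token, $t0 + 45));                // submitted after 45 s
var_dump(accept_submission(($t0 - 60) . '.forged', $t0 + 3)); // client back-dated it
var_dump(accept_submission('', $t0 + 45));                    // no token sent
```

A bot that simply waits 20 seconds passes this check, so it works as one signal among others rather than as a gate on its own.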

  12. #12
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,875
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by cydewaze View Post
    I'm about to implement this method soon. It's text-based, so it's accessible, but it should (theoretically) trap bots, since bots won't read the instructions. Of course, a lot of people might not read the instructions either!
    That fails accessibility for anyone with a cognitive disorder since they may not understand the instructions either.

  13. #13
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,104
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    I just make a form field and style it left way off the screen with the text,
    leave this blank or the form will not be sent (Takes care of vision impaired)

    I also set a session with a random number and use it the same way a captcha is used in a hidden form field.

    Also (optional) instruct them not to enter a full URL but instead just the domain name without the http:// and then PHP side filter out those emails with http:// in the fields.
    What I lack in acuracy I make up for in misteaks
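
Added example, not lorenw's or Ruben K.'s own code: the off-screen labelled trap field, the session random number in a hidden field, and the `http://` filter from the post above, combined in PHP. The trap is named `email` as in post #4; `contact_email`, `form_nonce` and the function names are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so the block runs from the command line.

```php
<?php
// Added example: off-screen honeypot plus one-time session token.
// Field names other than 'email' are hypothetical.
function issue_nonce(array &$session): string
{
    $session['form_nonce'] = bin2hex(random_bytes(16));  // kept server-side
    return $session['form_nonce'];
}

function render_form(string $nonce): string
{
    $n = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    // Trap is moved off-screen (not display:none) and labelled in text, so
    // screen-reader and no-CSS users are told to skip it. autocomplete=off
    // asks browser autofill not to fill a field named 'email'.
    return <<<HTML
<form method="post">
  <div style="position:absolute; left:-9999px">
    <label for="email">Leave this blank or the form will not be sent</label>
    <input type="text" id="email" name="email" autocomplete="off">
  </div>
  <label for="contact_email">Your e-mail</label>
  <input type="text" id="contact_email" name="contact_email">
  <input type="hidden" name="form_nonce" value="$n">
  <button type="submit">Send</button>
</form>
HTML;
}

function check_submission(array $post, array &$session): bool
{
    $expected = $session['form_nonce'] ?? '';
    unset($session['form_nonce']);          // one-time use: a replayed POST fails
    $given = $post['form_nonce'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;                       // form was never fetched in this session
    }
    $trap = $post['email'] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return false;                       // honeypot was filled in
    }
    foreach ($post as $value) {             // users were told to omit http://
        if (is_string($value) && stripos($value, 'http://') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed demo: arrays stand in for $_SESSION and $_POST.
$session = [];
$ok = ['email' => '', 'contact_email' => 'a@example.org', 'form_nonce' => issue_nonce($session)];
var_dump(check_submission($ok, $session));
var_dump(check_submission($ok, $session));  // same POST replayed
```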

  14. #14
    SitePoint Addict Iceman90's Avatar
    Join Date
    Mar 2006
    Location
    Calgary, Alberta, Canada
    Posts
    392
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Ruben K. View Post
    Have a form field that's hidden with CSS, call it 'email' (call your actual e-mail field something else)

    Most bots will only parse the HTML and overlook that the field 'email' is actually hidden and fill it out, where 99% of the actual users will skip it because it's invisible.

    I've used this with great success
    I've used a similar idea, but I use the hidden field to ask for a simple math question.

  15. #15
    SitePoint Member
    Join Date
    Apr 2008
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    Of course blind users will fill out the field as well so they too will be blocked from being able to use your site (that sort of thing cost Target millions of dollars when someone sued).
    Actually, most blind users won't see the form field either. Most current screen readers ignore any elements styled with display:none. It is this behavior that has given rise to the numerous 'off-left' techniques for visually hiding text but keeping it readable to screen readers.

  16. #16
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Unfortunately, the best way to do this is with CAPTCHA, and that's not even foolproof.

  17. #17
    Floridiot joebert's Avatar
    Join Date
    Mar 2004
    Location
    Kenneth City, FL
    Posts
    823
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I like to boobytrap contact forms with things like multiple <option> items that say "I want to send you spam" and other things nobody would consciously select, email text boxes with labels that say "Enter your email address in the next text box, not this one" and stuff like that.

  18. #18
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,875
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    As I said before - anything you do to block the bots is going to block real people as well. The only way that might work is if you provide visual, aural, and cognitive options so that anyone with disabilities in one or even two of the three areas still has at least one way to prove they should be allowed in. Of course you would then still be blocking out those with disabilities in all three areas but there is nothing whatever to distinguish someone with all three types of disability from a bot except for the fact that any attempted access with all three would be more likely to be a bot.

    A more effective alternative would be to test the speed at which the form is filled out. Bots are likely to fill out forms far more quickly than even the fastest touch typist or someone copy/pasting the fields one after the other. Speed of input is probably a far more effective distinction than any visual, aural, and cognitive test.

  19. #19
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,287
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)
    Actually, most blind users won't see the form field either. Most current screen readers ignore any elements styled with display:none.
    Ah, but not form controls. For whatever reason, both JAWS and Window-Eyes will read a display: none label (also, there are quirky exceptions that aren't the same between the two... for instance, an anchor with a background colour who has a display: none span will be read out, I forget, I think it was JAWS, while something similar but not the same happened in W-E).

    Though I've never tried making the entire form display: none. Still, because not everyone has CSS (how many times have I loaded Sitepoint in this retarded version of Firefox only to get half the site loaded without CSS because either the server is retarded or Firefox is retarded or they're both retarded), it's safest to also have some text in your hidden form/form elements like lorenw mentioned.

    Mike Cherim asks is fire hot? He also has some backend stuff to stop spams, if you check out his green-beast site and get to the PHP section, he has a "PHP Secure Form" script.

    Fronteers.nl has an input and the label next to it say "NEE invullen" (type in "no" which of course I missed the first time because I thought it said "Niet invullen" (don't fill in at all) lawlz).

    I can regularly add 2+2 and get 3, 4, or 5 so no matter how simple, I always cringe at math problems : )

    I also hate choosing from dogs and cats. For some reason, people pick the crappiest dog and cat photos, and then you see a photo with both a cat and a dog and you're like, huh?? One cat I swear was actually a chimpanzee.

  20. #20
    SitePoint Guru
    Join Date
    Oct 2001
    Location
    USA
    Posts
    764
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Vali View Post
    You can slow "bots" down, just save the time the FORM was requested, and make sure the user spends some time on the page before they submit it.

    So, if the REQUEST time = 0, or SUBMIT time - REQUEST time < 20 sec, don't do anything (20 sec to fill in the form?).
    This sounds like a great idea, do you have a snippet of code which achieves this? Or a tutorial that might aid the members here?

  21. #21
    SitePoint Member
    Join Date
    Jan 2008
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I use a form with multiple tests and assign a score for each test failed, then I have a threshold score above which I send the mail to a "needs checking" account (gets very little traffic but helps me fine-tune) and a second threshold above which input is trashed (but I increment a counter so I can see how active the spammers are).

    I do alert the user that the submission failed but with no diagnostics. Given my current success rate I could do away with this (spammers take it to mean "try again"). On the other hand if the spammers don't know they've failed they'll keep sending the stuff and I get unwanted server load.

    Example tests are such as:
    "is there an email address in a field other than 'email' "
    "is there a url in an inappropriate field"
    Evidence of attempted code injection.
    "is there text in a numeric field (e.g. phone number)"
    "Does input length exceed specified maximum" - which is monitored with client side javascript, spammers will kill the JS to override the client side test but it's repeated server side... Normal users will get a JS alert so won't trip the server script test but even if they have JS disabled and input a "too long" string they've got to have transgressed in other ways too to breach the threshold value.
    etc...

    I do a couple of other things too but sadly if I explain too much the bad guys will read and may find a weakness. (and as I logged on to sitepoint forums just now I found a spammy PM so we know we are in bad company here...)

    I guess the spammers are running robots to search for new forms as I have found they can attract a lot of spam attempts within hours of launch.

    I don't use captcha because the distorted text type deters "real" users though I may add a simple one of the "2 plus 3 = what?" type.

    I get no bot spam just an acceptably low level of manually completed garbage.

    My forms are probably OK for disability compliance as even if they fail one test they'll still be below the threshold for rejection.
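
Added example, not the poster's own script: a PHP sketch of the score-and-two-thresholds approach described in the post above, using the tests it lists. The field names, weights, length limits and threshold values are assumptions, and the two submissions at the end are constructed.

```php
<?php
// Added example: several weak tests, one score, two thresholds.
// Field names, weights, limits and threshold values are hypothetical.

const REVIEW_AT = 3;   // this score or more: send to the "needs checking" account
const TRASH_AT  = 6;   // this score or more: discard (and count it)

function spam_score(array $f): int
{
    $f = array_map(fn($v) => is_string($v) ? $v : '', $f);   // ignore array inputs
    $get = fn(string $k): string => $f[$k] ?? '';
    $score = 0;
    foreach (['name', 'phone', 'message'] as $k) {   // e-mail address outside 'email'
        if (preg_match('/[^\s@]+@[^\s@]+\.[a-z]{2,}/i', $get($k))) { $score += 2; }
    }
    foreach (['name', 'email', 'phone'] as $k) {     // URL in an inappropriate field
        if (preg_match('~https?://|www\.~i', $get($k))) { $score += 3; }
    }
    if (preg_match('/[^0-9 +().-]/', $get('phone'))) {   // text in a numeric field
        $score += 2;
    }
    $limits = ['name' => 80, 'email' => 254, 'phone' => 20, 'message' => 2000];
    foreach ($limits as $k => $max) {                // server-side repeat of the JS limit
        if (strlen($get($k)) > $max) { $score += 2; }
    }
    // Line breaks or markup in single-line fields: header or script injection attempt.
    if (preg_match('/[\r\n]|<\s*script/i', $get('name') . $get('email'))) {
        $score += 4;
    }
    return $score;
}

function classify(array $f): string
{
    $s = spam_score($f);
    return $s >= TRASH_AT ? 'trash' : ($s >= REVIEW_AT ? 'review' : 'deliver');
}

// Constructed submissions: a person who trips one test, and a form-filling bot.
$human = ['name' => 'Ann Lee', 'email' => 'ann@example.org', 'phone' => '555 0100',
          'message' => 'Call me, or write to ann@example.org'];
$bot   = ['name' => 'http://spam.example', 'email' => 'x@example.org',
          'phone' => 'buy now', 'message' => 'visit www.spam.example'];
foreach ([$human, $bot] as $f) {
    echo spam_score($f), ' ', classify($f), PHP_EOL;
}
```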

  22. #22
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I ask people to enter one simple static string. Why? It blocks bots that scan the Internet for forms to fill out. Will it defeat someone that is targeting my site? No. Will a math CAPTCHA? No. Will http://thejaffes.org/webres/captcha.php? No!

  23. #23
    SitePoint Wizard
    Join Date
    Oct 2004
    Location
    Newport Beach
    Posts
    1,761
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Whoa! This thread really took off. (sorry, no email alerts for some reason).

    Err, I wasn't doing it for security, I just have a lot of user control options that are now showcased to non-users, and some of these options link to sample media, which I didn't really need the search bots going after and hitting.

    I've just got the options showcased now, and not accessible unless the user is logged in, so shouldn't be a problem.

    Thx for the help.

    Ryan

  24. #24
    SitePoint Evangelist
    Join Date
    Aug 2009
    Posts
    406
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It's great to hear you got it solved. However, your first post wasn't very informative and all of us thought you were looking for completely different protection.

  25. #25
    SitePoint Wizard
    Join Date
    Oct 2004
    Location
    Newport Beach
    Posts
    1,761
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah. Now that I see where the responses are heading, I figured that out.

    I just didn't want the search engines getting garbled all up in user options, not bots looking to auto submit and stuff like that.

    Should have said search bots.

    Ryan

