SitePoint Sponsor

User Tag List

Page 1 of 3 123 LastLast
Results 1 to 25 of 60
  1. #1
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Captcha - To Use Or Not To Use

    Hi, i am building a site at the moment and i am trying to decide whether to add Captcha to my site to protect the following:

    - create account form
    - contact form (as it is saved in the database)
    - change email form
    - change password form

    01 - do you think this will p*ss users off - i don't think it will as they really will only ever need do enter the Captcha once...

    02 - i am surprised to see that Facebook and Twitter do not use them, how do they stop robots from processing multiple forms

    03 - what is your general view / feeling on using Captcha's

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,871
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Presumably you are asking about image CAPTCHAs - there are lots of alternative CAPTCHAs that are less obvious to real people while still preventing the bots and big sites not using image CAPTCHAs would be using a more sophisticated less obtrusive one instead.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    Mouse catcher silver trophy Stevie D's Avatar
    Join Date
    Mar 2006
    Location
    Yorkshire, UK
    Posts
    5,892
    Mentioned
    123 Post(s)
    Tagged
    1 Thread(s)
    Moved to "Web Design" forum because this isn't really a PHP issue

    Quote Originally Posted by oo7ml View Post
    Hi, i am building a site at the moment and i am trying to decide whether to add Captcha to my site to protect the following:

    - create account form
    - contact form (as it is saved in the database)
    - change email form
    - change password form

    01 - do you think this will p*ss users off - i don't think it will as they really will only ever need do enter the Captcha once...

    02 - i am surprised to see that Facebook and Twitter do not use them, how do they stop robots from processing multiple forms

    03 - what is your general view / feeling on using Captcha's
    My view of using Captchas is that they should only be used where not using them would cause insurmountable problems for the site management. Where users have to be registered in order to post, there is very little need to have a Captcha, because you should have systems in place to spot bots and stop them.

    The only one on that list where I would accept a Captcha is on the account creation form, because you don't want bots to be able to sign up for accounts. Everything else just adds an unnecessary complication and potential barrier. Remember that in many cases, people find Captchas harder to solve than bots, so if you're relying on them as your sole anti-spam protection measure, you might be in for a nasty surprise.

    Any other action – for authenticated users – shouldn't need a Captcha. In the case of changing registration details (email and password) you might want the user to re-enter their current password to prevent unauthorised changes, but a Captcha won't help there at all.

    Facebook does use Captchas for some things for non-authenticated users.

  4. #4
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    I always think twice about filling out a form that uses Captcha, as there's a good chance that I just won't be able to type the gobbldygood to the system's satisfaction. It is the single most annoying thing on the web, and I've aborted filling out forms many times because I couldn't be bothered fighting with the stupid Captcha.

    I still prefer putting in a hidden field which—if filled out—aborts the form. You can add a simple question to it for legitimate users who have CSS off or who are using a screen reader.

  5. #5
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,871
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.

    Bots would normally fail that invisible CAPTCHA by filling out the form too quickly.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  6. #6
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by felgall View Post
    The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.
    Hah, that's clever. I'd love to try that out. I wonder if I can stretch my meagre PHP skills to accommodate that. I can see how you could easily grab the time the page was loaded as the value of the hidden field ... but how to compare it with the time of submission? Hmmm ...

  7. #7
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Excellent idea felgall... maybe set it so that if the $form_submission_time is not 5 seconds greater than $form_display_time then throw error

  8. #8
    SitePoint Mentor silver trophybronze trophy
    Mikl's Avatar
    Join Date
    Dec 2011
    Location
    Edinburgh, Scotland
    Posts
    1,607
    Mentioned
    66 Post(s)
    Tagged
    0 Thread(s)
    As an end-user, I find most Captcha forms slightly irritating, but just about acceptable. However, there is one form of Captcha that I detest. It's the type where you have a single image, but with two character strings. One of the strings is perfectly clear; the other is nearly always virutally illegible. I'm sure you've all seen examples of what I mean. Google, for one, uses it on their own registration forms.

    With that type of Captcha, I frequently have to request a new image, sometimes several times, before I am able to figure it out. Often, I just abandon the attempt.

    As a developer, the only type of authentication I would use is one that the user is unaware of. I'm currently experimenting with a method which I described in the following blog post: A simple way of preventing contact form spam. I'm not yet sure how well it works, but at least it is unobtrusive.

    Mike

  9. #9
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by Mikl View Post
    I'm currently experimenting with a method which I described in the following blog post: A simple way of preventing contact form spam. I'm not yet sure how well it works, but at least it is unobtrusive.
    I've been using that method for years, and it seems to work well. But in the end I decided to allow something simple like the number/digit 4 with an instruction to enter that for those who could see the input.

  10. #10
    SitePoint Mentor silver trophybronze trophy
    Mikl's Avatar
    Join Date
    Dec 2011
    Location
    Edinburgh, Scotland
    Posts
    1,607
    Mentioned
    66 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ralph.m View Post
    I've been using that method for years, and it seems to work well. But in the end I decided to allow something simple like the number/digit 4 with an instruction to enter that for those who could see the input.

    That's interesting, Ralph. But I'm curious to know why you prefer a method that requires the user to actually do something, rather than one that's completely passive?

  11. #11
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by Mikl View Post

    That's interesting, Ralph. But I'm curious to know why you prefer a method that requires the user to actually do something, rather than one that's completely passive?
    Some years ago I came across a discussion that was recommending against having a form field with an instruction not to do anything. But yes, it's much of a muchness, I guess. I used to have a label that said—"Don't fill in this field. It's for catching spammers!" ... or something like that ... but unfortunately the client got a glimpse of this code and wanted it removed, as the mention of spam freaked him out.

  12. #12
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,871
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by ralph.m View Post
    Some years ago I came across a discussion that was recommending against having a form field with an instruction not to do anything.
    The CAPTCHA I suggested earlier in the thread shouldn't require instructions in order for the person to comply with the CAPTCHA requirements unless there are any thousand words a second typists out there.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  13. #13
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by felgall View Post
    The CAPTCHA I suggested earlier in the thread shouldn't require instructions in order for the person to comply with the CAPTCHA requirements unless there are any thousand words a second typists out there.
    Indeed. It's a much nicer solution. I just haven't quite figured out how to implement it yet. I'm not sure of the best way to grab the time at which the form is submitted, and how best to measure the time difference between two moments and set a condition for the results.

  14. #14
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    i didn't think this would be that difficult for you php pros

    I know this is only pseudo code but wouldn't this work:

    IF $form_submission_time is not 5 seconds greater than $form_display_time then throw error

  15. #15
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by oo7ml View Post
    wouldn't this work:

    IF $form_submission_time is not 5 seconds greater than $form_display_time then throw error
    I'm sure it would ... but one has to know how to say that in computer language.

  16. #16
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ralph.m View Post
    I'm sure it would ... but one has to know how to say that in computer language.
    It's simple for you guys... even i could do that or maybe not then...

    Would it make sense to record the $form_display_time in a session variable and then when the form is processed check it against the current time to make sure 5 seconds have a elapsed...

  17. #17
    Non-Member
    Join Date
    Jun 2012
    Posts
    160
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Most people are used to Captcha by now so I don't think it will piss anyone off really.
    The benefit to you is tremendous in keeping out the lazy people and the spammers. Those spam bots are annoying and this feature really curbs out the bots.

  18. #18
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Cool, thanks... i also think a lot of people are used to CAPTCHAs...

  19. #19
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,444
    Mentioned
    274 Post(s)
    Tagged
    5 Thread(s)
    Quote Originally Posted by shanshan View Post
    Most people are used to Captcha by now so I don't think it will piss anyone off really.
    Except those with visual and other problems that can't use the wretched things. Make sure you have a system in place to accommodate such visitors.
    Don't serve your porridge and then go out for a walk.

  20. #20
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,617
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    I've actually be successful with verification questions. You may have seen these in the form of addition questions. Unfortunately, bots can easily bypass those now.

    I came up with animal sound questions instead, such as:

    What animal says "meow"?
    I also use "woof", "gobble gobble", and "moo".

    They're tougher for bots to answer, but real users shouldn't have too much trouble with them.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  21. #21
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Off Topic:

    Quote Originally Posted by Force Flow View Post
    I came up with animal sound questions instead, such as: What animal says "meow"?
    Don't ask meow you're supposed to answer that.

    It would be funny to see that question on a business site.

  22. #22
    SitePoint Mentor silver trophybronze trophy
    Mikl's Avatar
    Join Date
    Dec 2011
    Location
    Edinburgh, Scotland
    Posts
    1,607
    Mentioned
    66 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Force Flow View Post
    What animal says "meow"?
    But that could cause difficulties for non-native English speakers.

    Actually, I'm a native English speaker, but I'd have to think hard about "gobble gobble".

    Mike

  23. #23
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by Mikl View Post
    I'd have to think hard about "gobble gobble".
    Likewise. Nothing is ever straightforward.

  24. #24
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,617
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    "gobble gobble" is a common animal sound in North America. I didn't consider that it might not be in other English-speaking areas of the world.

    But then also consider this: are animal sound questions better than trying to figure out the horribly distorted letters in a CAPTCHA image?
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  25. #25
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What animal makes the 'gobble gobble' sound...


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •