SitePoint Sponsor

User Tag List

Page 2 of 3 FirstFirst 123 LastLast
Results 26 to 50 of 60
  1. #26
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,163
    Mentioned
    263 Post(s)
    Tagged
    5 Thread(s)
    Off Topic:

    Quote Originally Posted by oo7ml View Post
    What animal makes the 'gobble gobble' sound...
    A turkey - before it's gobbled by humans. of course.

  2. #27
    Community Advisor silver trophybronze trophy
    dresden_phoenix's Avatar
    Join Date
    Jun 2008
    Location
    Madison, WI
    Posts
    2,798
    Mentioned
    34 Post(s)
    Tagged
    2 Thread(s)
    The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.
    wow , neat idea!!

    But that could cause difficulties for non-native English speakers.
    Good point, but I have also already seen non English captchas... oddly enough an accessibility issue in reverse.. what if I don't have a Cyrillic keyboard!!

    I must confess i dont have much experience with c myself, but one method I would consider would be generating an equation:
    "3 + 7 =?" easy line of text to generate in PHP but the answer you are looking for would be "10" this of course throws the bots off, with minimal fuzz

  3. #28
    Mouse catcher silver trophy Stevie D's Avatar
    Join Date
    Mar 2006
    Location
    Yorkshire, UK
    Posts
    5,888
    Mentioned
    122 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by dresden_phoenix View Post
    Good point, but I have also already seen non English captchas... oddly enough an accessibility issue in reverse.. what if I don't have a Cyrillic keyboard!!
    If you get that as part of a reCaptcha then there's no problem. Because with reCaptcha the main thing it is testing you on is whether you can decode the known and deliberately scrambled word, if you don't give the "right" answer for the scanned text (I've had mathematical formulae, upside-down text, all sorts) then all it has to compare your answer with are the answers that other people have given. And the chances are that few of them will have gone to the effort of looking up the Unicode for Cyrillic characters, so it has no way of knowing you're wrong if you give the closest approximation you can using the Latin alphabet.

  4. #29
    SitePoint Mentor silver trophybronze trophy
    Mikl's Avatar
    Join Date
    Dec 2011
    Location
    Edinburgh, Scotland
    Posts
    1,553
    Mentioned
    63 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Force Flow View Post
    "gobble gobble" is a common animal sound in North America. I didn't consider that it might not be in other English-speaking areas of the world.

    Which was exactly my point. If you decide to use that sort of challenge-response mechanism, you've got to think vary carefully about how the question will be perceived in various countries, cultures and languages. And it's not limited to "English-speaking areas". There will people from non-English speaking parts of the world who have a legitimate reason to visit your site, and who might be baffled by what, to you and me, are perfectly reasonable questions.

    Mike

  5. #30
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,168
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by Force Flow View Post
    "gobble gobble" is a common animal sound in North America. I didn't consider that it might not be in other English-speaking areas of the world.
    I'm sure most kids are familiar with it. I know it well, but couldn't remember which animal it applied to. (Showing my age, I guess.)

    are animal sound questions better than trying to figure out the horribly distorted letters in a CAPTCHA image?
    Anything is better than that. (When I ask Captcha to sound out the words, they usually sound like animal noises to me anyway. )

  6. #31
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Mikl View Post

    Which was exactly my point. If you decide to use that sort of challenge-response mechanism, you've got to think vary carefully about how the question will be perceived in various countries, cultures and languages. And it's not limited to "English-speaking areas". There will people from non-English speaking parts of the world who have a legitimate reason to visit your site, and who might be baffled by what, to you and me, are perfectly reasonable questions.
    You also have to keep in mind what the demographics of your site(s) are and who your target audience is.

    The math challenge questions were settled on as a standard because they require no language and no local knowledge. However, math problems are easily defeated by bots. So, essentially, these types of questions don't work anymore. CAPTCHA doesn't work well anymore either, as many bots can bypass it.

    Sometimes hidden "are you a bot?" fields help, and these don't impact visitors because they never see them anyway.

    So, the only thing that seems to be left are some sort of simple reasoning questions that bots can't answer (yet, anyway). The trick is to make them general enough for any visitors to guess, but difficult enough to stymie bots.

    What other types of challenge questions might fit the bill?
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  7. #32
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,168
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    I don't know how bots work, but I wonder if you gave an instruction like "type anything here other than an email address" but in the HTML put something like type="email" or id="email", would that trip up the bots?

  8. #33
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by ralph.m View Post
    I don't know how bots work, but I wonder if you gave an instruction like "type anything here other than an email address" but in the HTML put something like type="email" or id="email", would that trip up the bots?
    Wouldn't that fail with accessibility technologies?
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  9. #34
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,168
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by Force Flow View Post
    Wouldn't that fail with accessibility technologies?
    I'm not sure. Do they react differently to different kinds of input?

  10. #35
    SitePoint Addict
    Join Date
    Jul 2006
    Location
    Fionnphort, Isle of Mull, Scotland
    Posts
    349
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    I'm surprised no-one's mentioned the 'Honeypot', which uses a hidden field to tempt a bot to insert something (typically an e-mail address).

    Ralph.m has mentioned something similar, but it's not clear to me that it's actually hidden in his version. For those not using CSS there's an instruction not to complete the field. Optionally (as web-master) I get the spam messages diverted to me so I can monitor them from time to time. As a back-up to the Honeypot I class as spam anything where the first_name and last_name fields are the same, as most of the spam messages that I do monitor these fields are full of identical gobbledy-gook (or even gobble-gobble) like 'oeafijbgp'. If Humbert Humbert wants to contact me he'll have a problem, I know.

    For timing script execution, how about PHP microtime (see PHP manual).
    Tim Dawson
    Isle of Mull, Scotland

  11. #36
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,168
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by ramasaig View Post
    I'm surprised no-one's mentioned the 'Honeypot', which uses a hidden field to tempt a bot to insert something (typically an e-mail address).

    Ralph.m has mentioned something similar, but it's not clear to me that it's actually hidden in his version.
    Yes, I was referring to the honeypot method, where the field to catch bots is hidden from view. The only problem is that screen readers, or those with CSS off etc., may see the form field, so there needs to be some consideration of what to say to them so they know what to do.

  12. #37
    SitePoint Addict
    Join Date
    Sep 2011
    Posts
    266
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Wouldn't a combination of the honeypot and the time counter work best... so we have a hidden field and also throw an error for all forms that were completed under 5 seconds...

  13. #38
    SitePoint Mentor silver trophybronze trophy
    Mikl's Avatar
    Join Date
    Dec 2011
    Location
    Edinburgh, Scotland
    Posts
    1,553
    Mentioned
    63 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ramasaig View Post
    I'm surprised no-one's mentioned the 'Honeypot', which uses a hidden field to tempt a bot to insert something (typically an e-mail address).

    That's what I suggested, back in post #8. But I didn't know it was called Honeypot. In fact, I didn't know that it was such a well-known technique that it had a name.

    Mike

  14. #39
    SitePoint Addict FizixRichard's Avatar
    Join Date
    May 2003
    Location
    UK
    Posts
    372
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    Smile

    The submission time is exactly what I do on my contact forms, it appears to work.

    As someone asked for code; its really easy, in PHP (this has no security, its bare bones code):


    On the PHP script that loads the form;
    Code:
    <input type="hidden" name="loadtime" value="time();" />
    So literally insert a timestamp into a hidden field. (with a javascript loading form you'll want to populate this when the user clicks your contact button)

    Then on your post php script (where you send the email):

    Code:
    $loadtime = $_POST['loadtime'];
    
    $totaltime = time() - $loadtime;
    
    if($totaltime < 7)
    {
       echo("You took less than 7 seconds to complete the form, blah blah blah");
       exit;
    }
    So grab the post time timestamp from the form, get the current time in a timestamp, get the load time as current_time - post_time, if the load time is less than 7, spring an error.


    If your using a javascript form that opens in an overlay, have the javascript complete the timestamp; then do any time conversion if necessary.


    It may not be 100% foolproof, but it definitely helps. I don't use the honeypot exactly because of screen readers. You don't want anything obstructing legitimate users, especially not those stuck behind accessibility software.

    My timer is set to 7 seconds, which when you consider they have to enter an email address, name and a message is reasonable. The only way I can make the timer error appear on my forms is to hit the keyboard with 4 fingers on the first field, have the email ready populated via double clicking and selecting quickly and hitting the keyboard with 4 fingers again in the message and hitting submit. I have to do that like a hyperactive 3 year old to get the error, so I'm pretty confident that nobody legitimate will ever see that error unless they sit there trying to get it.

    Now I have revealed it... please don't
    Last edited by FizixRichard; Jul 1, 2012 at 14:36. Reason: Typo
    FIZIX - Full Service Digital Agency - Engaging websites, apps and games.
    Follow us @FIZIXAgency

  15. #40
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,168
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    Thanks for this, FizixRichard. I looks forward to giving it a try. I wasn't sure if you could do something like

    Code:
    $totaltime = time() - $loadtime;
    but glad to know you can.

  16. #41
    SitePoint Member
    Join Date
    Jul 2012
    Posts
    10
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Smile Use captcha in account creation only

    I think you should use Captcha for account creation only.For other Forms instead of using captcha images you can use other techniques like mathematical operations to confirm whether the person isn't a bot.

  17. #42
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    Quote Originally Posted by TechnoBear View Post
    Except those with visual and other problems that can't use the wretched things. Make sure you have a system in place to accommodate such visitors.
    Why not use Fegall's idea and not include the captcha. The form will have a minimum time rather than almost immediate that the bots will do, so allow an account that waits the specified period. If this is the 'minimum' time allowed to create the form, then it is pretty equal for the sited and non-sited users and no annoying CAPTCHA's and would stop most spam bots from creating multiple accounts. Love this idea!
    ictus==""

  18. #43
    SitePoint Addict FizixRichard's Avatar
    Join Date
    May 2003
    Location
    UK
    Posts
    372
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ServerStorm View Post
    Why not use Fegall's idea and not include the captcha. The form will have a minimum time rather than almost immediate that the bots will do, so allow an account that waits the specified period. If this is the 'minimum' time allowed to create the form, then it is pretty equal for the sited and non-sited users and no annoying CAPTCHA's and would stop most spam bots from creating multiple accounts. Love this idea!
    As I said previously, we use a timer system and it does work. Now the occasional bot does get through, its not 100%, but it really is occasional; we converted to the timer method to solve a problem; which was that bots started to figure out how to get past the captcha so we decided to try something else. The timer method is far more effective.
    FIZIX - Full Service Digital Agency - Engaging websites, apps and games.
    Follow us @FIZIXAgency

  19. #44
    Non-Member
    Join Date
    Jul 2012
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Why not lol? When it's a question of security for your site then to avoid spamming you should use Captcha...

  20. #45
    SitePoint Addict FizixRichard's Avatar
    Join Date
    May 2003
    Location
    UK
    Posts
    372
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by mkt008 View Post
    Why not lol? When it's a question of security for your site then to avoid spamming you should use Captcha...
    Who said anything about neglecting site security and not stopping spammers? This thread is discussing alternative methods to resolve the same problems that captcha's resolve.

    It's a perfectly valid discussion when you consider that Captcha's:

    1. Are of limited effectiveness, bot's are continually evolving their recognition skills and learn how to get past them. I've had to update captcha image sets many, many times as bots have figured them out.

    2. They are often difficult to read and sometimes illegible.

    3. They are an accessibility nightmare, even with audio recognition

    4. End users hate them


    Therefore, other solutions that catch bots out have been outlined in this thread.
    FIZIX - Full Service Digital Agency - Engaging websites, apps and games.
    Follow us @FIZIXAgency

  21. #46
    SitePoint Wizard
    Join Date
    Oct 2005
    Posts
    1,832
    Mentioned
    5 Post(s)
    Tagged
    1 Thread(s)
    CAPTCHA is a modern day necessity. You will get tons of spam without it. Even a contact form I had got spammed until I added visual verification.

    If anyone needs an incredibly easy to integrate CAPTCHA that is also free and open source, you should check out Securimage at this site:

    http://www.phpcaptcha.org/

    I use it and it works very good. You can integrate it into your site with only a few lines of code. I can't recommend it highly enough.

  22. #47
    SitePoint Addict FizixRichard's Avatar
    Join Date
    May 2003
    Location
    UK
    Posts
    372
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cheesedude View Post
    CAPTCHA is a modern day necessity. You will get tons of spam without it. Even a contact form I had got spammed until I added visual verification.

    If anyone needs an incredibly easy to integrate CAPTCHA that is also free and open source, you should check out Securimage at this site:

    http://www.phpcaptcha.org/

    I use it and it works very good. You can integrate it into your site with only a few lines of code. I can't recommend it highly enough.
    This is untrue, you need some kind of bot protection however captcha's are not the beginning nor the end, there are other solutions to stop spam bots as has been discussed extensively in this thread.

    So "CAPTCHA is a modern day necessity. You will get tons of spam without it." is simply untrue, other traps such as form timers and honeypots work just as well.
    FIZIX - Full Service Digital Agency - Engaging websites, apps and games.
    Follow us @FIZIXAgency

  23. #48
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,168
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by FizixRichard View Post
    other traps such as form timers and honeypots work just as well.
    And they are also much kinder on legitimate visitors. Captcha may make a site owner feel secure, but it's a misery for users.

  24. #49
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    Just to note, I've converted 15 sites, some old ones with CAPTCHA's and some with Honey Pots to the timer suggestion. It works great and I am getting about 30% less spam on these sites, plus they are far more accessible as people have indicated throughout this thread. I know that bots could be built to pause to beat timers but nothing works forever, so while it works well I will use it.

    Steve
    ictus==""

  25. #50
    Non-Member
    Join Date
    Jun 2012
    Posts
    160
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by TechnoBear View Post
    Except those with visual and other problems that can't use the wretched things. Make sure you have a system in place to accommodate such visitors.
    I was under the assumption most Captcha's now a days have a read out feature. So as long as those you have issues can hear, they can have the Captcha read out the letters or phrase to them.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •