I fixed it!
if ($checker != 12){
header('Location: http://easydigging.com/ohdear.html');
}
needed to be:
if ($checker != 12){
header('Location: http://easydigging.com/ohdear.html');
exit();
}
I guess that without the exit line it just kept chugging through the program?
So how would I fix this issue you mentioned:
Also when you hit the back button in the case of an error, everything which had been entered into the form vanishes.
I would change this.
Oops. Missed that. That’s correct. Good catch.
Well, on the example I made for you, the form still stayed populated when I hit the back button, so I’m guessing it’s something to do with your configuration.
Do you have some JavaScript somewhere that’s clearing all the fields?
Edit: The issue with the & and the " is bugging me. I’ll look into that later and see if I can reproduce.
Pullo asked:
Do you have some JavaScript somewhere that’s clearing all the fields?
Not that I am aware of. Unless it is the “autocomplete” in this line:
<form id=“edf” method=“post” autocomplete=“off” action=“pullo.php” >
Ah, yeah.
Remove that and the fields will still be populated when you hit back.
I’m afraid I can’t reproduce this so it is something specific to your configuration.
My next best guess would be that this is actually a security feature as these two characters can be used for bad purposes.
Try entering a message with this:
<script> ' ; -- / \\
Let me know what comes through.
Here’s what came through the email:
person = Greg
onlineaddress = test10@testing123.com
ringer = 4564561231
country = Music
reporting = testing the odd symbols
\’ ; – / \\
REMOTE_HOST: 74.6.53.181
It appears to have turned the <script> into a pair of \'s that surrond the rest of the symbols. Must be a security thing that Yahoo does. We can live with any emailed " or & being altered.
Hi Greg,
What it has done is completely strip the <script> tag, escape the apostrophe (so that it is interpreted as a normal apostrophe and not for example, the closing apostrophe in a SQL statement), leave the semi-colon, double minuses and forward slash alone and escape the backslash (again so that it is interpreted as a normal backslash which has no special meaning).
This is definitely a security feature.
Anyway, this thread has got pretty long.
Can we consider the anti-spam mission as complete?
Are you happy with the result?
Thread will be complete when we all say, with big bold letters, that
if you want your form to be accessible to human beings, especially those using a screen reader,
you will not use CAPTCHA. Not even the google one.
Glad you found a non-CAPTCHA solution. Any solution that’s non-CAPTCHA is automatically donating whole islands of kittens to little cancer kids around the world, saving the rainforest and the whales, and refusing to use FrontPage.
I improved it. To accentuate how awesome not using CAPTCHA is.
As awesome as my pure JavaScript solution of telling human beings from human beings at the beginning of the thread?
BTW poes, do you have any thoughts about the accessibility of the honeypot method mentioned earlier in this thread (that you hide a field with CSS, the idea being that only bots will fill it out).
How does this play out for someone with a screen reader?
I think Felgall or someone had already mentioned it: you make sure your input’s label tells users what to fill in.
One form I know of has a visible input, saying “are you a spammer? (answer no)” and then the input. They expect input, but it must be “no”. (This one tripped me up the first time: it’s in Dutch and it says “nee invullen” and I misread it to mean “niet invullen” (don’t fill in). So I didn’t fill it in, which triggered a spam trap).
Aha, I still have a screenshot of it
It doesn’t show up if you have Javascript on, meaning the number of humans likely to screw it up are limited to those with JS off. When JS is on, the input is hidden and I assume JS fills in the “nee” answer before the form is submitted, meaning the form always requires the input to be filled, and filled with the correct answer.
You’ll probably be okay with “what is 6+6?” or Eric’s 2+2, but bots can do math (well, but they are rather notorious at sucking at floating-point arithmetic, aren’t they? and the cognitively disabled can have trouble with lots of stuff. Mike Cherim’s blog had a combination of Askimet and a honeypot asking “is fire hot?” (I have no idea what range of “correct” answers his form would accept). Well, and you don’t have to really be very disabled: remember those picture captcha’s they had where you had say 3 cats and a rat-dog and you had to fill in how many cats? Except the images were so bad it was really hard to tell. I like the idea of telling people what to fill in.
Thanks for the reply.
This is something I’ve seen come up a few times recently and I’m still trying to formulate my thoughts on the best way to do this.
I agree with you that captchas are horrible. For example it’s not obvious that you can reload them and if done badly, they pose a real barrier to elderly users, not to mention users with any kind of impairment.
As to whether bots can do maths: If I was a spam bot author I would search forms for occurrences of plus, minus etc in the fields and then call eval() on whatever was in them. E.g. eval("document.write(6+6)"); would output the correct answer to the OP’s security question.
I also liked the look of Askimet, but with Germany being Germany, it is quite problematic to use it whilst staying on the right side of the old Datenschutzbeauftragter.
BTW, I never saw one of the cat-rat-dog captchas. They sound great. Anyone got a link to one? Googling “cat rat dog captcha” didn’t turn up anything other than some bizarre / amusing pictures
Edit:
I only had to Google “animal captcha” and came up trumps!!
http://www.teoriza.com/captcha/example.php
Edit2:
Great, now I’m gonna waste loads of time lookin at these: http://www.huffingtonpost.com/2010/03/05/funny-captchas-fails-the_n_487166.html
If one of those honeypots is going to be used, I still wonder if it’s better just to give a label saying “Don’t fill this in!”. I turned away from that at some point … but now I think I’d rather tell users not to do something that to force them to do something unnecessary. All the same, I still prefer felgall’s timer method.
A honeytrap with CSRF protection blocks pretty much all spam bots, unless they specifically target your site - in which case no amount of automated protection will stop it.
@wonshikee
your backhoe looks like it’s about to drown. !!
@pullo " They sound great. Anyone got a link to one? " They were at Rackspace. Add that term to your google searches.
I tried to find the thread on another forum where people showed CAPTCHAs with… seriously… calculus questions. I was like zomg, but can’t find them.
The issue with telling people not to fill in an input is that, when you’re filling in a form, you’re filling in everything.
My blood bank goes through a list of questions before you can give blood. There are sections you do not fill out unless you’re
I asked a volunteer nurse there once how often people filled in those sections anyway, even if they didn’t fit the criteria (they are yes/no questions so you can easily continue filling them in). She said very often.
The smartest person becomes an utter retard once they are sitting behind a computer and filling out a form. So woe to any of us who aren’t super-geniuses: we’re even dumber. There is a certain rhythm to filling out a form, and part of that rhythm is
next question
skim over label
fill something in
lather, rinse, repeat
So for this reason I suspect (but would love someone doing a usability test on this) that people are more inclined to try to fill something in at first, and only stopping themselves with a start when/if they realise “oh, this one needs to be left blank.” So that’s why I lean more towards telling them to fill in “x”. Or, “are you a human?” is the type of question that easily prompts a no-thought answer (even if some would grumble that they think they are lying when filling in “yes”, our site doesn’t care, it’s for anti-spam anyway).
How would one turn this bit of code into a random number each time shone?
// Spam Question
if ($spam == 4){
// success, continue processing
}
else{
header( “Location: $errorurl” );
exit ;
}
…And then verify the correct number correctly?
So with that bit of code the html question says “what’s 2 + 2”
So the html would have to randomize too?
Hi Eric,
There are a number of ways to do this.
If the form is generated by a PHP script, for example, you could have the PHP script choose two random numbers, and generate some kind of token which it passes to the form as a hidden field.
Then, when the user submits the form, the PHP script which processes the submitted data, could use the token to validate the answer.
If you’re interested in implementing this, then just let me know.
This is Greg - the originator of this thread. I just wanted to give a quick update on the success of this project. It works great! 
I have two websites that are hosted by Yahoo. I put the new Contact Form on one site (simple 6+6 math captcha, eliminated auto-complete, gave the fields unconventional names) and it hasn’t had a s/p/a/m message since. 
My other site still has the original unprotected Contact Form, and it continues to gather a stream of junk messages. 
Thank you again to Pullo and all others who helped
Very interested. Could we do 5 different random math problems? 1+1, 2+2, 3+3,4+4,5+5. Thanks!