If you’re looking for a smart solution to prevent your forum/guestbook/web-application/whatever from getting flooded with junk entries, I think I can help you.
A CAPTCHA is a method to fight spam robots, by requiring the user to enter a code which is displayed as a distorted image.
The bad news: CAPTCHAs are annoying to users.
The good news: You probably don’t need one. The method described here would require the spammer to sit down and adjust his scripts for your specific website. So, unless your site is an extremely attractive target for spammers, they probably won’t take that time.
The bottom line:
CAPTCHAs are needed only on very popular sites. Try less intrusive methods first.
What you do:
Why:
A spam robot will probably fill out each field it encounters.
Works, unless the spam robot is able to:
Usability drawbacks:
HTML:
<label>Leave this blank: <input type="text" class="noshow" name="leaveblank"></label><br>
<label>Do not change this: <input type="text" class="noshow" name="dontchange" value="http://" ></label>
CSS:
.noshow { display:none; }
PHP:
if ($_POST['leaveblank'] != '' or $_POST['dontchange'] != 'http://') {
// display message that the form submission was rejected
}
else {
// accept form submission
}
What you do:
Works, unless the spam robot is also able to:
Usability drawbacks:
HTML:
<input type="text" id="leaveblank" name="leaveblank">
<script type="text/javascript">
document.getElementById('leaveblank').className = "noshow";
</script>
What you do:
Works, unless the spam robot is also able to:
Usability drawbacks:
HTML:
<script type="text/javascript">
/* <![CDATA[ */
function hivelogic_enkoder(){var kode=
"kode=\")''(nioj.)(esrever.)''(tilps.edok=edok;\\\"kode=\\\"\\\\oked\\\\\\"+
"\\\\\"\\\\=document.write\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\s(r<pc iytet\\\\"+
"\\\\\\\\\\\\p=\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\tx\\\\\\\\\\\"\\\\/eatajcvis"+
"tr\\\\\\\\\\\\\\\\p\\\\\\\\\\\\\\\\\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\"+
"\\\\\\\\\\>\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\drcnmonu.eetEge"+
"teltmyndB'Ie(vlbaaekl)nc'a.slaseN=m\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\\\"+
"\\\\\\\\\\\\ns\\\\\\\\\\\"\\\\oo\\\\\\\\\\\\\\\\hw\\\\\\\\\\\\\\\\\\\\\\\\"+
"\\\\\\\\;r\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"+
"n/\\\\\\\\\\\\\\\\c<istr\\\\\\\\\\\\\\\\p>\\\\\\\\\\\"\\\\);;\\\\\\\\\\\""+
"\\\\=x''f;roi(0=i;(<okedl.netg-h)1i;=+)2x{=+okedc.ahAr(t+i)1k+do.ehcratAi("+
"})okedx=(+<iokedl.netg?hokedc.ahAr(tokedl.netg-h)1':)';\\\"\\\\;x='';for(i"+
"=0;i<(kode.length-1);i+=2){x+=kode.charAt(i+1)+kode.charAt(i)}kode=x+(i<ko"+
"de.length?kode.charAt(kode.length-1):'');\\\"=edok\";kode=kode.split('').r"+
"everse().join('')"
;var i,c,x;while(eval(kode));}hivelogic_enkoder();
/* ]]> */
</script>
What you do:
Requires the spam robot to:
Usability drawbacks:
PHP:
// You can use the date() function to change field names periodically:
// For daily changes, e.g. use:
$code = date('Yz'); // Don’t copy this 1:1 - adjust the date() parameters!
$html = "<input type='text' name='abc$code'>\n";
if (!isset($_POST["abc$code"]) {
// reject form submission
}
What you do:
PHP:
$code = date('Yz');
$codeYesterday = date('Yz', time()-86400); // 86400 seconds are 1 day
if (isset($_POST["abc$codeYesterday"])
$code = $codeYesterday;
}
What you do:
Why:
Some spam robots don’t parse the HTML page upon each visit. They just submit the form fields which they’ve recorded during their first visit.
So, if you don’t display the form after a false attempt, the robot has no chance to find out your currently valid field names.
MySQL:
CREATE TABLE `spam` (
`ip` int(10) unsigned default NULL,
`timestamp` timestamp NOT NULL,
KEY `ip` (`ip`));
PHP:
$ip = $_SERVER['REMOTE_ADDR'];
// when you reject a form submission:
mysqli_query("INSERT INTO `spam` SET `ip`=INET_ATON('$ip');");
// whenever somebody opens the page:
mysqli_query("SELECT `timestamp` FROM `spam` WHERE ip=INET_ATON('$ip') ORDER BY `timestamp` DESC LIMIT 1;");
if (time() - $timestamp < 120) { // 2 minutes
// display error message to try again in 2 minutes
}
else {
// display HTML form
}