views:

158

answers:

3

I'm making a rudimentary "human test" for a form on my website.

I want to take the current date (to the minute, not second), and combine that with the user's REMOTE_ADDR, then from that generate a string (perhaps use md5?), then limit that to 6 characters.

This code will then be presented to the user, who is instructed to copy it to a particular text box; upon submission it will be verified and allow the form to process.

I don't know if there is an easier way to do this, but this is something I think will work for me and be a quick fix. Any suggestions?

+2  A: 

Generate an MD5 from any source (inc. totally random). Put it on the screen and store it in the session. Check it. Voila.

Using a captcha library is, obv. much more secure though. There's plenty of very good and very very easy to install ones about.

Rushyo
+1 captcha is the way to go. There are usually good reasons something becomes a de facto standard on the web.
Byron Whitlock
Captcha are not necessarily unbreakable by bots, and are hell for your real human users... I don't count the number of times I can't read a captcha... And if there is no button to "generate another one because this one is crap", I let you imagine the result...
Pascal MARTIN
From the user side, I dislike Captcha as well - over 50% of the time I question if it requires me to use capital letters or it's unreadable. Just a quick thought along the lines of what Juliet suggested. Maybe add a few submit buttons that use images that direct the user to which one is the correct one to click.
fudgey
I wasn't necessarily advocating a Captcha, but it's an option regardless of your views on it. They also happen to come in many shapes and sizes. The nice thing about Captchas is they are far more difficult to bypass from a _targeted_ attack than 'click the right button' tricks.
Rushyo
+4  A: 

> I don't know if there is an easier way to do this, but this is something I think will work for me and be a quick fix. Any suggestions?

If you just need a quick fix, try for something simpler. I had a very popular website with a notoriously effective Turing Test:

Check this box if you're a human: [ ]

This little fix brought my spam count down from 10s of 1000s of messages every day to 1 or 2 every few months. Of course, once the bots wised up, I had to make my test much more difficult:

What's the sound a cat makes? (Rhymes with 'cow') [________________]

Never had any more problems after that. YMMV.

Juliet
+4  A: 

I would say the simplest solution would be to use a honeypot. Basically, create a hidden field called Name or something of that sort, and then check to see if the field has data upon submission. If it does, you know it is a bot! Since it is hidden, humans will not be able to populate that field, only bots will!

Jeff
+1 for the simplicity and not making users jump through any hoops.
nickf
Simple. If zero protection against a targeted or semi-intelligent bot.
Rushyo
We've implemented this at my place of work, effectively eliminating all spam form submission. It will do nothing if specifically targeted, but 18 months after implementing into several dozen sites with several forms each (we do custom design and hosting), no one's bothered.
Rob Drimmie
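
The question's minute-plus-REMOTE_ADDR code and the honeypot field from the last answer, combined in one server-side check; this is an added example, not code from any poster in the thread. It assumes HMAC-SHA256 with a server-side secret in place of a bare MD5, a hidden field named `name`, and a form passed in as a dict; all function, field and constant names are hypothetical.

```python
import hashlib
import hmac
import time

# Assumption: a per-site secret kept on the server. Without a secret, the
# code is a pure function of the clock and the client's own address.
SECRET = b"constructed-demo-secret"
WINDOW = 60        # seconds per time step ("to the minute, not second")
CODE_LEN = 6       # characters shown to the user
HONEYPOT = "name"  # hidden form field, as in the honeypot answer


def make_code(remote_addr, now=None, step_offset=0):
    """Six-character code bound to the client address and a one-minute step."""
    step = int((time.time() if now is None else now) // WINDOW) + step_offset
    msg = f"{remote_addr}|{step}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:CODE_LEN]


def check_submission(form, remote_addr, now=None, max_age_steps=5):
    """Return (accepted, reason) for a submitted form dict."""
    # Honeypot: people never see the field, so any value in it means a bot.
    if form.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    supplied = form.get("code", "").strip().lower()
    if len(supplied) != CODE_LEN:
        return False, "code missing"
    # Accept the current minute and a few earlier ones, so a form rendered at
    # 12:00:59 and submitted seconds later is not rejected at the rollover.
    for back in range(max_age_steps + 1):
        expected = make_code(remote_addr, now, -back)
        # Constant-time comparison on bytes (also safe for non-ASCII input).
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            return True, "ok"
    return False, "code wrong or expired"


if __name__ == "__main__":
    # Constructed sample request: documentation-range address, fixed clock.
    rendered_at = 1_700_000_000
    code = make_code("203.0.113.7", rendered_at)
    form = {"code": code, "name": ""}
    print(code, check_submission(form, "203.0.113.7", rendered_at + 90))
```

The code is stateless, so nothing stops the same value being submitted repeatedly within its validity window; storing the issued code in the session, as the first answer suggests, is what makes it single-use.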