Re: Re: Alternative/Addition to using a CAPTCHA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The point was to have the hidden fields that the bot would populate and the 
user wouldn't. So for instance, let's use my example from before.

(hideSpamCatcher is a reference to a javascript function that hides the 
spamcatcher div.

<body onload="hideSpamCatcher()">

<form method="post" action="somewhere.php">

<div id="spamcatcher">
<input type="text" name="lastname" id="lastname" />
</div>

Name: <input type="text" id="name" name="name" /><br />
Password: <input type="password" id="password" name="password" /><br />
<input type="submit" name="Submit" />
</body>

Now, the user comes along and doesn't see the field name. They fill in their 
username and password and hit submit. The information passed looks like:

$_POST['name'] = 'steve';
$_POST['password'] = 'mypassword';
$_POST['lastname'] = '';

All of the fields are submitted and only username and password actually have 
values.

Now the bot comes through, sees the form and submits it by parsing through 
the code, finding every single field that is an input field and submitting 
that. They see a field named "lastname" and it thinks it's important enough 
to populate. Its logics says "I need to provide a last name for this form to 
submit properly." So it goes and submits every field on the page. The post 
data looks like:

$_POST['name'] = 'john';
$_POST['password'] = 'mybotpassword';
$_POST['lastname'] = 'doe';

It fills in every field. In essence, it was tricked into doing so because 
the field had a provacative name and the bot didn't know any better.

So how does this help?

You can do a check to make saure that $_POST['lastname'] is still blank 
before processing any data. It may not work all the time, it won't trick the 
more intelligent bots, and it will be easy to code a way to get around 
that - but basically it will stop your general run-of-the-mill spam bots 
from traversing through your site, and randomly submitting advertisements to 
your comment forms, and what not.


<tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote in message 
news:20070330165557.A96DE81638@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Maybe I'm missing something..  if the intent is to have 'hidden' fields 
> that a user would end up submitting but a bot wouldn't.. that wouldn't 
> work very well.  A bot could easily see the hidden fields and submit them 
> along with whatever other data they were sending.
>
> If the intention is to trick a bot into sending data a user wouldn't, then 
> again.. doesn't work because a user is going to send the hidden fields as 
> well.
>
> It doesn't really matter if a user can 'see' or edit a form field, a bot 
> can be programmed to send whatever data it finds in that form, hidden or 
> not, because it's only hidden from humans from seeing and editing because 
> that's how the web browsers interpret and render that HTML.  Bots don't 
> render HTML, just read it as a text file and parse through it looking for 
> form data and whatever else they're programmed to look for.
>
> Now, if you did an onsubmit on your form that executed a function to 
> modify the HTML pre-submit using JS's innerHTML command, you MIGHT be able 
> to trick it a little.  But again, the bots are probably programmed not to 
> be too smart.. but to emulate specific CAPTCHA systems.  So a smart bot 
> programmer would notice this and find a way to figure out what form 
> elements were included via innerHTML alteration.
>
> -TG
>
>
> = = = Original message = = =
>
> I read something (I think on Slashdot) a while back about another method
> that could be used to avoid CAPTCHAs.
>
> Basically on top of your standard form field, you place some input fields 
> in
> a javascript hidden div around your page conveniently named things like
> "email", "address", or "phone." Because they're hidden, when the form
> submits they should exist as post variables but have a value untouched by
> the user.
>
> Something simple like
> <div class="spamcatcher">
> <input type="text" name="phonenumber" id="phonenumber" />
> </div>
>
> Then <body onload="hideSpamCatcher()">
>
> A spam bot will generally send a value with every field they come across,
> especially ones that have really common form field names. They find these
> fields by parsing through your source for anything that looks like it's
> submitted. If you hid some "trick" fields around your page and then 
> checked
> on submit whether or not they had a value, you could probably get a pretty
> decent turing test without the user suspecting anything.
>
> My old thrown together blog from a few years back had an unchecked comment
> script that caught quite a bit of spam once I stopped caring about it. 
> I've
> been considering putting that back together and using this method just to
> see if the spam is cut back at all.
>
> Anyone have any experiences (good or bad) with this method?
>
>
>
> ___________________________________________________________
> Sent by ePrompter, the premier email notification software.
> Free download at http://www.ePrompter.com. 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux