Sorry for the really rough example. I just re-read my message and realized how much stuff (closing tags, etc.) I forgot to include. The general idea should be fairly clear, though.

"Steve" <steve@xxxxxxxxxxxx> wrote in message news:DD.EC.01435.E465D064@xxxxxxxxxxxxxxx
> The point was to have the hidden fields that the bot would populate and
> the user wouldn't. So for instance, let's use my example from before.
>
> (hideSpamCatcher is a reference to a javascript function that hides the
> spamcatcher div.)
>
> <body onload="hideSpamCatcher()">
>
> <form method="post" action="somewhere.php">
>
> <div id="spamcatcher">
> <input type="text" name="lastname" id="lastname" />
> </div>
>
> Name: <input type="text" id="name" name="name" /><br />
> Password: <input type="password" id="password" name="password" /><br />
> <input type="submit" name="Submit" />
> </form>
> </body>
>
> Now, the user comes along and doesn't see the field name. They fill in
> their username and password and hit submit. The information passed looks
> like:
>
> $_POST['name'] = 'steve';
> $_POST['password'] = 'mypassword';
> $_POST['lastname'] = '';
>
> All of the fields are submitted and only username and password actually
> have values.
>
> Now the bot comes through, sees the form and submits it by parsing through
> the code, finding every single field that is an input field and submitting
> that. It sees a field named "lastname" and thinks it's important
> enough to populate. Its logic says "I need to provide a last name for
> this form to submit properly." So it goes and submits every field on the
> page. The post data looks like:
>
> $_POST['name'] = 'john';
> $_POST['password'] = 'mybotpassword';
> $_POST['lastname'] = 'doe';
>
> It fills in every field. In essence, it was tricked into doing so because
> the field had a provocative name and the bot didn't know any better.
>
> So how does this help?
>
> You can do a check to make sure that $_POST['lastname'] is still blank
> before processing any data. It may not work all the time, it won't trick
> the more intelligent bots, and it will be easy to code a way to get around
> that - but basically it will stop your general run-of-the-mill spam bots
> from traversing through your site, and randomly submitting advertisements
> to your comment forms, and what not.
>
>
> <tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:20070330165557.A96DE81638@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Maybe I'm missing something.. if the intent is to have 'hidden' fields
>> that a user would end up submitting but a bot wouldn't.. that wouldn't
>> work very well. A bot could easily see the hidden fields and submit them
>> along with whatever other data they were sending.
>>
>> If the intention is to trick a bot into sending data a user wouldn't,
>> then again.. doesn't work because a user is going to send the hidden
>> fields as well.
>>
>> It doesn't really matter if a user can 'see' or edit a form field, a bot
>> can be programmed to send whatever data it finds in that form, hidden or
>> not, because it's only hidden from humans, who can't see or edit it, because
>> that's how the web browsers interpret and render that HTML. Bots don't
>> render HTML, just read it as a text file and parse through it looking for
>> form data and whatever else they're programmed to look for.
>>
>> Now, if you did an onsubmit on your form that executed a function to
>> modify the HTML pre-submit using JS's innerHTML command, you MIGHT be
>> able to trick it a little. But again, the bots are probably programmed
>> not to be too smart.. but to emulate specific CAPTCHA systems. So a
>> smart bot programmer would notice this and find a way to figure out what
>> form elements were included via innerHTML alteration.
>>
>> -TG
>>
>>
>> = = = Original message = = =
>>
>> I read something (I think on Slashdot) a while back about another method
>> that could be used to avoid CAPTCHAs.
>>
>> Basically on top of your standard form fields, you place some input fields in
>> a javascript-hidden div around your page conveniently named things like
>> "email", "address", or "phone." Because they're hidden, when the form
>> submits they should exist as post variables but have a value untouched by
>> the user.
>>
>> Something simple like
>> <div class="spamcatcher">
>> <input type="text" name="phonenumber" id="phonenumber" />
>> </div>
>>
>> Then <body onload="hideSpamCatcher()">
>>
>> A spam bot will generally send a value with every field it comes across,
>> especially ones that have really common form field names. They find these
>> fields by parsing through your source for anything that looks like it's
>> submitted. If you hid some "trick" fields around your page and then checked
>> on submit whether or not they had a value, you could probably get a pretty
>> decent Turing test without the user suspecting anything.
>>
>> My old thrown-together blog from a few years back had an unchecked comment
>> script that caught quite a bit of spam once I stopped caring about it. I've
>> been considering putting that back together and using this method just to
>> see if the spam is cut back at all.
>>
>> Anyone have any experiences (good or bad) with this method?
>>
>>
>>
>> ___________________________________________________________
>> Sent by ePrompter, the premier email notification software.
>> Free download at http://www.ePrompter.com.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
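The honeypot check Steve describes, written out as an added example in PHP (not code posted by anyone in the thread). It renders the form with the trap field, implements the server-side check, and then feeds that check three constructed submissions: what a browser sends, what TG's "parse the source and fill every input" bot sends, and what a bot that drops the hidden field sends. The field name `lastname`, the `somewhere.php` action and the `honeypotRejectReason()` helper are assumptions for the example; the field is hidden here with off-screen CSS rather than the thread's `onload` JavaScript, which is a swap, not what the posters used.

```php
<?php
// Added example, not code from the mailing-list thread: a honeypot form
// field checked server-side, plus two constructed bots that show what the
// check catches and what it does not.

declare(strict_types=1);

// Assumed field name: it should look worth filling in to a bot.
const HONEYPOT_FIELD = 'lastname';

// The form as a browser receives it. The trap is moved off-screen and out of
// the tab order; the label tells screen-reader users (who may still reach it)
// to leave it empty, and autocomplete="off" asks browsers not to autofill it.
function renderForm(): string
{
    $hp = HONEYPOT_FIELD;
    return <<<HTML
<form method="post" action="somewhere.php">
  <div id="spamcatcher" style="position:absolute; left:-10000px;">
    <label for="$hp">Leave this field empty</label>
    <input type="text" name="$hp" id="$hp" tabindex="-1" autocomplete="off" />
  </div>
  Name: <input type="text" id="name" name="name" /><br />
  Password: <input type="password" id="password" name="password" /><br />
  <input type="submit" name="Submit" value="Submit" />
</form>
HTML;
}

// Server-side check. Returns a reason string when the submission looks
// automated, or null when it should be processed normally.
function honeypotRejectReason(array $post, string $field = HONEYPOT_FIELD): ?string
{
    // A real browser submits every enabled text input, even an empty one, so a
    // missing honeypot means the client did not post the form we served.
    if (!array_key_exists($field, $post)) {
        return "honeypot field '$field' missing from submission";
    }
    if (!is_string($post[$field])) {
        return "honeypot field '$field' has unexpected type";
    }
    if (trim($post[$field]) !== '') {
        return "honeypot field '$field' was filled in";
    }
    return null;
}

// Constructed input: what a human in a browser sends. The honeypot arrives, empty.
function browserSubmission(): array
{
    return ['name' => 'steve', 'password' => 'mypassword', HONEYPOT_FIELD => '', 'Submit' => 'Submit'];
}

// Constructed input: a run-of-the-mill bot. It never renders the page; it
// scrapes every input name out of the HTML and supplies a value for each.
function naiveBotSubmission(string $html): array
{
    preg_match_all('/<input\b[^>]*\bname="([^"]+)"/i', $html, $m);
    $post = [];
    foreach ($m[1] as $name) {
        $post[$name] = 'spam-' . $name;
    }
    return $post;
}

// Constructed input: a bot that notices the hidden div and omits its field
// entirely. It still fails, because the field is then missing rather than empty.
function hiddenStrippingBotSubmission(string $html): array
{
    $post = naiveBotSubmission($html);
    unset($post[HONEYPOT_FIELD]);
    return $post;
}

$html = renderForm();
$submissions = [
    'browser'              => browserSubmission(),
    'naive bot'            => naiveBotSubmission($html),
    'hidden-stripping bot' => hiddenStrippingBotSubmission($html),
];
foreach ($submissions as $who => $post) {
    $reason = honeypotRejectReason($post);
    printf("%-22s %s\n", $who . ':', $reason === null ? 'accepted' : "rejected ($reason)");
}
```

Run it from the command line with `php honeypot.php`. Two caveats a practitioner should keep in mind. First, exactly as TG says, a bot that sends the field back empty passes; the check only separates "filled in every input it could parse" from "behaved like a browser", so treat it as a cheap filter in front of other measures, not as a Turing test. Second, a name like `lastname` is precisely what browser autofill wants to populate, so without `autocomplete="off"` (which not every browser honours) you will reject real users; logging the reject reason before acting on it lets you spot that kind of false positive.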