Stut wrote:
> On 9 Mar 2008, at 12:47, Per Jessen wrote:
>
>> Like I said, it can be broken too (given sufficient effort).
>
> It's not much effort - you just need to request a second URL after
> you've got the form. It's not hard and really doesn't really put
> anything more in the way of a bot than an image-based captcha. In fact
> I'd argue that parsing the text in your questions is significantly
> easier than doing OCR on an image.

Ah, yes, I see what you mean.

> The key thing to remember when securing a form is that if you do
> something that's never been seen before it's unlikely that the generic
> bots will be able to get past it.

Which will still get rid of most of the attacks. But then so will something that automatically monitors accesses to your form, and selectively bans IP-addresses (e.g. after too many attempts during N minutes).

> If someone decides to target your site then a text-based captcha will
> never be good enough, and chances are nothing you do will work. If
> someone is willing to put in the effort you've got no chance.

Absolutely. Same goes for encryption etc.

/Per Jessen, Zürich

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
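
Added example, not part of the original message: one way to implement the "too many attempts during N minutes" ban mentioned above, as a sliding-window counter with a temporary ban per IP address. The class name, thresholds, timestamp and sample address are assumptions made for illustration; it needs PHP 8.0 or later, and it keeps state in memory, whereas a live site needs shared storage because each PHP request starts with empty variables.

```php
<?php
// Hypothetical sliding-window limiter for form submissions, keyed by client IP.
// State is held in arrays here; a real deployment needs shared storage.
final class FormAttemptLimiter
{
    private array $hits = []; // IP => list of recent attempt timestamps
    private array $bans = []; // IP => Unix time at which the ban expires

    public function __construct(
        private int $maxAttempts,   // attempts allowed per window
        private int $windowSeconds, // the "N minutes", in seconds
        private int $banSeconds     // how long an offender stays banned
    ) {}

    // Record one attempt and return true if the submission may proceed.
    public function allow(string $ip, int $now): bool
    {
        if (($this->bans[$ip] ?? 0) > $now) {
            return false; // still banned
        }
        unset($this->bans[$ip]);

        // Keep only the attempts inside the window, then add this one.
        $cutoff = $now - $this->windowSeconds;
        $recent = array_values(array_filter(
            $this->hits[$ip] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
        $recent[] = $now;

        if (count($recent) > $this->maxAttempts) {
            $this->bans[$ip] = $now + $this->banSeconds;
            unset($this->hits[$ip]); // start clean once the ban expires
            return false;
        }
        $this->hits[$ip] = $recent;
        return true;
    }
}

// Constructed sample: 3 attempts per 10 minutes, then a 1-hour ban.
$limiter = new FormAttemptLimiter(3, 600, 3600);
$t0 = 1205064000; // constructed timestamp
foreach ([0, 5, 10, 15, 700, 3700] as $offset) {
    $ok = $limiter->allow('192.0.2.10', $t0 + $offset);
    printf("+%4ds %s\n", $offset, $ok ? 'allowed' : 'blocked');
}
```

Call `allow()` with the client address and current time before processing the form, and reject the submission when it returns false.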