Good Form Security - no CAPTCHA

Is there a good method of form security that does not involve CAPTCHA? CAPTCHA is so annoying, but I need security because I am getting form spam. My form is PHP.

Christopher asked Apr 08 '10 20:04




1 Answer

Here's what I've found to be very effective (and dead simple):

  1. Put a hidden field on your form. Give it a name like "phone" or something similar/common and put in a default junk value.

  2. Put another regular text input field on your form, but hide it with CSS. Make that one empty. Again, give it a "real" sounding name (first_name, phone_number, whatever).

  3. When the form is posted, verify that the hidden field still has the default value and the field you hid with CSS is still empty.

You're basically taking advantage of the fact that most spam bots will simply fill in every field in the form in order to avoid failing any required field validation checks. Some might be smart enough to ignore hidden fields, but I've never seen one that was smart enough to ignore fields hidden with CSS.

ETA: To address some comments - Is this a truly "secure" system? No, it certainly isn't. It would be trivially broken by anybody who wanted to specifically target your site. That said, it is still remarkably effective against the automated form spamming bots that most "low value" sites will see.

If you want to stop a determined attacker, you'll need something a bit more invasive. Another poster mentioned Akismet, which is a good option. Re-Captcha would be another. Stopping determined, targeted spammers is hard though. Even Yahoo and Google have a hard time with it.

Eric Petroelje answered Oct 09 '22 08:10
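The three steps above, written out as a working PHP contact form. This is an added example, not code from the answer or from the asker; the field names (`phone`, `website`), the junk default value, the `hp-field` CSS class and the "pretend it succeeded" response are all assumptions chosen for illustration.

```php
<?php
// Added example (not the answer's own code): a two-field honeypot for a PHP
// contact form, following the three steps in the answer above.
// Field names, the CSS class and the junk default are assumptions.

declare(strict_types=1);

const HONEYPOT_HIDDEN_NAME  = 'phone';    // step 1: <input type="hidden"> with a junk default
const HONEYPOT_HIDDEN_VALUE = '555-0100'; // the default a bot should leave untouched
const HONEYPOT_CSS_NAME     = 'website';  // step 2: ordinary text input, hidden only with CSS

/**
 * Step 3: return true when the submission looks automated, i.e. the hidden
 * field no longer carries its default, or the CSS-hidden field was filled in.
 * A missing trap field is treated as suspicious too: a hand-built POST that
 * omits the fields did not come from the rendered form.
 */
function looks_like_bot(array $post): bool
{
    $hidden = $post[HONEYPOT_HIDDEN_NAME] ?? null;
    $trap   = $post[HONEYPOT_CSS_NAME] ?? null;

    if (!is_string($hidden) || $hidden !== HONEYPOT_HIDDEN_VALUE) {
        return true;
    }
    if (!is_string($trap) || trim($trap) !== '') {
        return true;
    }
    return false;
}

/**
 * Steps 1 and 2: the form markup, real fields plus the two traps.
 * The CSS-hidden field is moved off-screen rather than display:none, keeps a
 * plausible label, and uses tabindex="-1" / autocomplete="off" so a human's
 * browser neither tabs into it nor autofills it (a false positive otherwise).
 */
function render_form(): string
{
    $hiddenName  = htmlspecialchars(HONEYPOT_HIDDEN_NAME, ENT_QUOTES, 'UTF-8');
    $hiddenValue = htmlspecialchars(HONEYPOT_HIDDEN_VALUE, ENT_QUOTES, 'UTF-8');
    $trapName    = htmlspecialchars(HONEYPOT_CSS_NAME, ENT_QUOTES, 'UTF-8');

    return <<<HTML
<style>
.hp-field { position: absolute; left: -10000px; top: auto; width: 1px; height: 1px; overflow: hidden; }
</style>
<form method="post" action="">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <input type="hidden" name="{$hiddenName}" value="{$hiddenValue}">
  <div class="hp-field" aria-hidden="true">
    <label>Website <input type="text" name="{$trapName}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions for an offline run: php honeypot.php
    $human = ['email' => 'a@example.org', 'message' => 'hello', 'phone' => '555-0100', 'website' => ''];
    $bot   = ['email' => 'a@example.org', 'message' => 'buy!',  'phone' => '555-0100', 'website' => 'http://spam.example'];
    $raw   = ['email' => 'a@example.org', 'message' => 'buy!']; // traps omitted entirely
    var_dump(looks_like_bot($human), looks_like_bot($bot), looks_like_bot($raw));
} elseif (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (looks_like_bot($_POST)) {
        // Answer with the same bland success page a human gets, but deliver
        // nothing, so the bot learns nothing from the response.
        error_log('honeypot tripped from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        echo 'Thanks!';
        exit;
    }
    // ... handle the genuine submission here (send mail, store it, etc.) ...
    echo 'Thanks!';
} else {
    echo render_form();
}
```

Two practical notes. First, log trapped submissions for a while before trusting the check blindly, because browser autofill on a real user's machine is the usual source of false positives, and the `tabindex`/`autocomplete` attributes only reduce that risk. Second, the CSS class must live where a crude bot will not parse it (an external stylesheet is better than the inline `<style>` shown here for brevity); as the answer says, anyone who reads your markup by hand will defeat this in minutes, so it is a filter for untargeted spam, not an access control.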