How to avoid CAPTCHA ?

Post by califdon »

onion2k wrote: CAPTCHA is not an adequate method. They're relatively easy to break, progressively more difficult for a user to enter as they get stronger, and they're usually very inaccessible for disabled users. Using a hidden form field, or randomised fields, makes life much harder for a bot and has no effect on the user at all. Much better than a CAPTCHA.
Thanks, onion2k. That's useful information.

Post by Mds »

Using a hidden form field, or randomised fields, makes life much harder for a bot and has no effect on the user at all. Much better than a CAPTCHA.
I don't think so, because we can write a program that:
reads (opens) a website and then submits any forms on it; thus, if we leave a hidden field in our forms, it will be submitted like the other form elements.

Post by onion2k »

Mds wrote:
Using a hidden form field, or randomised fields, makes life much harder for a bot and has no effect on the user at all. Much better than a CAPTCHA.
I don't think so, because we can write a program that:
reads (opens) a website and then submits any forms on it; thus, if we leave a hidden field in our forms, it will be submitted like the other form elements.
If you'd bothered to read the post above you'd notice that we're not talking about hidden form fields, we're talking about text input fields hidden using CSS. Unless you're going to go as far as writing a CSS parser for your bot it'll appear like any other text field ... in which case should your bot put text in it or not? It won't know. Let's say the input field has a name of "email" ... most bots are going to put an email address in there ... and then our PHP script rejects it because we know that field was hidden with CSS and thus won't have been filled in by a human.

You'll get on a lot better here if you read the entire thread before making incorrect assumptions.

Post by Mds »

text input fields hidden using CSS
Can you write a sample code snippet for it?

Post by onion2k »

Code:

<div style="display:none;"><label for="email">Email:</label><input type="text" name="email" id="email"></div>
Then validate the input in your PHP to make sure that field is empty because only a bot will have completed it.

Post by Mds »

Excuse me.
So if someone sees our website source and creates a program that leaves this text input field hidden and doesn't complete it, then he/she can register many users easily.
But with CAPTCHA he/she can't do it.
Is it true?

Post by onion2k »

Mds wrote: Excuse me.
So if someone sees our website source and creates a program that leaves this text input field hidden and doesn't complete it, then he/she can register many users easily.
But with CAPTCHA he/she can't do it.
Is it true?
That's where the other part comes in - field randomisation. If the form is different every time, with different field names, different order, etc .. then it gets very difficult to program a bot to automatically fill it in. The hidden field is to stop bots that crawl the internet filling in forms at random to try and spam them rather than someone who is specifically targeting your website.

Mind you, no matter how hard you make it you'll never stop the problem completely. Someone could just employ a few people to sit at their PCs and fill in the form by hand. No scripting is going to stop that.

Post by nickvd »

What worked for me in the past (100% success so far...) is to just use placeholder field names... email becomes field_one, name becomes field_two and so on... After that it is a simple matter of some defines or an array to map the real name to the placeholder...

A small snippet from a contact form:

Code:

$config['Contact_Form_Validation'] = array(
   'fields' => array(
      'input_one'  => 'Name',
      'input_two'  => 'Email Address',
      'input_three' => 'Message'
   ),
   'rules' => array(
      'input_one'  => 'trim|required|alpha_dash|min_length[4]|max_length[50]',
      'input_two'  => 'trim|required|valid_email',
      'input_three' => 'trim|required|min_length[5]'
   )
);

Post by Mds »

Mind you, no matter how hard you make it you'll never stop the problem completely. Someone could just employ a few people to sit at their PCs and fill in the form by hand. No scripting is going to stop that.
That's right.
That's where the other part comes in - field randomisation. If the form is different every time, with different field names, different order, etc .. then it gets very difficult to program a bot to automatically fill it in. The hidden field is to stop bots that crawl the internet filling in forms at random to try and spam them rather than someone who is specifically targeting your website.
I think there is still an issue.
If a program opens our website programmatically, the random field doesn't do anything.
Because it is downloaded, and if the program submits the form, the random field will be submitted too.
Yes?

Post by onion2k »

Mds wrote: If a program opens our website programmatically, the random field doesn't do anything.
Because it is downloaded, and if the program submits the form, the random field will be submitted too.
I'm not talking about a single additional field. I'm talking about randomising all the fields in the form so when you load it 50 times in a row you never get the same fields in the same order, or with the same names, or anything. All the validation would still need to pass, which is easy for a person filling in the form, but really hard for a bot.

Post by Mds »

I'm not talking about a single additional field. I'm talking about randomising all the fields in the form so when you load it 50 times in a row you never get the same fields in the same order, or with the same names, or anything. All the validation would still need to pass, which is easy for a person filling in the form, but really hard for a bot.
I've got it.
But you still don't understand me.
I'm saying there are some programs that work like an Internet browser. They first download your website completely, then fill in the form's fields, and then submit it.
Thus it makes no difference if we use random fields or static fields.

Do you understand what I mean?

Post by onion2k »

Mds wrote: I'm saying there are some programs that work like an Internet browser. They first download your website completely, then fill in the form's fields, and then submit it.
Thus it makes no difference if we use random fields or static fields.

Do you understand what I mean?
You appear to be failing to think about how you might implement this approach. There needs to be something that tells the server which form it sent to the user, what the fields were, and in what order they appeared - otherwise you won't be able to validate any of it. That's usually something in the user's session data. If they save the form and submit it over and over it won't work because they won't have any session data that matches the form that they're submitting. Well, they will the first time if their session is still active but once the form is submitted once you can wipe out the session data. So it'll still fail.
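
The scheme described in the post above, combined with the CSS-hidden field from the earlier snippet, as an added example that is not part of the original thread: random per-load field names and order are stored in the session and consumed on the first submission. The function names `issue_form` and `accept_submission`, the logical field list and the `f_` alias prefix are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread; names and the "f_" prefix are assumed.
const REAL_FIELDS = ['name', 'email', 'message'];

// Create a fresh random alias map, remember it in the session, return it.
function issue_form(array &$session): array
{
    $fields = array_merge(REAL_FIELDS, ['__honeypot']); // honeypot goes in display:none
    shuffle($fields);                    // different field order on every load
    $map = [];
    foreach ($fields as $field) {
        $map['f_' . bin2hex(random_bytes(8))] = $field; // alias => logical name
    }
    $session['form_map'] = $map;
    return $map;
}

// Return logical name => value, or null when the submission is rejected.
function accept_submission(array &$session, array $post): ?array
{
    $map = $session['form_map'] ?? null;
    unset($session['form_map']);         // single use: a saved, replayed form fails
    if (!is_array($map)) {
        return null;                     // no matching form was issued to this session
    }
    $clean = [];
    foreach ($map as $alias => $field) {
        $value = is_string($post[$alias] ?? null) ? trim($post[$alias]) : '';
        if ($field === '__honeypot') {
            if ($value !== '') {
                return null;             // hidden field filled in: not a human
            }
            continue;
        }
        if ($value === '') {
            return null;                 // a real field is missing or empty
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed demo: plain arrays stand in for $_SESSION and $_POST.
$session = [];
$post = [];
foreach (issue_form($session) as $alias => $field) {
    $post[$alias] = $field === '__honeypot' ? '' : "sample $field";
}
var_dump(accept_submission($session, $post));   // first submission of the issued form
var_dump(accept_submission($session, $post));   // same POST replayed afterwards
```

In a real handler, call `session_start()` and pass `$_SESSION` and `$_POST`; the form template loops over the returned map to emit each input under its alias.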

Post by Sindarin »

Hmm... could a hidden dummy input field with CSS work? If robots fill all the fields with trash then that field would be too, so we check if there is any value when submitted and prohibit submission if there is.
Post by 4fit? »

Sindarin wrote: Hmm... could a hidden dummy input field with CSS work? If robots fill all the fields with trash then that field would be too, so we check if there is any value when submitted and prohibit submission if there is.
Already been mentioned in this thread a couple times. Like here. Interesting approach that I had never thought of.