Re: How to avoid CAPTCHA ?

Posted: Fri Oct 03, 2008 3:25 pm
by califdon
onion2k wrote: CAPTCHA is not an adequate method. They're relatively easy to break, progressively more difficult for a user to enter as they get stronger, and they're usually very inaccessible for disabled users. Using a hidden form field, or randomised fields, makes life much harder for a bot and has no effect on the user at all. Much better than a CAPTCHA.
Thanks, onion2k. That's useful information.

Re: How to avoid CAPTCHA ?

Posted: Wed Oct 08, 2008 10:46 pm
by Mds
Using a hidden form field, or randomised fields, makes life much harder for a bot and has no effect on the user at all. Much better than a CAPTCHA.
I don't think so, because we can write a program that:
reads (opens) a website and then submits any forms on it, thus if we leave a hidden field in our forms, it will be submitted like any other form element.

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 2:48 am
by onion2k
Mds wrote:
Using a hidden form field, or randomised fields, makes life much harder for a bot and has no effect on the user at all. Much better than a CAPTCHA.
I don't think so, because we can write a program that:
reads (opens) a website and then submits any forms on it, thus if we leave a hidden field in our forms, it will be submitted like any other form element.
If you'd bothered to read the post above you'd notice that we're not talking about hidden form fields, we're talking about text input fields hidden using CSS. Unless you're going to go as far as writing a CSS parser for your bot it'll appear like any other text field ... in which case should your bot put text in it or not? It won't know. Let's say the input field has a name of "email" ... most bots are going to put an email address in there ... and then our PHP script rejects it because we know that field was hidden with CSS and thus won't have been filled in by a human.

You'll get on a lot better here if you read the entire thread before making incorrect assumptions.

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 2:52 am
by Mds
text input fields hidden using CSS
Can you write a sample code snippet about it?

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 2:59 am
by onion2k

Code:

<div style="display:none;"><label for="email">Email:</label><input type="text" name="email" id="email"></div>
Then validate the input in your PHP to make sure that field is empty because only a bot will have completed it.

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 3:16 am
by Mds
Excuse me
So if someone sees our website source and creates a program that leaves this hidden text input field alone and doesn't complete it, then he/she can register many users easily.
But with CAPTCHA he/she can't do it.
Is it true?

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 3:57 am
by onion2k
Mds wrote: Excuse me
So if someone sees our website source and creates a program that leaves this hidden text input field alone and doesn't complete it, then he/she can register many users easily.
But with CAPTCHA he/she can't do it.
Is it true?
That's where the other part comes in - field randomisation. If the form is different every time, with different field names, different order, etc .. then it gets very difficult to program a bot to automatically fill it in. The hidden field is to stop bots that crawl the internet filling in forms at random to try and spam them rather than someone who is specifically targeting your website.

Mind you, no matter how hard you make it you'll never stop the problem completely. Someone could just employ a few people to sit at their PCs and fill in the form by hand. No scripting is going to stop that.

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 4:09 am
by nickvd
What worked for me in the past (100% success so far...) is to just use placeholder field names... email becomes field_one, name becomes field_two, and so on... After that it is a simple matter of some defines or an array to map the real name to the placeholder...

A small snippet from a contact form:

Code:

$config['Contact_Form_Validation'] = array(
   'fields' => array(
      'input_one'  => 'Name',
      'input_two'  => 'Email Address',
      'input_three' => 'Message'
   ),
   'rules' => array(
      'input_one'  => 'trim|required|alpha_dash|min_length[4]|max_length[50]',
      'input_two'  => 'trim|required|valid_email',
      'input_three' => 'trim|required|min_length[5]'
   )
);

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 4:14 am
by Mds
Mind you, no matter how hard you make it you'll never stop the problem completely. Someone could just employ a few people to sit at their PCs and fill in the form by hand. No scripting is going to stop that.
That's right.
That's where the other part comes in - field randomisation. If the form is different every time, with different field names, different order, etc .. then it gets very difficult to program a bot to automatically fill it in. The hidden field is to stop bots that crawl the internet filling in forms at random to try and spam them rather than someone who is specifically targeting your website.
I think there is still an issue.
If a program opens our website programmatically, the random field doesn't do anything.
Because it is downloaded, and if the program submits the form, the random field will be submitted too.
Yes?

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 4:34 am
by onion2k
Mds wrote: If a program opens our website programmatically, the random field doesn't do anything.
Because it is downloaded, and if the program submits the form, the random field will be submitted too.
I'm not talking about a single additional field. I'm talking about randomising all the fields in the form so when you load it 50 times in a row you never get the same fields in the same order, or with the same names, or anything. All the validation would still need to pass, which is easy for a person filling in the form, but really hard for a bot.

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 4:59 am
by Mds
I'm not talking about a single additional field. I'm talking about randomising all the fields in the form so when you load it 50 times in a row you never get the same fields in the same order, or with the same names, or anything. All the validation would still need to pass, which is easy for a person filling in the form, but really hard for a bot.
I've got it.
But still you don't understand me :?
I'm saying there are some programs that work like an Internet browser. First they download your website completely, then fill in its form fields, then submit it.
Thus it makes no difference if we use random fields or static fields.

Do you understand what I mean :?:

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 5:20 am
by onion2k
Mds wrote: I'm saying there are some programs that work like an Internet browser. First they download your website completely, then fill in its form fields, then submit it.
Thus it makes no difference if we use random fields or static fields.

Do you understand what I mean :?:
You appear to be failing to think about how you might implement this approach. There needs to be something that tells the server which form it sent to the user, what the fields were, and in what order they appeared - otherwise you won't be able to validate any of it. That's usually something in the user's session data. If they save the form and submit it over and over it won't work because they won't have any session data that matches the form that they're submitting. Well, they will the first time if their session is still active but once the form is submitted once you can wipe out the session data. So it'll still fail.
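
The scheme described in this thread (CSS-hidden decoy field, randomised field names, a session record of the issued form that is wiped on first submit), as an added example that is not part of the original posts. The function names, the `f_` prefix and the array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added example. The session is simulated with a plain array so this runs from the CLI;
// in a real page it would be $_SESSION after session_start().

// Issue a form: random names for the real fields plus one CSS-hidden decoy.
function issue_form(array &$session): array {
    $map = [];
    foreach (['name', 'email', 'message'] as $real) {
        $map['f_' . bin2hex(random_bytes(8))] = $real;   // random name => real field
    }
    $decoy = 'email';               // tempting name; rendered inside display:none
    $session['form'] = ['map' => $map, 'decoy' => $decoy];
    $names = array_keys($map);
    shuffle($names);                // field order changes on every load
    return ['fields' => $names, 'decoy' => $decoy];
}

// Check a submission against the form issued to this session (single use).
// Returns the cleaned values keyed by real field name, or an error string.
function accept_submission(array &$session, array $post) {
    $form = $session['form'] ?? null;
    unset($session['form']);        // wiped on first submit, so a replay fails
    if ($form === null) {
        return 'no matching form in session';
    }
    if (($post[$form['decoy']] ?? '') !== '') {
        return 'decoy field was filled in';
    }
    $clean = [];
    foreach ($form['map'] as $random => $real) {
        $value = $post[$random] ?? '';
        if (!is_string($value) || trim($value) === '') {
            return "missing field: $real";
        }
        $clean[$real] = trim($value);
    }
    return $clean;
}

// Constructed submissions: a person, a replay of the same POST, a fill-everything bot.
$session = [];
$form  = issue_form($session);
$human = array_fill_keys($form['fields'], 'some text') + [$form['decoy'] => ''];
var_dump(is_array(accept_submission($session, $human)));
var_dump(accept_submission($session, $human));
$form = issue_form($session);
$bot  = array_fill_keys(array_merge($form['fields'], [$form['decoy']]), 'spam@example.test');
var_dump(accept_submission($session, $bot));
```

Per-field validation rules would then run on the returned array, which is keyed by the real field names.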

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 6:33 am
by Sindarin
hmm.. could a hidden dummy input field with css work? If robots fill all the fields with trash then that field would be too, so we check if there is any value when submitted and prohibit submission if it is.

Re: How to avoid CAPTCHA ?

Posted: Thu Oct 09, 2008 6:58 am
by 4fit?
Sindarin wrote:hmm.. could a hidden dummy input field with css work? If robots fill all the fields with trash then that field would be too, so we check if there is any value when submitted and prohibit submission if it is.
Already been mentioned in this thread a couple times. Like here. Interesting approach that I had never thought of.