I hate CAPTCHA, why can't I do this...
Posted: Wed Feb 10, 2010 10:35 pm
I have a question for everyone. I am in the process of building my business's website (I'm striking out on my own as a designer/developer). I absolutely don't want to use CAPTCHA for my form mailer section. I've come up with an alternative that I describe below, and I'd appreciate any feedback I could get as to potential security holes in my thinking.
Here it goes:
On the page where my form mailer is I capture the user's IP address, the date and time they loaded the page, and assign them a random number, all of which is stored in a MySQL database in addition to another column called "mail" which has a default value of "no".
The PHP script would also put the random number it assigned to the unique visit (which was attached to the date, time, and IP address in the database) as the value of a hidden field in my form mailer that would post to the email script. When the user posts to the email script, the email script would check all the information captured above against the database and change the value of the "mail" column from "no" to "yes". The email script would refuse to send the email if the information didn't match up or the "mail" column had a value of "yes". On the off chance someone was legitimately trying to send two emails from the form mailer in the same page load, I would send a message via AJAX saying "please reload the page in order to send another email" or something like it. People can send multiple emails if they want, but they have to reload the page first, and a computer would never be able to predict what value the hidden field would have, since it would be random every time.
Why can't I do this?
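The scheme described in the post, written out as an added example (not the poster's PHP; Python with a dict standing in for the MySQL table, and a token-age limit added as an assumption since the post stores the load time but does not say how it is used). It shows what the check actually enforces: a token can be used once, must come from the same IP, and then the page has to be reloaded. It also shows that any client which loads the page first receives a valid token, so the control limits submissions to one per page load rather than telling a person from a script.

```python
import secrets
import time

# Stand-in for the MySQL table from the post: token -> {ip, loaded, mail}.
FORM_TOKENS = {}

def issue_token(ip, now=None):
    """Called when the form page is rendered: store IP, load time, a random
    token and mail='no'. The token goes into the hidden form field."""
    # Use a CSPRNG-sized value; a small "random number" could be guessed.
    token = secrets.token_hex(16)
    loaded = time.time() if now is None else now
    FORM_TOKENS[token] = {"ip": ip, "loaded": loaded, "mail": "no"}
    return token

def consume_token(token, ip, max_age=3600, now=None):
    """Called by the email script on POST. Returns (allowed, reason).
    max_age is an assumption: the post stores the load time but does not
    say how it is checked."""
    row = FORM_TOKENS.get(token)
    if row is None:
        return False, "unknown token"
    if row["ip"] != ip:
        return False, "ip mismatch"
    current = time.time() if now is None else now
    if current - row["loaded"] > max_age:
        return False, "expired"
    if row["mail"] == "yes":
        return False, "already used: reload the page to send another email"
    row["mail"] = "yes"          # flip "no" -> "yes" so a replay is refused
    return True, "ok"

def scripted_client_passes(ip):
    """A client that fetches the form page (getting a token) and then posts
    once passes every check above; the scheme rate-limits per page load."""
    token = issue_token(ip)
    return consume_token(token, ip)[0]
```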