protecting web forms from spambots without using (horrible) captcha INFORMATION ONLY
Spam bots can shower you with spam or take over your unsecured form to post spam. You should use the usual techniques to protect your form fields from injection and malicious content.
A fantastic post about basic PHP form validation techniques can be found here:
The technique I am proposing is to prevent the spam bots, the ones that are not human, from making repeated posts. It basically revolves around the amount of time a human takes to fill in a form compared to a spambot. The spambot would be virtually instant. Therefore we can assume that a form submitted in under, for example, 7 seconds is unlikely to be legitimate.
Simply add this hidden field to your form; it records the time the page was accessed.
<input type="hidden" name="loadtime" value="<?php echo time(); ?>" />
Then in your script that handles the form, do something like this:
$loadtime = isset($_POST['loadtime']) ? (int) $_POST['loadtime'] : time(); // time the page was served; a missing field counts as instant
$totaltime = time() - $loadtime; // seconds between loading the page and submitting it
if ($totaltime < 7) {
    // do something or just kill it
    header("Location: " . $url);
    exit;
}
Basically you are subtracting the time on the handler script from the time the form was accessed, and if it was less than 7 seconds you can kill it.
Hope this proves useful to someone; please feel free to post comments or other suggestions if you have them.
Note to Interactive Tools: it may be useful to have a non-directly-related section for general help topics from forum users who would like to share tips and techniques with others?
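The check above trusts whatever value comes back in the hidden field, so the handling script has no way to tell a genuine page-load time from one the submitter typed in. The following is an added example, not the original poster's code: the same loadtime check, with the timestamp signed using an HMAC so the handler can verify it was issued by the server. FORM_SECRET, the 7-second minimum, the one-hour maximum age and the $url redirect are assumptions for the example.

```php
<?php
// Added example, not the original poster's code: the "loadtime" check from the post,
// with the timestamp signed (HMAC-SHA256) so that whoever submits the form cannot
// simply write an old time into the hidden field. FORM_SECRET, the 7-second minimum,
// the one-hour maximum and $url are assumptions for the example.

const FORM_SECRET      = 'replace-with-a-long-random-secret'; // assumption: keep it out of the web root
const MIN_FILL_SECONDS = 7;      // the post's threshold; a bot posts in well under this
const MAX_FORM_AGE     = 3600;   // assumption: a token older than an hour is stale
$url = '/';                      // assumption: where rejected posts are redirected

// Value for the hidden field: "<unix time>.<hex hmac over that time>"
function make_loadtime_token(?int $now = null): string
{
    $now = $now ?? time();
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the token is genuine and the form took long enough,
// otherwise a short reason you can log.
function check_loadtime_token(string $token, ?int $now = null): ?string
{
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    [$loadtime, $mac] = $parts;
    $expected = hash_hmac('sha256', $loadtime, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {      // constant-time compare of the MACs
        return 'bad signature';
    }
    $elapsed = $now - (int) $loadtime;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'too fast';                    // the spambot case from the post
    }
    if ($elapsed > MAX_FORM_AGE) {
        return 'expired';
    }
    return null;
}

// Page that renders the form: replaces value="<?php echo time(); ?>" from the post
function loadtime_field(): string
{
    return '<input type="hidden" name="loadtime" value="'
         . htmlspecialchars(make_loadtime_token(), ENT_QUOTES) . '" />';
}

// Script that handles the form
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reason = check_loadtime_token((string) ($_POST['loadtime'] ?? ''));
    if ($reason !== null) {
        error_log('form post rejected (' . $reason . ') from ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
        header('Location: ' . $url);
        exit;
    }
    // ... process the legitimate submission ...
}

// Self-check when run from the command line, using constructed timestamps
if (PHP_SAPI === 'cli') {
    $t = make_loadtime_token(1700000000);
    assert(check_loadtime_token($t, 1700000003) === 'too fast');
    assert(check_loadtime_token($t, 1700000030) === null);
    assert(check_loadtime_token('1700000000.deadbeef', 1700000030) === 'bad signature');
    assert(check_loadtime_token('1700000000', 1700000030) === 'malformed');
    echo "ok\n";
}
```

The signature stops a bot from inventing a timestamp, and the maximum age stops it keeping one token forever. It does not stop a bot that fetches the form, waits the 7 seconds and then replays the same token many times; if that matters for your form, store a per-session nonce alongside the timestamp and accept each one once.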
Hi Greg, I had come across that one. The only slight downside is (although I cannot verify this) that certain screen readers for the visually impaired will still display items with the display:none; CSS. The way around this is to label it with "if you are a human, leave this field blank". Although the chances of people with screen readers filling in your form are about as likely as winning the lottery, it just covers you for the odd eventuality.
On the forum note:
I often do research on specific problems, but never write down my solutions; they often go directly into code on a site I build, and then when I hit the same problem I have to try and remember which site I applied the solution to. If I were more organised I would do a blog or something, but since I use cmsb and I regularly frequent this forum, it would be nice to stick the odd snippet up here and let the rest of the cmsb fans use and contribute.
Maybe you should set up a poll for this to see if people are interested, or just announce the idea in your next e-shot.
I added the display:none trick to our signup form 1.5 weeks ago and it's already caught over 100 spambots! I had it email me just to be sure but no false positives as of yet.
There's a risk with all these techniques, even with the 7 seconds: people who are really fast typists or who have a browser form-filler feature might get caught as well. Maybe I'll add a timer to the signup form next time I update it and we can collect some real-world data on just how fast those spammers are. If it's a software bot it might be less than a second. I started searching their IPs and found there are actually sites out there that track them, like this: http://www.stopforumspam.com/ so there are lots of options for catching spammers in the future.
I also saw this captcha replacement this morning, which makes people play little games instead of entering captchas: http://areyouahuman.com/
In reply to the comment on snippets, we still have a ways to go on the forum but I've been thinking about adding a "favorites" feature so people could keep a list of their own favorite posts for easy access. Maybe that and encouraging people to post their code snippets? Or a new forum for it, what do you think would work best?
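The display:none field discussed in the two replies above, as an added example that is not the forum's or the poster's code: the trap field is labelled as suggested so anyone who does see it knows to leave it blank, and the handler writes each hit to a log for review instead of silently dropping it (the reply above used e-mail for the same purpose). The field name "website_url", the label wording, the log path, and the tabindex/autocomplete attributes used to steer browser form-fillers away from the field are assumptions.

```php
<?php
// Added example, not the forum's code: the display:none honeypot discussed in the replies,
// labelled for anyone whose browser or screen reader does show it, plus a handler that
// records each hit so false positives can be reviewed. The field name, label text, log
// path and the tabindex/autocomplete attributes are assumptions.

const HONEYPOT_FIELD = 'website_url';        // assumption: a name a bot is happy to fill in
const HONEYPOT_LOG   = '/tmp/honeypot.log';  // assumption

// Markup for the trap. tabindex="-1" keeps it out of the tab order and autocomplete="off"
// asks browser form-fillers (the false-positive case mentioned above) to leave it alone.
function honeypot_markup(): string
{
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES);
    return '<div style="display:none">'
         . '<label for="' . $name . '">If you are a human, leave this field blank</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '"'
         . ' tabindex="-1" autocomplete="off" value="" />'
         . '</div>';
}

// True when something filled in a field no visitor should see. Anything other than an
// empty string (including an array sent as website_url[]) counts as a hit.
function honeypot_triggered(array $post): bool
{
    $value = $post[HONEYPOT_FIELD] ?? '';
    return !is_string($value) || trim($value) !== '';
}

// Keep a record of what was caught so the rule can be checked against real traffic.
function log_honeypot_hit(array $post, string $ip, string $logfile = HONEYPOT_LOG): bool
{
    $line = date('c') . ' ' . $ip . ' ' . json_encode($post, JSON_UNESCAPED_SLASHES) . "\n";
    return file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Script that handles the form
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (honeypot_triggered($_POST)) {
        log_honeypot_hit($_POST, $_SERVER['REMOTE_ADDR'] ?? '-');
        header('Location: /');   // assumption: same kind of redirect as the timing check
        exit;
    }
    // ... process the legitimate submission ...
}

// Self-check when run from the command line, using constructed submissions
if (PHP_SAPI === 'cli') {
    assert(honeypot_triggered(['name' => 'Jo', 'website_url' => '']) === false);
    assert(honeypot_triggered(['name' => 'Jo']) === false);
    assert(honeypot_triggered(['name' => 'Jo', 'website_url' => 'http://spam.example']) === true);
    assert(honeypot_triggered(['name' => 'Jo', 'website_url' => ['x']]) === true);
    echo "ok\n";
}
```

Echo honeypot_markup() inside the form next to the real fields. Reviewing the log for a week or two before switching from "log it" to "drop it" is the cheapest way to find out whether real visitors with form-fillers are being caught.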
The 7 seconds is an arbitrary amount; you can obviously set that much lower if you wish, depending on the nature of the form.
With regards to the forum, I like the idea of favourites, but would also welcome a flagging method whereby your post could appear in the cmsb forum but flagged as a developer tip (something you assign on entering the post), so you can instantly view developer tips and add them to your favourites. Definitely something worth exploring. I personally wouldn't go for a separate forum, as cmsb is my main home. I think it's an area worth exploring because the cmsb forum is first class in terms of the support you guys give, and it would surely help grow the community and be great for us going forward.
It would take a bit of time to implement but the flagging is an interesting idea.
I've set up a new forum for now, as it's fast and easy, and there have been a few times where I wanted to post some tips but didn't really have a place.
One trick, if you want to see the latest posts from all forums, just click the search button with no keyword: