There are many ways to stop your website being attacked by bots (mostly form spam). I'm going to go over them.
CAPTCHA
Personally I'm not a big fan of CAPTCHA as it annoys users (having to type random letters which are difficult to read) and lots of spammers have made software to read the images.
Re-CAPTCHA
Similar to CAPTCHA, but this one gives you two words. One is known to the computer, the other is from a book that has been scanned. If the word known to the computer is typed correctly, you are allowed through. The scanned word makes the maker of Re-CAPTCHA a small amount of money (the computer can't read it, so you tell them the word).
Crouching CSS, Hidden Form
This technique involves having a field that is hidden (usually with CSS) and detecting whether something has been put in it. If it has content, a bot submitted the form (a human never sees the field, so a human never fills it).
The only problem with this one is that some bots can read CSS and know if a field is hidden. If CSS is disabled in the user's browser they may also fill out the field.
Below is an example of the code you would use:
HTML Code:
    <form id="form1" name="form1" method="post" action="">
        <p>Field 1 -
            <input type="text" name="textfield" id="textfield" />
        </p>
        <p>
            <!-- honeypot: hidden from humans, bots fill it in anyway -->
            <input type="text" name="textfield2" id="textfield2" style="visibility:hidden;" />
            <input type="submit" name="button" id="button" value="Submit" />
        </p>
    </form>
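The post only shows the HTML half. Here is an added example (not from the original post) of the server-side check that goes with it, plus a version of the hidden field that also handles the "CSS disabled" case mentioned above: the input is moved off-screen instead of using visibility:hidden, it gets a label telling any human who does see it to leave it empty, and autocomplete is switched off so browsers don't fill it. The field name textfield2 is taken from the form above; the sample submissions are constructed.

```php
<?php
// Added example, not code from the original post.

/**
 * Returns true when the submission looks like a bot filled the honeypot.
 * $post is the submitted form data (normally $_POST).
 */
function honeypot_triggered(array $post, string $field = 'textfield2'): bool
{
    // A human never sees the field, so any non-empty value means a script
    // filled in every input it found.
    return isset($post[$field]) && trim((string) $post[$field]) !== '';
}

/**
 * Renders the honeypot input. Off-screen positioning hides it from people
 * with CSS; the label covers people without CSS; tabindex/autocomplete stop
 * keyboard users and browsers from touching it by accident.
 */
function honeypot_html(string $field = 'textfield2'): string
{
    return '<div style="position:absolute;left:-9999px;" aria-hidden="true">'
         . '<label for="' . $field . '">Leave this field empty</label>'
         . '<input type="text" name="' . $field . '" id="' . $field . '"'
         . ' tabindex="-1" autocomplete="off" />'
         . '</div>';
}

// Constructed sample submissions: one from a browser, one from a script.
$human = ['textfield' => 'hello', 'textfield2' => ''];
$bot   = ['textfield' => 'hello', 'textfield2' => 'http://example.invalid/spam'];

foreach (['human' => $human, 'bot' => $bot] as $who => $post) {
    echo $who, ': ', honeypot_triggered($post) ? 'rejected' : 'accepted', "\n";
}
echo honeypot_html(), "\n";
```

Drop the honeypot_html() output into the form in place of the visibility:hidden input, and call honeypot_triggered($_POST) before doing anything else with the submission. Rejecting silently (pretend success, save nothing) works better than an error message, which tells the bot writer which field gave them away.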
Timestamp
This one is a little tricky, but can stop software submitting to you. What you need to do is generate a random number (say 999), put it into a hidden field and also store it in the session. When the form has been submitted, compare the number that was posted with the one stored in the session.
One minor problem is that if the user has disabled session cookies, the session may not load. But you can overcome this with MySQL.
Below are some fancy PHP functions I have written:
PHP Code:
    <?php
    # TimeStamp Functions # Made By Rogem Networks (http://www.rogem.net) # Do Not remove Link back.
    # Needs an active session: call session_start() before using these functions.

    function createtimestamp(){
        // clear any stamp left over from a previous submission
        deletestamp();
        $timestamp = md5(rand(0, 9999));
        $timestamp = md5($timestamp);
        // random suffixes so every form render gets its own session key
        $timeset = date("His").rand(0, 9999).rand(0, 9999).rand(0, 9999);
        $microtime = microtime().rand(0, 9999).rand(0, 9999).rand(0, 9999);
        $timestampsession = md5($timestamp);
        $_SESSION["timestamp".$timeset.$microtime] = $timestampsession;
        $timestamp = $timestamp."|||".$timeset."|||".$microtime;
        // now give the person two options (html or timestamp standalone).
        $return[0] = $timestamp;
        $return[1] = '<input type="hidden" name="timestamp" value="'.$timestamp.'">';
        return $return;
    }

    function checktimestamp(){
        if(isset($_POST['timestamp'])){
            $timestamp = $_POST['timestamp'];
        } elseif(isset($_GET['timestamp'])){
            $timestamp = $_GET['timestamp'];
        } else {
            return "unsafe"; // no stamp submitted at all
        }
        $posted = explode("|||", $timestamp);
        if(count($posted) != 3){
            return "unsafe"; // tampered or truncated value
        }
        // the key must be built exactly as in createtimestamp()
        $key = "timestamp".$posted[1].$posted[2];
        // strict comparison: "==" on two hashes can be fooled by "0e..." strings
        if(isset($_SESSION[$key]) && md5($posted[0]) === $_SESSION[$key]){
            return "safe";
        } else {
            return "unsafe";
        }
    }

    function deletestamp(){
        if(!isset($_POST['timestamp'])){
            return;
        }
        $posted = explode("|||", $_POST['timestamp']);
        if(count($posted) == 3){
            $key = "timestamp".$posted[1].$posted[2];
            if(isset($_SESSION[$key])){
                unset($_SESSION[$key]);
            }
        }
    }
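The functions above keep the stamp in $_SESSION, which is exactly what fails when the visitor has session cookies disabled. Here is an added example (not from the original post) of the "overcome this with MySQL" fallback: the token lives in a database table instead, is single-use, and carries the time the form was rendered, so a submission that comes back within a couple of seconds of the page being served can be refused as well (real people take longer than that to type). SQLite in memory stands in for MySQL so the script runs on its own; the table name, column names and the 3-second minimum are assumptions.

```php
<?php
// Added example, not code from the original post. PDO with SQLite in
// memory replaces the MySQL connection so this runs stand-alone.

function token_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE form_tokens (
        token     TEXT PRIMARY KEY,
        issued_at INTEGER NOT NULL,
        used      INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Issue an unguessable token and remember when the form was rendered.
// Put the return value in a hidden field exactly like the session version.
function create_token(PDO $db): string
{
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO form_tokens (token, issued_at) VALUES (:t, :at)');
    $stmt->execute([':t' => $token, ':at' => time()]);
    return $token;
}

// Accept the submission only if the token exists, has not been used before,
// and the form was on screen for at least $min_seconds. Software that fetches
// the form and posts it straight back fails the last check.
function check_token(PDO $db, string $token, int $min_seconds = 3): string
{
    $stmt = $db->prepare('SELECT issued_at, used FROM form_tokens WHERE token = :t');
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'unsafe: unknown token';
    }
    if ((int) $row['used'] === 1) {
        return 'unsafe: token already used';
    }
    if (time() - (int) $row['issued_at'] < $min_seconds) {
        return 'unsafe: submitted too fast';
    }
    // Mark it used so the same token cannot be replayed.
    $db->prepare('UPDATE form_tokens SET used = 1 WHERE token = :t')
       ->execute([':t' => $token]);
    return 'safe';
}

// Constructed walk-through of the four outcomes.
$db = token_store();
$token = create_token($db);
echo check_token($db, $token), "\n";            // straight after issuing
echo check_token($db, $token, 0), "\n";         // same token, no minimum enforced
echo check_token($db, $token, 0), "\n";         // same token again
echo check_token($db, 'not-a-real-token'), "\n";
```

With MySQL you would swap the DSN in token_store() and add a cron job (or a DELETE on insert) to purge rows older than a day, otherwise the table grows with every page view. Because nothing here depends on a cookie, the check works for visitors with sessions disabled, which is the case the post says plain $_SESSION cannot handle.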
Scan what's sent
This is more of an 'if all the above pass' type thing, to detect whether a real person is submitting the form to you, by looking at the text for spam words. For example:
PHP Code:
    <?php
    $subject = "abcdef";
    // look for the spam word anywhere in the text, case-insensitively
    $pattern = '/porn/i';
    if(preg_match($pattern, $subject, $matches)){
        // Found spam
    } else {
        // Not found
    }
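A single preg_match on one string only gets you so far. Here is an added example (not from the original post) that scans every submitted field against a word list and also counts links, since comment spam nearly always carries several of them. The word list, the link limit and the sample submissions are all constructed; tune the list for your own site.

```php
<?php
// Added example, not code from the original post.

/**
 * Returns a list of reasons the submission looks like spam (empty = clean).
 * $fields is the submitted form data (normally $_POST).
 */
function scan_submission(array $fields, array $spam_words = ['porn'], int $max_links = 2): array
{
    $reasons = [];
    // Word-boundary, case-insensitive match so "PORN" and "porn." are caught
    // without the pattern firing inside unrelated longer words.
    $quoted  = array_map(fn($w) => preg_quote($w, '/'), $spam_words);
    $pattern = '/\b(' . implode('|', $quoted) . ')\b/i';

    foreach ($fields as $name => $value) {
        $value = (string) $value;
        if (preg_match($pattern, $value, $m)) {
            $reasons[] = "$name contains spam word '{$m[1]}'";
        }
        // Count http:// and https:// occurrences in the field.
        $links = preg_match_all('~https?://~i', $value);
        if ($links > $max_links) {
            $reasons[] = "$name contains $links links";
        }
    }
    return $reasons;
}

// Constructed sample submissions.
$clean = ['name' => 'Alice', 'message' => 'Thanks for the article.'];
$spam  = ['name' => 'x',
          'message' => 'Free PORN here http://a.invalid http://b.invalid http://c.invalid'];

print_r(scan_submission($clean));
print_r(scan_submission($spam));
```

Run this after the honeypot and timestamp checks, and treat it as a score rather than a hard rule: log the reasons and hold flagged posts for moderation instead of dropping them, because a word list will always catch some real people.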