Hello, long time no see,

I have a quick question; I'm trying to make a spam-proof form that bots can't spam entries to, so I have made up a little system relying on user's memory to enter a number.

So on the Write page (where users write their message), at the bottom there is a thing saying 'please remember this number:' then a random 4 digit number. The user must remember this number (out example will be 2078) and proceed to the next page, where they can preview their message. If their message validates, they are given a text box that asks them to enter the 4 digits they saw earlier. If they get it right, their message is submitted, if not, they are answered with a polite rejection.

So my question is; can spam bots find and remember that number, then add it? It's generated randomly with PHP's rand function, here's the entire function :P

PHP Code:


$key = rand(1, 9999); 


Thanks,

-PG



BTW: Get? My 222 post LOL

If it's on the page, they can find it, especially if it's in text. The smarter bots can often do it even if it's in an image. To get past some of the dumber bots, you might consider using PHP's GD library to generate an image and then distorting it without making unreadable. However, I'd just recommend using reCaptcha.

Yes, I tried reCaptcha, but I fail at implementing that sort of thing :S

I mean, yes, of course the bot can find it, but they'd have to enter every single number from 1 to 9999, which would break my crappy bandwidth anyway :O

Thanks, though I appreciate every single reply, positive or negative!

You shouldn't have any problem using a captcha service. Once the user validates they're human once, you should set a session variable, or mark their profile as human validated, and past that point they shouldn't need to do it again.

Having a user remember a number is always going to cause trouble. Some people will skim over the text and miss it, some may not have amazing memory, some may have dyslexia or something similar and be physically unable to remember numbers like that.

In short, you should never ask the user to remember a number.

Spam bots rely on repeatability to be able to submit forms.

Changing the name of a field randomly (store the name in a session or a cookie variable) will defeat the average bot.

Adding a empty hidden field to the form also helps, because users will not see the field, but submitter bots will put some value in. So if it is not empty on submission, reject the data. Use a meaningful name for the field

Displaying a block of color (CSS or an image) and asking the user to name it is another simple way.

Alright, I've used both of your suggestions chrishirst, but what about a colourblind person? It works great for me and most others, but if the person is colourblind, then their form may not be submitted.

Any random, easy to answer question would suffice. For example.. what's the number after 6? Computers aren't able to interpret these questions - to a reasonable degree anyway.

Quote:

Originally Posted by Physicsguy

Alright, I've used both of your suggestions chrishirst, but what about a colourblind person? It works great for me and most others, but if the person is colourblind, then their form may not be submitted.

Sure, You can avoid the most common colours that are affected with colour-blindness.

If you use an image it can have the word "RED" in the middle of it (bots can't "see" pictures)
You could even use a background colour and put the colour name in the box. IF the display element is not actually a form element or inside the form (in the source) it will not be associated with the field.

Have an audio clip that says the colour on a button click.

There are inumerable ways around most problems, it just depends on how "out of the box" you can think.

Quote:

Originally Posted by chrishirst

Adding a empty hidden field to the form also helps, because users will not see the field, but submitter bots will put some value in. So if it is not empty on submission, reject the data. Use a meaningful name for the field.

This works surprisingly well.

When I first heard about it, I didn't really give it any thought. One day I was bored, so I added it into one of my forms - and it actually made a difference. Sure, it's not foolproof, but any added defense against bots is helpful.

I personally use:
http://www.phpcaptcha.org/

Its quite easy to setup if you follow the install guide and so far i havent had any issues with bots.

Also my site requires the user follow a link thats e-mailed to them.

So that puts 2 layers for the bot to have to get through before it can cause trouble.

Also,
Accounts not authed in 24days get auto deleted, so it would keep the DB clean ( if the bots got passed level1 captcha )

I always use Captcha on my forms.

I use Captcha on all my forms