问题
I need your opinions on this code for implementing a anti-spam solution:
- When page/form is generated, a random string is created, eg. like
$string = md5($_SERVER['REMOTE_ADDR']) - this string is inserted in the database, and set to expire after let's say 2 hours so we don't fill up database
- On page load, the form has a hidden input field with no value, let's name it
spam_check - 10, 15 or 20 secs after the page has loaded a AJAX request automatically fires off that attempts to retrieve that
$stringfrom the db & fill outspam_checkinput value with it. - when the form is submitted, we perform a simple check between the
$stringfrom the db and$_POST['spam_check'], if they don't match the message is spam...
Is this a good idea? How secure is it? The obvious advantage is that it doesn't require any action from the visitor, like reading a captcha etc.
回答1:
Interesting. I'd be wary of thinking of it as a solution to spam / replacement for capcha, but it does make the spammers life more difficult.
However you should plan for dealing with cases where javascript is disabled (and potentially CSS too) - e.g. by assigning a div for the form, but leaving it with a default message, then writing the form into it using javascript (inline rather than waiting for onload/pageready).
$string = md5($_SERVER['REMOTE_ADDR'])
This is not a random value - and it won't change. Consider:
$string = sha1($_SERVER['REMOTE_ADDR'].rand(1000).time());
(sha1 is slightly faster than md5 despite the underlying algorithm requiring more ops).
It might be a good idea to use a session, and:
$_SERVER['string'] = sha1(session_id().rand(1000).time());
回答2:
Since that $string isn't very random, and the AJAX request will be visible to someone trying to circumvent your protection, it's easy to build an automation that retrieves $string beforehand and then fires off a gazillion of spam messages onto that form.
回答3:
One approach that I like a lot is to use CSS to hide a <input type="text"> element. A bot wouldn't know if it's hidden or not and a regular user will never see it.
Take a look at this post where this topic is already extensively discussed Practical non-image based CAPTCHA approaches?
Anyways, considering your real question is this a good idea?, I can't think of a reason why it wouldn't work... I think the database part isn't necessary though, there are other ways as you can see at the previous link...
来源:https://stackoverflow.com/questions/4470274/php-captcha-replacement