Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 10 of 10
Like Tree1Likes
  • 1 Post By tangoforce

Thread: Alternatives to the Captcha

  1. #1
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    924
    Thanks
    76
    Thanked 29 Times in 29 Posts

    Alternatives to the Captcha

    Good evening all,

    Well, the title says it all!

    I've implemented a captcha on my website as I was getting bots everyday submitting rubbish. Problem is it's horrible and disturbing the design of my site with it's 90's look.

    Does anyone know any good alternatives to secure my form?

    Thank you for your time.

    Kind regards,

    LC.

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Last captcha I made was based off of a concept that Firepages made years ago. Counting.
    You simply provide an image composed of every day items, and ask how many x's and y's do they see. How many banana's and apple's do you see? Switch up the questions with random images composing it, and away you go. Best to use multiple images for the same type as well, use a few different varieties for the banana's for example, clear that's what they are, but different so that the pattern can't be compared easily.

    Captchas can also be used in order to control the people posting based on knowledge of subject. I can't remember the site I saw, but there was one that used calculus equations for the captcha. Solve the equation in order to post. That's obviously for a forum that caters to mathematicians, so such a thing makes sense. Just like here we could potentially use the same for programming:
    PHP Code:
    int i 4;
    if (
    4)
    {
        --
    i;
    }
    print 
    i++; 
    What is the end value of i/what is the printed value? for example.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • #3
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,364
    Thanks
    61
    Thanked 530 Times in 517 Posts
    MrMarrowHead also had a rather splendid method for cutting down on their spam using random field names for each input in their form. It's rather clever as it saves the actual field names in the session so that you can still get all the required fields in your script with minimal hassle:

    How to stop form spam | PHP | Spambot | Captcha

    The idea here is that the form will always have random field names which means the bots can't submit the same fields every time. Some are smart enough simply to parse the html each time and pick out the fields but this technique reduced my spam a lot.

    For the bots that read out the field names each time you can also have two forms in the page with all the usual fields (user, email address, message) and hide it using css as a honeypot. Most spam bots will pick this up and bombard it relentlessly however you being smart and human know that it's the other form you're taking input from and so discard the normal one in your code.
    LearningCoder likes this.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #4
    New to the CF scene
    Join Date
    Mar 2014
    Posts
    3
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Try a "honey pot" technique.

    This involves placing a textarea / textbox on your form (give it a nice tempting name like "message") and hiding it using css "display:none;"

    When a genuine person fills out the form they will leave the field empty because its hidden from view. When a robot comes along they don't know any different and fill out the field.

    Before sending the email check if the field is empty, if it isn't you know its spam; so don't send anything!

  • #5
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,364
    Thanks
    61
    Thanked 530 Times in 517 Posts
    So you replied with my advice that I posted? lol

    Quote Originally Posted by tangoforce View Post
    For the bots that read out the field names each time you can also have two forms in the page with all the usual fields (user, email address, message) and hide it using css as a honeypot. Most spam bots will pick this up and bombard it relentlessly however you being smart and human know that it's the other form you're taking input from and so discard the normal one in your code.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #6
    The fat guy next door VIPStephan's Avatar
    Join Date
    Jan 2006
    Location
    Halle (Saale), Germany
    Posts
    8,793
    Thanks
    6
    Thanked 1,022 Times in 995 Posts
    Problem with the last mentioned method is that it’s not semantic and has accessibility issues because it essentially adds a meaningless field to the form that might confuse legitimate users or treat them as spammers. While a plain image captcha isn’t very accessible either there are ways to compensate that (e. g. audio captchas).

  • #7
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    334
    Thanks
    2
    Thanked 48 Times in 47 Posts
    A simple method used in many forums is the solve a simple mathematical sum or subtraction.

    So for example, have it be the sum or difference of numbers between 1 and 10 which you can generate randomly. So say What is the sum of 8 + 2 = __

    A simple PHP code to do this:

    PHP Code:
    $num1 rand(110);

    $num2 =rand(1,10);

    $answer $num1 $num2;

    echo 
    "What is the sum of {$num1} + {$num2}"//Input box follows 
    Forum CMS systems use this and it's fairly solid and simple.

  • #8
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    924
    Thanks
    76
    Thanked 29 Times in 29 Posts
    Good evening,

    Thank you all very much for your input, it's really interesting to see the various ways how people secure their forms.

    One way I had in mind was to create 9 images (The images would display the numbers 1-9) and doing the addition example. I would save the images as 'image1.png, image2.png'. When the form is submitted, extract the number from the image filename, check the sum against the user input and decide whether to proceed or send them back.

    Would the bots be able to crack that?

    (That Captcha is beginning to annoy me!)

    Kind regards,

    LC.

  • #9
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    334
    Thanks
    2
    Thanked 48 Times in 47 Posts
    Yeah, that's simple enough...but if I was maybe making a spam bot specifically for your site, I would have a list which would map each number to the specific picture so I would just fetch the html, check the loaded pictures, map to the corresponding number e.g image1.png - 1, image2.png -2, do the math in my script, insert the answer.

    You could probably have a small script to serve the images for example - randomly generate a number, divide by 10 and get remainder. Use remainder to load appropriate image such that it is not imag1.png but imagescript.php?num=23213123

    So do 23213123%10, then remainder to load appropriate image. The 23213123 would off course be randomly generated.

    Off course somebody with time and nothing to do could probably crack the logic - but that should be able to fend off generic spam bots.

  • #10
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    334
    Thanks
    2
    Thanked 48 Times in 47 Posts
    Also you can generate the logic for generating the images using Javascript so it can only be seen by users on the client-side and not spam bots.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •