PHP - CAPTCHA replacement

I need your opinions on this code for implementing an anti-spam solution:

  • When the page/form is generated, a random string is created, e.g. $string = md5($_SERVER['REMOTE_ADDR'])
  • this string is inserted in the database, and set to expire after let's say 2 hours so we don't fill up database
  • On page load, the form has a hidden input field with no value, let's name it spam_check
  • 10, 15 or 20 secs after the page has loaded, an AJAX request automatically fires off that attempts to retrieve that $string from the db & fill out the spam_check input value with it.
  • when the form is submitted, we perform a simple check between the $string from the db and $_POST['spam_check'], if they don't match the message is spam...

Is this a good idea? How secure is it? The obvious advantage is that it doesn't require any action from the visitor, like reading a captcha etc.

#0

Since that $string isn't very random, and the AJAX request will be visible to someone trying to circumvent your protection, it's easy to build an automation that retrieves $string beforehand and then fires off a gazillion of spam messages onto that form.

#1

One approach that I like a lot is to use CSS to hide a <input type="text"> element. A bot wouldn't know if it's hidden or not and a regular user will never see it.

Take a look at this post where this topic is already extensively discussed: "Practical non-image based CAPTCHA approaches?"

Anyways, considering your real question, "is this a good idea?", I can't think of a reason why it wouldn't work... I think the database part isn't necessary though, there are other ways as you can see at the previous link...

#2

Interesting. I'd be wary of thinking of it as a solution to spam / replacement for captcha, but it does make the spammer's life more difficult.

However you should plan for dealing with cases where javascript is disabled (and potentially CSS too) - e.g. by assigning a div for the form, but leaving it with a default message, then writing the form into it using javascript (inline rather than waiting for onload/pageready).

$string = md5($_SERVER['REMOTE_ADDR'])

This is not a random value - and it won't change. Consider:

$string = sha1($_SERVER['REMOTE_ADDR'] . rand() . time()); // rand() takes zero or two arguments; rand(1000) is an error

(sha1 is slightly faster than md5 despite the underlying algorithm requiring more ops).

It might be a good idea to use a session, and:

session_start(); // the session must be started before $_SESSION is used
$_SESSION['string'] = sha1(session_id() . rand() . time()); // stored in the session, not in $_SERVER
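
The scheme from the question, rewritten with the points the answers raise (#0: the token must be unpredictable; #2: use a CSPRNG value and a session instead of a database row), as an added example that is not part of the original question or answers. It also goes a little beyond the thread: the 10-second delay is enforced on the server as well as in the page script, the token expires after the question's 2 hours, it is accepted only once so a captured value cannot be replayed for a "gazillion" posts, and the comparison uses hash_equals(). The field name spam_check comes from the question; the constants, the ?action=token endpoint and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from the original post or answers.
// Single-file demo: GET renders the form and issues a token, ?action=token
// hands the token to the page's delayed request, POST verifies the submission.
// Names spam_check (from the question), TOKEN_TTL, MIN_FILL_DELAY, ?action=token
// and the function names are assumptions for this example.
declare(strict_types=1);
session_start();

const TOKEN_TTL      = 2 * 60 * 60; // seconds a token stays valid (the question's 2 hours)
const MIN_FILL_DELAY = 10;          // seconds before the token may be fetched or accepted

// Creates a fresh token in the session. 128 bits from the CSPRNG, so it is
// unpredictable, unlike md5($_SERVER['REMOTE_ADDR']) which never changes per client.
function issue_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['spam_check'] = ['token' => $token, 'issued_at' => time()];
    return $token;
}

// Serves the token to the page's delayed request. Refusing before MIN_FILL_DELAY
// means the delay is enforced server-side, not only by the JavaScript timer.
function token_endpoint(): void
{
    $state = $_SESSION['spam_check'] ?? null;
    if ($state === null || time() - $state['issued_at'] < MIN_FILL_DELAY) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(['token' => $state['token']]);
}

// Returns true only when the hidden field carries the live, unexpired token.
// The token is consumed on every attempt, so a replayed value fails.
function verify_submission(array $post, array &$session, int $now): bool
{
    $state = $session['spam_check'] ?? null;
    if ($state === null || !isset($post['spam_check']) || !is_string($post['spam_check'])) {
        return false;
    }
    $age = $now - $state['issued_at'];
    if ($age < MIN_FILL_DELAY || $age > TOKEN_TTL) {
        unset($session['spam_check']);
        return false;               // submitted too fast, or token expired
    }
    // hash_equals() compares in constant time so timing does not leak the token
    $ok = hash_equals($state['token'], $post['spam_check']);
    unset($session['spam_check']);  // one-time use
    return $ok;
}

if (($_GET['action'] ?? '') === 'token') {
    token_endpoint();
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $accepted = verify_submission($_POST, $_SESSION, time());
    echo $accepted ? 'Message accepted' : 'Rejected as spam';
    exit;
}
issue_token();
?>
<form method="post">
  <textarea name="message"></textarea>
  <input type="hidden" name="spam_check" value="">
  <button type="submit">Send</button>
</form>
<script>
// Fill the hidden field after the delay. A client that posts immediately, with
// or without running this script, fails the server-side age check.
setTimeout(function () {
  fetch('?action=token', {credentials: 'same-origin'})
    .then(function (r) { return r.json(); })
    .then(function (j) { document.querySelector('[name=spam_check]').value = j.token; });
}, MIN_FILL_DELAY_MS = <?= MIN_FILL_DELAY * 1000 ?>);
</script>
```

Keeping the token in the session removes the database row and its cleanup job, and a session that is never followed up simply expires on its own. What this still does not do is stop a scripted client that waits the ten seconds and fetches the token like a browser would; as answer #0 points out, anything the page can fetch, an automated client can fetch too, so the value of the scheme is the per-submission cost it adds (one session, one delay, one token), not secrecy.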
