[nycphp-talk] capricious submission of forms
Rolan Yang
rolan at omnistep.com
Mon Feb 12 12:07:52 EST 2007
Ok, here's a totally off the wall idea to help thwart the robots from
even getting into the submission script. It is complex though:
1. You create an encrypted string based on a secret key combined with
something like the current datetime, then split it in half.
2. Half of that string is pasted into your form as a hidden variable.
The other half is hidden in an obfuscated javascript function which is
called when you click on the submit button. For added "protection", the
javascript function can even be one of those self-decrypting ones (they
used to be common with those malicious browser-exploit worms).
3. When the user clicks "submit", your form script receives the
hidden value and the javascript decrypted value, pieces it together,
decrypts it with the private key, and checks to make sure the date is
valid. If the string fails to decrypt then we know it's a bot. Otherwise
we have a little more assurance that it's a browser submitting the data.
You may be thinking, well, some bots are pretty smart and have a
javascript engine built in. Ok, here's another layer of deception
throwing css into the mix:
You do above steps 1 and 2 the same.
The first half of the encrypted string should be saved locally on the
server or stored in a database (I'll explain why in a minute).
Your form page will then have a function that dynamically generates
random css code like this:
<style type="text/css">
aerguaehrgaer {display:none;}
cvoazsdofddf {display:inline;}
htergoergjarg {display:none;}
joregpokerge {display:none;}
g493t344kt4 {display:none;}
</style>
Then put a bunch of submit buttons at the bottom of your form:
<input type="submit" value="Submit" class="aerguaehrgaer"
onclick="selfdecrypt('eg834nt9ejwegwe');">
<input type="submit" value="Submit" class="cvoazsdofddf"
onclick="selfdecrypt('s8934t0w340t934t34q');">
<input type="submit" value="Submit" class="htergoergjarg"
onclick="selfdecrypt('mr90238t340834t3');">
<input type="submit" value="Submit" class="joregpokerge"
onclick="selfdecrypt('d83ng0erg34t0834');">
<input type="submit" value="Submit" class="g493t344kt4"
onclick="selfdecrypt('j9340tgi340we0jerg');">
The spam robot won't know which submit button to push, but a human will
only see one button because the css is hiding the rest.
Well, if I were a stubborn, inconsiderate, javascript-interpreting spam
bot, I would just submit the same form 5 (or however many) times, trying
every submit button.
That is why when we receive the form submission, we check for the first
half of the encrypted string in our locally stored list. After a failed
try, the string should be removed from the local list or database and
any successive attempts will return as failed.
The method above provides a decent amount of spam-bot deterrence while
still presenting a user-friendly, captcha-less form.
Good luck,
Rolan
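The server side of the scheme in the post (issue a dated secret-keyed token, split it in half, keep the first half in a local list, and consume it so a bot that retries every hidden button fails) as an added example, not code from the post. Assumptions: it uses an HMAC-authenticated token in place of the post's encrypt/decrypt step, since the server only needs to verify the token is its own and fresh; the key, the TTL and the dictionary used as the "local list" are constructed for the demo, and the half is consumed on success as well as on failure.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed demo values; a real form script loads the key from config.
SECRET_KEY = b"constructed-demo-secret-key"
TOKEN_TTL_SECONDS = 15 * 60


class FormTokenGuard:
    """Issues split tokens for a form and verifies the reassembled half-pairs."""

    def __init__(self, secret=SECRET_KEY, now=time.time, ttl=TOKEN_TTL_SECONDS):
        self.secret = secret
        self.now = now          # injectable clock so expiry can be tested
        self.ttl = ttl
        self.pending = {}       # first half -> second half (the post's "local list")

    def issue(self):
        """Return (hidden_field_half, javascript_half) for one rendering of the form."""
        issued_at = int(self.now())
        body = issued_at.to_bytes(8, "big") + os.urandom(8)   # datetime + nonce
        tag = hmac.new(self.secret, body, hashlib.sha256).digest()
        token = base64.urlsafe_b64encode(body + tag).decode()  # 48 bytes -> 64 chars
        first, second = token[:32], token[32:]
        self.pending[first] = second
        return first, second

    def verify(self, first, second):
        """True only for a fresh, untouched pair; every attempt consumes the first half."""
        expected_second = self.pending.pop(first, None)   # removed whether or not it passes
        if expected_second is None:
            return False                                  # unknown, expired, or already tried
        if not hmac.compare_digest(expected_second.encode(), second.encode()):
            return False                                  # wrong button / wrong JS half
        raw = base64.urlsafe_b64decode(first + second)
        body, tag = raw[:16], raw[16:]
        if not hmac.compare_digest(hmac.new(self.secret, body, hashlib.sha256).digest(), tag):
            return False                                  # not minted with our key
        issued_at = int.from_bytes(body[:8], "big")
        return 0 <= self.now() - issued_at <= self.ttl    # the "date is valid" check
```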