Solved

Captcha String random generation, will this be enough to avoid spam

Posted on 2014-04-07
341 Views
Last Modified: 2014-04-08
Currently my contact form is getting a ton of spam. I am using CGI to process the submitted form.

I am using the code below to generate a random string in PHP:

<?php
// Build a 6-character code from an alphabet of consonants and digits
$characters = 'bcdfghjklmnpqrstvwxyz0123456789';
$random_string_length = 6;
$string = '';
for ($i = 0; $i < $random_string_length; $i++) {
    $string .= $characters[mt_rand(0, strlen($characters) - 1)];
}
?>

and display the generated 6-character string inside a div tag as below:

<div class="captcha"><?php echo $string; ?></div>

Then I have an input text box where the user enters the above code, and using jQuery I check whether both values match before continuing with the form submission.

My question: will this be enough to keep spam away, or do I need to add anything else to make it stronger?

Here is the link where I added the code:

http://nehikingholidays.com/brochure-request.php

Thanks
Question by:niceoneishere
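Added example, not the asker's code and not taken from Ray's article: the same 6-character challenge, restructured so that the expected answer never reaches the browser. The answer is kept in $_SESSION and compared there with hash_equals(), and the challenge is drawn into a PNG on a mottled background instead of being echoed into the HTML. It assumes PHP 7.1 or later with the GD extension loaded and working sessions; the field name 'captcha' and the 'img' query parameter are names chosen for this example.

```php
<?php
// Added example (not the asker's code). Assumes PHP 7.1+, the GD extension and
// working sessions; the field name 'captcha' and the 'img' parameter are
// names chosen here, not from the original page.
session_start();

const CAPTCHA_ALPHABET = 'bcdfghjklmnpqrstvwxyz0123456789';

// random_int() is a CSPRNG; mt_rand() output can be predicted by an observer
// who has seen enough earlier values.
function makeChallenge(int $length = 6): string
{
    $s = '';
    for ($i = 0; $i < $length; $i++) {
        $s .= CAPTCHA_ALPHABET[random_int(0, strlen(CAPTCHA_ALPHABET) - 1)];
    }
    return $s;
}

// Draw the text over a mottled background so that neither the page source nor
// a flat single-colour image hands the answer over in clear text.
function renderChallenge(string $text): string
{
    $w = 130;
    $h = 44;
    $img = imagecreatetruecolor($w, $h);
    for ($x = 0; $x < $w; $x++) {
        for ($y = 0; $y < $h; $y++) {
            $shade = random_int(170, 255);             // light noise pixel
            imagesetpixel($img, $x, $y, ($shade << 16) | ($shade << 8) | random_int(120, 255));
        }
    }
    // Each character in a mid-grey that overlaps the background range, with a
    // small vertical jitter, using GD's built-in font 5.
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $grey = random_int(90, 140);
        $colour = ($grey << 16) | ($grey << 8) | $grey;
        imagestring($img, 5, 10 + $i * 18, random_int(8, 18), $text[$i], $colour);
    }
    ob_start();
    imagepng($img);
    imagedestroy($img);
    return ob_get_clean();
}

// Server-side check: one attempt per challenge, constant-time comparison.
function verifyAnswer(?string $submitted, array &$session): bool
{
    if (!isset($session['captcha_answer'])) {
        return false;
    }
    $expected = $session['captcha_answer'];
    unset($session['captcha_answer']);             // a challenge is never reusable
    return is_string($submitted)
        && hash_equals($expected, strtolower(trim($submitted)));
}

if (isset($_GET['img'])) {                         // served for <img src="?img=1">
    $_SESSION['captcha_answer'] = makeChallenge();
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    echo renderChallenge($_SESSION['captcha_answer']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (verifyAnswer($_POST['captcha'] ?? null, $_SESSION)) {
        echo 'Thanks, your request was received.';  // hand off to the real mail step here
    } else {
        echo 'The code did not match, please try again.';
    }
    exit;
}
?>
<form method="post">
  <img src="?img=1" alt="verification code">
  <input type="text" name="captcha" autocomplete="off">
  <button type="submit">Send</button>
</form>
```

Whatever processes the submission (here the same PHP file; in the asker's setup the Perl CGI) has to do the comparison against the stored answer. A jQuery check runs in the visitor's browser, and a bot posting straight to the CGI never runs it, so a client-side comparison adds nothing against automated submissions.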
19 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
Just about any sort of 'captcha' will minimize automated spam.  It will do nothing to prevent people from individually posting spammy messages.  However, your captcha is clear enough to be read by OCR methods, so I wouldn't use it if there were any money to be made by breaking in.
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
If you echo a string in clear text, the answer is "No, that is not good enough."

The article here will probably answer all your questions about CAPTCHA.  The popular and widely hated reCaptcha is the target of frequent attacks, some of which succeed.  By using an "organic" CAPTCHA you will avoid the spillover from those attacks.

Executive summary: This is the first line of defense against spam.  Content moderation and approval is the second line.  If you're reasonably fortunate you will never need the second line.

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
 
LVL 82

Expert Comment

by:Dave Baldwin
You could make your captcha a little more effective by using a mottled background with the text color being part of it.
 
LVL 1

Author Comment

by:niceoneishere
Thanks Dave and Ray for replying.

I will read the link you gave me, Ray.

And Dave, can you shed a little more light on the mottled background? Can this be done using CSS? An example or reference is appreciated.

Thanks
 
LVL 108

Expert Comment

by:Ray Paseur
Here's an example showing how easy it can be to extract a clear-text data element from an HTML document.  That's why it is usually smart to add a little more complexity to the CAPTCHA process.
http://iconoun.com/demo/temp_niceoneishere.php

<?php
/**
 * Per the request of the Author, the example source code has been removed
 */


HTH, ~Ray
 
LVL 1

Author Comment

by:niceoneishere
Oh wow, so basically I am back to square one :(  How can I avoid the clear text? Does that mean I need to display it over an image?

Thanks
 
LVL 82

Expert Comment

by:Dave Baldwin
Ray's article shows how you can include the captcha code inside an image instead of using plain text.
 
LVL 1

Author Comment

by:niceoneishere
Thanks, but my form is using Perl (.cgi). If I use the captcha code inside an image as in Ray's article, do I have to create the form in PHP?

Thanks
 
LVL 82

Expert Comment

by:Dave Baldwin

 
LVL 108

Expert Comment

by:Ray Paseur
I assumed you wanted a PHP solution since the question was posted in the PHP Zone and you gave your example in PHP.  The principles remain the same whatever language you choose.  Anyway, best of luck with your project, ~Ray
 
LVL 1

Author Comment

by:niceoneishere
Hi Ray,

Anyway, can you remove my webpage link from the example you posted showing how easy it was to figure out the captcha code?

Thanks
 
LVL 108

Expert Comment

by:Ray Paseur
I'll see what I can do.  But this is not secret information that is unique to you or your web page.  Everybody with even a little bit of PHP knowledge knows how to do this!  If hackers want to attack you, they will do it without my 2-cents.  For your own safety and security please consider joining OWASP and advancing the cause of online security.
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
One of the things I have run into is that the client complains about spam, but they also complain about captchas, and they feel people don't fill out forms if they are too hard to read.

Most of the sites I am talking about here are for small businesses that get 3K to 50K uniques each month; we are not talking big numbers.  If I take down a captcha, there is typically one bot that rapid-fires spam submits.

The compromise has been to create a clear-text captcha or secret word or the 1+1=2 thing, and it immediately cuts out 99% of the problem.  I just did this for a client and he still gets one spam post a week instead of 50 a day.  For him, the one spammy post per week is tolerable for not having complaints about a traditional captcha.  In addition, I have a counter that allows only so many posts before the form code is hidden, as well as the code that accepts input.

In Ray's article, I like the Craftsy approach as well as the "secret word".

Are these methods the most secure and best practice? No, but this only works because of the types of smaller sites I am working with, and I have not detected any issues yet that would force me to use something different.
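Added example, not Scott's code: the two measures described in the post above, a server-checked arithmetic question of the "1+1=2" kind and a per-session submission counter that hides the form and stops accepting input once a cap is reached. Session handling, the cap of 5 and the field name 'answer' are assumptions made for this example; it needs PHP 7 or later for random_int().

```php
<?php
// Added example (not Scott's code). Session handling, the cap of 5 and the
// field name 'answer' are assumptions for this example; requires PHP 7+.
session_start();

const MAX_SUBMISSIONS = 5;                     // per session; the value is an assumption

// Produce a small addition question; only the numeric answer is stored, server-side.
function newQuestion(array &$session): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['math_answer'] = (string) ($a + $b);
    return "What is $a + $b?";
}

// Compare on the server; the question is consumed whether or not the answer is right.
function checkAnswer(?string $submitted, array &$session): bool
{
    if (!isset($session['math_answer'])) {
        return false;
    }
    $expected = $session['math_answer'];
    unset($session['math_answer']);
    return is_string($submitted) && hash_equals($expected, trim($submitted));
}

// Submissions remaining for this session. The counter lives in the session, so it
// only constrains a client that keeps its cookie: it thins out a rapid-fire bot
// rather than stopping a determined one.
function submissionsLeft(array &$session): int
{
    $used = $session['submissions'] ?? 0;
    return max(0, MAX_SUBMISSIONS - $used);
}

function recordSubmission(array &$session): void
{
    $session['submissions'] = ($session['submissions'] ?? 0) + 1;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (submissionsLeft($_SESSION) === 0) {
        http_response_code(429);
        exit('Too many submissions from this session.');   // input is no longer accepted
    }
    recordSubmission($_SESSION);
    if (checkAnswer($_POST['answer'] ?? null, $_SESSION)) {
        exit('Thanks, your message was received.');       // real processing goes here
    }
    echo '<p>That answer was not right.</p>';
}

if (submissionsLeft($_SESSION) === 0) {
    exit('<p>The form is closed for this session.</p>');  // form code is hidden
}
$question = newQuestion($_SESSION);
?>
<form method="post">
  <label><?= htmlspecialchars($question) ?> <input name="answer" autocomplete="off"></label>
  <button type="submit">Send</button>
</form>
```

The question text is the only thing sent to the browser; the expected sum stays in the session, so the page source carries nothing that can be copied straight into the answer field.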
 
LVL 108

Expert Comment

by:Ray Paseur
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
I agree!   I wouldn't want my solution for my bank...
 
LVL 1

Author Comment

by:niceoneishere
Thanks guys, I ended up using one of Ray's solutions along with a Captcha. It was amazing: it has been 24 hrs and so far no spam at all. Touch wood :)

Thanks guys
 
LVL 1

Author Closing Comment

by:niceoneishere
Thanks
 
LVL 108

Expert Comment

by:Ray Paseur
Thanks for using EE, and here's hoping it continues to work well for you. ~Ray
