Solved

Captcha String random generation, will this be enough to avoid spam

Posted on 2014-04-07
19
362 Views
Last Modified: 2014-04-08
Currently my contact form is getting a ton of spam. I am using CGI to process the submitted form.

I am using the code below to generate a random string in PHP:

<?php
// Alphabet without vowels, so the code never spells an accidental word
$characters = 'bcdfghjklmnpqrstvwxyz0123456789';
$random_string_length = 6;
$string = '';
for ($i = 0; $i < $random_string_length; $i++) {
    // Append one character picked at a random index of the alphabet
    $string .= $characters[mt_rand(0, strlen($characters) - 1)];
}
?>

and display the generated 6-character string inside a div tag as below

<div class="captcha"><?php echo "$string" ?></div>

Then I have an input text box where the user enters the above code, and using jQuery I am checking whether both values match; if they do, the form submission continues.

My question: will this be enough to keep spam away, or do I need to add anything else to make it stronger?

here is the link where I added the code

http://nehikingholidays.com/brochure-request.php

Thanks
0
Comment
Question by:niceoneishere
19 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39984102
Just about any sort of 'captcha' will minimize automated spam.  It will do nothing to prevent people from individually posting spammy messages.  However, your captcha is clear enough to be read by OCR methods so I wouldn't use it if there was any money to be made by breaking in.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 39984105
If you echo a string in clear text, the answer is "No, that is not good enough."

The article here will probably answer all your questions about CAPTCHA.  The popular and widely hated reCaptcha is the target of frequent attacks, some of which succeed.  By using an "organic" CAPTCHA you will avoid the spillover from those attacks.

Executive summary: This is the first line of defense against spam.  Content moderation and approval is the second line.  If you're reasonably fortunate you will never need the second line.

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39984115
You could make your captcha a little more effective by using a mottled background with the text color being part of it.
0
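An added example, not code from the thread or from Ray's article, that puts the advice above together: the challenge uses the question's alphabet, is kept in the session rather than echoed into the page, is drawn with GD over a mottled background as Dave suggests, and is checked on the server, because a jQuery-only comparison is never seen by a bot that posts the form directly. It assumes PHP 7.1 or later with the GD extension; the 300-second lifetime and the image size are assumptions.

```php
<?php
// Added example (not from the thread): a session-backed image CAPTCHA. Assumes PHP >= 7.1 with GD.
session_start();

function captcha_make(int $len = 6): string {
    $chars = 'bcdfghjklmnpqrstvwxyz0123456789';   // same alphabet as the question
    $s = '';
    for ($i = 0; $i < $len; $i++) {
        // random_int() is a CSPRNG; mt_rand() output can be predicted from a few samples
        $s .= $chars[random_int(0, strlen($chars) - 1)];
    }
    $_SESSION['captcha'] = $s;          // the answer stays on the server, never in the HTML
    $_SESSION['captcha_ts'] = time();   // so it can expire
    return $s;
}

function captcha_image(string $text): void {
    $w = 160; $h = 50;
    $im = imagecreatetruecolor($w, $h);
    imagefilledrectangle($im, 0, 0, $w, $h, imagecolorallocate($im, 235, 235, 235));
    // Mottled background: random mid-tone lines whose colours overlap the glyph colours
    for ($i = 0; $i < 10; $i++) {
        $c = imagecolorallocate($im, random_int(40, 190), random_int(40, 190), random_int(40, 190));
        imageline($im, random_int(0, $w), random_int(0, $h), random_int(0, $w), random_int(0, $h), $c);
    }
    // Each glyph gets its own colour and vertical offset (built-in font 5 is 9x15 px)
    $x = 12;
    foreach (str_split($text) as $ch) {
        $c = imagecolorallocate($im, random_int(0, 120), random_int(0, 120), random_int(0, 120));
        imagestring($im, 5, $x, random_int(8, 22), $ch, $c);
        $x += 22;
    }
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    imagepng($im);
    imagedestroy($im);
}

// Called by the form handler on POST, before anything else is done with the submission
function captcha_check(?string $answer): bool {
    $expected = $_SESSION['captcha'] ?? null;
    $age = time() - ($_SESSION['captcha_ts'] ?? 0);
    unset($_SESSION['captcha'], $_SESSION['captcha_ts']);   // one attempt per challenge
    if ($expected === null || $answer === null || $age > 300) {
        return false;                                        // missing, reused or expired
    }
    return hash_equals($expected, strtolower(trim($answer)));
}
```

Serve `captcha_image(captcha_make())` from the URL the form's `<img>` tag points at, and have the handler call `captcha_check($_POST['captcha'])` before reading any other field.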
 
LVL 1

Author Comment

by:niceoneishere
ID: 39984132
Thanks Dave and Ray for replying.

I will read the link you gave me Ray

And Dave, can you shed a little more light on the mottled background? Can this be done using CSS? An example or reference is appreciated.

Thanks
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39984135
Here's an example showing how easy it can be to extract a clear-text data element from an HTML document.  That's why it is usually smart to add a little more complexity to the CAPTCHA process.
http://iconoun.com/demo/temp_niceoneishere.php

<?php
/**
 * Per the request of the Author, the example source code has been removed
 */

HTH, ~Ray
0
 
LVL 1

Author Comment

by:niceoneishere
ID: 39984153
Oh wow, so basically I am back to square one :( How can I avoid the clear text? Does that mean I need to display it over an image?

Thanks
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39984242
Ray's article shows how you can include the captcha code inside an image instead of using plain text.
0
 
LVL 1

Author Comment

by:niceoneishere
ID: 39984409
Thanks, but my form is using Perl (.cgi). If I use the captcha code inside an image as in Ray's article, do I have to create the form in PHP?

Thanks
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39984438
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39984447
I assumed you wanted a PHP solution since the question was posted in the PHP Zone and you gave your example in PHP.  The principles remain the same whatever language you choose.  Anyway, best of luck with your project, ~Ray
0
 
LVL 1

Author Comment

by:niceoneishere
ID: 39984591
Hi Ray,

Is there any way you can remove my webpage link from the example you posted showing how easy it was to figure out the captcha code?

Thanks
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39984686
I'll see what I can do.  But this is not secret information that is unique to you or your web page.  Everybody with even a little bit of PHP knowledge knows how to do this!  If hackers want to attack you, they will do it without my 2-cents.  For your own safety and security please consider joining OWASP and advancing the cause of online security.
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39984972
One of the things I have run into is the client complains of spam but they also complain about captchas and they feel people don't fill out forms if they are too hard to read.

Most of the sites I am talking about here are for small businesses that get 3K to 50K uniques each month; we are not talking big numbers.  If I take down a captcha, there is typically one bot that rapid fires spam submits.

The compromise has been to create a clear text captcha or secret word or the 1+1=2 thing, and it immediately cuts out 99% of the problem.  I just did this for a client and he still gets one spam post a week instead of 50 a day.  For him, the one spammy post per week is tolerable for not having complaints about a traditional captcha.  In addition, I have a counter that allows only so many posts before the form code is hidden as well as the code that accepts input.

In Ray's article, I like the Craftsy approach as well as the "secret word".

Are these methods the most secure and best practice? No but this only works because of the types of smaller sites I am working with and I have not detected any issues yet that would force me to use something different.
0
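An added example, not Scott's code, of the compromise he describes: a "1+1=2" question whose answer lives only in the session, plus a daily counter that both hides the form markup and refuses submissions once the quota is used. The quota of 25, the counter file path and the 403 response are assumptions; it assumes PHP 7.1 or later and a file the web server can write.

```php
<?php
// Added example (not Scott's code): a "1+1=2" challenge plus a daily submission counter that
// closes the form once the quota is used. Assumes PHP >= 7.1 and a writable counter file.
session_start();
const MAX_POSTS_PER_DAY = 25;                         // assumed quota
const COUNTER_FILE = __DIR__ . '/.form-counter.json'; // assumed location; keep it outside the web root

// Returns true while today's quota is not used up; with $consume, also takes one slot under a lock
function quota_try(bool $consume): bool {
    $today = date('Y-m-d');
    $fh = fopen(COUNTER_FILE, 'c+');                  // create if missing, never truncate on open
    flock($fh, LOCK_EX);                              // serialise concurrent submissions
    $rec = json_decode(stream_get_contents($fh), true) ?: [];
    $used = (($rec['day'] ?? '') === $today) ? (int)$rec['count'] : 0;
    $ok = $used < MAX_POSTS_PER_DAY;
    if ($ok && $consume) {
        ftruncate($fh, 0); rewind($fh);
        fwrite($fh, json_encode(['day' => $today, 'count' => $used + 1]));
    }
    flock($fh, LOCK_UN); fclose($fh);
    return $ok;
}

function arith_make(): string {
    $a = random_int(1, 9); $b = random_int(1, 9);
    $_SESSION['arith'] = (string)($a + $b);           // the answer never leaves the server
    return "What is $a + $b?";
}

function arith_check(?string $answer): bool {
    $expected = $_SESSION['arith'] ?? null;
    unset($_SESSION['arith']);                        // one attempt per challenge
    return $expected !== null && $answer !== null && hash_equals($expected, trim($answer));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!arith_check($_POST['answer'] ?? null) || !quota_try(true)) {
        http_response_code(403); exit('rejected');    // wrong answer or quota exhausted
    }
    echo 'accepted';                                  // process the message here
} elseif (quota_try(false)) {
    echo '<form method="post"><label>' . htmlspecialchars(arith_make())
       . ' <input name="answer"></label> <button>Send</button></form>';
} else {
    echo 'The form is closed for today.';             // form markup is not even emitted
}
```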
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39985642
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39986745
I agree!   I wouldn't want my solution for my bank...
0
 
LVL 1

Author Comment

by:niceoneishere
ID: 39986821
Thanks guys, I ended up using one of Ray's solutions along with a captcha. It was amazing: it has been 24 hrs and so far no spam at all. Touch wood :)

Thanks guys
0
 
LVL 1

Author Closing Comment

by:niceoneishere
ID: 39986823
Thanks
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39987122
Thanks for using EE, and here's hoping it continues to work well for you. ~Ray
0
