Alright, before I begin, I am terrible at English and grammar.
Say you're using a form-to-forum-post method. What I do to secure the form page is phpBB3 (or similar) integration into the page.
<?php
// Tells phpBB we're not hackers, then includes the common.php file from the forums.
define('IN_PHPBB', true);
$phpbb_root_path = './PATH TO FORUMS/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management. This allows us access to some of the user's information when they are logged in.
$user->session_begin();
$auth->acl($user->data);
$user->setup();

// Some common things you'll use. $username gives the username, and $userid gives the unique ID of the logged-in user.
$username = $user->data['username'];
$userid = $user->data['user_id'];

// Anonymous (not logged in) visitors are sent away before any of the page below loads.
if ($user->data['user_id'] == ANONYMOUS) {
    echo '';  // message shown to logged-out visitors goes here
    exit();
}
// The page below will only show if the user is logged in; if not, the information below will not even load.
?>
Well, I have just noticed the dates on the reviews...
This method still works, but it is not a good method anymore. I have found it more useful, and more difficult to bypass, to leave a hash in the form and in their session.
For example, I take an md5 hash of their user agent concatenated with their IP, and I save this hash in the form as a hidden field; on submission, I check to ensure that the current user agent and IP match the hash, else I assume foul play and kick them out.
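As an added example (not the commenter's own code), here is the hidden-field-plus-session check described above, written as a small PHP form handler. One swap from the comment: instead of a bare md5 of user agent + IP, which anyone who knows their own user agent and IP can compute, the token is an HMAC keyed with a server-side secret. The `$FORM_SECRET` value and the field names are this example's own assumptions.

```php
<?php
// Added example: a form token bound to the visitor's User-Agent and IP address,
// kept both in a hidden form field and in the session, verified on submission.
// $FORM_SECRET is an assumed configuration value; load it from config in practice.
session_start();
$FORM_SECRET = 'replace-with-a-long-random-value';

function client_fingerprint(): string {
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return $ua . '|' . $ip;
}

function issue_form_token(string $secret): string {
    // HMAC with a server secret rather than md5(UA . IP), so the client cannot forge it.
    $token = hash_hmac('sha256', client_fingerprint(), $secret);
    $_SESSION['form_token'] = $token;   // copy kept server-side
    return $token;                      // copy that goes into the hidden field
}

function verify_form_token(string $secret, string $submitted): bool {
    $expected = hash_hmac('sha256', client_fingerprint(), $secret);
    // The hidden field must match the current UA + IP and the session copy;
    // hash_equals() avoids a timing side channel on the comparison.
    return isset($_SESSION['form_token'])
        && hash_equals($expected, $submitted)
        && hash_equals($_SESSION['form_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = $_POST['form_token'] ?? '';
    if (!is_string($submitted) || !verify_form_token($FORM_SECRET, $submitted)) {
        http_response_code(403);
        exit('Form token mismatch.');   // assume foul play and kick them out
    }
    unset($_SESSION['form_token']);     // one use per token
    // ... handle the accepted post here ...
    exit('Accepted.');
}

$token = issue_form_token($FORM_SECRET);
?>
<form method="post" action="">
  <textarea name="message"></textarea>
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Post</button>
</form>
```

One caveat worth keeping in mind with any IP-bound token: visitors whose address changes between page load and submission (mobile networks, some proxies) will be rejected as well, so log these rejections rather than silently dropping them.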
One improvement, if you're not going to be requiring emails, can be to name it "email", not "leave blank". There are a lot of bots out there that look for recognized fields and fill them out (like email fields). A "leave blank" field is less likely to be filled in by a bot.
It will stop automated bots, in spite of any skepticism.
Say I have a forum using SMF. People write bots that successfully target these forums. If you don't allow anonymous posting then this is probably not a problem, BUT the fact remains that there are auto bots that can do this.
Ultimately I guess if someone wrote a bot specifically to target your site, then you are no longer fighting a bot but a human.
So this article makes sense and it works.
If you check any page on howtocreate.co.uk, you can see he's got a hidden link. Click the link and get banned, a nice honeypot.
Google and such don't click the link because it's forbidden under robots exclusion.
Anyway, to nitpick with this article:
The second code block you've got will work in practice, but technically it has a bug. The bot can submit useless data ;)
Try entering the value "1", it will get through.
Yes I'm being a smartass.
Somebody just had to come along and say it, didn't they?
This may work to prevent automated scanners... maybe... but if anyone is looking to directly bot a form for a site you're running, they will do it by hand.
Even when I've created automated login systems for Hotmail, Gmail, Yahoo, AOL, MySpace, Facebook, it takes about 30 mins of dev work to figure out all of the required fields you need to pick up and post in as hash strings, and the rest you can just ignore.
I have found that a lot of bots ignore an element that is hidden with display: none;
I simply use a technique where you just push the desired element outside of the screen with negative values instead, and it has worked like a charm; I never got a single spam after that.
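As an added example (not any commenter's code), here is a honeypot that puts the two suggestions above together: the trap field is named "email" so that field-matching bots fill it in, it is pushed off-screen with negative positioning rather than display: none, and the server rejects any submission where it is non-empty. The CSS class, the reject handling and the log line are this example's own choices; if the form genuinely needs an email address, that real field has to use a different name.

```php
<?php
// Added example: honeypot field named "email", hidden off-screen, checked server-side.

function honeypot_tripped(array $post, string $field = 'email'): bool {
    // A human never sees the field, so a non-empty value (or a non-string value
    // such as email[]=x) means something other than a browser user filled it in.
    $value = $post[$field] ?? '';
    return !is_string($value) || trim($value) !== '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypot_tripped($_POST)) {
        // Record the hit before dropping it; a ban or rate limit could be keyed on this.
        error_log('honeypot hit from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit();
    }
    // ... handle the legitimate post here ...
    exit('Accepted.');
}
?>
<style>
  /* Off-screen instead of display:none, since some bots skip display:none elements. */
  .hp-wrap { position: absolute; left: -10000px; top: auto; width: 1px; height: 1px; overflow: hidden; }
</style>
<form method="post" action="">
  <label>Message <textarea name="message"></textarea></label>
  <div class="hp-wrap" aria-hidden="true">
    <!-- Honeypot: named "email" so bots that look for known fields fill it; humans never see it. -->
    <label>Email <input type="text" name="email" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Post</button>
</form>
```

The tabindex="-1" and autocomplete="off" attributes keep keyboard users and browser autofill from landing in the trap field, which is the usual way a real visitor ends up wrongly rejected by a honeypot.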