Bot Prevention

On my site I submit a form for entering a visitor. No login required. I cannot require a login. Therefore, anyone who views the site can submit the form. This also opens the form to bots. I need to prevent bots. I asked a question on the following topic.

Unwanted entry of garbage from bots?

I got a helpful answer. I read several solutions for this (captcha and non-captcha).

Mine is not a site where I get significant traffic. My users are not very smart. So I was thinking of doing something like this. I am not a very experienced programmer, and what I say here can be very stupid. But I'm just trying to learn, so please bear with me.

Every time I submit a form, I generate a unique key (unix time + remote host IP). I store the key in the db table and I submit the form with the key being the hidden field in the form. When the form is submitted, I check if the value for the key is in the db table. If so, I delete the key from the db table and process the form. If the key is not in the db table, I drop the form and ask the user to perform the operation again.

Each time I submit, I also delete the obsolete entries (when users did not submit the form at the agreed time). I will need to have some mechanism where I prevent form requests from bots. Say, for example, if I have n number of pending requests from a specific host, I ask people to request a form in a few moments.

Will something like this work?

+4
5 answers

Bots will be able to request a hidden field and send it anyway. Try the non-re-captcha library so that your users are not overloaded (recaptcha suppresses because of its additional purpose of capturing your users to make OCR pretty illegible text).

However, since you are requesting a solution other than captcha, I would suggest that you measure the time between requesting the form and submitting the form (with a private key). The bot will submit the form within a couple of seconds of the request, but the person will not.

If you find that this simple approach does not work for your site, you can try something more complex.

+1
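
An added example, not part of any post on this page: the question's one-time key combined with the timing check from the answer above, as an HMAC-signed hidden field that the server verifies on submit. The constant values, function names and the in-memory set standing in for the db table are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)    # assumption: private key that never leaves the server
MIN_FILL_SECONDS = 3       # assumed threshold: faster submissions are rejected
MAX_AGE_SECONDS = 1800     # assumed lifetime of a served form
_used = set()              # stand-in for the db table; prune entries older than MAX_AGE_SECONDS

def _sign(issued, nonce, client_ip):
    msg = f"{issued}.{nonce}.{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(client_ip, now=None):
    """Build the hidden-field value at the moment the form is served."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    return f"{issued}.{nonce}.{_sign(issued, nonce, client_ip)}"

def check_token(token, client_ip, now=None):
    """Return 'ok', or the reason the submission is dropped."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        return "malformed"
    issued, nonce, mac = parts
    expected = _sign(issued, nonce, client_ip)
    # Constant-time comparison; the timestamp cannot be edited without the key.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    age = now - int(issued)
    if age < MIN_FILL_SECONDS:
        return "too-fast"      # nonce is not consumed, a slow human can retry
    if age > MAX_AGE_SECONDS:
        return "expired"
    if nonce in _used:
        return "replayed"      # each served form is accepted once
    _used.add(nonce)
    return "ok"
```

A bot that fetches the form, waits past the threshold and then submits still passes, so this raises the cost of automated posting rather than eliminating it.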

You can also hide the form, and then the user needs to click on the button to open it. Like twitter when you log in.

+1

I would not worry too much about the bots sending your form. This will not happen. If you are terribly afraid, then instead of captcha ask a stupid question like "what is 1 + 1?" before serving.

+1

It all depends on how desperately spammers want to send garbage to your form. Your method will work for the most stupid bots, but as mehx agx indicated, it is trivial for a bot to load the form and extract the field if someone bothers to take a minute or so to configure their bot.

At the other end of the spectrum, little can be done to automatically stop “paying people in certain countries the equivalent of 10 ¢ / hour to spam every board they can find” tactics without blocking to the extent that they also prohibit the public from posting useful comments.

+1

How about hashing form field names so that the name is different every time? hash (Original field name + timestamp + secret salt), but just skip the timestamp with the form, the bot will need age, especially if the salt is different for each user and changes every couple of hours / days. I just had an idea. I wonder if you think this will stop the bots?

0

Source: https://habr.com/ru/post/1343108/

