
I have a classifieds website...

Each classified is displayed in a php page called show_ad.php

I am working on a "tip a friend" function, where users enter their own name, the friend's email and a short message to the friend.

The above is no problem; however, I need to make sure bots don't use this form for "spam" etc.

One way is captcha, but I was thinking about creating my own captcha, so here is my plan, and I need you to tell me if it has any flaws:

1- On load of the show_ad.php file, I generate a random number, say 5 digits.
2- I output the number to the user, and tell users to enter this number in a form text input.
3- The number is also put into a hidden input.
4- User presses "send" button.
5- I use ajax to call a php file called send_tip.php, and I fetch the value of the hidden input, and compare it to the text-input the user entered, and see if they match, and then send the email.

Nothing is ever safe enough, but is the above enough for a classifieds website?

Thanks

UPDATE:

6- I add a table to MySQL, which records IP addresses of the user who sends email, and if it exceeds more than say 3 emails per minute AND 30 emails per day, I stop them... Although then maybe just the email is enough, and I should skip the first steps with the random number? What do you think?

  • Why in heaven's name invent your own CAPTCHA? – T.J. Crowder Nov 21 '10 at 22:38
  • I don't know whether it's safe from bots, but it's probably not safe from spam since that is most likely what you will be sending to the friend. – bmb Nov 21 '10 at 22:38
  • FWIW, friends and family who give out my personal email address to websites tend to get a bit of a hard response from me (*"If I wanted the New York Times to have my email address, I'd've given it to them. If you want to send me something, grab the URL and email it to me directly."*). And the website is always completely ignored. – T.J. Crowder Nov 21 '10 at 22:40

4 Answers


You might want to consider using reCAPTCHA instead of reinventing the wheel and making your own CAPTCHA.

As a nice side effect, you're helping to digitize books!

icktoofay

One could easily write a bot that looks at the hidden field and submits the right data.

So no, it's not secure.

Matthew
  • I'm not sure what your edit was, but if it's something that can be scripted, spammers will take advantage of it. Basically the obscurity of the site is the only line of defense here. This particular safeguard adds almost nothing to it. – Matthew Nov 21 '10 at 22:33
  • Okay, your update is regarding rate limiting. It could be sufficient if you can find the proper limits. (Note that spammers may have access to many IPs.) By the way, it's a good thing to do, regardless of if you ultimately use something like a traditional image CAPTCHA. – Matthew Nov 21 '10 at 22:36
  • @Camran: With the edit, it's still not remotely secure. Just a bit slower from any given individual IP (and these people have *millions* of IPs at their disposal). – T.J. Crowder Nov 21 '10 at 22:37
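To make concrete what "looks at the hidden field" means, here is an added example (it is not code from the question or from any of the answers) that simulates the check described in step 5 and two trivial bots against it. The form HTML and the field names `challenge` (the visible text input) and `challenge_hidden` (the hidden input) are assumptions standing in for whatever show_ad.php actually emits.

```python
"""Added example: why comparing the typed number against a hidden input
proves nothing.  The HTML and the field names are assumptions, not the
site's real markup."""
from html.parser import HTMLParser

# Constructed stand-in for the HTML that show_ad.php would emit.
PAGE_HTML = """
<form id="tip" action="send_tip.php" method="post">
  <p>Please type this number: <b>48213</b></p>
  <input type="hidden" name="challenge_hidden" value="48213">
  <input type="text" name="challenge">
  <input type="text" name="sender_name">
  <input type="text" name="friend_email">
  <textarea name="message"></textarea>
  <button type="submit">send</button>
</form>
"""


class HiddenFieldScraper(HTMLParser):
    """Collects every hidden <input> on the page as name -> value."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if attr.get("type") == "hidden" and attr.get("name"):
            self.hidden[attr["name"]] = attr.get("value") or ""


def vulnerable_send_tip(post):
    """Simulates the check from step 5 of the question: accept when the
    typed number equals the hidden number.  Both values arrive in the same
    POST body, so the client controls both sides of the comparison."""
    typed = post.get("challenge", "")
    hidden = post.get("challenge_hidden", "")
    return typed != "" and typed == hidden


def forge_submission(html, sender, friend, message):
    """Bot, variant 1: fetch the page (here: the constructed HTML), read the
    answer out of the hidden field and echo it into the text field."""
    scraper = HiddenFieldScraper()
    scraper.feed(html)
    answer = scraper.hidden["challenge_hidden"]
    return {
        "challenge": answer,
        "challenge_hidden": answer,
        "sender_name": sender,
        "friend_email": friend,
        "message": message,
    }


def forge_without_reading(sender, friend, message):
    """Bot, variant 2: no page fetch at all.  Since the server only checks
    that two client-supplied fields are equal, any matching pair passes."""
    return {
        "challenge": "1",
        "challenge_hidden": "1",
        "sender_name": sender,
        "friend_email": friend,
        "message": message,
    }


if __name__ == "__main__":
    bot = forge_submission(PAGE_HTML, "bot", "victim@example.com", "buy stuff")
    print("read hidden field:", bot["challenge"], "->", vulnerable_send_tip(bot))
    print("skipped the page entirely ->", vulnerable_send_tip(
        forge_without_reading("bot", "victim@example.com", "buy stuff")))
```

Variant 2 is the real lesson: the bot does not even need to load show_ad.php, because the server never has an expectation of its own to compare against. Using AJAX for the submission changes nothing here; the bot just POSTs to send_tip.php directly.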

No CAPTCHAs are 100% bot-proof, but 99% bot-proof is enough. AJAX will be a huge roadblock to bots, which is secure enough. You should give misleading names to form fields. For example, your hidden field for your "number" will be named "message", so your bot will misfill it. However, if your site is big enough, bot programmers will re-program their bots to cope with your site...

See also: Practical non-image based CAPTCHA approaches?

Ming-Tang

It's not very safe. A better solution would be to generate that 5-digit number and store it in the session. Then generate an image that shows the number. Any bot that needs to hack this captcha needs to be able to OCR the image, which is far more complex. Another slight advantage to this approach is that it works without the need for AJAX, although that might be a disadvantage as well, because AJAX is an extra obstacle for bots. You can, if you want, still use AJAX to request the image.

[edit] One very great advantage of writing your own captcha is that someone needs to write a specific bot for it. Common captchas can be hacked by generic bots that just look for signs. I've had success with protecting some of my forms by replacing a complex captcha with a simple custom-made one that shows just plain text and even always requires the same answer!

GolezTrol
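The storage half of this answer (keep the number in the session, not in the form) and the rate limit from the question's update, written out as an added example that is not code from the thread. It only shows the server-side logic: rendering the digits as an image is left out. An in-memory dict stands in for PHP's `$_SESSION` and for the MySQL table of sender IPs, the field name `challenge` is an assumption, and both limits from the update (3 per minute, 30 per day) are enforced.

```python
"""Added example: session-bound, single-use challenge plus a per-IP sliding
window.  The session store and IP table are in-memory stand-ins for
$_SESSION and MySQL; the field name `challenge` is an assumption."""
import hmac
import secrets
import time
from collections import defaultdict, deque

PER_MINUTE = 3
PER_DAY = 30
DAY = 86400


class TipService:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the limiter is testable
        self.pending = {}                  # session_id -> expected answer
        self.sends = defaultdict(deque)    # ip -> timestamps of accepted sends

    def new_challenge(self, session_id):
        """show_ad.php side: pick the number and remember it server-side.
        Only the digits go to the client (as text, or rendered as an image);
        the form carries no copy of the answer, so there is nothing to scrape."""
        code = f"{secrets.randbelow(100000):05d}"
        self.pending[session_id] = code
        return code

    def _allowed(self, ip):
        """Sliding-window count of accepted sends from this IP."""
        now = self.clock()
        q = self.sends[ip]
        while q and now - q[0] >= DAY:     # forget anything older than a day
            q.popleft()
        last_minute = sum(1 for t in q if now - t < 60)
        return last_minute < PER_MINUTE and len(q) < PER_DAY

    def send_tip(self, session_id, ip, post):
        """send_tip.php side.  Returns (accepted, reason).  Anything the
        client sends in a hidden field is simply never looked at."""
        # Consume the challenge on every attempt, right or wrong: a wrong
        # guess forces a new page load, so the 100000 possibilities cannot
        # be brute-forced against a single challenge.
        expected = self.pending.pop(session_id, None)
        if expected is None:
            return False, "no pending challenge"
        typed = str(post.get("challenge", ""))
        # compare_digest wants both operands as bytes (or both ASCII str);
        # encoding first keeps a non-ASCII submission from raising TypeError.
        if not hmac.compare_digest(expected.encode(), typed.encode()):
            return False, "wrong answer"
        if not self._allowed(ip):
            return False, "rate limited"
        self.sends[ip].append(self.clock())
        # ... build and send the e-mail here ...
        return True, "sent"


if __name__ == "__main__":
    svc = TipService()
    code = svc.new_challenge("sess-1")
    print("show this to the user:", code)
    print(svc.send_tip("sess-1", "198.51.100.7", {"challenge": code}))
    print(svc.send_tip("sess-1", "198.51.100.7", {"challenge": code}))  # replay
```

As the comments on the other answer point out, the per-IP window slows one sender down but does nothing against a spammer with many addresses, so it belongs alongside the challenge rather than in place of it.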