6

On my website I did not want to use those distorted text CAPTCHAs. So I decided to go for a hidden field captcha.

e.g.

<form>

<input type="text" name="surprise" value="" style="display: none; visibility: hidden;"/>

</form>

Real users will not see this field, therefore they will leave it blank, whereas spam bots will fill it in. I can then check if the "surprise" field is empty or not and if it is empty continue stuff.

But I'm now asking about this method, I don't think it is very secure. So can you suggest? Is it safe? Are there any other methods of CAPTCHA that don't require the user to enter text from an image?

Ilja
  • How do you know they will fill it in? I've run boards in the past and not all fields were filled in by spam bots, just the obvious ones like *name*, *country*, etc. – Andy E Dec 07 '11 at 19:47
  • 1
    Might want to check out my answer to a similar question here: http://stackoverflow.com/questions/2603363/good-form-security-no-captcha/2603408#2603408 – Eric Petroelje Dec 07 '11 at 19:48
  • 2
    what I did for my hidden input is I used name="address" id="address" etc. it makes it sort of obvious field and at the same time I don't need to collect address from real user. – Ilja Dec 07 '11 at 19:49

6 Answers

7

What you have here will probably help to deter spam but it is far from a complete solution. A proper CAPTCHA will get you a lot further, but depending on your needs and usage scenarios, your solution might be adequate.

Nathan Taylor
  • 1
    I like this site, http://caca.zoy.org/wiki/PWNtcha . It's a good reality check if you are seriously interested in captcha protection. +1 to Nathan, as it really depends on your needs, like he said. – ToddBFisher Dec 07 '11 at 19:52
5

What ceejayoz said here is very true.

I like to do this along with other methods such as:

  • When the form is submitted under 2 seconds, reject the request.
  • Do the whole validation through ajax -- this requires JavaScript to be enabled.

First, let's add an extra input in our form field:

<input class="not_in_my_house" type="password" name="password">

I name my real password field "pass"

Sprinkle a little css magic:

.not_in_my_house {
    position: absolute; /* don't bother other elements on the page */
    width: 0; /* small */
    height: 0; /* very small */
    margin: 0; /* tiny */
    padding: 0; /* very tiny */
    border: 0; /* tada */
}

You can also try the following method but I feel dirty doing it -- it's up to you.

.not_in_my_house {
    position: absolute;
    left: -9999em;
}

Lastly, whenever a post is submitted with that form field filled in, you reject the request and maybe even ban the IP.

if(!empty($_POST['password'])){
    echo 'Nope, not in my house.';
}
Community
Emre
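
The honeypot check from the answer above, combined with its "reject submissions under 2 seconds" rule, as an added example that is not part of the original answer. The names `FORM_SECRET`, `form_token`, `issue_form_token()` and `check_submission()`, and the one-hour expiry, are assumptions; the render time is HMAC-signed so a client cannot simply backdate it.

```php
<?php
// Added example, not the answer author's code; all names here are hypothetical.
const FORM_SECRET = 'replace-with-a-random-server-side-secret'; // placeholder
const MIN_FILL_SECONDS = 2;  // threshold taken from the answer above
const MAX_TOKEN_AGE = 3600;  // assumption: a rendered form expires after an hour

// Call while rendering the form; emit the result in a hidden "form_token" input.
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the submission passes, otherwise the reason for rejecting it.
function check_submission(array $post, int $now): ?string
{
    // Honeypot: the decoy "password" field must be empty. A strict comparison
    // is used because empty('0') is true and would let the value "0" through.
    if (($post['password'] ?? '') !== '') {
        return 'honeypot field filled in';
    }
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return 'missing or malformed form token';
    }
    [, $issued, $mac] = $m;
    // hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'form token signature mismatch';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    return $age > MAX_TOKEN_AGE ? 'form token expired' : null;
}

// Constructed sample submissions against a form rendered at t = 1000.
$token = issue_form_token(1000);
$samples = [
    'human'    => [['pass' => 'hunter2', 'password' => '', 'form_token' => $token], 1010],
    'bot'      => [['pass' => 'x', 'password' => 'x', 'form_token' => $token], 1010],
    'too fast' => [['pass' => 'x', 'password' => '', 'form_token' => $token], 1001],
    'forged'   => [['pass' => 'x', 'password' => '', 'form_token' => '900.' . str_repeat('0', 64)], 1010],
];
foreach ($samples as $label => [$post, $now]) {
    echo $label, ': ', check_submission($post, $now) ?? 'accepted', PHP_EOL;
}
```

In a real handler, pass `$_POST` and `time()` to `check_submission()`; a signed token can still be replayed until it expires unless used tokens are also tracked server-side.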
5

If you do it like this, might I suggest using better spambot bait.
Put in a keyword for the 'name' attribute like "city" or "phone" that spambots can recognise and know what kind of text they can fill in. That will increase your chances.

Mr Lister
4

Most modern spambots will ignore a hidden field.

ceejayoz
2

There are other kinds of captchas that ask you to answer simple mathematical problems, or others that ask you to solve a simple word puzzle. The main purpose is to distinguish a computer from a human. So there are many ideas you can try. Another might be: show the user several different colour boxes and ask them to click on the blue one. They all have varying degrees of security and different pros and cons; only you know your circumstances.

nwaltham
2

A bot will fill a hidden field. However, you should hide it using a css file; doing it in the input HTML would still make it possible to detect if it's a hidden field.

Kevin Vandenborne
  • so in my case I apply display: none and visibility : hidden is that alright? – Ilja Dec 07 '11 at 19:55
  • Yes, doing it through a css file would rule out bots trying to detect hidden fields. Might also be able to do it through javascript, but css is cleaner. – Kevin Vandenborne Dec 07 '11 at 20:03