In the video you're first checking if the fields (name, email and query) are set. Personally, what i'd do is first check if the "title" field has been filled in... if so, immediately invalidate the request. There is no need to first validate the actual form, since it's a bot. Cheers
This might work for bots that were created to mass post spam multiple sites, but if a programmer wants to create a bot to post spam this particular website, he's probably going to figure this out and implement it into the bot, so it doesn't fill in the 'title' field. You should probably add this to your description.
Very cool idea. This is simpler and less intrusive than using a captcha script although probably not as effective. I have actually read a tutorial which uses the PHP image manipulation (gd) library to create a captcha. For those who are interested, the idea is simple. You generate a random string using a character set you wish. Hash the string and set it to a session variable. Then generate an image with the original string and apply lines and dots and stuff to make it harder for computers to read. Then on the second page, you take the input field and run it through the same hash to verify that it was typed in correctly. I know I glossed over the details, but hopefully, this should give you an idea of how to work through this. Perhaps Alex could do a tutorial on this? That would be nice.
I use this all the time, only I don't call my class hidden , works really well, you can't really do it with jquery as a bot simply reads the raw markup ie. It would nt see any javascript code applied
Just so people know, this will help against a lot of the bots but not the more sophisticated ones. It is not a substitution for a captcha but can be used in less critical instances or to complement other security measures.
Indeed. This would be good coupled with another method as you mentioned. Saying that, we've had hardly any spam pass through our 'contact us' gates using this method!
Thank you for this but I have a question is there a more complex way in avoiding spam because i think if they will try to bypass the input filled that is hidden they can still continue to spam.
Why don't you check for the title field at the beginning of the if-statement that was already there? Also, what happens if I use the die function if my email form doesn't forward to another page but uses the same page to send it, will the email form become useless?
Because the outcome for 'title' to be set would be different. In this version if the title is set then it calls die()-function. But if everything is in the first if-statement then if title is set there would be no die-call. So we can do a special functionality in a case when title is set. Also I think its more clear for a human to read if its separated because it is a separate issue.
Can you help me understand how to do this in CodeIgniter. I'm using $this->form_validation->set_rules('title_1', 'title1', 'max_length[0]'); Form still goes through
yes that's certainly possible ,but until this method is in wide use nobody is giong to bother programming that into their bots as it's a lot more hassle to check that, much easier to just move onto the sites that have simple forms with no bot protection.
wouldnt be for example .addClass("hidden") in jquery a more save way to prevent bots from checking display:none etc? And something like DO NOT FILL - BOT PREVENTION most people deactivating JS are able to understand that. lech00 two comments below also wrote something very nice! Dont you think?
Scratch that, the editor I was using was automatically adding a "$" in front of if. That fixed, working great... Gone from 40-60 spam email a day to no spam at all. Actually had to check the forms to make sure they where working properly
Could someone please confirm for me that this is what is known as the honey pot spam prevention method? If not what is this kind of method actually called?
CAPTCHA is an awful method to use.. I ment awful because its not clier and annoying.. If I see any forms with captcha, register,contact forms, etc, all I do is exit page.. What I do for my forms, to prevent spam, I just generate random code, lets say (1,999) and ask to enter that number for user..This number is storred in session, so after you click submit button its not going to change, but if this session is already set, we generate another one.. Its super simple for user to enter, no eye breaking like with captcha and you can generate numbers + letters, if you think is going to be more secure..
I do something similar as well... I create a simple math question on the screen, and have the user answer that. I can then verify it after the form is submitted via php. Works great... killed my bot problem in no time...
No need to check for isset() when using !empty(), as one of the equivalent sides of the empty() check is !isset().
In the video you're first checking if the fields (name, email and query) are set. Personally, what i'd do is first check if the "title" field has been filled in... if so, immediately invalidate the request. There is no need to first validate the actual form, since it's a bot.
Cheers
how do you set that up
I'll give this a go. Much appreciated John
Great tip. Useful even in 2024.
Added to favorites
Good job! I like your solution to form spam.
Best PHP tutorials period.
Smart idea! im going to use this from now on! thanks
I can see how this could be implemented with JavaScript as well. Love the concept! Thanks!
Brilliant! Thank you very much.
Thanks :) I will keep this in mind
Wow. Added to my Useful playlist. Will use this later.
Great to hear. Hope it's useful for you in the future.
This might work for bots that were created to mass post spam multiple sites, but if a programmer wants to create a bot to post spam this particular website, he's probably going to figure this out and implement it into the bot, so it doesn't fill in the 'title' field. You should probably add this to your description.
another very useful knowledge thanks you sir for all your tutorials :D
This is so cool, and so easy :) Thanks a lot!
I did this and it, tested it, works. Thanks
This still work in 2022, asking for a friend 😂😂🤣
Really helpful thanks!
I've done this a couple of weeks ago on a site, and it's very effective indeed :)
Great to hear it's worked for you!
***** Another way would be to add an anti-CRSF field, with a temporary Session ID which can be validated by the receiving code. But hey.. :D
Ingenious!
Very cool idea. This is simpler and less intrusive than using a captcha script although probably not as effective. I have actually read a tutorial which uses the PHP image manipulation (gd) library to create a captcha.
For those who are interested, the idea is simple. You generate a random string using a character set you wish. Hash the string and set it to a session variable. Then generate an image with the original string and apply lines and dots and stuff to make it harder for computers to read. Then on the second page, you take the input field and run it through the same hash to verify that it was typed in correctly.
I know I glossed over the details, but hopefully, this should give you an idea of how to work through this. Perhaps Alex could do a tutorial on this? That would be nice.
Are you still going to make a tutorial (playlist) for Laravel 4? I really want to learn it, but there aren't good tutorials.
Thanks
Oh, I see what you did there!
I use this all the time, only I don't call my class hidden , works really well, you can't really do it with jquery as a bot simply reads the raw markup ie. It would nt see any javascript code applied
Great video
Just so people know, this will help against a lot of the bots but not the more sophisticated ones. It is not a substitution for a captcha but can be used in less critical instances or to complement other security measures.
Indeed. This would be good coupled with another method as you mentioned. Saying that, we've had hardly any spam pass through our 'contact us' gates using this method!
+Eric Cederberg Would you mind to share other solutions available? Thanks
Genious!
Wow, thats so simple...
Thank you for this but I have a question is there a more complex way in avoiding spam because i think if they will try to bypass the input filled that is hidden they can still continue to spam.
How can they continue to spam if we already killed the page before submission? I don't get your point here really.
Why don't you check for the title field at the beginning of the if-statement that was already there? Also, what happens if I use the die function if my email form doesn't forward to another page but uses the same page to send it, will the email form become useless?
Because the outcome for 'title' to be set would be different. In this version if the title is set then it calls die()-function. But if everything is in the first if-statement then if title is set there would be no die-call. So we can do a special functionality in a case when title is set. Also I think its more clear for a human to read if its separated because it is a separate issue.
very clever
Can you help me understand how to do this in CodeIgniter. I'm using $this->form_validation->set_rules('title_1', 'title1', 'max_length[0]');
Form still goes through
use reCAPTCHA that can't be read by OCR
But maybe that bot can be smarter and check if input fields ar invisible, if they are, don't write anything in there.
yes that's certainly possible ,but until this method is in wide use nobody is giong to bother programming that into their bots as it's a lot more hassle to check that, much easier to just move onto the sites that have simple forms with no bot protection.
make us a full contact form with attachment
wouldnt be for example .addClass("hidden") in jquery a more save way to prevent bots from checking display:none etc?
And something like DO NOT FILL - BOT PREVENTION
most people deactivating JS are able to understand that.
lech00 two comments below also wrote something very nice!
Dont you think?
I know this is old, but... just makes my mail page go blank....... perhaps something to do with the die command?
Scratch that, the editor I was using was automatically adding a "$" in front of if. That fixed, working great... Gone from 40-60 spam email a day to no spam at all. Actually had to check the forms to make sure they where working properly
Could someone please confirm for me that this is what is known as the honey pot spam prevention method? If not what is this kind of method actually called?
yes this is the "honey pot"-method
Bruno Lustosa Ferrari, da uma olhada nisso aqui.
Why pick CAPTCHA when you have phpacademy !
...or you can use js like
user easyly can remove this hidden input from DOM... :)
2020
CAPTCHA is an awful method to use.. I ment awful because its not clier and annoying.. If I see any forms with captcha, register,contact forms, etc, all I do is exit page.. What I do for my forms, to prevent spam, I just generate random code, lets say (1,999) and ask to enter that number for user..This number is storred in session, so after you click submit button its not going to change, but if this session is already set, we generate another one.. Its super simple for user to enter, no eye breaking like with captcha and you can generate numbers + letters, if you think is going to be more secure..
I do something similar as well... I create a simple math question on the screen, and have the user answer that. I can then verify it after the form is submitted via php. Works great... killed my bot problem in no time...
Yeah..thats easy for us - developers and for users to type..I dont even use math question..Just asking to type number.
Your voice🤔
My Spambot can hack it