[Phpwm] Securing feedback forms
Ricky Hayes
ricky at domainarena.net
Wed Nov 1 13:42:30 GMT 2006
Hi.
I've used them on a few sites, and found them not-too-bad.
I simply have one image-check per session. If it's been entered correctly by
the human, then I don't show the image checks on any other forms.
I've found the best place for them is during login (if appropriate). They
can't log in unless they're human!
But if you've got multiple parts when you'd like an image-check, just do the
one, and don't show the others if they've completed one once.
I also keep mine simple, no more than 4 letters/numbers. I don't bother with
non-alphanumeric characters, and I make them case-insensitive.
Personally I'm not a fan of distorting the text, but a nice background
pattern is enough to fox most bots I would have thought.
Let me know if I'm wrong!
Regards,
Ricky.
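The one-check-per-session scheme described above, as an added example in PHP that is not Ricky's own code: a 4-character alphanumeric code (case-insensitive, no distortion, a line-pattern background), stored in the session, and a flag that suppresses the check on every other form once a human has passed it once. It assumes PHP sessions and the GD extension; the form field name `check` and the `?image=1` image URL are hypothetical.

```php
<?php
// Added example, not code from the original thread. Assumes PHP >= 7 with GD.
declare(strict_types=1);

const CHECK_LENGTH   = 4;
// Upper-case letters and digits only; 0/O and 1/I are left out so humans do not misread them.
const CHECK_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Build a fresh short code from the alphabet above.
function generateCheckCode(): string
{
    $code = '';
    $max  = strlen(CHECK_ALPHABET) - 1;
    for ($i = 0; $i < CHECK_LENGTH; $i++) {
        $code .= CHECK_ALPHABET[random_int(0, $max)];
    }
    return $code;
}

// True once this session has passed a check, so later forms show no image at all.
function sessionIsHuman(): bool
{
    return !empty($_SESSION['is_human']);
}

// Case-insensitive comparison against the code stored for this session.
// The stored code is discarded after one attempt, pass or fail, so a code is never reused.
function verifyCheck(string $submitted): bool
{
    if (empty($_SESSION['check_code'])) {
        return false;
    }
    $ok = hash_equals(strtoupper($_SESSION['check_code']), strtoupper(trim($submitted)));
    unset($_SESSION['check_code']);
    if ($ok) {
        $_SESSION['is_human'] = true;
    }
    return $ok;
}

// Draw the code in a plain built-in font over a background of random grey lines.
function renderCheckImage(string $code): void
{
    $w = 120;
    $h = 40;
    $im = imagecreatetruecolor($w, $h);
    $bg = imagecolorallocate($im, 240, 240, 240);
    imagefill($im, 0, 0, $bg);
    $noise = imagecolorallocate($im, 150, 150, 150);
    for ($i = 0; $i < 8; $i++) {
        imageline($im, random_int(0, $w), random_int(0, $h), random_int(0, $w), random_int(0, $h), $noise);
    }
    $fg = imagecolorallocate($im, 20, 20, 20);
    imagestring($im, 5, 25, 12, $code, $fg);
    header('Content-Type: image/png');
    imagepng($im);
    imagedestroy($im);
}

session_start();

// Image request: issue a new code for this session and send the picture (hypothetical URL ?image=1).
if (isset($_GET['image'])) {
    $_SESSION['check_code'] = generateCheckCode();
    renderCheckImage($_SESSION['check_code']);
    exit;
}

// Form submission: only ask for the check if this session has not already passed one.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!sessionIsHuman() && !verifyCheck((string)($_POST['check'] ?? ''))) {
        echo 'Please enter the characters shown in the image.';
        exit;
    }
    // ... handle the feedback submission here ...
}

// Form display: the image check is only rendered for sessions that have not passed it yet.
if (!sessionIsHuman()) {
    echo '<img src="?image=1" alt="image check"> <input name="check" maxlength="4">';
}
```

Because the code is drawn in an undistorted built-in font, the image itself offers little resistance to OCR; what limits automated abuse in this design is that each code is single-use and bound to the session, so a bot has to fetch a fresh image for every attempt. The `is_human` flag should be cleared when the session is regenerated on logout.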
-----Original Message-----
From: phpwm-bounces at mailman.lug.org.uk
[mailto:phpwm-bounces at mailman.lug.org.uk] On Behalf Of Jonathan Adjei
Sent: 01 November 2006 12:49
To: 'West Midlands PHP User Group'
Subject: RE: [Phpwm] Securing feedback forms
Is anyone using human-readable image checks, and how much of a turn off have
you found them? I've just added one to a contact form and am wondering if
these will end up on all my sites and what impact there will be to genuine
usage. I personally find them a bit of a pain.
jon
-----Original Message-----
From: phpwm-bounces at mailman.lug.org.uk
[mailto:phpwm-bounces at mailman.lug.org.uk] On Behalf Of David Johnson
Sent: 01 November 2006 12:14
To: West Midlands PHP User Group
Subject: Re: [Phpwm] Securing feedback forms
On Wednesday 01 November 2006 11:00, Greg Jones wrote:
>
> only from the beginning or end of the string though, not anywhere
> within it.
>
Sigh. That'll teach me to read things properly in future...
Thanks for all the suggestions. I'm now doing the following to user input:
* checking the string length is not greater than the maxlength of the text box
* checking for \n and \r control characters
* doing addslashes, trim and strip_tags (to stop me receiving garbage, rather than to increase security)
* checking for multiple occurrences of '@' in the provided from address
Hopefully that should keep the spammers away for a while, unless anyone can think of something I've missed. I remember the days when you could just stick your e-mail address in a mailto: link on your website without fear...
Cheers,
David.
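The four checks David lists, carried through as an added PHP example that is not David's own code: a length check against each field's maxlength, rejection of \r and \n in the single-line fields (a line break in a header field is how extra mail headers get smuggled in), trim plus strip_tags for readability, and a single-'@' check on the from address before anything reaches mail(). The field names, the maxlength values and the recipient address are assumptions; the sample input at the bottom is constructed.

```php
<?php
// Added example, not code from the original thread. Field names, limits and recipient are assumed.
declare(strict_types=1);

// Mirror the maxlength attributes of the (hypothetical) form; bots ignore the attribute.
const MAXLENGTH = ['name' => 60, 'from' => 120, 'subject' => 120, 'message' => 2000];
const RECIPIENT = 'feedback@example.com'; // placeholder address

// Returns a list of problems; an empty list means every check passed.
function validateFeedback(array $in): array
{
    $errors = [];
    foreach (MAXLENGTH as $field => $max) {
        $value = (string)($in[$field] ?? '');
        // 1. length must not exceed the text box's maxlength
        if (strlen($value) > $max) {
            $errors[] = "$field is longer than $max characters";
        }
        // 2. no \r or \n in single-line fields: these end up in mail headers
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field contains a line break";
        }
    }
    // 3. the from address must contain exactly one '@' and parse as an address
    $from = (string)($in['from'] ?? '');
    if (substr_count($from, '@') !== 1) {
        $errors[] = 'from address must contain exactly one @';
    } elseif (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'from address is not a valid e-mail address';
    }
    return $errors;
}

// trim and strip_tags keep the received mail readable. addslashes is deliberately
// left out here: it escapes quotes for SQL and would only put backslashes in the mail.
function cleanFeedback(array $in): array
{
    $out = [];
    foreach (array_keys(MAXLENGTH) as $field) {
        $out[$field] = trim(strip_tags((string)($in[$field] ?? '')));
    }
    return $out;
}

// Assemble the mail() arguments; headers are built only from values that passed validateFeedback().
function buildMail(array $clean): array
{
    $headers = 'From: ' . $clean['from'] . "\r\n"
             . 'Reply-To: ' . $clean['from'] . "\r\n"
             . 'X-Mailer: PHP/' . PHP_VERSION;
    $body = "From: {$clean['name']}\n\n{$clean['message']}";
    return [RECIPIENT, $clean['subject'], $body, $headers];
}

// Constructed sample input: a from field carrying a line break and a second '@'.
$sample = [
    'name'    => 'Alice',
    'from'    => "alice@example.org\r\nBcc: someone@example.net",
    'subject' => 'Hello',
    'message' => "Great site!\n<b>Thanks</b>",
];

$errors = validateFeedback($sample);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo "rejected: $e\n";
    }
} else {
    [$to, $subject, $body, $headers] = buildMail(cleanFeedback($sample));
    mail($to, $subject, $body, $headers);
}
```

The sample above is refused twice over, once by the line-break check and once by the '@' count, which is the point of keeping both: the length and '@' checks catch sloppy garbage, while the \r/\n check is the one that actually keeps the from field from becoming extra headers.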
_______________________________________________
Phpwm mailing list
Phpwm at mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/phpwm