[Phpwm] Securing feedback forms

Ricky Hayes ricky at domainarena.net
Wed Nov 1 13:42:30 GMT 2006


Hi.

I've used them on a few sites, and found them not-too-bad.

I simply have one image-check per session. If it's been entered correctly by
the human, then I don't show the image checks on any other forms.

I've found the best place for them is during login (if appropriate). They
can't login unless they're human!

But if you've got multiple parts when you'd like an image-check, just do the
one, and don't show the others if they've completed one once.

I also keep mine simple, no more than 4 letters/numbers. I don't bother with
non-alphanumeric characters, and I make them case-insensitive.

Personally I'm not a fan of distorting the text, but a nice background
pattern is enough to fox most bots I would have thought.

Let me know if I'm wrong!

Regards,

Ricky.
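Ricky's one-check-per-session arrangement, written out as a PHP example. This is added here and is not his code or anything from the thread; it keeps to a 4-character, case-insensitive code as he describes. The session array, the function names and the walk-through at the bottom are constructed, and drawing the image itself (with GD or similar) is left out, since the point is the gate, not the picture.

```php
<?php
// Added example (not from the thread): one image-check per session.
// Once the visitor answers correctly, $_SESSION['human'] is set and every
// later form skips the check. Rendering the image is not shown here; these
// functions only issue the code, keep it server-side and decide the gate.

declare(strict_types=1);

const CAPTCHA_LENGTH = 4;
// Lower-case only, because answers are compared case-insensitively.
// 0/o and 1/l are left out so the image is not ambiguous to a human.
const CAPTCHA_ALPHABET = 'abcdefghjkmnpqrstuvwxyz23456789';

/** Generate a fresh code with a CSPRNG and remember it in the session. */
function captcha_issue(array &$session): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    $session['captcha'] = $code;   // never sent to the browser as text
    return $code;                  // caller draws this into the image
}

/** True unless the visitor has already passed a check this session. */
function captcha_required(array $session): bool
{
    return empty($session['human']);
}

/**
 * Check an answer. The stored code is discarded whether or not the answer
 * is right, so each image can only be guessed once; with a 4-character,
 * case-insensitive code that single attempt is what keeps guessing expensive.
 * On success the session is marked human and later forms skip the check.
 */
function captcha_verify(array &$session, string $answer): bool
{
    if (!isset($session['captcha'])) {
        return false;
    }
    $expected = $session['captcha'];
    unset($session['captcha']);
    $ok = hash_equals($expected, strtolower(trim($answer)));
    if ($ok) {
        $session['human'] = true;
    }
    return $ok;
}

// Constructed walk-through using a plain array in place of $_SESSION.
$session = [];
$code = captcha_issue($session);                     // what the image shows
echo captcha_required($session) ? "check shown\n" : "check skipped\n";
captcha_verify($session, strtoupper($code));         // user types it in capitals
echo captcha_required($session) ? "check shown\n" : "check skipped\n";
captcha_verify($session, 'zzzz');                    // no stored code now, so false
echo captcha_required($session) ? "check shown\n" : "check skipped\n";
```

In a real page the first line of the request handler would be session_start() and $_SESSION would replace the array; the functions take the array by reference so the same code works for both.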


-----Original Message-----
From: phpwm-bounces at mailman.lug.org.uk
[mailto:phpwm-bounces at mailman.lug.org.uk] On Behalf Of Jonathan Adjei
Sent: 01 November 2006 12:49
To: 'West Midlands PHP User Group'
Subject: RE: [Phpwm] Securing feedback forms


Is anyone using human-readable image checks, and how much of a turn off have
you found them? I've just added one to a contact form and am wondering if
these will end up on all my sites and what impact there will be to genuine
usage. I personally find them a bit of a pain.

jon

-----Original Message-----
From: phpwm-bounces at mailman.lug.org.uk
[mailto:phpwm-bounces at mailman.lug.org.uk] On Behalf Of David Johnson
Sent: 01 November 2006 12:14
To: West Midlands PHP User Group
Subject: Re: [Phpwm] Securing feedback forms


On Wednesday 01 November 2006 11:00, Greg Jones wrote:
>
> only from the beginning or end of the string though, not anywhere 
> within it.
>

Sigh. That'll teach me to read things properly in future...

Thanks for all the suggestions. I'm now doing the following to user input:
* checking the string length is not greater than the maxlength of the text
box
* checking for \n and \r control characters
* doing addslashes, trim and strip_tags (to stop me receiving garbage,
rather than to increase security)
* checking for multiple occurrences of '@' in the provided from address

Hopefully that should keep the spammers away for a while, unless anyone can
think of something I've missed. I remember the days when you could just
stick your e-mail address in a mailto: link on your website without fear...

Cheers,
David.

_______________________________________________
Phpwm mailing list
Phpwm at mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/phpwm
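David's four checks, carried through as a PHP example. It is added here and is not code from David or anyone else in the thread; the function names, the field limits and the two sample submissions are constructed. It goes a little beyond his list in one respect: the message body is allowed to contain line breaks (normalised rather than rejected), because only the fields that end up in mail headers need the CR/LF check, and the from address is also passed through filter_var() rather than only counted for '@'.

```php
<?php
// Added example (not from the thread): validating a feedback form before
// it goes anywhere near mail(). Header fields reject CR/LF outright, since
// a line break is exactly what an injected "Bcc:" or "To:" header needs;
// the body keeps its line breaks. Names and sample data are constructed.

declare(strict_types=1);

/** A header-bound field: length-limited and free of CR, LF and NUL. */
function header_field_is_safe(string $value, int $maxlength): bool
{
    if (strlen($value) > $maxlength) {
        return false;
    }
    // Single-quoted PHP string, so PCRE itself interprets \r \n \0.
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/** From address: exactly one '@' (as in the thread) and a valid address. */
function from_address_is_safe(string $address): bool
{
    if (substr_count($address, '@') !== 1) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Tidy-up for readability rather than security: trim and strip tags.
 * addslashes() is left out of the mail path; it escapes quotes for
 * SQL-style contexts and does nothing useful for an e-mail.
 */
function tidy(string $value): string
{
    return trim(strip_tags($value));
}

/**
 * Validate one submission. $header_limits mirrors the maxlength attributes
 * of the header-bound inputs; the body is handled separately.
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array].
 */
function validate_feedback(array $post, array $header_limits,
                           string $body_field, int $body_max): array
{
    $errors = [];
    $clean  = [];

    foreach ($header_limits as $field => $max) {
        $raw = isset($post[$field]) ? (string)$post[$field] : '';
        if (!header_field_is_safe($raw, $max)) {
            $errors[] = "$field: too long or contains control characters";
            continue;
        }
        $clean[$field] = tidy($raw);
    }

    if (isset($clean['from']) && !from_address_is_safe($clean['from'])) {
        $errors[] = 'from: must be a single valid e-mail address';
    }

    // The body may legitimately contain line breaks: normalise them to "\n",
    // drop NULs, and cap the length instead of rejecting the whole message.
    $body = isset($post[$body_field]) ? (string)$post[$body_field] : '';
    $body = str_replace(["\r\n", "\r", "\0"], ["\n", "\n", ''], $body);
    if (strlen($body) > $body_max) {
        $errors[] = "$body_field: too long";
    } else {
        $clean[$body_field] = tidy($body);
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Constructed submissions: one benign, one carrying a CR/LF header injection.
$limits  = ['name' => 60, 'from' => 100, 'subject' => 120];
$benign  = ['name' => 'Jane', 'from' => 'jane@example.com',
            'subject' => 'Hello', 'message' => "Nice site.\r\nThanks."];
$hostile = ['name' => 'Jane', 'from' => "jane@example.com\r\nBcc: list@example.org",
            'subject' => 'Hello', 'message' => 'x'];

print_r(validate_feedback($benign,  $limits, 'message', 2000));
print_r(validate_feedback($hostile, $limits, 'message', 2000));
```

Only a submission whose 'ok' is true should reach mail(), and even then the address should be placed in the From: header by the validated value, never by concatenating the raw $_POST field.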

