[Phpwm] 'Sequencing' Question

Chris Allen pickledegg at hotmail.co.uk
Thu Nov 2 09:33:18 GMT 2006


Forgive the peculiar title :)
In an admin back-end, where the user can add pages, or menu items etc., the
need to order entries becomes apparent. I.e., the user needs to decide what
order the menu items will be in the list.

I'd be interested to see if anyone else has found an intuitive way of doing 
this. The only way I can think of is a field to enter a 'sequence number', 
but that is prone to duplication by the user, not to mention being a pain in 
the bum.


>From: phpwm-request at mailman.lug.org.uk
>Reply-To: phpwm at mailman.lug.org.uk
>To: phpwm at mailman.lug.org.uk
>Subject: Phpwm Digest, Vol 41, Issue 4
>Date: Wed, 01 Nov 2006 20:37:55 +0000
>
>Today's Topics:
>
>    1. RE: Securing feedback forms (Jonathan Adjei)
>    2. RE: Securing feedback forms (Ricky Hayes)
>    3. Re: Securing feedback forms (David Goodwin)
>    4. Re: Securing feedback forms (Elliot Smith)
>    5. Re: Securing feedback forms (Elliot Smith)
>    6. RE: Securing feedback forms (Jonathan Adjei)
>    7. RE: Securing feedback forms (Phil Beynon)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 1 Nov 2006 12:48:45 -0000
>From: "Jonathan Adjei" <jadjei at ntlworld.com>
>Subject: RE: [Phpwm] Securing feedback forms
>To: "'West Midlands PHP User Group'" <phpwm at mailman.lug.org.uk>
>Message-ID: <002e01c6fdb4$12d38330$0a00a8c0 at jonaxp>
>Content-Type: text/plain;	charset="us-ascii"
>
>
>Is anyone using human-readable image checks, and how much of a turn off have
>you found them? I've just added one to a contact form and am wondering if
>these will end up on all my sites and what impact there will be to genuine
>usage. I personally find them a bit of a pain.
>
>jon
>
>-----Original Message-----
>From: phpwm-bounces at mailman.lug.org.uk
>[mailto:phpwm-bounces at mailman.lug.org.uk] On Behalf Of David Johnson
>Sent: 01 November 2006 12:14
>To: West Midlands PHP User Group
>Subject: Re: [Phpwm] Securing feedback forms
>
>
>On Wednesday 01 November 2006 11:00, Greg Jones wrote:
> >
> > only from the beginning or end of the string though, not anywhere
> > within it.
> >
>
>Sigh. That'll teach me to read things properly in future...
>
>Thanks for all the suggestions. I'm now doing the following to user input:
>* checking the string length is not greater than the maxlength of the text box
>* checking for \n and \r control characters
>* doing addslashes, trim and strip_tags (to stop me receiving garbage, rather
>than to increase security)
>* checking for multiple occurrences of '@' in the provided from address
>
>Hopefully that should keep the spammers away for a while, unless anyone can
>think of something I've missed. I remember the days when you could just stick
>your e-mail address in a mailto: link on your website without fear...
>
>Cheers,
>David.
>
>
>------------------------------
>
>Message: 2
>Date: Wed, 1 Nov 2006 13:42:14 -0000
>From: "Ricky Hayes" <ricky at domainarena.net>
>Subject: RE: [Phpwm] Securing feedback forms
>To: "'West Midlands PHP User Group'" <phpwm at mailman.lug.org.uk>
>Message-ID: <200611011403.kA1E3oDZ020433 at ns.domain-arena.net>
>Content-Type: text/plain;	charset="US-ASCII"
>
>Hi.
>
>I've used them on a few sites, and found them not-too-bad.
>
>I simply have one image-check per session. If it's been entered correctly by
>the human, then I don't show the image checks on any other forms.
>
>I've found the best place for them is during login (if appropriate). They
>can't login unless they're human!
>
>But if you've got multiple parts when you'd like an image-check, just do the
>one, and don't show the others if they've completed one once.
>
>I also keep mine simple, no more than 4 letters/numbers. I don't bother with
>non-alphanumeric characters, and I make them case-insensitive.
>
>Personally I'm not a fan of distorting the text, but a nice background
>pattern is enough to fox most bots I would have thought.
>
>Let me know if I'm wrong!
>
>Regards,
>
>Ricky.
>
>
>
>
>------------------------------
>
>Message: 3
>Date: Wed, 1 Nov 2006 14:15:43 +0000
>From: David Goodwin <david at codepoets.co.uk>
>Subject: Re: [Phpwm] Securing feedback forms
>To: West Midlands PHP User Group <phpwm at mailman.lug.org.uk>
>Message-ID: <20061101141543.GB22609 at codepoets.co.uk>
>Content-Type: text/plain; charset=us-ascii
>
>Jonathan Adjei wrote :
> >
> > Is anyone using human-readable image checks, and how much of a turn off have
> > you found them? I've just added one to a contact form and am wondering if
> > these will end up on all my sites and what impact there will be to genuine
> > usage. I personally find them a bit of a pain.
> >
>
>I agree with the 'pain' sentiment; I've found many to be annoying and
>hard to read correctly.
>
>I suspect it's probably safe to say that if you're using a popular
>application (e.g. drupal, wordpress etc) then making minor changes to it
>will result in spam being 'blocked'. In my case, with Drupal, I edited the
>source code to add in a trivial check (3+3 = ?) to stop bots posting
>rubbish. Since doing this, I've not received any spam - before I was
>getting around 5 'spam' comments per day.
>
>In most cases, the spammer(s) probably look to see what popular
>applications are in use, write some script to automate e.g.
>mail/comment/etc posting, and then let it loose on us (probably using
>Google to provide a source of urls/sites to target).
>
>Of course, if you're a very high profile/traffic site, making minor
>deviations (like I did) probably wouldn't work, as spammers are likely
>to target you in particular.
>
>I believe the image checking breaks the application for some
>disabled/blind users.
>
>thanks,
>David.
>--
>David Goodwin
>
>[ david at codepoets dot co dot uk ]
>[ http://www.codepoets.co.uk       ]
>
>
>
>------------------------------
>
>Message: 4
>Date: Wed, 01 Nov 2006 14:34:30 +0000
>From: Elliot Smith <elliot at townx.org>
>Subject: Re: [Phpwm] Securing feedback forms
>To: West Midlands PHP User Group <phpwm at mailman.lug.org.uk>
>Message-ID: <4548B076.7040502 at townx.org>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>David Goodwin wrote:
> > Jonathan Adjei wrote :
> >
> >> Is anyone using human-readable image checks, and how much of a turn off have
> >> you found them? I've just added one to a contact form and am wondering if
> >> these will end up on all my sites and what impact there will be to genuine
> >> usage. I personally find them a bit of a pain.
> >>
>I'd like to echo David's comments, and state that a simple captcha has
>removed the bulk of spam from my site. Drupal actually has a captcha
>module which does a similar thing to David's implementation (i.e. poses
>a simple addition question). I used to get maybe 30+ spam comments a
>day; Drupal used to catch about 75% (in the spam module), but I ended up
>cleaning out the rest manually. Adding a captcha has reduced my spam
>comments to zero. I think an image captcha is only really vital if you
>are a heavily-trafficked site which spammers are going to write
>specialised tools to reach (e.g. maths AI bots which can do sums but
>can't do image recognition :).
>
>Elliot
>
>
>
>
>------------------------------
>
>Message: 5
>Date: Wed, 01 Nov 2006 14:38:02 +0000
>From: Elliot Smith <elliot at townx.org>
>Subject: Re: [Phpwm] Securing feedback forms
>To: West Midlands PHP User Group <phpwm at mailman.lug.org.uk>
>Message-ID: <4548B14A.3080404 at townx.org>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>David Goodwin wrote:
> > Jonathan Adjei wrote :
> >
> >> Is anyone using human-readable image checks, and how much of a turn off have
> >> you found them? I've just added one to a contact form and am wondering if
> >> these will end up on all my sites and what impact there will be to genuine
> >> usage. I personally find them a bit of a pain.
> >>
> >>
> >>
> >>
>Sorry, I didn't really answer your question: how much of a turn-off are
>captchas? To be honest, I'd rather put off one person in 20 and not have
>to deal with spam, than have a situation where 1 in 20 comments is
>genuine and the other 19 are spam. Not so important to me, because my
>website isn't my livelihood: if you need every single passing contact,
>maybe spam filtering isn't viable. But I'd say a trivial maths question
>isn't too painful for most people. To be honest, captchas are getting to
>the point where I can't read them, never mind a machine - I think the
>image ones are irritating, personally.
>
>Elliot
>
>
>
>
>
>------------------------------
>
>Message: 6
>Date: Wed, 1 Nov 2006 14:43:54 -0000
>From: "Jonathan Adjei" <jadjei at ntlworld.com>
>Subject: RE: [Phpwm] Securing feedback forms
>To: "'West Midlands PHP User Group'" <phpwm at mailman.lug.org.uk>
>Message-ID: <004e01c6fdc4$29227820$0a00a8c0 at jonaxp>
>Content-Type: text/plain;	charset="us-ascii"
>
>Hi,
>Good thinking on making sure one check covers all forms. That's a
>good pain reducer. I'm using 4 characters in mine as well, and instead of
>distorting the text, I've just misaligned them.
>
>This is a very low traffic site, and so in a perhaps misguided attempt to
>maintain accessibility I've also got a mailto link on the contact page that
>is obfuscated using javascript. Does anyone have experience of whether this
>actually works or not? I'm dubious as surely if a screenreader can cope with
>this(?), a bot can too?
>
>jon
>
>
>
>
>
>------------------------------
>
>Message: 7
>Date: Wed, 1 Nov 2006 20:36:56 -0000
>From: "Phil Beynon" <phil at infolinkelectronics.co.uk>
>Subject: RE: [Phpwm] Securing feedback forms
>To: "West Midlands PHP User Group" <phpwm at mailman.lug.org.uk>
>Message-ID:
>	<MDBBIMBGKCJEJKIHMENGOEGHLCAA.phil at infolinkelectronics.co.uk>
>Content-Type: text/plain;	charset="iso-8859-1"
>
>David,
>Just do this;
>
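>// eregi() was removed in PHP 7; preg_match() with /i is the equivalent.
>// The D modifier stops $ from matching before a trailing newline.
>if (!preg_match('/^([a-z0-9_]|\-|\.)+@(([a-z0-9_]|\-)+\.)+[a-z]{2,4}$/iD', $emaila))
>    error_alert("Invalid email address");
>
>function error_alert($msg) {
>    global $flag;
>    $flag = 1; // non-zero flag blocks the send
>    echo "<script>alert(\"Error: $msg\");history.go(-1)</script>";
>}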
>
>Where $emaila is the incoming email address. $flag is used to control the
>send based upon a successful series of tests, like required fields are
>filled etc.
>
>This will strip out anything like a \n \r additional @ signs etc etc............
>If you want to play with it on a live site then go to
>http://www.ralphsutcliffeminerals.co.uk/notify.php and have a play and watch
>it kick you back, you won't get signed up for the newsletter as it's not a
>100% live site yet - will be a few days though! :-)
>
>Regular expressions are your friends and a very very powerful tool, learn to
>use them!
>One good regular expression can replace a heap of individual statements when
>correctly done and is way more efficient.
>
>Phil
>
>
>
>
>------------------------------
>
>
>End of Phpwm Digest, Vol 41, Issue 4
>************************************
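
The input checks listed in the quoted "Securing feedback forms" thread (length limit, no \n or \r, a single '@') can be combined into one server-side validator; the block below is an added example, not code from any poster in the thread, and it also shows why an anchored pattern needs \z or the D modifier under PCRE. The field names, length limits and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example. Field names, length limits and sample inputs are constructed.
const MAX_LEN = ['name' => 60, 'email' => 254, 'subject' => 120, 'message' => 5000];

function validate_feedback(array $in): array
{
    $errors = [];
    foreach (MAX_LEN as $field => $max) {
        $value = $in[$field] ?? '';
        // The HTML maxlength attribute is advisory; enforce the limit server-side.
        if (!is_string($value) || $value === '' || strlen($value) > $max) {
            $errors[] = "$field: missing or too long";
            continue;
        }
        // Every field except the body is placed in a mail header, so CR, LF
        // and NUL are rejected anywhere in the value, not just at the ends.
        if ($field !== 'message' && preg_match('/[\r\n\0]/', $value)) {
            $errors[] = "$field: control character";
        }
    }
    // filter_var() refuses a second '@' and other malformed addresses.
    if (!$errors && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    return $errors;
}

// Anchoring pitfall in PCRE: "$" also matches just before a final "\n",
// while "\z" (or the D modifier) matches only at the true end of the string.
$loose  = '/^[a-z0-9_.-]+@([a-z0-9_-]+\.)+[a-z]{2,4}$/i';
$strict = '/^[a-z0-9_.-]+@([a-z0-9_-]+\.)+[a-z]{2,4}\z/i';
$trailing = "jon@example.org\n";
printf("loose=%d strict=%d\n", preg_match($loose, $trailing), preg_match($strict, $trailing));

$samples = [
    ['name' => 'Jon', 'email' => 'jon@example.org', 'subject' => 'Hello', 'message' => "Hi\nthere"],
    ['name' => 'Jon', 'email' => "jon@example.org\r\nX-Injected: 1", 'subject' => 'Hello', 'message' => 'Hi'],
    ['name' => 'Jon', 'email' => 'jon@example.org@example.net', 'subject' => 'Hello', 'message' => 'Hi'],
];
foreach ($samples as $i => $sample) {
    $errors = validate_feedback($sample);
    echo "sample $i: ", $errors ? implode('; ', $errors) : 'ok', "\n";
}
```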
