Another way to protect web forms from robots

    Foreword


    I submit my own way of protecting forms from spam bots to the judgement of Habr readers. The method is based on the fact that most bots cannot read style sheets or execute JavaScript, whereas about 90% of all browsers support these technologies. The remaining 10% are old browsers and browsers with JavaScript disabled. If you think about it, users in that 10% are unlikely to want to use feedback forms, forum registration, guest books and the like. First, I will briefly discuss the ways such spam is dealt with today.

    Existing methods of struggle and their disadvantages


    Ways:


    • Using CAPTCHA
    • Combining the listed methods

    Minuses:


    The minuses include the annoyance of the user, who is forced to solve puzzles and guess numbers and letters. Further, most of today's graphic captchas are so-called “weak captchas” and are cracked using simple server-side OCR scripts. It is also worth mentioning the “lemmings method”, where many real people take part in the captcha recognition process: spammers redistribute a question or image from a hacked website to special high-traffic sites, where, in order to gain access to information, a person solves the captcha and passes the result to the spammers. Another, more interesting method is the direct hiring of people to do the guessing.

    The essence of my way



    On the page, create a fictitious form and hide its fields from the user's eyes using the display: none property of the style sheet. Next, by running a specific JavaScript function somewhere on the page outside the fictitious form, we display the real form, with valid field names, in its place. When a robot submits the fictitious form, the server-side interpreter receives an array with incorrect names and, for example, displays an error message. A real user's form is processed normally.

    Benefits:


    • a guaranteed cut-off of 95% of spam bots
    • no need for a person to solve a captcha
    • ease of implementation for the developer
    • extra load on the spammer's server, which would have to execute JavaScript and CSS


    Minuses:


    • Sooner or later it will be broken


    Implementation


    Most of the work is done on the client side using CSS and JavaScript. With the help of CSS, which is best connected to the page from a separate file, hide the trap form from the user's eyes:


    #ourGreatForm {display:none;}


    Then write a simple JavaScript function (it too can go in a separate file) with the following content:


    function GenerateSomethingGreatForRealPeople() {
        // Declare our variable: the HTML of the real fields goes inside these strings
        var ourfields = ''
            + ''
            + ''
            + ' ';
        // Replace the dummy fields on the machines where JavaScript is running
        document.getElementById("ourGreatForm").innerHTML = ourfields;
        // Turn on the display of the real fields
        document.getElementById("ourGreatForm").style.display = "block";
    }


    All elements of the trap form are placed between the tags. The identifier value must match the value inside the JavaScript function described above:





    After the form, somewhere at the end of the document, run our JavaScript function, which only a real browser will execute:
    GenerateSomethingGreatForRealPeople();
    

    As a result of this function, the fictitious contents of the form are replaced with the real ones and the form is made visible to the user.
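
The steps above cover only the client side. As an added example that is not part of the original article, here is a server-side check in Node.js that tells a trap-form submission from a real one; all field names in it are assumptions made for illustration.

```javascript
// Server-side half of the trap-form check (Node.js, no dependencies).
// All field names are assumptions made for this example.
const DECOY_FIELDS = new Set(["name", "email", "message"]);       // static trap form
const REAL_FIELDS = new Set(["f_author", "f_contact", "f_text"]); // injected by the script

// Classify a raw application/x-www-form-urlencoded request body.
// Returns { verdict: "accept" | "reject", reason: string }.
function classifySubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const seen = new Set(params.keys());

  // A decoy name means the sender read the static HTML and never ran the script.
  for (const key of seen) {
    if (DECOY_FIELDS.has(key)) return { verdict: "reject", reason: "decoy field: " + key };
  }
  // A name neither form produces means the request was assembled by hand.
  for (const key of seen) {
    if (!REAL_FIELDS.has(key)) return { verdict: "reject", reason: "unknown field: " + key };
  }
  // Each real field must arrive exactly once and be non-empty.
  for (const key of REAL_FIELDS) {
    const values = params.getAll(key);
    if (values.length !== 1) return { verdict: "reject", reason: "missing or repeated: " + key };
    if (values[0].trim() === "") return { verdict: "reject", reason: "empty field: " + key };
  }
  return { verdict: "accept", reason: "real form" };
}

// Constructed sample request bodies.
const SAMPLES = {
  bot: "name=Bob&email=bob%40example.com&message=buy+now",
  human: "f_author=Alice&f_contact=alice%40example.com&f_text=Hello",
  mixed: "f_author=A&f_contact=a%40example.com&f_text=Hi&email=x%40example.com",
  partial: "f_author=Alice&f_text=Hello",
};

for (const [label, body] of Object.entries(SAMPLES)) {
  const result = classifySubmission(body);
  console.log(label.padEnd(8), result.verdict, "-", result.reason);
}
```

A client that executes JavaScript submits the real names and passes this check, which is the weakness the article lists under its minuses.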

    Example


    Page in action

    Conclusions


    The method has established itself as an excellent weapon against spam, reducing it almost to nothing on those sites where it was implemented. The target audience for the method is sites with little traffic. Such protection is effective against bots located mainly on shared hosting servers, which do not know how to work with JavaScript and CSS. After a while, I'm sure spammers will write a program to work around this method, but only if its use becomes widespread. To strengthen protection against spam bots, we can consider combining my method with a captcha: the human question.



    Any comments and additions are welcome.