mail("email address", "Practice Bite", // "email address" is a placeholder for the real recipient
"New Practice Bite
Post code: $pcode
Contact Name: $name
Project Desc: $projdesc
Min age: $min_age
Max age: $max_age
P Title: $gptitle
P Text: $gptext
Contact Name: $praccontact");
echo "<p>Your practice bite has been submitted.</p>";
if ($_POST['token'] != $_SESSION['token']) exit; // token check as posted (no body was shown); it only helps if it runs before mail()
If the mail script was called remotely, i.e. NOT from the website the form was residing on, $_POST['token'] would be an empty string, as would $_SESSION['token']... so the IF statement would evaluate as true and it would be allowed.
You should therefore add at the beginning:
if ($_POST['token'] == "") exit; // who sent you here without a token?!?!
The original poster complained of being "hijacked", so I assume that spammers were using their form mail script to send spam to other people.
To avoid this:
- Remove line breaks from, or ctype_print-test, everything that goes into the email header (TO, FROM, SUBJECT, etc.). preg and ereg will work, but str_replace is faster.
- Run stripslashes on everything.
- The TO address should of course never be assigned by your form.
That's it. The above will solve the problem 100%, based on my experience with live sites at any rate. There could of course be other injection methods I'm missing, but if so, spammers aren't using them yet.
Another easy solution, and less server-intensive than a CAPTCHA, is to create a random simple sum and have people enter the total in a text box. I've found this to be very effective indeed.
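The two posts above (the header-injection checklist and the random-sum check) put together as one hardened form-mail handler. This is an added example, not code from the thread or from any poster; the field names (name, email, subject, projdesc, token, sum), the recipient constant MAIL_TO and the function names are assumptions. It does not call mail() itself, so it runs from the command line and only returns the arguments that mail() would receive.

```php
<?php
declare(strict_types=1);

// The recipient is fixed in the script and never taken from the form.
const MAIL_TO = 'practice-bites@example.com';   // hypothetical address

// A header value is unsafe if it contains anything but printable ASCII.
// ctype_print() is false for CR, LF, NUL and every other control byte, so a
// value that could start a new header line fails here. Empty values pass;
// non-ASCII is refused too (encode it with mb_encode_mimeheader() if needed).
function header_unsafe(string $value): bool
{
    return $value !== '' && !ctype_print($value);
}

// Fail closed on the token: a remote caller that never loaded the form has
// neither a posted nor a session token, and '' == '' must not count as a match.
function token_ok(array $post, array $session): bool
{
    $posted = (string)($post['token'] ?? '');
    $stored = (string)($session['token'] ?? '');
    if ($posted === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $posted);
}

// Random-sum challenge: the answer lives in the session, never in the form.
function issue_sum_challenge(array &$session): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['sum_answer'] = $a + $b;
    return "What is $a + $b?";
}

function sum_ok(array $post, array $session): bool
{
    if (!isset($session['sum_answer'], $post['sum'])) {
        return false;
    }
    $answer = (string)$post['sum'];
    return ctype_digit($answer) && (int)$answer === $session['sum_answer'];
}

// Returns [to, subject, body, headers] for mail(), or a string saying why the
// submission was refused. Injection attempts are refused, not cleaned.
function handle_submission(array $post, array $session)
{
    if (!token_ok($post, $session)) {
        return 'refused: missing or mismatched form token';
    }
    if (!sum_ok($post, $session)) {
        return 'refused: wrong answer to the sum';
    }
    $from    = trim((string)($post['email'] ?? ''));
    $name    = trim((string)($post['name'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    foreach ([$from, $name, $subject] as $value) {
        if (header_unsafe($value)) {
            return 'refused: control characters in a header field';
        }
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return 'refused: invalid From address';
    }
    $body    = "New Practice Bite\n"
             . "Contact Name: $name\n"
             . "Project Desc: " . (string)($post['projdesc'] ?? '') . "\n";
    $headers = "From: $name <$from>\r\nReply-To: $from\r\n";
    return [MAIL_TO, $subject === '' ? 'Practice Bite' : $subject, $body, $headers];
}

// --- demo with constructed input: no real form, no real mail ---
$session = ['token' => bin2hex(random_bytes(16))];
echo issue_sum_challenge($session), "\n";

$legit = ['token' => $session['token'], 'sum' => (string)$session['sum_answer'],
          'name' => 'Jane Doe', 'email' => 'jane@example.org',
          'subject' => 'Practice Bite', 'projdesc' => 'Short film'];
print_r(handle_submission($legit, $session));

// Hijack attempt: CR/LF in the address smuggles a Bcc header and a new body.
$hijack = $legit;
$hijack['email'] = "jane@example.org\r\nBcc: victim@example.net\r\n\r\nbuy now";
echo handle_submission($hijack, $session), "\n";

// Remote caller that never loaded the form: no token, empty session.
echo handle_submission(['email' => 'x@example.org'], []), "\n";
```

The order of the checks matters: the token and sum are verified before any field is looked at, and the recipient never comes from the request, so even a submission that passes every check can only mail the fixed address. Rejecting a value with control bytes, rather than stripping them, also leaves a clear signal in your logs when someone is probing the form.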
I'm thinking of doing exactly that ... with a twist.
instead of 'just' having mathematical queries to answer, I am thinking of creating a table with around 150 questions / answers to 'validate' a form.
something varied so it cannot be easily bot-guessed, but easy enough for 'thick' people to know the answer - like:
that's 4 already ;)
would that be a good way of doing things?
I do not have any example but web rumors tell me that it has been broken.
henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.
yeah captcha will still do the job and yes it has been cracked
Captcha should just be one part of the defense:
Several groups have created programs that can pass many CAPTCHAs over 80% of the time. Source [captcha.net] (see "Advancing AI")
Everyone considering the use of a captcha solution should also be aware of the accessibility problems [webmasterworld.com] they may cause.
100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it (CAPTCHA) has been broken.
To clear up the misconception... CAPTCHA is not a thing, it's a blanket classification for a concept.
It's not possible to say "CAPTCHA has been broken!" Hehe.
Any system where you attempt to tell humans and computers apart by challenging them with some kind of interactive test is a CAPTCHA as long is it's entirely automated on your side.
Asking a math (or other type of) question is as much a CAPTCHA as distorted numbers and letters. There are endless varieties of CAPTCHA type tests.
As far as traditional image type CAPTCHAs go... The capability to write a program that can parse and interpret a graphic has been around since before the web. In that sense CAPTCHA was broken long before the acronym was coined.
If you're clever, you can write a program to break a single CAPTCHA scheme. However, that program will only break that one CAPTCHA scheme and it will have taken you a lot of time and effort to write it.
There is no program in existence that could spider the web and just break any CAPTCHA it found. There are just too many variations. The best you could do would be to create a program that can break some popular CAPTCHA implementation where a lot of webmasters have used the same code. If you were ambitious you could perhaps write something that would handle small variations (it might break all number/letter type CAPTCHAs where single color text on a single color background was used and the only obfuscation method involved warping).
Having accomplished this you would (maybe) pull off breaking 5% of the CAPTCHAs encountered, and that's probably way too high a number.
Someone posted about groups claiming to break "many" CAPTCHA systems with 80% success. What that means is that they have an app that can pass a very weak type of CAPTCHA implementation and even then still fails 20% of the time.
If a spammer did take the huge amount of time to write the above program, the weak CAPTCHA systems it was able to break would quickly change to something else and the spammer would be back to square one.
Basically, it's still safe to say that you can stop automated posting 100% with a creative CAPTCHA. :-)
I haven't played around with it yet, but it would be like passing a security variable through $_GET (graphic, math question, etc., like mentioned) back to the posting page and using a mod_rewrite RewriteCond to validate the URL.
Throwing 404 errors would cause bots to drop the originating URL and you wouldn't bother visitors so much.