I know captcha is the bee's knees but I wonder what you think of this solution (if you don't want to set up a captcha system for visually impaired accessibility (among other) reasons, not even thinking of audio captcha).
Basically most sites let you register then send you a verification email to activate account.
The problem with this I see is it fills your database with false registrations (which you can easily delete but why bother).
What are your thoughts on when someone comes to register,
1. give message: to stop fake registration you first need to verify your email address
2. send them an email with a token like so: md5('theiremail@example.com' . 'secretword');
3. the link they click in simply has 2 parameters
   1. email=theiremail@example.com
   2. token=(the md5 string shown above)
Therefore nothing needs to be saved in your database, you verify the email with your secret word against the token sent in on url param.
You save email and token in hidden form field and take rest of registration details for first time.
Then after submit, check email against token again to protect against spoofing, or even set email in a session and use that.
Either way you don't have to save data in database and no one can register without a valid email address and some manual labour.
Can anyone see a way this could be spoofed by spammers?
The problem with this is you would have to restrict IP address per hour to stop spamming (I know captcha is better) but is this a reasonable, easy to implement solution?
Also anyone got any good human readable questions/ideas that could be used in first instance when people first add their email address for confirmation email to try to stop spamming?
I just don't like the idea of taking false reg data.
Cheers
Trent
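The stateless token scheme from the post above, as an added example that is not part of the original thread: it swaps md5(email . secret) for HMAC-SHA256, binds an expiry time into the token, and compares in constant time. The names `SECRET`, `TOKEN_TTL`, `make_token`, `make_link_params`, `verify_token` and the `expires` parameter are hypothetical, and the 24-hour lifetime is an assumption.

```php
<?php
// Added example: stateless e-mail verification token, no database row needed.
// SECRET is a constructed placeholder; load a long random key from configuration.
const SECRET = 'constructed-placeholder-secret';
const TOKEN_TTL = 86400; // assumption: links expire after 24 hours

// MAC over the address and the expiry time.
function make_token(string $email, int $expires): string
{
    $email = strtolower(trim($email)); // same address always gives the same MAC
    // The expiry is covered by the MAC, so editing it in the URL breaks the token.
    return hash_hmac('sha256', $email . '|' . $expires, SECRET);
}

// Query string for the link that is e-mailed to the user.
function make_link_params(string $email, ?int $now = null): string
{
    $expires = ($now ?? time()) + TOKEN_TTL;
    return http_build_query([
        'email'   => $email,
        'expires' => $expires,
        'token'   => make_token($email, $expires),
    ]);
}

// Run on the link click and again when the registration form is submitted.
function verify_token(array $params, ?int $now = null): bool
{
    $email   = $params['email'] ?? '';
    $expires = $params['expires'] ?? '';
    $token   = $params['token'] ?? '';
    if (!is_string($email) || !is_string($expires) || !is_string($token)) {
        return false; // e.g. token[]=x arrives as an array
    }
    if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
        return false; // malformed or expired
    }
    // hash_equals compares in constant time, unlike == or ===.
    return hash_equals(make_token($email, (int) $expires), $token);
}

// Constructed sample run with a fixed clock.
parse_str(make_link_params('theiremail@example.com', 1700000000), $params);
var_dump(verify_token($params, 1700000000 + 60));    // case: untouched link, within TTL
var_dump(verify_token($params, 1700000000 + 90000)); // case: same link after expiry
$params['email'] = 'other@example.com';
var_dump(verify_token($params, 1700000000 + 60));    // case: address swapped in the URL
```

Because nothing is stored, the same link stays usable until it expires; requiring a unique email at registration is what stops it being used twice.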
For visually impaired people, I know there is a different form of captcha that uses images of objects instead of words for use in the verification process. The user only selects the object displayed from a dropdown list--it works quite nicely.
Anyway, I wish you success in implementing your solution. I'm sure you will find that it will suit your needs. :)
Or, you could take the registration data and put that in a table, I'll call it pending. Then require a verification email. Upon verification, take the information from the pending table and put it in the verified table. If you put the current date in the pending table, you could safely and easily remove anything over 30 or so days old every so often.
Just giving you some ideas. However you do it, I am sure you will find something that works well for what you want to do.
I think one solution for small sites would be take Miata1476's solution of adding email and token in separate table (this way no-one can constantly spam one poor unsuspecting email address-ee), then remove the email from temp table on registration, and make emails unique on your site - take breath.
I wonder however (contradicting myself), if it's probably safer to take all reg details on first step of registration, as people might not bother to register if they think it will be a hassle to register by verifying email etc.
But on the flipside of that if someone can't be bothered registering properly on a site, then for my purposes, it's their loss ;), but I wouldn't argue that with a sales team!
In response to gusak:
Can I not argue (for sake of learning) the point that my original solution will verify humans to a degree that only people who check their emails can actually register, or is it easy enough to write a system that will take incoming emails, read a link, post to it with the token and voilà, token bypassed?
I'm very curious on this as I just thought about it... leaving captcha as one of the only true ways against robots.
I like that sad/happy picture idea as well :)
Cheers