Response when requesting source code - PHP

As suggested in Stopping Bot [SO] - PHP, I developed an anti-bot system in PHP; the code can be viewed at https://codereview.stackexchange.com/questions/2362/anti-bot-comment-system-php

But anyone can get a token by looking at getToken.php.
On SO, they get a token from stackauth.com [I think by looking at the page code], but when I looked at it, it just showed some text!
How can I do something like this? [The token is transmitted only on request from the code, not from the browser.]

Token generation and verification process
On the form page:

    // $time is the issue timestamp, $myKey the server-side secret
    $hash = sha1($time.$myKey);
    echo $time.'#'.$hash;

On the poster / checkout page:

    // explode() takes the delimiter first, then the string to split
    $token = explode('#', $_POST['token'], 2);
    // strict comparison: == on two hex strings is subject to PHP's numeric-string rules
    if (sha1($token[0].$myKey) === $token[1]) echo 'A good Human';

Edit
I do not store the used token in the database, and the token expires after [say] 5 minutes!
Suppose a bad user gets a token 2011-05-18 11:10:12 # AhAShKey000000000; he can use that token to send random text at 2011-05-18 11:15:12. How can I fix this problem?

+7
7 answers

After reading all the answers, I carefully designed this [thanks to everyone for their valuable comments and answers]

    <?php
    $time = microtime(true);                 // float seconds; plain microtime() returns a string
    for ($i = 1; $i <= 10000; $i++) generateMath();
    echo 'Generating '.($i - 1).' math took '.(microtime(true) - $time);

    function generateMath() {
        $operands = array(43, 45, 42);       // ASCII codes of + - *
        $val  = chr(rand(48, 57));           // a single digit 0-9
        $ope  = chr($operands[rand(0, 2)]);
        $txt  = $val.$ope;                   // 42* 43+ 45- 47/
        $val2 = chr(rand(48, 57));
        $txt .= $val2;
        $ans  = 0;
        if ($ope == '+') $ans = $val + $val2;
        else if ($ope == '-') $ans = $val - $val2;
        else if ($ope == '*') $ans = $val * $val2;
        echo $txt.' -> '.$ans.'<br/>';       // question and its answer (benchmark output)
    }
    ?>

This can be improved by adding a random number of spaces: $txt = $val.$spaces.$ope.$spaces.$val2;

And it is faster than a CAPTCHA; people would only need to do really simple math if they send more than 30 or so comments in an hour!

0
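The two pieces above, the question's time#hash token and the accepted answer's generateMath(), combined into one signed, expiring, single-use challenge. This is an added example, not code from the question, the accepted answer or the Code Review link. The secret value, TOKEN_TTL and the in-memory $usedNonces array are assumptions for illustration; a real deployment needs a store shared across requests (APCu, Redis, a database table). It also fixes the replay problem from the Edit: a token is burned on its first use, and the nonce is only remembered until the token would have expired anyway.

```php
<?php
// Added example, not code from the question or the accepted answer: a signed,
// expiring, single-use math challenge. The secret, TOKEN_TTL and the in-memory
// $usedNonces array are assumptions; production needs a shared store.
declare(strict_types=1);

const TOKEN_TTL = 300;   // seconds a challenge stays valid ("say 5 minutes")

/** Build "a op b" on single digits, with random spacing, and its answer. */
function generateMath(): array
{
    $a  = random_int(0, 9);
    $b  = random_int(0, 9);
    $op = ['+', '-', '*'][random_int(0, 2)];
    $answer = $op === '+' ? $a + $b : ($op === '-' ? $a - $b : $a * $b);
    $gap = str_repeat(' ', random_int(0, 3));
    return ['text' => "{$a}{$gap}{$op}{$gap}{$b}", 'answer' => $answer];
}

/** Issue time#nonce#hmac(time|nonce|answer); the answer itself never leaves the server. */
function issueChallenge(string $secret, array $math, int $now): array
{
    $nonce = bin2hex(random_bytes(8));
    $mac   = hash_hmac('sha256', "{$now}|{$nonce}|{$math['answer']}", $secret);
    return ['question' => $math['text'], 'token' => "{$now}#{$nonce}#{$mac}"];
}

/** Check format, expiry, single use and the answer; returns a verdict string. */
function verifyChallenge(string $secret, string $token, string $userAnswer, int $now, array &$usedNonces): string
{
    $parts = explode('#', $token, 3);               // delimiter first, then the string
    if (count($parts) !== 3) {
        return 'malformed token';
    }
    [$issued, $nonce, $mac] = $parts;
    if (!preg_match('/^\d+$/', $issued) || $now - (int) $issued > TOKEN_TTL) {
        return 'token expired';                     // bounds the replay window from the Edit
    }
    if (isset($usedNonces[$nonce])) {
        return 'token already used';                // replay inside the window is refused
    }
    $usedNonces[$nonce] = (int) $issued + TOKEN_TTL; // burn on first attempt, right or wrong
    if (!preg_match('/^-?\d+$/', trim($userAnswer))) {
        return 'answer is not a number';
    }
    $expected = hash_hmac('sha256', "{$issued}|{$nonce}|" . (int) trim($userAnswer), $secret);
    if (!hash_equals($expected, $mac)) {            // constant-time comparison, not ==
        return 'wrong answer';
    }
    return 'A good Human';
}

/** Forget nonces whose tokens have expired anyway, so the store stays bounded. */
function pruneNonces(array &$usedNonces, int $now): void
{
    foreach ($usedNonces as $nonce => $expiresAt) {
        if ($expiresAt < $now) {
            unset($usedNonces[$nonce]);
        }
    }
}

// Demo (constructed run): issue a challenge, answer it, replay it, let it expire.
$secret = 'hypothetical-secret-generated-with-random_bytes(32)';
$used   = [];
$now    = time();
$math   = generateMath();
$c      = issueChallenge($secret, $math, $now);
echo "question: {$c['question']}\ntoken: {$c['token']}\n";
echo 'first submit: ', verifyChallenge($secret, $c['token'], (string) $math['answer'], $now + 10, $used), "\n";
echo 'replay:       ', verifyChallenge($secret, $c['token'], (string) $math['answer'], $now + 20, $used), "\n";
echo 'after expiry: ', verifyChallenge($secret, $c['token'], (string) $math['answer'], $now + 400, $used), "\n";
pruneNonces($used, $now + 400);
echo 'nonces kept:  ', count($used), "\n";
```

The nonce is burned before the answer is checked, so each token allows exactly one guess; otherwise a bot could walk the small answer space against the same token. The answer is bound into the HMAC rather than stored, which keeps the server stateless except for the set of spent nonces, and that set never grows beyond the number of tokens issued in one TTL window.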

Not quite sure if this is the answer you want, but ...

Load the token statically into the page, not via Ajax. Then you know that the form page really has been loaded.

+3

You can use ftok(__FILE__, 'T'); the token will then be unique for each system.
Instead of T you can use any letter; see the Manual.

As an example, in your getToken.php you can replace:
$hash = sha1($key.'mySecretKey');
with
$hash = sha1($key.ftok(__FILE__, 'T'));

This function only exists on Linux / Unix based systems.

+2

This will not stop anything; in fact it will add more load to your server.

Use hashcash (WordPress plugin).

+1
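What the hashcash suggestion amounts to in code, as an added example that is neither the answer's nor the WordPress plugin's code: the server hands out a random challenge, the client must find a counter such that the SHA-256 of challenge and counter starts with a fixed number of zero bits, and the server checks the result with a single hash. DIFFICULTY, TTL, the function names and the array standing in for a shared store are assumptions for illustration.

```php
<?php
// Added example, not the answer's or the WordPress plugin's code: a hashcash-style
// proof of work. Producing a solution costs the client about 2^DIFFICULTY hashes;
// checking it costs the server one. DIFFICULTY, TTL and the $pending array
// (a stand-in for a shared store) are assumptions for illustration.
declare(strict_types=1);

const DIFFICULTY = 16;   // leading zero bits: ~65k hashes per comment on average
const TTL        = 300;  // seconds a challenge may be held before it is solved

/** Count the leading zero bits of a raw (binary) hash. */
function leadingZeroBits(string $hash): int
{
    $bits = 0;
    foreach (str_split($hash) as $byte) {
        $b = ord($byte);
        if ($b === 0) {
            $bits += 8;
            continue;
        }
        for ($mask = 0x80; ($b & $mask) === 0; $mask >>= 1) {
            $bits++;                          // zeros at the top of the first non-zero byte
        }
        break;
    }
    return $bits;
}

/** The work measure both sides compute: zero bits in sha256(challenge ':' counter). */
function work(string $challenge, int $counter): int
{
    return leadingZeroBits(hash('sha256', "{$challenge}:{$counter}", true));
}

/** Server: issue a random challenge and remember when it was handed out. */
function issueChallenge(array &$pending, int $now): string
{
    $challenge = bin2hex(random_bytes(16));
    $pending[$challenge] = $now;
    return $challenge;
}

/** Client: brute-force the counter (this is the cost a spammer pays per comment). */
function solve(string $challenge, int $difficulty = DIFFICULTY): int
{
    for ($counter = 0; ; $counter++) {
        if (work($challenge, $counter) >= $difficulty) {
            return $counter;
        }
    }
}

/** Server: accept a solution once, within TTL, and only if the work is sufficient. */
function verify(array &$pending, string $challenge, int $counter, int $now): string
{
    if (!isset($pending[$challenge])) {
        return 'unknown or already spent challenge';
    }
    $issued = $pending[$challenge];
    unset($pending[$challenge]);              // single use, whatever the outcome
    if ($now - $issued > TTL) {
        return 'expired';
    }
    if (work($challenge, $counter) < DIFFICULTY) {
        return 'insufficient work';
    }
    return 'accepted';
}

// Demo (constructed run): client solves, server verifies, a replay and a lazy client are refused.
$pending   = [];
$challenge = issueChallenge($pending, time());
$start     = microtime(true);
$counter   = solve($challenge);
printf("client: counter %d found after %.2fs, %d leading zero bits\n",
    $counter, microtime(true) - $start, work($challenge, $counter));
echo 'server: ', verify($pending, $challenge, $counter, time()), "\n";
echo 'server (replay): ', verify($pending, $challenge, $counter, time()), "\n";
$other = issueChallenge($pending, time());
echo 'server (no work done): ', verify($pending, $other, 0, time()), "\n";
```

In a real comment form the solve() step runs in the browser in JavaScript, which is what the plugin does; only verify() belongs on the server. Tune DIFFICULTY so a human never notices the delay: the scheme does not identify bots, it only makes every comment cost the sender some CPU, which is enough to spoil mass spamming but not a targeted attack.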

Nothing is going to completely stop this type of activity. However, for 99.99999999999% of cases, a method that uses a server-side component plus something that uses JavaScript to transform the data returned from the server will stop most of the bots out there (except for those based on node.js and jsdom ;-)).

+1

Well, this is impossible to do. You cannot tell whether a bot or a browser is viewing the token page. Everything you could check can also be imitated (referrers, more hashes or user agents).

You have to ask yourself what you want to protect your site from. For a regular bot you're fine: it would take too long to crack your script just to spam your site. It will move on and spam someone else. So your script gives enough protection.

When someone targets only your site and takes the time to hack it, he is likely to succeed. So do you also want to keep such bots/people out? I would suggest displaying a captcha after, for example, 3 messages within an hour from one IP address. This will keep them out.

It's not always about being fully protected; your solution might already be good enough ... If you need more protection, just use captchas or something like that.

0
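The escalation rule from this answer (a captcha after 3 messages within an hour from one IP) as an added example, not code from the answer: a sliding one-hour window per IP, with old timestamps dropped on every check. WINDOW, FREE_POSTS, the function names, the array standing in for a shared store and the sample traffic are all constructed for illustration.

```php
<?php
// Added example, not code from the answer: per-IP sliding-window counting that
// switches a poster from "accept" to "captcha" after FREE_POSTS in one hour.
// WINDOW, FREE_POSTS and the in-memory $log (stand-in for APCu/Redis/DB) are assumptions.
declare(strict_types=1);

const WINDOW     = 3600;   // one hour, as in the answer
const FREE_POSTS = 3;      // after this many, demand a captcha

/** Drop timestamps older than the window and return how many posts remain in it. */
function recentPosts(array &$log, string $ip, int $now): int
{
    $log[$ip] = array_values(array_filter(
        $log[$ip] ?? [],
        function (int $t) use ($now): bool { return $now - $t < WINDOW; }
    ));
    return count($log[$ip]);
}

/** Decide what a poster must do next. */
function decide(array &$log, string $ip, int $now): string
{
    return recentPosts($log, $ip, $now) < FREE_POSTS ? 'accept' : 'captcha';
}

/** Record an accepted post so it counts against the window. */
function recordPost(array &$log, string $ip, int $now): void
{
    $log[$ip][] = $now;
}

/** Client address to key on. X-Forwarded-For is client-controlled, so only
 *  honour it when your own reverse proxy sits in front and appends the real address. */
function clientIp(array $server, bool $behindTrustedProxy = false): string
{
    if ($behindTrustedProxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($chain);                    // last entry is the one the trusted proxy added
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Demo: constructed traffic from two addresses, [seconds after $now, ip].
$log   = [];
$now   = 1305716400;   // constructed: 2011-05-18 11:00:00 UTC
$posts = [
    [0, '203.0.113.5'], [60, '203.0.113.5'], [120, '203.0.113.5'], [180, '203.0.113.5'],
    [200, '198.51.100.7'],
    [3700, '203.0.113.5'],   // an hour later: the first two posts have left the window
];
foreach ($posts as [$offset, $ip]) {
    $t = $now + $offset;
    $verdict = decide($log, $ip, $t);
    printf("%-14s +%4ds -> %s\n", $ip, $offset, $verdict);
    if ($verdict === 'accept') {
        recordPost($log, $ip, $t);   // a captcha-gated post is recorded only once the captcha passes
    }
}
echo 'behind proxy: ', clientIp(['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5, 10.0.0.2'], true), "\n";
echo 'direct:       ', clientIp(['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4']), "\n";
```

In the constructed run the fourth post from 203.0.113.5 inside the hour gets 'captcha', the post from the other address is accepted, and the post at +3700s is accepted again because only one earlier post still falls inside the window. Keying on REMOTE_ADDR without a proxy in front means the spoofed X-Forwarded-For header in the last line is ignored, which is the behaviour you want.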

Well, this, like everything else, is not completely safe.

You could try to create a similar hash with JavaScript, which carries the time and the unique identifier of the user, and send it with the request. You can then add this to token generation and verification. Without this hash, no token is served.

It looks like a handshake.

0
