Posted by Jerry Stuckle on 09/20/06 01:46
pittendrigh wrote:
> Let's say we're trying to keep blog and forum spammers out
> of our site--we're not trying to protect fort knox.
>
> 1) Step one is a one-time-only step.
> We create six different css files that define the
> same six color names differently, but each such
> css file assigns red to one and only
> one of those same six color names, and then store
> the six somewhere in the document_root.
>
> 2) We make a dynamically generated GET page that mods a random number
> to between 1 and 6 and sets that number as a session variable.
> That number will tell us in a later POST which of the six
> css files to use when we generate a dynamic POST page.
>
> We also randomly create 6 digits between 1 - 256 and concatenate them
> into a comma-delimited string. We set that string
> as a session variable.
>
> 3) In the post we generate a page that specifies one
> of the six css files in its header, according to the value
> of first session variable. Because we have that session
> variable, and because we know which of the six different
> css schemes we are now using, we know which css attribute
> in the current scheme means red. We don't care about the other
> colors.
>
> 4) Now we generate 256 random digits (between 1 - 256) into an array.
> We loop through the array and concatenate a <b class="xx">$digit</b>
> onto a string. For each such <b> tag we randomly choose one of
> the css colors known not to be red, except for the N array index digits
> we get from the exploded comma-delimited session var #2.
> We set those <b class="yy"> tags to the color known (only to us)
> to be red.
>
> 5) Now we echo the string of <b> tags. Six out of the
> 256 randomly generated digits will be red, all the others
> some undetermined color. But we know which ones are
> red.
>
> 6) Now we do another post, asking the user to tell us which
> of the 256 digits are red.
>
> 7) if the post variable matches the session stuff, we proceed,
> else we tell the client computer to chop the fingers off
> the spammer's hands and smoke the seat of his pants.
>
It would work (other than the color-blindness Benjamin mentioned).
But why go to all that trouble when there are several captcha routines
out there for your use?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
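
The seven steps quoted above, written out as an added PHP example that is not code from either poster. It folds the flow into one request that renders the challenge and one POST that checks it. Assumptions: PHP 7.4+, six stylesheets named /scheme1.css to /scheme6.css in which schemeN.css makes class cN red, and the hypothetical function names below.

```php
<?php
declare(strict_types=1);
// Added example; function names, classes c1..c6 and /schemeN.css are hypothetical.
const CLASSES = ['c1', 'c2', 'c3', 'c4', 'c5', 'c6'];
function build_challenge(): array
{
    $red = [];
    while (count($red) < 6) {              // step 2: six distinct positions
        $red[random_int(0, 255)] = true;
    }
    $digits = [];
    for ($i = 0; $i < 256; $i++) {         // step 4: 256 random values
        $digits[] = random_int(1, 256);
    }
    // step 2: scheme 1..6 selects the stylesheet, and so which class is red
    return ['scheme' => random_int(1, 6), 'red' => array_keys($red), 'digits' => $digits];
}
function render_challenge(array $c): string
{
    $redClass = CLASSES[$c['scheme'] - 1]; // assumption: schemeN.css paints cN red
    $others = array_values(array_diff(CLASSES, [$redClass]));
    $isRed = array_flip($c['red']);
    $html = '<link rel="stylesheet" href="/scheme' . $c['scheme'] . '.css">' . "\n";
    foreach ($c['digits'] as $i => $digit) {   // steps 4-5: one <b> per digit
        $class = isset($isRed[$i]) ? $redClass : $others[random_int(0, 4)];
        $html .= '<b class="' . $class . '">' . $digit . '</b> ';
    }
    return $html;
}
function verify_answer(array $c, string $answer): bool
{
    // step 7: the values shown at the red positions, compared as a multiset
    $expected = array_map(fn(int $i): int => $c['digits'][$i], $c['red']);
    $given = array_map('intval', preg_split('/[\s,]+/', $answer, -1, PREG_SPLIT_NO_EMPTY));
    sort($expected);
    sort($given);
    return $expected === $given;           // same red values, any order
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['challenge'])) {
    $answer = is_string($_POST['red'] ?? null) ? $_POST['red'] : '';
    $ok = verify_answer($_SESSION['challenge'], $answer);
    unset($_SESSION['challenge']);         // single use: no retries against one challenge
    echo $ok ? 'ok' : 'rejected';
} else {
    $_SESSION['challenge'] = build_challenge();   // step 6: ask for the red digits
    echo render_challenge($_SESSION['challenge']), '<form method="post"><input name="red"><button>Send</button></form>';
}
```

The scheme number and red positions stay in the server-side session; only the class names and the stylesheet link reach the client.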