Posted by Hilarion on 09/09/05 16:07
> I have a guestbook that keeps getting spammed; what I'm thinking is, can I add
> one of those graphics where you have to key in the number/letter before
> posting?
The question is: who is spamming your guestbook? If it's a person, then
this will not change anything. If it's some simple bot / spider, then
it'll not require any graphics (the text the user has to enter into
some special input box could be simply given as text next to the input
box). If it's someone writing a bot dedicated to spam your guestbook,
then the graphic may be a good way, but if the person is smart and
skillful, then you'll probably have to make the graphic fuzzy and
the text in it scattered, which is not so easy to do.
Simple answer for your original problem is: that can be done.
> Then next part how ?
I'll give example for the first scenario (the text is visible as
text next to the input field).
It requires you to write some simple (but not easy to guess) hash
function. My suggestion is to use MD5 with a "magic keyword" of
your idea and some time dependency:

function generate_hash( $text )
{
    // The secret keyword parts stay on the server; date( 'YmdH' ) ties
    // the hash to the current hour.
    return md5( 'magic' . $text . 'keyword' . date( 'YmdH' ) );
}

On your guestbook entry form page you'll have to randomly generate
some short text:

function generate_random_text()
{
    $available_chars = 'abcdefhijkmnoprstuvwxyzABCDEFGHIJKLMNPRTUVWXY346789';
    // I eliminated some chars from the table because they resemble each other
    // like 'l' and '1' or 'O' and '0'.
    $max_char_index = strlen( $available_chars ) - 1;
    $result_length = mt_rand( 5, 10 );
    $result = '';
    while( $result_length-- )
    {
        $result .= $available_chars[ mt_rand( 0, $max_char_index ) ];
    }
    return $result;
}

On the form page you'll have to echo the generated text, place
a hidden field in the form, containing hash of this word generated
by the "generate_hash" function and place the input field for
the text:

<?php
include( 'script_containing_the_functions.inc.php' );
$text = generate_random_text();
$hash = generate_hash( $text );
?>
<form action="some_other_script.php" method="post">
    <!-- some guestbook entry fields here -->
    Please enter this bolded text into the field below: <b><?php
        echo htmlspecialchars( $text );
    ?></b><br />
    <input type="text" name="key_text" size="20" maxlength="20" /><br />
    <input type="hidden" name="hash" value="<?php
        echo htmlspecialchars( $hash );
    ?>" />
    <input type="submit" />
</form>

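In the script which gets the data you should validate what you got
by generating hash for the text given in the input field and
compare it with the value passed in the hidden field:

<?php
include( 'script_containing_the_functions.inc.php' );
// Both fields must be present and must be strings (a client can send arrays).
$key_text = ( isset( $_POST['key_text'] ) && is_string( $_POST['key_text'] ) ) ? $_POST['key_text'] : '';
$hash = ( isset( $_POST['hash'] ) && is_string( $_POST['hash'] ) ) ? $_POST['hash'] : '';
// hash_equals() compares the values as strings; a loose "!=" would treat
// numeric-looking hashes such as "0e..." as numbers and could match wrongly.
if (!hash_equals( generate_hash( $key_text ), $hash ))
{
    echo 'Make sure you entered the text correctly';
}
else
{
    // Evaluate form data here.
}
?>
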
You could also do it by storing the randomly generated text in
some short-living session (session ID could be passed by cookie,
but you should NOT pass the text in the cookie) and do not
do any hashing, but simply compare what you got from user
with what you have in session.
This example (in both forms - with hashing and no session and
with session and without hashing) can be easily transformed
to output graphics by using GD functions to create an image
with the generated text and placing it in some temp folder
(which is cleaned from time to time) and referencing the
image in the code. It will not change the way you validate
the text, but only the way you place the text on the page
(and the way the client has to read it).
Hilarion
PS.: The idea is provided "as is" without any guarantees or
something... :) I have never had to use anything like
this before.
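
The session variant mentioned in the post above, as an added example that is not part of the original post: the text is kept server-side only, compared as a string, and discarded after one attempt so a captured answer cannot be replayed. The function names, the single-use rule and the 10-minute lifetime are assumptions made for this illustration.

```php
<?php
// Added example, not the original poster's code. Function names and the
// 10-minute lifetime are assumptions chosen for illustration.
const CHALLENGE_TTL = 600; // seconds a challenge stays valid (assumed)

// Generate the text to show on the form and remember it server-side only.
function issue_challenge(array &$session, int $now): string
{
    // Same alphabet as the post: look-alike characters are left out.
    $chars = 'abcdefhijkmnoprstuvwxyzABCDEFGHIJKLMNPRTUVWXY346789';
    $text = '';
    for ($i = random_int(5, 10); $i > 0; $i--) {
        $text .= $chars[random_int(0, strlen($chars) - 1)];
    }
    $session['challenge'] = ['text' => $text, 'expires' => $now + CHALLENGE_TTL];
    return $text;
}

// Compare the submitted text with the stored one. The stored challenge is
// removed on every attempt, so a captured answer cannot be posted twice.
function check_challenge(array &$session, $submitted, int $now): bool
{
    $challenge = $session['challenge'] ?? null;
    unset($session['challenge']);
    if (!is_array($challenge) || !is_string($submitted)) {
        return false; // no challenge issued, or the field was not a string
    }
    if ($now > $challenge['expires']) {
        return false; // challenge is too old
    }
    return hash_equals($challenge['text'], $submitted);
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from
// the command line. In the guestbook, call session_start() and pass $_SESSION.
$session = [];
$text = issue_challenge($session, 1000);
echo 'correct answer:    ', var_export(check_challenge($session, $text, 1060), true), "\n";
echo 'same answer again: ', var_export(check_challenge($session, $text, 1061), true), "\n";
$text = issue_challenge($session, 2000);
echo 'wrong answer:      ', var_export(check_challenge($session, 'nope', 2010), true), "\n";
$text = issue_challenge($session, 3000);
echo 'after expiry:      ', var_export(check_challenge($session, $text, 3000 + CHALLENGE_TTL + 1), true), "\n";
```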