Reply to Re: Keeping spamers out?

Posted by Gordon Burditt on 03/13/06 19:34

>I'm building a web site for myself and some friends using php and
>MySQL. All I have coded so far are the index.php, the membership
>registration screen, and the log-in screen. Myself and one other person
>are the only two registered members because we are the only people in
>the world who even know the site exists yet. I'm an experienced C++
>coder, but a php beginner, and my friend is a SQL expert but has no
>knowledge of php.
>
>But only two days after putting up the registration page I noticed the
>welcome screen said we had 3 members, instead of the 2 people who are
>working on the page. When I looked at the users table in MySQL the user
>name was this huge long string that read like a typical spam email, so
>obviously a bot saw a form on my page and tried to fill it with spam.
>
>What is the usual procedure for validating members to prevent bots from
>"registering"? Membership number (auto-indexed) is kind of a status
>thing, so we don't want the primo low numbers to get chewed up by bots
>before the site even goes live for the rest of the membership. How can
>I keep them out?

Well, for one thing, you can validate the user name to see that it
makes sense. It should not be a "huge long string". 40 characters
should be plenty. If it contains carriage return or line feed
characters, or for that matter any unprintable characters, reject
it. This is the usual method for injecting extra headers into
insecure forms that send email. Does it make sense to allow a
username with a colon in it?

You might also get some value out of asking the question
"Are you a bot?" and defaulting the answer to YES. It
might trip up a few humans but they should get it on the
second try.

Gordon L. Burditt
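
The checks described in the reply above, as an added PHP example that is not part of the original post. The field names `username` and `are_you_a_bot` are hypothetical, and rejecting the colon outright is an assumption about what this site needs.

```php
<?php
// Added example: field names (username, are_you_a_bot) are hypothetical.

const MAX_USERNAME_LEN = 40; // limit suggested in the post

function registration_errors(array $post): array
{
    $errors = [];
    // A non-string value (e.g. username[]=x) is treated as empty.
    $name = isset($post['username']) && is_string($post['username'])
        ? $post['username'] : '';

    if ($name === '' || strlen($name) > MAX_USERNAME_LEN) {
        $errors[] = 'Username must be 1 to ' . MAX_USERNAME_LEN . ' characters.';
    }
    // CR, LF and other control characters (what header injection relies on).
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'Username contains unprintable characters.';
    }
    // Assumption: this site has no use for a colon in a username.
    if (strpos($name, ':') !== false) {
        $errors[] = 'Username may not contain a colon.';
    }
    // The form pre-selects "yes"; a submitter who leaves the default,
    // or omits the field entirely, is treated as a bot.
    $bot = $post['are_you_a_bot'] ?? 'yes';
    if ($bot !== 'no') {
        $errors[] = 'Please answer the "Are you a bot?" question.';
    }
    return $errors;
}

// Constructed sample submissions.
$samples = [
    ['username' => 'gordon', 'are_you_a_bot' => 'no'],
    ['username' => "x\r\nBcc: list@example.com", 'are_you_a_bot' => 'no'],
    ['username' => str_repeat('buy now ', 20)],
];
foreach ($samples as $s) {
    $e = registration_errors($s);
    echo json_encode($s['username']), ' => ', $e ? implode(' ', $e) : 'accepted', "\n";
}
```

Call `registration_errors($_POST)` before the INSERT so a rejected submission never consumes a membership number.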
