Introduction
We were dealing with a spam issue in an earlier project and prevented spam bots with the following simple concept. I now want to implement this in a much larger project. Before I do this, I wish to optimize it so that it works with multiple forms on the same page, but I'm not getting the trick yet, and I'm not sure if it's worth rebuilding this into a more complex version if it's useless.
For clarification: I don't want to deal with CAPTCHA or similar things. I just want a native solution.
Concept
If the user focuses any input field of the form, an AJAX query will be sent, where a random hash-tag will be generated and stored in a $_SESSION variable. This hash will also be written into a hidden input field called spamKey (for example).
After the user submits the form, I check whether the $_SESSION["spamKey"] variable is equal to the $_POST["spamKey"] variable, and so decide whether to process the query or not.
The code
Simple form
    <form action="index.php" method="post" id="formOne">
        <label for='input_eins'>Name</label>
        <input type='text' id='input_eins' name='name' />
        <label for='input_user'>E-Mail</label>
        <input type='text' id='input_user' name='user' />
        <label for='ta_text'>Comment</label>
        <textarea id='ta_text' name='text'></textarea>
        <label for='input_spamKey'>spamKey</label>
        <input type='text' id='input_spamKey' name='spamKey' />
        <input type='submit' value='Senden' />
    </form>
script.js (using jQuery)
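    // true once a key has been fetched for this page load
    var spamKey = false;
    // request a key the first time any direct <input> child of the form gets focus
    $("#formOne > input").focus(function() {
        if (spamKey == false) {
            var dataString = "action=getSpamKey";
            $.ajax({
                url: 'asyncresponse.php',
                data: dataString,
                type: "POST",
                success: function(data) {
                    // write the returned key into the spamKey field
                    $("#input_spamKey").val(data);
                    if (data != "") {
                        spamKey = true;
                    }
                }
            });
        }
    });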
asyncresponse.php (Info: The POST-Variables are sanitized)
    // generate a key, remember it in the session and return it to the client
    if ($_POST["action"] == "getSpamKey") {
        $spamKey = md5(time().microtime());
        $_SESSION["spamKey"] = $spamKey;
        echo $spamKey;
    }
check routine in PHP
    ($_SESSION["spamKey"] == $_POST["spamKey"] && !empty($_SESSION["spamKey"]))
Okay - what's my question?
Which steps would you suggest to protect multiple forms? And probably a basic question: is this a valid solution to deal with the spam issue?
Thanks for your help in advance.
You can find a simple demo here: http://godesign.ch/labor/antispam/index.php
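One way to extend the session-key check described above to several forms on one page, as an added example that is not part of the original post: keys are stored per form id, generated with a CSPRNG, compared with hash_equals() and consumed on first use. The form ids, the `spamKeys` session index and both function names are assumptions; each form would send its own id with the AJAX request and with the submit.

```php
<?php
// Added example, not the poster's code. Form ids and function names are assumptions.
declare(strict_types=1);

const KNOWN_FORMS = ['formOne', 'formTwo']; // assumed ids of the forms on the page

// asyncresponse.php side: issue a fresh key for one form and store it per form id.
function issueSpamKey(array &$session, string $formId): ?string
{
    if (!in_array($formId, KNOWN_FORMS, true)) {
        return null; // unknown form id: issue nothing
    }
    $key = bin2hex(random_bytes(16)); // CSPRNG instead of md5(time().microtime())
    $session['spamKeys'][$formId] = $key;
    return $key;
}

// Check routine: the posted key must match the one stored for this form.
function checkSpamKey(array &$session, string $formId, $postedKey): bool
{
    $expected = $session['spamKeys'][$formId] ?? null;
    unset($session['spamKeys'][$formId]); // single use: consumed on every attempt
    return is_string($expected)
        && is_string($postedKey)          // rejects arrays sent as spamKey[]=...
        && $postedKey !== ''
        && hash_equals($expected, $postedKey); // strict, constant-time comparison
}

// Constructed demo on a plain array; in the real pages pass $_SESSION
// after session_start().
$session = [];
$keyOne = issueSpamKey($session, 'formOne');
$keyTwo = issueSpamKey($session, 'formTwo');

var_dump(checkSpamKey($session, 'formTwo', $keyOne)); // key issued for the other form
var_dump(checkSpamKey($session, 'formOne', $keyOne)); // matching key, first use
var_dump(checkSpamKey($session, 'formOne', $keyOne)); // same key submitted again
var_dump(checkSpamKey($session, 'formOne', ''));      // empty key, nothing stored
```

The key only shows that the client requested asyncresponse.php in the same session before posting, so it filters clients that post the form without running the page's JavaScript and nothing beyond that.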