Random Javascript and PHP generation
Wednesday, 15 August 2007
This code was based on a CAPTCHA I wrote, but it could be useful in other areas such as comment spam protection. The idea is that a few random code blocks are generated on both the client and the server side, so each language (PHP, JavaScript) has the same code. For example:
    num = 1330;
    for (i = 0; i < 2; i++) {
        num += 25;
        for (j = 0; j < 2; j++) {
            num += 25;
        }
    }
    cfapqx = num;
The variables and the code are completely randomised, so you should never get the same value. PHP has the same code and therefore knows the result of the JavaScript code block.
Here's the source, enjoy :)
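A sketch of the generation step described above, as an added example: this is not the author's source, it uses Node.js for both the generator and the check (the post pairs PHP with JavaScript), and every function name in it is hypothetical.

```javascript
// Added example, not the author's source. All function names are hypothetical.
const nodeCrypto = require('node:crypto');

const randInt = (min, max) => nodeCrypto.randomInt(min, max + 1); // inclusive

// Random identifier such as "vcfapqx"; the fixed "v" prefix avoids clashing
// with reserved words and with the loop variables used below.
function randName(len = 6) {
  let s = 'v';
  for (let k = 0; k < len; k++) s += String.fromCharCode(97 + randInt(0, 25));
  return s;
}

// Build the client-side source and the value the server expects, from one
// set of parameters. The shape follows the example in the post.
function buildChallenge({ start, step, outer, inner, field }) {
  let expected = start; // server-side run of the same logic
  for (let i = 0; i < outer; i++) {
    expected += step;
    for (let j = 0; j < inner; j++) expected += step;
  }
  const source = [
    `var num = ${start};`,
    `for (var i = 0; i < ${outer}; i++) {`,
    `  num += ${step};`,
    `  for (var j = 0; j < ${inner}; j++) {`,
    `    num += ${step};`,
    `  }`,
    `}`,
    `var ${field} = num;`,
  ].join('\n');
  return { source, field, expected };
}

// Randomise every parameter so each page load gets a different block.
function makeChallenge() {
  return buildChallenge({
    start: randInt(1000, 9999), step: randInt(1, 99),
    outer: randInt(2, 5), inner: randInt(2, 5), field: randName(),
  });
}

// Compare the submitted form value with the one kept on the server
// (for example in the session); only `source` is ever sent to the client.
function verify(challenge, submitted) {
  return /^\d+$/.test(String(submitted)) && Number(submitted) === challenge.expected;
}
```

Keep `expected` on the server and discard it after one check so a submitted value cannot be replayed. As the comments below point out, a client that actually executes JavaScript will still compute the right answer.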
No. 1 — August 15th, 2007 at 10:04 am
Interesting… source code? :)
No. 2 — August 15th, 2007 at 10:06 am
Hi Jector
Yep I shall upload the source code for you.
No. 3 — August 15th, 2007 at 10:18 am
Thanks a lot, Gareth Heyes.
I think that’s an interesting idea. There is no graphical CAPTCHA for users to disturb them, but there is spam-protection. No additional actions for users. That’s good.
Thanks for source code, I’ll look through it :)
P.S. and as I can see, you implemented this idea in your site, didn’t you?
No. 4 — August 15th, 2007 at 10:28 am
Yeah I implemented a variant of this idea, I actually released a WordPress plugin, which uses an older method of code creation but still works fine because I don’t get any comment spam on this site.
No. 5 — August 15th, 2007 at 10:38 am
Aha, I see. Anyway, thanks for great idea.
No. 6 — August 15th, 2007 at 10:49 am
Before I forget, I must mention that much of the code was inspired by Ronald’s blog and you should visit his excellent site to learn more stuff about security.
No. 7 — August 15th, 2007 at 11:20 am
I’ve used something similar a while back. I used an MD5 JavaScript to create a hash of the users’ name before submitting the form.
I then created the same hash in PHP and compared them to each other…
This reduced the spam posted using the contact form of that particular site to zero.
-H-
No. 8 — August 15th, 2007 at 11:30 am
Yep it’s surprising how much of this comment spam isn’t parsing Javascript, they certainly have the ability to do it.
The problem with the technique you mentioned is that it is quite easy for a spammer to create the key (server side) without having to parse Javascript. Therefore your technique relies on the spammer not knowing how you are protecting the form.
No. 9 — August 15th, 2007 at 3:27 pm
We start seeing more and more JavaScript (based) crawlers. They won’t have any problem with this kind of protection.
But well, sure it’s working well so far. I used to work on this kind of protection for a phpBB forum I have, and well, no more spam :)
No. 10 — August 15th, 2007 at 3:31 pm
Yep I look forward to developing something to defeat them if they get past my spam protection :)
No. 11 — August 15th, 2007 at 7:38 pm
:) There’s the gauntlet :)
No. 12 — September 8th, 2007 at 2:15 pm
Looks great!!! It’s a big help!!!
No. 13 — September 8th, 2007 at 2:15 pm
Ei, thanks! I will try this code... Actually I need this kind of code for my new project.
Thanks again!
No. 14 — September 16th, 2007 at 8:34 pm
Thanks for this plugin! 8)
No. 15 — September 17th, 2007 at 10:30 pm
Thanks for this code. Very interesting.
No. 16 — September 17th, 2007 at 11:24 pm
No problem, enjoy :)