Currently I'm wondering if there is a way to post to a website using captcha for a human-check. The following question is asked, ofcourse this is done with random numbers:
Type this number in digits; 'twohundredandfive': [ input ]
The form is sent using AJAX. So when reloading the website the number to be typed changes.
A way to get pass this is reading and converting the number, then post some data, but at the second request the number already has been changed (which is good). But IS there a way to avoid this?
Don't think I'm using this for bad intensions, the described form is used in one of my applications. It is just a check to get sure bots can't get pass.
Thanks so far :-)
A CAPTCHA should test whether the entity solving it is human. To my eyes, the problem you are setting looks like it would be fairly trivial to solve algorithmically.
Given that a human can pass the test, then it's certainly possible to write an automated bot which will pass it too. As to whether there is a "back door" which allows access without solving the CAPTCHA, only you can decide that by analysing your source code.
I hate CAPTCHAs. More often than not, they are unreadable to humans as well :)
I heard one Microsoft researcher offer the following scheme: put 4 pictures up, 3 of little puppies, one with a kitten. Ask the user to click the kitten. With a large enough sample base, you can create a random picture/question any time the page refreshes. No one will bother developing an algorithm to analyze photos to that degree.
read this post for another interesting idea.
Converting strings to numbers has already been discussed in another question where many references to the google calculator were given, which does a great job in such conversions, so your approach is not suitable for testing whether your user is human.
As for an alternate solution, I can only link to another great answer.
Related
If this isn't appropriate, I apologize, but I wanted to get some feedback on a question I was recently asked during a phone interview. I'm strong on front end development but not very clear on back end programming, something I am trying to remedy.
After I got off the call, I had a bit of l'esprit de l'escalier, I think...
Here's the scenario: You have a simple page where a user is presenting
with a random image and allowed to move it around the page, at the
same time that user can see other users of the same page who are also
moving around their own random images, but no one is allowed to
interact with any other user's images.
So, assuming the LAMP stack is in play and jQuery / JavaScript for your front end, describe how you would implement this and prevent these users from taking control of the objects. Assume the users are savvy enough to watch the post calls in firebug.
I was able to describe a simple interface and control. I was able to describe streaming coordinates to and from a database.
I struggled a bit to think of a good way to protect the information being retrieved while on the call.
After I was off the call, within moments, I thought about a simple method of preventing others from gaining control of this data by not exposing the actual IDs of the objects within the database from which they are called. But I'm still not certain of how to do this exactly. I imagine using a php engine to abstract the variable calls, using random Ids on the objects each user cannot interact with.
This is not something that I have ever considered when working with php / MySQL, but of course I'm thinking that I probably should, even when beating an open source CMS or something into submission.
So, my question is if someone could describe their own thoughts on this or point me to a resource to help me grok this, and how I would use AJAX / PHP to make this work? Am I on the right track?
I haven't heard if I got the job yet, but though it seems it was a primarily front end role, I think they wanted a bit more familiarity with the LAMP than I was able to demonstrate.
Thanks in advance for any help you can provide. Yes, I will be following up with this on my own, and I'm already putting together some plans to dig deeper into php and MySQL for my own edification.
I just took this up as a challenge myself, to try out new technology, and I found it a quite fun little thing to work on. The approach I took was in node.js using mongodb as storage.
Using socket.io, the manipulating was set up pretty fast. As for protecting the objects from external I relied on the session ID, which I linked to the object ID. This way, you can safely expose the ID of the object without it getting compromised.
Do note that the manipulating is limited to following the other cursors on the same page.
http://gist.github.com/ThomasHambach/5168951
I was wondering how to set up a system in which an authenticated user could send, with a simple graphical interaction (cliccking a button or so) a non-replayable request/message to the server from an application or a web page.
It's crytical there's must not be a way to set up an automated system that replaces user interaction automating the request as this would totally break up my entire project.
Moreover, as this action must be frequently repeated, it should not implement boring stuff like chaptas or so.
A pratical example: let's say the web page, shown after the login, displays a button that sends the server a request. How can I be sure the request was sent because the user actually clicked the button and it wasn't some sort of bot that forged the message?
Is that even possible to check? I'm sure it is and I'm quite sure there's must be some simple implementation I'm missing, and I'm sorry if this is a trivial question.
Also, if the solution is hiding ('cause I already searched a lot!) out there, please point me to it.
Thanks for your attention.
You could use a non-graphical captcha like a simple question.
Generate a simple addition of two random integers between 0 and 10.
Add a text field to ask for the result.
The result is very easy to find (for a human being), and very quick to type.
Example:
What is the result of 7+5? Write your result here: [_]
It should only block robots and very young or very stupid people.
i have made a simple php contact form following this tutorial:
http://www.catswhocode.com/blog/how-to-create-a-built-in-contact-form-for-your-wordpress-theme
The big problem is that this form processing is not safe, I have heard people can use it to send spam and/or hack my server.
What are the basic steps needed to make this form more secure?
Ps: I don't want to use re-captcha if it can be avoided...
Edit: I need suggestions to what php functions are used to filter and secure that the form is submitted "the right way" and not altered and/or used to hack my site or send email to other people (using the site to send spam to other people). Do i just need to use strip_slashes? or is there a better way?
One way: If you're not a huge site, it's not likely anyone is going to figure this out/take the time to.
You could use some tricky JS to handle tokens on click. So your server issues token-id's to clickable/focus-able elements on the page during the backend render phase. Log these in a database or data file. Then, when users click around and submit, you can compare the id's sent via the onclick() function. You could also apply some heuristics to determine if the history of clicks is reasonably paced. Posts are too fast to be a human or not, that is, even if they scripted the hijacking of the token-ids and auto submitted, you could check that the time between click events appears automated. Signed up for a twitter account lately? They use passive human detection that while not 100% foolproof, it is slower and more difficult to break. Somebody would REALLY want to hack/spam your site.
Important Step 2: strip out/URLEncode strange characters if you think this will break your page. common ones that break things are " and ' and :
Another Way: http://areyouahuman.com/
As long as you are using encrypted methods verifying humanity without crappy CAPTCHA is possible.I mean, don't ignore your headers either. These are complimentary ways.
The key is to have enough complexity to make for an NP-Complete problem. http://en.wikipedia.org/wiki/NP-complete
When the day comes when AI can solve multiple complex Human problems on their own, we will have other things to worry about than request tampering.
http://louisville.academia.edu/RomanYampolskiy/Papers/1467394/AI-Complete_AI-Hard_or_AI-Easy_Classification_of_Problems_in_Artificial
Another company doing interesting research is http://www.vouchsafe.com/play-games they actually use games designed to trick the RTT into training the RTT how to be more solvable by only humans!
Here's a great article on NP-Hard problems. I can see a huge possibility here: http://www.i-programmer.info/news/112-theory/3896-classic-nintendo-games-are-np-hard.html
i have a large form with a lot of fields. I used fieldset on it. How could I create a better experience to user/accessibility with this large form?
I think about split it. What do you think about it?
Don't re-invent the wheel and confuse the user. Keep it simple. You could break the form down into separate parts, either into separate steps or pages and even with a progress indicator to keep the user informed of where they are.
Form design patterns:
http://patterntap.com/tap/collection/forms
It would be much easier to answer this if I knew a little bit more about the form and what kinds of users you want to be accessible for (ie - you would want to use different techniques if you are trying to be accessible for seniors than you would use if you want to be fully accessible for sight impaired users). Rbaker gave you a tremendous answer and I encourage you to follow his advice/read the link he provided.
However, I would like to add one thing. There is no rule that says that a form has to appear on one page. There is also no rule that says that a 'form' cannot consist of a number of individual questions. Depending on who you want to be able to use your form, a system flow like:
Do you accept our privacy policy? (Click 'yes'/'no)
What is your full name? (Click 'ok')
Would you like to register? (Click 'yes'/no')
You wouldn't have to refresh the page after each question, but if you gave users some idea of how close they are to being finished the form, an individual question approach might be less intimidating and more accessible for your users.
Finally, be proud of yourself for being concerned with accessibility! Best of luck!
i think better if you can post screenshot of that form. from my experience you can tryout some of the steps
1. Keep only fields which you need for uyour system rest take out.
2. Divide into different section
3. if needed can have accordion kind of panels
4. please have proper feedback system, better if you can prompt feedback while filling the form itself instead of waiting for submit or finish button.
5. from the visual, great to have white/gray kind of interface
6. have proper instruction for fields if needed
7. button with affordance
artsrajesh
You need to check out the information on this guys site. Most amazing I have seen anywhere on the net
http://www.lukew.com/presos/
there are many videos, pdf's, power points on form best practices
here is a good start on the site.
http://www.lukew.com/resources/articles/EventApart_WebForms_120809.pdf
and here
http://www.lukew.com/resources/articles/web_forms.html
Im making a rudimentary "human test" for a form on my website.
I want to take the current date (to the minute, not second), and combine that with the users REMOTE_ADDR, then from that generate a string (perhaps use md5?) then limit that to 6 characters.
This code will then be presented to the user, which is instructed to copy it to a particular text box, upon submission will be verified and allow the form to process.
I dont know if there is an easier way to do this, but this is something i think will work for me and be a quick fix. Any suggestions?
I dont know if there is an easier way
to do this, but this is something i
think will work for me and be a quick
fix. Any suggestions?
If you just need a quick fix, try for something simpler. I had a very popular website with a notoriously effective Turing Test:
Check this box if you're a human: [ ]
This little fix brought my spam count down from 10s of 1000s of messages everyday to 1 or 2 every few months. Of course, once the bots wised up, I had to make my test much more difficult:
What's the sound a cat makes? (Rhymes with 'cow') [________________]
Never had anymore problems after that. YMMV.
I would say the simplest solution would be to use a honeypot.
Basically, create a hidden field called Name or something of that sort, and then check to see if the field has data upon submission. If it does, you know it is a bot! Since it is hidden, human's will not be able to populate that field, only bots will!
Generate an MD5 from any source (inc. totally random). Put it on the screen and store it in the session. Check it. Voila.
Using a captcha library is, obv. much more secure though. There's plenty of very good and very very easy to install ones about.