4

I'm considering using random input names for the registration form. It would be done this way:

  1. User requests the registration form page.
  2. Create random names for the input fields and save them to the user's session.
  3. Render the form and display it to the user.

I just wonder if that method gives me anything. If the session driver is a cookie, it's encrypted and secured in the best possible way using a third-party library which I consider safe enough. If the user doesn't accept cookies I can refuse registration.
To remove cookies as a potential security risk I can store sessions in the database. This seems more secure but also might overload the server(?).
My question is quite simple. Is there any sense in implementing such a feature?

Vanitas
  • Is captcha not enough to fight against them? If your form has only one input field and always POSTs to a fixed URL, a bad guy like me will fill the text box inside your form and form.submit to spam you. Haha. – Ken Cheung Jan 09 '12 at 09:42
  • 2
    Some bots fill in all fields, so naming them randomly does not help. BUT if you have nonsense fields filled in (e.g. a hidden useless field) you know it's not a human. – djot Jan 09 '12 at 09:47
  • Captcha is annoying and can be easily passed by bots. – Vanitas Jan 09 '12 at 09:58
  • PHP sessions rely on a cookie anyway, so it doesn't really matter how the session data is stored. – GordonM Jan 09 '12 at 10:06
  • 2
    Some bots now can simulate the web browser. Meaning that they actually load your form, fill in the text field, then post the form. They don't just blindly submit to the URL now. – iWantSimpleLife Jan 09 '12 at 10:12

3 Answers

7

The standard approach is to have a hidden text field. That is a field with type=text, but with CSS rules applied to it so that it's invisible.

markup:

<input type="text" name="put_some_innocuous_name_here" class="some_innocuous_css_class_name_here" value="" />

CSS:

input.some_innocuous_css_class_name_here {
    display: none;
}

PHP:

// Reject the submission if the trap field arrived with any content:
// a browser submits the hidden text field empty, so only a bot fills it.
if ((isset ($_POST ['put_some_innocuous_name_here']))
&& ($_POST ['put_some_innocuous_name_here'] != ''))
{
    throw new Exception ('Suspected bot!');
}

The way this works is quite simple. A normal user will never see your hidden text field because the CSS rules keep it hidden, so a real user will never fill it out.

However, most spambots aren't aware of CSS. They just parse the form markup and they see a text field that appears to need filling out. So they fill the field out with some random data. Because a form field that should never be seen by a normal user has been filled out, this means you're probably dealing with a bot.

Don't use input type=hidden for this, because most spambots are smart enough to notice them and ignore them.

GordonM
  • I believe display: none; will make it all pointless. You have to give visibility: hidden; margin-left: -1000px; – sqram Jan 09 '12 at 10:26
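As an added example (not GordonM's code, nor anything from the thread), here is the same honeypot wrapped in two small PHP functions so that the markup and the check share a single field name. The field name, CSS class and sample submissions are constructed for the example; the off-screen CSS follows sqram's comment above instead of display: none, and treating a missing trap field as a trip is this example's own choice rather than something the answer states.

```php
<?php
// Added example, not GordonM's code. Field name and CSS class are
// constructed placeholders; choose your own innocuous-looking names.

declare(strict_types=1);

const HONEYPOT_FIELD = 'website_url';   // looks like a real field to a bot
const HONEYPOT_CLASS = 'contact-extra'; // class the CSS below hides

/**
 * Markup for the trap field. Real visitors never see it because the CSS
 * keeps it off-screen; autocomplete/tabindex stop browsers and keyboard
 * users from filling it by accident.
 */
function renderHoneypot(): string
{
    return sprintf(
        '<input type="text" name="%s" class="%s" value="" autocomplete="off" tabindex="-1" aria-hidden="true">',
        htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES),
        htmlspecialchars(HONEYPOT_CLASS, ENT_QUOTES)
    );
}

/** CSS that hides the field by moving it off-screen, as sqram's comment suggests. */
function honeypotCss(): string
{
    return sprintf('input.%s { visibility: hidden; margin-left: -1000px; }', HONEYPOT_CLASS);
}

/**
 * True when the submission looks automated: the trap field is absent
 * (the form we rendered was not the one submitted; an assumption of this
 * example) or it contains anything at all.
 */
function isHoneypotTripped(array $post): bool
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;
    }
    return trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Constructed sample submissions: what a browser sends, and what a bot
// that filled every text field sends.
$human = ['username' => 'alice', HONEYPOT_FIELD => ''];
$bot   = ['username' => 'alice', HONEYPOT_FIELD => 'http://spam.example'];

var_dump(isHoneypotTripped($human));
var_dump(isHoneypotTripped($bot));

// In the real handler: if (isHoneypotTripped($_POST)) { /* reject or log */ }
```

Rejecting silently (returning a generic success page) rather than throwing a visible error denies the bot operator feedback about which field tripped the check; either way, log the event so you can see how often the trap fires.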
1

A little late but I have created a class file which does exactly what you need; you can find it here. You just need to pass the name of the form field through a function, for example:

<input type="text" name="<?php echo $obj->DynamicName("fieldName")?>"/>

and once the form is submitted it will populate $_POST['fieldName'] with appropriate data as soon as you create its object.

Shub
  • Nice idea, but a clever bot could identify the field by its location in the form, or by its label or prompt. Still, I think it would stop many bots. – Bob Ray Dec 02 '22 at 05:55
  • 1
    @BobRay Yah I did some crazy stuff back then, for anyone reading this now better use methods like CSRF tokens, DDOS prevention, limiting number of calls per interval per user etc. – Shub Dec 02 '22 at 09:54
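As an added example serving both the question's three-step scheme and Shub's DynamicName idea (this is not Shub's class and not the questioner's code), the class below issues a random name per logical field, stores the mapping in the session, and translates a submission back to the logical names on POST. The class and method names, the session key and the stand-in session array are all constructed for this example; with a real session you would call session_start() and pass $_SESSION.

```php
<?php
// Added example, not Shub's class. Per-session random field names mapped
// back to logical names on submit; every name here is constructed.

declare(strict_types=1);

final class DynamicFieldNames
{
    private const SESSION_KEY = 'dyn_field_map';

    /** @var array<string,string> logical name => random name */
    private array $map;

    /** Reference to the session array so the mapping persists between requests. */
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        $this->map = $session[self::SESSION_KEY] ?? [];
    }

    /** Random name for a logical field, created once per session and persisted. */
    public function name(string $logical): string
    {
        if (!isset($this->map[$logical])) {
            // Hex only, so the name is always a valid HTML name and PHP array key.
            $this->map[$logical] = 'f_' . bin2hex(random_bytes(8));
            $this->session[self::SESSION_KEY] = $this->map;
        }
        return $this->map[$logical];
    }

    /**
     * Translate a submitted array back to logical names. Keys we never
     * issued are dropped, and either an unknown key or a missing expected
     * key marks the submission suspicious so the caller can reject it.
     */
    public function translate(array $post): array
    {
        $fields = [];
        $suspicious = false;
        $byRandom = array_flip($this->map); // random name => logical name
        foreach ($post as $key => $value) {
            if (isset($byRandom[$key])) {
                $fields[$byRandom[$key]] = $value;
            } else {
                $suspicious = true; // a name this session never issued
            }
        }
        foreach (array_keys($this->map) as $logical) {
            if (!array_key_exists($logical, $fields)) {
                $suspicious = true; // expected field not submitted
            }
        }
        return ['fields' => $fields, 'suspicious' => $suspicious];
    }

    /** Forget the mapping after a successful submit so names are not reused. */
    public function rotate(): void
    {
        $this->map = [];
        unset($this->session[self::SESSION_KEY]);
    }
}

// Constructed stand-in for $_SESSION so this runs offline.
$session = [];
$names = new DynamicFieldNames($session);

// Step 3 of the question: render the form with the random names.
$form = sprintf(
    '<input type="text" name="%s"> <input type="password" name="%s">',
    $names->name('username'),
    $names->name('password')
);
echo $form, PHP_EOL;

// Simulated POST built with the issued names, i.e. what a browser sends back.
$post = [$names->name('username') => 'alice', $names->name('password') => 'hunter2'];
var_dump($names->translate($post));

// A submission using guessed, static names is flagged instead of accepted.
var_dump($names->translate(['username' => 'alice', 'password' => 'hunter2']));
$names->rotate();
```

Because the mapping lives in the session, the scheme only blocks bots that post fixed field names to a fixed URL; a bot that loads the form first, as iWantSimpleLife's comment describes, receives valid names like any browser, which is why it is best combined with the other measures in this thread rather than used alone.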
0

Try checking the IP against known spammers lists, it's very effective. Good examples would be Botscout and Spambusted. I've tried both, and they reduced my spammer bot registrations.

RedPoppy