Here’s a subject that’s close to my heart: secure contact forms.
As I mentioned in a previous tutorial, one common use of contact forms is to help visitors communicate with you without exposing your email address to the email harvesting software used by spammers.
But when it comes to spam, hardly anything’s worse than an insecure contact form. Imagine getting a nasty note from your web hosting company that your site has been used to send out massive amounts of email about black market erection medication and, oh by the way, your site is offline until you get it fixed – thank you very much.
So what I’m going to show you today is a simple method for adding an extra layer of security to ANY contact form on your site – even if you don’t use my super secure and wonderfully flexible Ultimate Form Mail.
You notice that spammers have been remotely probing your contact forms for vulnerabilities… and you want them to quit.
You don’t want to use CAPTCHA’s (Completely Automated Public Turing Test to Tell Computers and Humans Apart) because you just know that requiring your visitors to read squiggly letters and numbers just to send you a message is going to suppress communication – not encourage it.

Bottom line: you want to make life tough for the Bad Guys and super simple for the Good Guys.
You’re going to use jQuery to add some hidden tag information to the contact form when the page loads. When the form is sent to the processor, you’ll use some simple PHP code to verify the following:
In other words, your visitor will have a limited amount of time (specified by you) to fill in the form and send it. And if a spammer tries to post information to your form processor remotely they’re going to hit a big fat roadblock. Do not pass go, do not collect $200.
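The following is an added example (not the tutorial's own demo code) showing the server-side half of this technique in PHP: the response to the AJAX call that jQuery makes on page load, and the check the form processor runs on submit. The cookie name `token`, the hidden field name `ts`, the constant `SECRET` and the 600-second window are placeholders chosen here; `hash_hmac()` and `hash_equals()` are used in place of the demo's `md5(salt . ts)` and `==`.

```php
<?php
// Added example, not the tutorial's demo code. Server side of the technique:
//   1. token.php is fetched by jQuery when the form page loads; it sets a
//      cookie holding a keyed hash of the current time and returns that time,
//      which jQuery writes into a hidden field named 'ts'.
//   2. test.php receives the post and accepts it only if the hidden field and
//      the cookie agree and the timestamp is still inside the allowed window.
// Assumptions: the cookie name 'token', the field name 'ts' and SECRET are
// placeholders; hash_hmac() and hash_equals() stand in for md5() and ==.

const SECRET  = 'replace-with-a-long-random-secret';  // placeholder value
const MAX_AGE = 600;                                   // seconds allowed to fill in the form

// Token bound to one timestamp; only a holder of SECRET can produce it.
function make_token(int $ts): string
{
    return hash_hmac('sha256', (string) $ts, SECRET);
}

// token.php: answer the AJAX request. The cookie carries the half the
// browser must echo back; the returned timestamp goes into the hidden field.
function issue_token(?int $now = null): array
{
    $now   = $now ?? time();
    $token = make_token($now);
    if (!headers_sent()) {
        setcookie('token', $token, [
            'expires'  => $now + MAX_AGE,
            'path'     => '/',
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return ['ts' => $now];   // jQuery puts this value into the hidden 'ts' field
}

// test.php: null means the submission passes; otherwise a reason to log.
function verify_submission(array $post, array $cookie, ?int $now = null): ?string
{
    $now = $now ?? time();
    if (!isset($post['ts'], $cookie['token'])) {
        return 'hidden field or cookie missing';   // no JavaScript ran, or a direct post
    }
    if (!is_string($post['ts']) || !ctype_digit($post['ts'])) {
        return 'timestamp is not a number';
    }
    $ts = (int) $post['ts'];
    if (!hash_equals(make_token($ts), (string) $cookie['token'])) {
        return 'cookie does not match timestamp';   // forged or mismatched pair
    }
    if ($ts > $now) {
        return 'timestamp is in the future';
    }
    if ($now - $ts > MAX_AGE) {
        return 'form expired';                      // visitor took longer than MAX_AGE
    }
    return null;
}

// Usage in test.php, before any mail is sent:
// $problem = verify_submission($_POST, $_COOKIE);
// if ($problem !== null) {
//     error_log('contact form rejected: ' . $problem);
//     exit('Sorry, the form timed out. Please reload the page and try again.');
// }
```

The reason for a rejection is logged rather than shown, so a probing script learns nothing about which check it failed. As the post itself says, this is one layer: a client that fetches `token.php` and echoes the cookie back passes this check, which is why it sits in front of, not instead of, a sound form processor.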
What I’m going to share with you is a modified concept I read from a very smart fellow named Chris Shiflett. He’s a security expert on all sorts of issues that PHP programmers can come across if they’re not careful.
I got great responses from the tutorial for Table Striping Made Easy so I’ve decided to do another “walk through” tutorial with screen grabs. It’s a little time consuming, but hey, you’re worth it.
Tutorial on Safer Contact Forms Without CAPTCHA’s
“So now my forms are 100% secure and I can use Generic Free Contact Form Processor With Sloppy Code and feel safe?”
Uh… no.
This security concept is based on a key assumption:
Spammers would prefer to go after the “low hanging fruit” than spend all day trying to crack a tricky contact form.
Now listen carefully, dear friend:
This technique, although strong, is not a cure for a weak form processor.
My attitude towards securing a contact form is to use multiple methods on both the server side and the client side so that a spammer is going to have to invest an enormous amount of resources to even come close to succeeding with their evil plot.
I view the client side protection as analogous to posting a sticker on the windows of a home to indicate that the house is wired with an alarm. Thieves know to look for stickers, dogs in the yard, lights on the exterior of a home, and other signs of a well guarded house. They’re looking for high payoff with minimal work and risk.
In other words, if you can thwart 99% of attacks before they really get started and you can do it so easily why wouldn’t you? That’s what this technique does.
But it’s not a silver bullet cure for a crappy form processor.
200 Responses
Dave Cardwell
May 31st, 2006 at 3:46 am
Am I right in thinking you would not allow contact through the form unless the jQuery values had been set?
Where would this leave people with JavaScript disabled, and users of assistive technologies without the option?
Jack
May 31st, 2006 at 9:02 am
On one of the last slides of the step by step tutorial I wrote:
In addition, in the demo, I wrote about a warning message that could be shown if javascript is disabled. You could put a link in this message to a different form, or other options for contact.
My tutorial provides a possible solution with lots of upside but with certain downside.
It’s up to you to decide if the benefits outweigh the costs.
glitsj
May 31st, 2006 at 10:52 am
Thanks for your continuous work to make forms safer and manageable!
Just one small remark. Your demo.php file also references cookieFunctions.js, which doesn’t seem to be either needed or included…
Keep those tutorials coming
Jack
May 31st, 2006 at 12:06 pm
@glitsj,
Thanks for the heads up… that was a holdover from a different version and I missed it. Extraneous js now gone… thanks.
Alexander K. Schrøder
July 17th, 2006 at 3:29 am
This idea is bad. You know why? It requires Javascript to be enabled. ’nuff said.
Jack
July 17th, 2006 at 10:34 am
Alexander,
Labeling a technique, such as this, as “bad” or “good” is simplistic and assumes that you know the “right” way.
This is a technique.
It has benefits – and it has drawbacks.
As others have commented, it can be useful for some developers. For you, it is of no use.
’nuff said.
Gilles
October 13th, 2006 at 9:40 am
You won’t even need cookies for this technique. In the PHP file that generates the hash, you could set a session variable. In the PHP file validating the input, you could dynamically check for the input tag which should have been generated by jQuery to see if the user had javascript enabled.
Tarwin
November 28th, 2006 at 2:01 am
There was an interesting discussion on this topic on the Humanized.org weblog.
I proposed something similar to this in a comment, but after reading this, and being impressed, realized that you could add another layer to make it totally non JS reliant.
Have a CAPTCHA in the form which is removed by JS. This way works with JS off.
Jack
November 29th, 2006 at 1:32 pm
I’m not sure I follow… can you connect the dots for me? I’d like to know what you’re suggesting.
Deep
December 5th, 2006 at 6:51 am
Good stuff, one thing I noticed in your code: it is calling for a js file for cookies (cookieFunctions.js) but that file isn’t present in the archive.
Regards,
Deep
Jack
December 6th, 2006 at 9:24 am
Deep,
I checked my demo. The files I packaged up must have a line of code with a hold over from development. Please ignore the reference to the javascript file.
Design to CSS plus Ajax contact form, etc. | The Montoya Herald
January 5th, 2007 at 12:52 am
[...] The final product combined some PHP code with jQuery and some code from the jQuery forms plugin, and the whole lot wouldn’t have been possible without Safer Contact Forms Without CAPTCHA’s and Form Submission ajaxSubmit(). The final solution is not bad. When Javascript is not available, a message sharing my e-mail address is visible so people can still contact me. With Javascript available, the form appears as normal and upon submission, it returns responses based on whether the spam check passed and whether all fields were filled in. If it’s successful, a thank you message appears and the form clears. It’s all right. I’m glad I got it done. [...]
JsD
January 6th, 2007 at 7:40 pm
This technique is also very handy for login pages to prevent spoofing. I developed such a page a few years ago and it worked like a charm.
Corey
February 18th, 2007 at 1:28 am
Eh, maybe I’m alone here, but this wouldn’t be too hard to crack… assuming I understand what you explained.
All a remote script needs to do is retrieve the page, then request the hash and send along the cookie as it does it….then submit the form. Sure, it’s a little bit more work, but not more than 10 minutes.
Anything a browser can do without the user interacting a bot can do without a user. I think you understand this since you talk about it just making it harder, but I think you overestimated the level of security this will provide.
It’s a great idea though. I came up with something similar a few years ago…I never implemented it though since I haven’t needed it (lucky me!).
BillsGate
April 6th, 2007 at 4:53 am
This solution is simple, but brilliant.
Although it is not quite the holy grail, it’s an easy way to separate visitors from bots.
Thank you very much for this example!
A sidenote though, which has nothing really to do with captchas: a common pain in the * is the use of mail forms on websites by bots, to send masses of spam from your server.
If the bot wants to succeed, he has to put a header (mime-type) into the textarea.
Let PHP filter this:
$tmpstr = implode("", $_POST);                 // join every posted field into one string
if (strpos($tmpstr, "mime-type") !== false) {  // haystack comes first; strpos returns an offset or false, never true
exit("Your message is considered spam");
}
That, combined with this jQuery addon, should be quite waterproof I think. Just my two cents
Elliot
April 6th, 2007 at 6:08 pm
Thanks for 15 days. I’m a jQuery beginner and am getting a lot out of your series. In addition to the substance, I love the slide show, especially those beautiful colorized code cutout images. Would it be rude to ask what tools you use to produce those? If so, my apologies. If not, I’d be appreciative. Thanks!
Jack
April 9th, 2007 at 10:35 am
Elliot,
Sure. I use a Techsmith product for screengrabs called SnagIt. I bought this as a bundle with another product, and I betcha you can find much cheaper ways to reproduce my cutouts. But that’s what I use, because I have it and it’s pretty easy.
As for the slideshow, it’s a javascript you can download free. I believe if you look at the javascript file of the slideshow you will see a url to the author’s website.
JO
April 18th, 2007 at 9:07 pm
Great tutorial, but is this possible in asp.net? Would be great if someone could come up with one.
Aaron
April 21st, 2007 at 1:21 pm
@JO,
I recently had to reduce some comment spam, and wrote about it here: http://intrepidnoodle.com/blog/show/9.aspx
It’s a bit simpler than this technique, and I suspect probably doesn’t work as well, but it’s so easy to implement that it’s worthwhile to stay out of the ‘low hanging fruit’ example…
Mike Robinson
April 26th, 2007 at 12:11 pm
A technique that I have used with some success is based on the realization that spam-bots are either ‘extremely fast’ or (by using previously-cached strings) ‘extremely slow.’
When the input-form is generated, it is marked “do not cache” (so the browser will actually retrieve something new from us), and it includes a hidden-field containing an unrecognizable hash.
This hash is based on the IP-address of the requester, a salt-value and a garbage string known only to us. It masks, by means of exclusive-OR, the server date/time and another checksum/hash.
When we receive the input, we unmask it, verify the checksum in the unmasked data (to know that the unmasking worked), then check the timestamp thus revealed.
This timestamp must be (say) more than 30 seconds old, and not more than 15 minutes old.
Typically, spam-bots are in a hurry. This stops them dead.
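As an added example (not Mike Robinson's code), here is one way to build the hidden field he describes in PHP: the issue time plus a keyed checksum, XOR-masked with bytes derived from the requester's IP address, a salt and a server-only secret, and accepted on submit only if it unmasks cleanly and is between 30 seconds and 15 minutes old. `SECRET`, `SALT`, the field length and the age bounds are choices made here, not values from the comment.

```php
<?php
// Added example, not Mike Robinson's code. Hidden-field stamp with a lower
// and an upper age bound. The field holds 4 bytes of timestamp and 4 bytes of
// keyed CRC, XOR-masked with a key derived from the requester's IP, a salt and
// a secret, so the value is meaningless off the server and useless from
// another address. SECRET and SALT are placeholders.

const SECRET  = 'replace-with-a-server-only-secret';  // placeholder
const SALT    = 'replace-with-a-random-salt';          // placeholder
const MIN_AGE = 30;    // a post arriving faster than this is a bot in a hurry
const MAX_AGE = 900;   // a post older than this is a cached form being replayed

// Mask bytes for one requester; derived, never stored or sent.
function mask_for(string $ip, int $len): string
{
    $key = hash('sha256', $ip . '|' . SALT . '|' . SECRET, true);   // 32 raw bytes
    return substr(str_repeat($key, intdiv($len, strlen($key)) + 1), 0, $len);
}

// Value for the hidden field in a form served to $ip at time $now.
function make_stamp(string $ip, ?int $now = null): string
{
    $now   = $now ?? time();
    $plain = pack('N', $now);                         // 4-byte big-endian timestamp
    $plain .= pack('N', crc32($plain . SECRET));      // keyed checksum over the timestamp
    return bin2hex($plain ^ mask_for($ip, strlen($plain)));   // PHP's string XOR is bytewise
}

// Unmask and check a submitted value. Null means it passes; otherwise a reason.
function check_stamp(string $field, string $ip, ?int $now = null): ?string
{
    $now = $now ?? time();
    if (strlen($field) !== 16 || !ctype_xdigit($field)) {
        return 'malformed stamp';
    }
    $plain = hex2bin($field) ^ mask_for($ip, 8);
    $ts    = unpack('N', substr($plain, 0, 4))[1];
    $sum   = unpack('N', substr($plain, 4, 4))[1];
    if ($sum !== crc32(substr($plain, 0, 4) . SECRET)) {
        return 'checksum failed';        // wrong secret, different IP, or a tampered field
    }
    $age = $now - $ts;
    if ($age < MIN_AGE) {
        return 'submitted too fast';
    }
    if ($age > MAX_AGE) {
        return 'stamp too old';
    }
    return null;
}

// Usage when rendering the form (send no-cache headers so the browser really
// fetches a fresh stamp, as the comment recommends):
// header('Cache-Control: no-store');
// $stamp = make_stamp($_SERVER['REMOTE_ADDR']);
// echo '<input type="hidden" name="stamp" value="' . $stamp . '">';
// Usage in the processor:
// $problem = check_stamp((string) ($_POST['stamp'] ?? ''), $_SERVER['REMOTE_ADDR']);
```

The checksum is computed over the timestamp together with the secret, so a guessed or replayed stamp from a different address fails at the checksum step before any timing decision is made. Binding to the IP address is the trade-off to weigh: visitors whose address changes between page load and submit (some mobile carriers and proxy pools) will see their form rejected and need a way to reload it.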
Elliot
April 27th, 2007 at 4:08 pm
Jack, thanks very much for the tips on Techsmith’s SnagIT, and DOMslides for screen shots and html slide show. Very helpful. And again, you’ve been very generous with 15 days. Great work and much appreciated!!
marconi
May 10th, 2007 at 11:19 pm
The tutorial is cool but it validates even if the name is empty, so I added
!empty($_POST['name'])
in the first condition and it works great now.
Rodin
May 22nd, 2007 at 11:03 pm
Sorry for saying this method is poor… I’ve worked on attacking CAPTCHAs; in my way, the first step of analysing a CAPTCHA is watching the POST/GET data and cookies. Putting the tokens or keys on the client side is not a good idea – they can be easily captured, and this
Rodin
May 22nd, 2007 at 11:49 pm
(continued) and then, sending the cookie and the ts field together, the validation in test.php seems to be absolutely useless.
Jack
May 23rd, 2007 at 1:35 pm
Rodin, and anyone else who says this method is poor,
I don’t mind being wrong.
But there are four things that tell me these kinds of replies are silly:
1) Adding similar code dramatically reduces automated spam attempts on real life websites over and over again. Based on actual experience, it works quite well.
2) From what I gather, the comments about how easy this is to beat talk about the *specific* demo I’ve put up… But tweak the name of the hidden text field, the name of the cookie, and some of the validation, and your bot code is SOL.
3) I would love to see some php or cgi that grabs form fields that are generated through DOM, as jquery would do. Not saying it can’t be done, just haven’t come across it yet. I’m sure it exists, so show me.
4) This isn’t about creating a form that is unbeatable… I clearly say that in my post. It’s about thwarting automated spam. If the technique eliminates 99% of most automated spam attempts before it begins, does it have any worth? I think so.
If you, or someone else reading this post, can create the code I’m told is so easy to create but I haven’t seen yet, I’ll put my money where my mouth is.
Show me the code that will remotely:
1) read all cookies set, regardless of cookie name, even session variables
2) read all form fields, regardless of name, including fields that are added after page load using javascript DOM methods
I’ll pay the first person to show me such code $50 if it meets those specific criteria.
Not saying it can’t be done…
But show me.
Rodin
May 23rd, 2007 at 10:28 pm
Jack, thanks for your reply, and sorry for my extreme words before, and also my poor English; maybe those words made you feel not good, but please believe me, I have no malice…
1) I agree that it can work. Actually in my opinion, the main reason is not that spammers cannot work this out, but because this method hasn’t been applied commonly, they do not want to waste time on so few sites.
2) If this method is used in a widely used open source web application, most users are lazy or unable to change the code, except by using a builtin function. So tweaking the name may not be as effective as considered.
3) CGI may be unable to do those, but a desktop application can work it out.
4) Generally speaking, I like this quick and easy method, and will use it on my personal site.
I currently have no way to run the JS within a bot, and no common way to defeat most CAPTCHAs. On the other hand, writing a specific spam bot is much easier.
1) All cookies set can be read from the HTTP response header Set-Cookie. Session variables cannot be read, but in MS ASP (I’m an ASP programmer) on the IIS server, the session is implemented with a cookie like ‘ASPSESSIONIDSDKFJSFS=KSDJFKLSDFSDFSF’ (this string length may not be right, it just shows the pattern); sending the same ASPSessionID, IIS will process requests as the same user.
2) This criterion seems hard to me – I’d write a script-supporting browser if I could do this. It’s also difficult/complex to automatically read the form field names. An easier implementation is to watch a valid user operation, capture all the request data, then simulate that in a bot.
If you really want a bot, I’ll write one that works but may not meet the criteria.
At last, I’m still interested in the $50 – it’s almost equal to my monthly living cost
Rodin
May 23rd, 2007 at 10:39 pm
There are 12 timezones between us… My local time is 10:38
Rodin
May 23rd, 2007 at 10:39 pm
AM, 24 May 2007
Jack
May 24th, 2007 at 10:33 am
I need to move where you live!
Anyhow, thanks for your replies.
Ideally, I’d be interested in a PHP script that did what I’ve laid out.
And I agree… it would be very difficult.
Your suggestion of a browser type application is the one that I see as most likely for doing everything I’ve requested for the “prize” money.
That said, this reiterates what I’ve said before: this isn’t the “end all be all” of thwarting automated spam, but in practice it knocks out almost all of it.
steampunk
June 4th, 2007 at 7:07 pm
curl token.php to get the page with cookies[token], build the ts variable from the response, use it
and the form post/get variables with curl again, which results in
(isset($_POST['ts']) && isset($_COOKIE['token']) && $_COOKIE['token'] == md5('secret salt'.$_POST['ts'])) hence
$proceed = true;
kill curl, repeat.
If you put just this looped into a php file and run it as a shell script then you can change your IP on your network repeatedly.
And just to be annoying, firefox = open source, firefox = web platform capable of doing the above as a plug in. You do this all the time when you use your fancy video grab plug ins or SEO junk…
Come to think of it, a ff/ie plugin that inserts a javascript to grab the form variable then submits and clears/alters cookies. Reload page, repeat.
Conclusion: people could send bogus form information and spam the world using this method.
Jack
June 5th, 2007 at 9:03 am
Put the code up as a .txt file so I can test it out and see if you get $50
Tobbe
June 7th, 2007 at 6:51 am
I think I will use this in combination with a captcha. I’ll have some JS remove the captcha so it isn’t seen by most people, and then on the php side I first look for the hidden tag. If it matches the token I go ahead with the form processing. If it doesn’t I check the captcha which should have been visible in case of JS being disabled on the client side.
phpdude
June 26th, 2007 at 3:35 pm
If you use a server side scripting language, why could you not embed a unix timestamp and an md5 hash for it as hidden form fields when the form page first loads?
Then when you get a post you would first look to be sure the timestamp is within your pre-determined timeframe and that its md5 hash is correct.
If so, go with it. If not, drop it on its head.
vermontdevil
October 26th, 2007 at 2:16 pm
Jack – so did the code by steampunk work?
Paul Koppen
October 27th, 2007 at 6:21 am
First I would like to say, I am really surprised by the simplicity of this method and the fact that *all* php is done in the token file. Truly clever.
But then, of course, I have some comments.
1. I assume you set the cookie instead of a session to keep your solution stateless? Because storing it in a session variable would be just as easy and theoretically more secure (in your solution, an attacker can brute force the salt, and yes I read your 1000 comments on silver bullets).
2. As Mike Robinson put forward, typical bot behaviour can be characterized by either slow or fast responses. So putting a lowerbound on the timestamp is really a good idea.
3. The comment by Tarwin (instead of the warning message, remove a CAPTCHA) is extremely good, for multiple reasons: a) With javascript disabled, the form is still accessible. b) Bots see the CAPTCHA and leave. c) If a bot is so extremely clever to solve the CAPTCHA and your system, we can catch ‘em because they send back two solved challenges! d) It is gracefully downgrading; Annoying CAPTCHA tests now suppress only communication with annoying visitors
4. It would be friendly to the visitor to tell him/her that the submission time has expired and provide a way to reload without losing form content, wouldn’t it?
greg
November 16th, 2007 at 7:57 am
OK, we tried this on our forms, but after about a week people figured out a way around this.
Jack
November 16th, 2007 at 4:10 pm
greg,
I’ll email you with a request for more info.
Chris Wash
November 28th, 2007 at 7:25 pm
This strategy is known to the Java world as the Synchronizer Token pattern. I didn’t see you explicitly point this out, but its main purpose in life is to make sure that redundant posts are not accepted – i.e., you can only submit one form per token that you get from the server.
This helps ensure a client’s posts are synchronized with a new transaction on the server every time (consider submitting a payment) – hence the name.
Many Java web frameworks implement this sort of thing for you out of the box – skipping the JQuery step of inserting the hidden form field in dynamically and just automatically including the hidden field in the form for you. This method requires no Javascript, and you can suggest it as a way to deal with clients that don’t have Javascript. The Javascript applies just an added level of obfuscation to the whole process and isn’t really needed to achieve what you’re looking for.
Another similar pattern to take a look at in terms of secure form processing is PRG (http://en.wikipedia.org/wiki/Post/Redirect/Get).
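As an added example (not from the post and not any Java framework's implementation), here is the synchronizer token pattern this comment describes, done in plain PHP with the session as the store and no JavaScript at all. The field name `form_token` and the 15-minute lifetime are choices made here; it assumes `session_start()` has already run.

```php
<?php
// Added example, not code from the post or from a framework. Synchronizer
// token: the server keeps a random token in the session and puts the same
// value in a hidden field; the processor accepts a post only if the two match,
// and consumes the token so a second post with the same value is refused.
// Assumes a started session; the field name 'form_token' is chosen here.

const TOKEN_KEY = 'form_token';
const TOKEN_TTL = 900;   // seconds a rendered form stays submittable

// Called while rendering the form; returns the value for the hidden field.
function issue_form_token(array &$session, ?int $now = null): string
{
    $token = bin2hex(random_bytes(16));               // 128 bits from the CSPRNG
    $session[TOKEN_KEY] = ['value' => $token, 'issued' => $now ?? time()];
    return $token;
}

// Markup for the hidden field; escaped even though the token is hex.
function hidden_field(string $token): string
{
    return '<input type="hidden" name="' . TOKEN_KEY . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Called by the form processor. The stored token is removed on every attempt,
// valid or not, so a replayed or double-clicked post cannot be accepted twice.
// Null means the post passes; otherwise a reason to log.
function consume_form_token(array &$session, array $post, ?int $now = null): ?string
{
    $now    = $now ?? time();
    $stored = $session[TOKEN_KEY] ?? null;
    unset($session[TOKEN_KEY]);                       // one token, one submission
    if ($stored === null) {
        return 'no token issued for this session';    // form never rendered here
    }
    if (!isset($post[TOKEN_KEY]) || !is_string($post[TOKEN_KEY])) {
        return 'token field missing';
    }
    if (!hash_equals($stored['value'], $post[TOKEN_KEY])) {
        return 'token mismatch';                      // forged, stale or cross-site post
    }
    if ($now - $stored['issued'] > TOKEN_TTL) {
        return 'token expired';
    }
    return null;
}

// Usage. Rendering the form:
// session_start();
// echo hidden_field(issue_form_token($_SESSION));
// Processing it:
// session_start();
// $problem = consume_form_token($_SESSION, $_POST);
// if ($problem !== null) { error_log('form rejected: ' . $problem); exit('Please reload the form.'); }
```

Because the token lives only in the session and the page, the check holds for visitors without JavaScript, which is the point this comment makes. The comparison uses `hash_equals()` so the match does not leak timing information, and consuming the token before checking it means a duplicate submission fails even when the first one was valid.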
Null Reference » CAPTCHA My Cat
May 14th, 2008 at 2:54 pm
[...] are various alternate solutions being banded around such as Client Side Javascript CAPTCHAs and verbal reasoning (via 37Signals) tests. The oddest so far has to be the image based effort by [...]
25 Excellent Ajax Techniques and Examples - Six Revisions
June 2nd, 2008 at 11:58 pm
[...] 12. Safer Contact Forms Without CAPTCHAs [...]
Jeff
June 3rd, 2008 at 2:50 pm
Saying this is bad because it requires javascript to be enabled is like saying captcha is bad because it requires images to be enabled. Javascript is a fundamental part of the web these days, and usually the ones with javascript disabled would be bots or hack attempts which shouldn’t be accessing the site anyway. There are times when I have used linux based text browsers, but that’s only if I’m downloading files. I say, if they don’t have javascript enabled, too bad.
gabe
June 4th, 2008 at 10:58 pm
JS runtimes: Rhino, Spidermonkey etc. could be used to eval the JS. E.g. appjet.com, XULRunner, Helma etc.
Implementing the browser environment is a bit hard though, even with the JS runtimes, so you could get away with this for a while. Though a simple XULRunner or Firefox Extension app would have the environment to run anything in FF.
I don’t think I’m understanding this fully though. Are you just setting a cookie when the XHR is made, or are you sending back JS that needs to be interpreted? If it’s just a cookie, then this isn’t JS dependent; if it’s obfuscated JS, then yes the spammer would need a JS interpreter or some nifty regex. If you implement some browser specific environment features, then you could get even further as the spammer would need to implement those in their bot. Could get expensive enough you might have something for the masses…
Reponere » Blog Archive » 25 Excellent Ajax Techniques and Examples
June 6th, 2008 at 2:01 pm
[...] 12. Safer Contact Forms Without CAPTCHAs [...]
Safer Contact Forms Without CAPTCHAs | Webmaster-Source
June 10th, 2008 at 7:17 am
[...] Safer Contact Forms Without CAPTCHA’s [...]
“The Complete Guide” for jQuery Developer- Reblog « Dynamic Disruption
August 18th, 2008 at 10:43 pm
[...] Safer Contact Forms Without CAPTCHA’s: Use a hidden field in a form and don’t annoy your visitors with CAPTCHA. [...]
25 Excellent Ajax Techniques and Examples « Jonsunhee’s Weblog
August 29th, 2008 at 3:59 am
[...] 12. Safer Contact Forms Without CAPTCHAs [...]
Dwayne from Probably Sucks Blog
November 4th, 2008 at 1:13 am
I’m just about to implement this solution on my blog: http://probablysucks.com. It would seem I have a bit of a spam problem at the moment.
Dwayne.
dan
November 20th, 2008 at 3:10 am
I’m no security expert and I don’t even have a blog or website. But I plan to make one soon. Just an idea I want to throw out there.
Use flickr API and display 10 images.
1) 9 of the 10 images are random pictures.
2) One of the image gets retrieved with a random ‘tag word’ from your server. So use flickr API to find an image tagged with ‘turd’. While the rest of the images are pictures of flowers and family photos.
3) On the client side, ask…’Of the 10 pictures, select the picture with a [turd]‘.
4) On the client side, the onclick event of that particular IMG tag gets sent to the server via AJAX (position 6 of 10, etc).
The server code knows the correct position of the turd image (position 6). If the wrong image has been selected, reload and grab a new set of images with a different keyword (i.e. ‘clogged toilet’) and 9 other random pictures.
One major drawback – one of the 9 random images by chance may contain the keyword. So to fix that, you HAVE to pick all of the images knowing they do and don’t contain the keyword being generated by the server.
Keep it real, and peace.
dan
November 23rd, 2008 at 2:48 am
Well I want to revamp from my original idea above.
I like the idea of making the user select a picture from a group of images to verify they are human. BUT that can be easily broken by a spam bot since they can download the set of images and study the question (i.e. select an image of a cow). By downloading the binary of the images, they can take the question and based on try and fail method, the bot can figure out which image is the correct one.
To workaround that, you must generate 1 single image with a set of images in a fixed row and column. In the HTML, create a image map like so…
The pixel coordinates aren’t perfectly aligned (this is just demo). The server generates a random keyword and shoves it to the KEY attribute in area element of the CORRECT area, with invalid random ones for the rest.
So onclick of the correct area will fire off a remote call and the server end will compare the key with the key that was originally assigned on the backend.
The 1 single image containing the group of images must be generated real time with random position of the images inside of it.
To recap.
1) Server generates 1 image with 5 images inside of it as fixed position under 1 row and 5 columns.
2) Server generates a ‘secret’ word.
3) Client side AJAX requests the image and then gets a list of AREA as MAP element. Each AREA has an attribute, with the correct secret word and invalid ones.
4) Onclick event of each AREA sends the backend it’s secret word. If it’s right, the server continues the operation. If it’s wrong, generate a new image but this time the arrangement of the individual pictures are different. If the user gets it wrong a second time…forward the client browser to an illegal porn site.
With Flash, you don’t need to go through this hassle but I want my website accessible through iphone (which doesn’t support Flash yet).
juziku
January 21st, 2009 at 11:44 pm
good
jiminy
February 11th, 2009 at 10:40 pm
“# When the contact form is loaded we’ll make an AJAX call to a PHP file”
Wait… the form is being printed out with PHP. Why would we possibly need to do that? Try
$time=time();
echo ”
Ma'moon Al-Akash
March 6th, 2009 at 3:15 pm
I have created another type of captcha that depends on jQuery, you might want to take a look at it!
http://phpirate.net/?p=359
Scott Oakley
April 1st, 2009 at 11:52 pm
Your potential customers generally only search for you on the 1st Page of Google. Do you have 1st page Google placement? If not, we can guarantee 1st page Google placement or your money back. Email us back to get a full proposal.
Waseem
April 23rd, 2009 at 7:59 am
NICE!
I am looking all over for alternatives to captcha.
REASON:
1. they are annoying.
2. they are not safe anymore.
2.1. Image Recognition ‘systems’ get more and more powerful each day – I’ve seen it read letters off a physical page through a camera image, what’s stopping bots from identifying captchas? the annoying lines and blur effects that run across which make it almost humanly unreadable.
I think some jquery mixed in with either PHP or ASP will do the trick provided the jquery only loads if the browser supports JavaScript
Thanks for your solution
question.
why use the $document,ready(function() { … } instead of the $(function() { … }
Waseem
April 23rd, 2009 at 8:00 am
Ahh, I mean document.ready() … }); function instead of $(function() { … });
excuse my syntax
nasir
June 3rd, 2009 at 2:14 am
This totally fails because if I want to send the feedback again from the same system it doesn’t allow me. I have the better solution and 100% authentic.
High PR Link Builder
June 15th, 2009 at 1:58 pm
I agree that captchas can be annoying but the amount of spam I have received has been overwhelming. It would be nice if there was a way to use a standard contact form and ask a simple addition question. For example ‘What is 3+4?’ That way a human would have to answer the simple question with the correct answer otherwise it would be considered spam. Kudos on the blog post.
M. A. Sridhar
June 24th, 2009 at 1:51 pm
Since you’ve thought about this issue in depth, I am curious about your opinion on the following approach. In the HTML markup, we set the form’s action attribute to “#”, and set it to a real URL in the JavaScript. So if your JavaScript does not execute (as would probably be the case with a spam bot), the action URL would not be available to the bot, so it can’t post at all.
What do you think?
lorenzo
July 5th, 2009 at 9:31 pm
Jack, thanks for your contribution, but I am not successful at this.
I am using andrew riley’s phpformmail and would like to integrate the two.
I cannot run your test.php on my form post/get because the form processor is riley’s phpformmail file, so does anyone know of a way to integrate these together?
http://developerkarma.com/projects
Ma'moon Al-Akash
July 7th, 2009 at 10:41 am
The captcha that I have created is a re-write of ajax fancy captcha in PHP; it’s much safer and it totally depends on server side validation while maintaining the same look and feel of AFC. You might want to take a look at it here http://phpirate.net/?p=359
pligg.com
July 18th, 2009 at 2:29 am
Safer Contact Forms Without CAPTCHA’s…
You don’t want to use CAPTCHA’s (Completely Automated Public Turing Test to Tell Computers and Humans Apart) because you just know that requiring your visitors to read squiggly letters and numbers just to send you a message is going to suppress com…
Billz
July 18th, 2009 at 3:17 am
I’m with Lorenzo up there… I wish someone would create an easy to follow tutorial about how to implement the validation part. I can get this script and any captcha script inserted into my form, and have all the javascripts and whatever else is needed uploaded and included on the page, but, when it comes to integrating something like test.php into my form’s current processing page… I’m lost. Can you just stick the code anywhere in the file that processes the form? I doubt it.
I’m hoping that one day, someone will come out with a hidden captcha script that is free, and all you have to do is copy and paste code into the page with your form on it.
Actually I found a script like this, but it’s pure javascript, so people say it’s not very secure, but then again, this invisible captcha is javascript…
Syed Aslam
August 14th, 2009 at 3:35 am
Pretty late but a very good article and resource. Can anyone point me to any Rails example similar to this?
denny
August 16th, 2009 at 9:55 pm
But I could use a legitimate http request (I can use vbs or others) to get the page which hosts the contact form and fill all the elements with trash data and submit the page. So how can you prevent it?
Christian
August 26th, 2009 at 5:20 am
Hi Jack,
Thanks for the codes and tutorial. I successfully implemented it in my current project.
If I want to use this code for a contact form in a service provider website, is it violating the “non-commercial” rule of the license?
Looking forward to your response. Thanks.
Chuck
August 27th, 2009 at 4:15 pm
Chuck…
</gr_replreplace>

<gr_replace lines="370" cat="reformat" orig="70@Jeff">
@Jeff Your assumption is way off. The extreme majority of people with javascript disabled are people who work for a living and use their work computer. Corporate IT departments frequently disable Javascript due to the security threat it poses. In addition, people with physical handicaps such as the blind or poor motor functions will often disable javascript due to the navigation hazards it often poses.
…
Jed
September 3rd, 2009 at 2:04 pm
70@Jeff Your assumption is way off. The extreme majority of people with javascript disabled are people who work for a living and use their work computer. Corporate IT departments frequently disable Javascript due to the security threat it poses. In addition, people with physical handicaps such as the blind or poor motor functions will often disable javascript due to the navigation hazards it often poses.
@Jack I like your idea as it does complicate hacking a form. However, I would like to see where you got the “prevents 99%” statistic. Have you even tested this method out on a form that previously received lots of spam?
Roy
September 8th, 2009 at 2:56 pm
Ok, I was able to successfully implement this on my contact form; however, how do I know whether it is working or not? How do I test it so that the cookies do not match?
The other question is how do I display the message to the spammers that the contact form has halted due to suspicious activity?
Thanks…
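One way to exercise the “cookies do not match” and “halted” cases Roy asks about is to isolate the processor’s check into a function and drive it with constructed inputs. This is an added example in Python, not the tutorial’s PHP code; the layout (a hidden form token that must equal the token stored for the visitor’s session when the page loaded, issued within a configured time window), the minimum-age check, and the function names are assumptions.

```python
import hmac
import time

# Constructed policy values (assumptions, not from the tutorial).
MAX_AGE_SECONDS = 600   # visitor must submit within 10 minutes of page load
MIN_AGE_SECONDS = 3     # a post faster than this is quicker than a human types

HALT_MESSAGE = "This contact form has been halted due to suspicious activity."


def verify_submission(form_fields, session_token, issued_at, now=None):
    """Return (ok, reason) for one form post.

    form_fields   -- dict of POSTed fields; the hidden token lives under 'token'
    session_token -- token stored server-side (session/cookie) when the page loaded
    issued_at     -- UNIX time at which that token was issued
    """
    now = time.time() if now is None else now
    form_token = form_fields.get("token")
    if not form_token or not session_token:
        return False, "missing token"       # direct POST that never loaded the page
    if not hmac.compare_digest(form_token, session_token):
        return False, "token mismatch"      # form and session disagree
    age = now - issued_at
    if age > MAX_AGE_SECONDS:
        return False, "token expired"       # visitor took too long to send
    if age < MIN_AGE_SECONDS:
        return False, "submitted too fast"  # page loaded and posted almost at once
    return True, "ok"


def handle_post(form_fields, session_token, issued_at, now=None):
    """Text the processor shows back: the generic halt message or a success note."""
    ok, reason = verify_submission(form_fields, session_token, issued_at, now)
    if not ok:
        # Keep the detailed reason in the server log; the sender only sees HALT_MESSAGE.
        print(f"[contact-form] rejected: {reason}")
        return HALT_MESSAGE
    return "Thank you, your message was sent."


if __name__ == "__main__":
    # Constructed cases: a good post, a mismatched token, and a stale token.
    t0 = 1_000_000
    print(handle_post({"token": "abc"}, "abc", t0, now=t0 + 60))
    print(handle_post({"token": "abc"}, "xyz", t0, now=t0 + 60))
    print(handle_post({"token": "abc"}, "abc", t0, now=t0 + 900))
```

To test the mismatch case by hand, post the form with the hidden field edited to a different value, or clear the session cookie before submitting; the processor should answer with the halt message and log the reason.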
funny videos of cats
September 9th, 2009 at 3:59 am
Hi, thanks for sharing this nice information. Hope these can stop an immense amount of spam.
Instant PayPal Affiliate Commissions Directory
September 11th, 2009 at 3:35 pm
I use captchas on a few of my pages and think they’re beneficial. The key is to avoid confusing characters such as: 0, o, O, 1, l, I. If you avoid the most common then this could be helpful to the visitor. Nice post.
Tim
September 15th, 2009 at 2:17 pm
All my code does is create a browser object, turn cookies on, get the token, then make the post, including the token in the post. It’s quite trivial, actually.
Yes, it does require effort – a completely automated spam bot won’t be able to get through this, most likely, but if someone cares to look at what’s going on using a tool such as Firebug, it only takes a few minutes to crack.
25 Excellent Ajax Techniques and Examples | pc-aras
November 16th, 2009 at 1:11 pm
[...] 12. Safer Contact Forms Without CAPTCHAs [...]
Don Smart
January 13th, 2010 at 3:08 pm
I want to learn more about this website
Don Smart
January 13th, 2010 at 3:11 pm
Please, I want you to tell me more about your services
Anup Nath
January 25th, 2010 at 4:22 am
Dear Sir
I have a query. Someone copies the URL of any important webpage of ours, like the contact form, and types or pastes it into the browser, and the same webpage is displayed. But I want to restrict that type of activity. Users must type or paste our index page URL into the browser and then fill in the contact form.
Thanks
Anup Nath
grane
February 13th, 2010 at 1:39 am
The doctor, my daddy thinks, that it Mario!
- We will cure.
- And it can be cured? Yesterday we were in a zoo, it has jumped on a head to an elephant. The elephant has decreased!
» Stop search engines indexing your web
February 17th, 2010 at 4:26 pm
[...] Hidden tag: 15daysofjquery.com/safer-contact-forms-without-captchas/11/ [...]
Preventing search engines from indexing your site
February 17th, 2010 at 4:51 pm
[...] Hidden tag: 15daysofjquery.com/safer-contact-forms-without-captchas/11/ [...]
Fred
March 6th, 2010 at 1:44 pm
This ancient problem has been solved long ago… what I do is just make the user submitting the form get an email which then they must answer to verify themselves. This way the spammer cannot send spam directly to a recipient, and they must answer the email we send (this contains a link they must enter in their browser) and then the original contact form is sent to the user.
In my nearly ten years with this system online, I have never had a spam message through my contact form.
Problem solved, ages ago!
Hendo
March 12th, 2010 at 12:38 am
Email verification is a great way to lose users – I would much rather serve a captcha to someone than have them a) go to their email (assuming the verification email arrives promptly) and then b) have to click on *another* link in that email. Pretty cumbersome...
My question is this: why aren’t these “secure” AJAX forms implemented everywhere? Why do most sites still employ captcha for form verification?
Also, wouldn’t this “secure” form implementation work just as well for sign-in / sign-up forms as well? I’d love to never have to present captcha to users.
Thanks for any replies in advance!
eryk
April 10th, 2010 at 7:54 am
Thank you for this nice post
geryk
April 10th, 2010 at 9:19 am
This cool post, thanks
dine
April 10th, 2010 at 10:31 am
Ok! Super post
Mike
May 7th, 2010 at 10:59 am
Awesome post Jack. I was actually going to use Captcha in my guestbook I am writing for a wedding website. But then I found this post while googling captcha methods. This method makes a lot more sense to me. I will try this out first.
Thanks!
Kevin Cabrera
June 9th, 2010 at 1:19 am
As a leading provider of internet search solutions including Link Building, SEO and Internet Marketing, we offer a high quality service and best value for money, with proven results. Please contact us if you are interested.
Huge Collection Of Ajax Tutorials And Techniques | Design your way
June 23rd, 2010 at 2:15 pm
[...] Safer Contact Forms Without CAPTCHAs [...]
George
June 28th, 2010 at 6:45 am
Hi
I like the idea of this solution and it works for me in most browsers except Internet Explorer. The session is halted after submitting the form. I’ve tested on IE8 and IE6 on different computers in various locations. Is this a common problem and is there something I can do to make this work?
JJ
July 6th, 2010 at 3:04 pm
Sorry, I know I’m going to get killed for asking this but how do you set the target recipient? I’m totally new to jQuery, I’ve used forms in the past but always with the cumbersome captcha method. I’ve gone through the code but I can’t see how to set recipients etc?
Thanks and go easy on me
stef
October 5th, 2010 at 8:18 am
Just what I’m looking for, but all 3 links won’t work, or am I missing something?
Too bad
Just let me know if you update the links
pinky
October 5th, 2010 at 11:46 pm
Hi,
I have created a JSP page…
Whenever the user enters a valid username, the captcha image will appear…
The problem is, when the user types an invalid username and clicks the submit button, an alert box appears with respect to the captcha, wherein the captcha image is not displayed…
Please do help me out…
Detas - Gebze Nakliyat
December 6th, 2010 at 4:27 am
Very very good article. Thanks a lot…
love royalty free photos
February 14th, 2011 at 5:56 pm
Wonderful opinion. I totally agree with you! For better visitors for your blog I suggest to choose more royalty free images… You can borrow them on my site cheap photo. Thanks for posting. You are right. I’ve tried all these steps including commenting on other blogs.. Very helpful information
art
April 15th, 2011 at 1:30 pm
My god
art
April 15th, 2011 at 1:31 pm
Are you OK?
Hotel Istanbul
April 27th, 2011 at 10:03 pm
Uhh no, page not found error again. I don’t know why links are usually broken on this site…
Loans Cash Advances
May 1st, 2011 at 10:47 pm
I know this is off topic but I’m looking into starting my own blog and was curious what all is needed to get set up? I’m assuming having a blog like yours would cost a pretty penny? I’m not very internet savvy so I’m not 100% positive. Any tips or advice would be greatly appreciated. Appreciate it
25 Excellent Ajax Techniques and Examples | graftek.net
May 10th, 2011 at 8:16 am
[...] 12. Safer Contact Forms Without CAPTCHAs [...]
Tennie Curts
June 10th, 2011 at 12:43 am
Heya! I understand this is sort of off-topic but I had to ask. Does operating a well-established blog like yours require a lot of work? I’m completely new to running a blog however I do write in my diary every day. I’d like to start a blog so I can share my experience and thoughts online. Please let me know if you have any kind of ideas or tips for brand new aspiring blog owners. Appreciate it!
Elena Watt
June 14th, 2011 at 4:40 am
Hi,
My name is Elena, Web Marketing Consultant. I have greatly enjoyed looking through your site 15daysofjquery.com and I was wondering if you would be interested in exchanging links with my website. I can offer you a home page link back from my pagerank 4 blog: http://openuy.org/. In return I would like a link back to one of our casual gaming sites.
If you are interested, please send me the following details of your site:
TITLE:
URL:
I’ll add your link as soon as possible, in the next 24 hours. As soon as it’s ready, I’ll send you a confirmation email along with the information (TITLE and URL) regarding my site to be placed at yours.
I hope you will take us up on the offer. For further details please don’t hesitate to contact me.
Kind regards
Elena Watt
Webmaster
Maia Ginanni
June 15th, 2011 at 11:10 am
I have come to understand that charges for on-line degree gurus tend to be an awesome value. For instance a full Bachelor’s Degree in Communication from The University of Phoenix Online consists of Sixty credits from $515/credit or $30,900. Also American Intercontinental University Online provides a Bachelors of Business Administration with a overall study course feature of 180 units and a tariff of $30,560. Online learning has made getting your certification been so cool because you might earn your degree through the comfort of your dwelling place and when you finish from office. Thanks for all other tips I have learned through your site.
mantolama
July 6th, 2011 at 5:50 am
We are here with cladding and roofing services in Kartal, Istanbul. Thank you
Cosetta
July 7th, 2011 at 6:36 pm
lol…. that is an awesome idea!
ipod in wall docking station
July 11th, 2011 at 8:01 am
Probably one of the favorite models in the UK today, the Three Facet Victorian Style conservatory is elegant in its simplistic ambience. The conservatory is three faceted, that refers to the general essence of the conservatory.
photographer ealing
July 13th, 2011 at 1:51 pm
If you need to get some pictures made, then why not the very best work done? You need to collect those wonderful memories.
web tasarım pendik
August 2nd, 2011 at 4:09 pm
I wrote something for everyone in this blog, very loved friends know my birthday today, I congratulate myself, and everyone’s birthday in advance
LJ
August 6th, 2011 at 5:16 pm
I find it more than ironic that this forum has spam posted in it…
home security systems fort lauderdale
August 8th, 2011 at 1:08 am
home security systems fort lauderdale…
Monday post on home security systems fort lauderdale Find the best bargains for best security camera systems for home…
25 Excellent Ajax Techniques and Examples | Kappa Techie's Tips and Tricks
August 9th, 2011 at 7:20 am
[...] 12. Safer Contact Forms Without CAPTCHAs [...]
Mopshund
August 28th, 2011 at 9:54 am
This blog should be printed out and put on every lantern in the city
this too is a captcha
September 14th, 2011 at 3:30 am
The proposed solution is not a “form without CAPTCHA”, it’s just without a user-interactive text recognition type of CAPTCHA, but it uses an automatic javascript CAPTCHA. CAPTCHAs don’t have to use user interaction nor images. Whatever automatic way of differentiating between bots and humans you think of, it will be a CAPTCHA.
engin
September 21st, 2011 at 3:33 am
This is a good idea
servis
September 26th, 2011 at 4:39 am
This is perfect
su deposu
October 11th, 2011 at 8:03 am
Have a CAPTCHA in the form which is removed by JS. This way works with JS off.
Lillie Burks
November 1st, 2011 at 10:20 pm
Hello, I would like to share one of my favorite motivational fitness quotes with you and your readers: “When it comes to eating right and exercising, there is no I’ll start tomorrow. Tomorrow is disease.” – V.L. Allinear
Polovni Automobili
November 7th, 2011 at 6:19 am
Good work. Thanks for the info. Very useful tips indeed.
Polovni automobili
watch anonymous 2011 full movie
January 9th, 2012 at 8:01 pm
My WebLog…
[...]while the sites we link to below are completely unrelated to ours, we think they are worth a read, so have a look[...]…