PHP-验证码替换 [英] PHP - Captcha replacement

问题描述

对于实现反垃圾邮件解决方案，我需要您对以下代码发表意见：

I need your opinions on this code for implementing a anti-spam solution:

• 在生成页面/表单时，随机字符串被创建，例如。例如 $ string = md5（$ _ SERVER ['REMOTE_ADDR']）


• 此字符串已插入数据库，并设置为过期假设2个小时之后，我们就不会填满数据库了。


• 在页面加载时，表单具有一个没有值的隐藏输入字段，我们将其命名为 spam_check


• 页面加载AJAX请求后10、15或20秒会自动触发尝试检索该 $ string 从数据库&填写 spam_check 输入值。


• 提交表单后，我们在 $ string 和 $ _ POST ['spam_check'] ，如果它们不匹配，则说明该邮件是垃圾邮件...
  

• When page/form is generated, a random string is created, eg. like $string = md5($_SERVER['REMOTE_ADDR'])
• this string is inserted in the database, and set to expire after let's say 2 hours so we don't fill up database
• On page load, the form has a hidden input field with no value, let's name it spam_check
• 10, 15 or 20 secs after the page has loaded a AJAX request automatically fires off that attempts to retrieve that $string from the db & fill out spam_check input value with it.
• when the form is submitted, we perform a simple check between the $string from the db and $_POST['spam_check'], if they don't match the message is spam...

这是个好主意吗？它有多安全？
明显的优点是它不需要访问者采取任何操作，例如阅读验证码等。

Is this a good idea? How secure is it? The obvious advantage is that it doesn't require any action from the visitor, like reading a captcha etc.

推荐答案

有趣。我会警惕地将其视为解决垃圾邮件/替换capcha的解决方案，但这确实使垃圾邮件发送者的生活更加困难。

Interesting. I'd be wary of thinking of it as a solution to spam / replacement for capcha, but it does make the spammers life more difficult.

但是您应该计划如何处理在禁用了javascript的情况下（可能还有CSS）-例如通过为表单分配一个div，但保留默认消息，然后使用javascript将表单写入表单（内联而不是等待onload / pageready）。

However you should plan for dealing with cases where javascript is disabled (and potentially CSS too) - e.g. by assigning a div for the form, but leaving it with a default message, then writing the form into it using javascript (inline rather than waiting for onload/pageready).

$ string = md5（$ _ SERVER ['REMOTE_ADDR']）

$string = md5($_SERVER['REMOTE_ADDR'])

这不是随机值-它不会改变。考虑：

This is not a random value - and it won't change. Consider:

$ string = sha1（$ _ SERVER ['REMOTE_ADDR']。rand（1000）.time（））;

$string = sha1($_SERVER['REMOTE_ADDR'].rand(1000).time());

（尽管底层算法需要更多操作，sha1还是比md5快）。

(sha1 is slightly faster than md5 despite the underlying algorithm requiring more ops).

使用会话可能是一个好主意，并且：

It might be a good idea to use a session, and:

$ _ SERVER ['string'] = sha1（session_id（）。 rand（1000）.time（））;

$_SERVER['string'] = sha1(session_id().rand(1000).time());

这篇关于PHP-验证码替换的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！