PHP-验证码替换 [英] PHP - Captcha replacement
问题描述
对于实现反垃圾邮件解决方案,我需要您对以下代码发表意见:
I need your opinions on this code for implementing a anti-spam solution:
- 在生成页面/表单时,随机字符串被创建,例如。例如
$ string = md5($ _ SERVER ['REMOTE_ADDR'])
- 此字符串已插入数据库,并设置为过期假设2个小时之后,我们就不会填满数据库了。
- 在页面加载时,表单具有一个没有值的隐藏输入字段,我们将其命名为
spam_check
- 页面加载AJAX请求后10、15或20秒会自动触发尝试检索该
$ string $的请求c $ c>从数据库&填写
spam_check
输入值。 - 提交表单后,我们在
$ string
和$ _ POST ['spam_check']
,如果它们不匹配,则说明该邮件是垃圾邮件...
- When page/form is generated, a random string is created, eg. like
$string = md5($_SERVER['REMOTE_ADDR'])
- this string is inserted in the database, and set to expire after let's say 2 hours so we don't fill up database
- On page load, the form has a hidden input field with no value, let's name it
spam_check
- 10, 15 or 20 secs after the page has loaded a AJAX request automatically fires off that attempts to retrieve that
$string
from the db & fill outspam_check
input value with it. - when the form is submitted, we perform a simple check between the
$string
from the db and$_POST['spam_check']
, if they don't match the message is spam...
这是个好主意吗?它有多安全?
明显的优点是它不需要访问者采取任何操作,例如阅读验证码等。
Is this a good idea? How secure is it? The obvious advantage is that it doesn't require any action from the visitor, like reading a captcha etc.
推荐答案
有趣。我会警惕地将其视为解决垃圾邮件/替换capcha的解决方案,但这确实使垃圾邮件发送者的生活更加困难。
Interesting. I'd be wary of thinking of it as a solution to spam / replacement for capcha, but it does make the spammers life more difficult.
但是您应该计划如何处理在禁用了javascript的情况下(可能还有CSS)-例如通过为表单分配一个div,但保留默认消息,然后使用javascript将表单写入表单(内联而不是等待onload / pageready)。
However you should plan for dealing with cases where javascript is disabled (and potentially CSS too) - e.g. by assigning a div for the form, but leaving it with a default message, then writing the form into it using javascript (inline rather than waiting for onload/pageready).
$ string = md5($ _ SERVER ['REMOTE_ADDR'])
$string = md5($_SERVER['REMOTE_ADDR'])
这不是随机值-它不会改变。考虑:
This is not a random value - and it won't change. Consider:
$ string = sha1($ _ SERVER ['REMOTE_ADDR']。rand(1000).time());
$string = sha1($_SERVER['REMOTE_ADDR'].rand(1000).time());
(尽管底层算法需要更多操作,sha1还是比md5快)。
(sha1 is slightly faster than md5 despite the underlying algorithm requiring more ops).
使用会话可能是一个好主意,并且:
It might be a good idea to use a session, and:
$ _ SERVER ['string'] = sha1(session_id()。 rand(1000).time());
$_SERVER['string'] = sha1(session_id().rand(1000).time());
这篇关于PHP-验证码替换的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!