[thelist] junk entry into forms (captcha?)

Bill Moseley moseley at hank.org
Wed Feb 7 09:26:41 CST 2007

On Wed, Feb 07, 2007 at 11:47:41AM +0000, Austin Harris wrote:
> Morning all,
> Just had a (very old) client get in touch and the order form that I
> made for them a fair few yesra ago is now getting hammered - about
> 50 - 100 per day.

Besides captchas:

I find requiring them to fetch the form first stops most of these

If the application already has sessions I include a token that is only
valid once for a post and will time out.  So they have to fetch the
form before submitting to it.

Without sessions, the other thing I've done is take the time in
minutes plus a secret word and hash it.  Then when the form is posted
I calculate the current time and step backwards X number of minutes
until the hash matches.  That way I know they fetched the form within
the last X minutes.

It's amazing how often I can't read the captcha images myself.

Bill Moseley
moseley at hank.org

More information about the thelist mailing list