It is not uncommon for anyone running a website to get users registering for it. Sometimes it’s one every couple of days or weeks, sometimes multiple registrations per minute. The one thing the entire spectrum has to deal with, though, is making sure the user is a person: someone who types in the name, password, and extra details. Granted, if the “hacker” is rich enough, they can pay other real people to log in and start spamming links, or try to be a scam artist asking for someone’s password and all that other good stuff. Here are a few unobtrusive ways to help prevent these things from happening.
(Note: all JavaScript code here deliberately uses the jQuery JavaScript library.)
Making Sure They’re Real
The most common and popular way to check for this is to use what’s called a CAPTCHA. That, however, can be bypassed. There are a lot of new versions of it coming out that try to fool bots using new and interesting transformation techniques. The most popular so far is called reCAPTCHA. This is all well and good, but I feel there are better ways to prove humanity, things I’ve seen on other sites, some only in demonstration.
Pop Quiz
The pop-quiz method (as I call it) is a simple little test asking the human a basic math question, such as “What is 4 + 3?” The numbers are of course randomized, and JavaScript is used to check whether the answer is correct.

```javascript
// Pick two random integers from 1 to 10 and show them in the question.
var num1 = Math.floor((Math.random() * 10) + 1);
var num2 = Math.floor((Math.random() * 10) + 1);
var sum = num1 + num2;
$("#s_num1").text( num1 );
$("#s_num2").text( num2 );

// Block the submit unless the typed answer matches the calculated sum.
$("#f_register").submit(function(){
  if( parseInt($("#i_sum").val(), 10) !== sum ){
    alert( "You're not human!" );
    return false;
  }
});
```

It is assumed in the above piece of code that the answer the user puts in is contained in an input box with the id “i_sum”. The two values to be added are in span tags with the ids “s_num1” and “s_num2” respectively. It checks whether the value in i_sum is the same as the calculated sum; if so, it lets the form submit, otherwise it pops up an alert (or does whatever else is needed to notify the user that the answer was wrong and they are presumed not to be human) and returns false. The “return false;” statement is crucial, as that is what prevents the form from actually submitting.
Focal Blur
The focal blur scheme (again, my own naming) detects whether or not a user clicked on, or otherwise used, any or all of the elements within the form. As long as the user causes the focus event to fire, they are actively clicking on an element, and then making it blur as they leave it.

```javascript
// Assumes two hidden inputs in the form with ids "h_focusTest" and "h_blurTest".
// Refuse the submit unless at least one of the hidden flags was set.
$("#f_register").submit(function(){
  if( $("#h_focusTest").val() != "true" && $("#h_blurTest").val() != "true" ){
    alert( "You're not human!" );
    return false;
  }
});

// Set the flags when the username field gains focus and when it loses it again.
$("#i_username").focus(function(){ $("#h_focusTest").val( "true" ); });
$("#i_username").blur(function(){ $("#h_blurTest").val( "true" ); });
```

This check banks on the fact that some (if not most) bots that I know of only analyze the HTML of the page, fill out all the form elements (without triggering either the focus or the blur event) and then submit it. Some bots, however, are smarter than that: they analyze the HTML but send a POST request to the server directly with the information. Lucky for us, we can also double-check this server side.

```php
<?php
// The hidden flags arrive as ordinary POST fields; treat a missing field as "not set".
$focused = isset($_POST['h_focusTest']) && $_POST['h_focusTest'] == "true";
$blurred = isset($_POST['h_blurTest'])  && $_POST['h_blurTest']  == "true";
if( !$focused && !$blurred )
    //Say screw it, and die mercilessly.
    die( "You faker..." );
?>
```
Beat the Clock
Well, not really. This method is, as the name may allude to, a timing verification, but instead of beating a clock you have to lose to it. It takes time to type in all that information (some registration forms are worse than others), so even if the bot has the ability to trigger the focus and blur events, it’s not going to take long to fill out the form; at least, not as long as a normal human would. So, given a regular registration form (username, password, and email), a normal human would take maybe 4 to 6 seconds, depending on how good they are with the keyboard, to get through it all and hit the enter key. If you time it, and the time from the first focus event to the submit action being fired is less than that, then you have one of two things on your hands: a user with mad keyboard skills, or a bot.

```javascript
// Millisecond timestamp, the JavaScript near-equivalent of PHP's microtime( true ).
function micro() {
  var d = new Date();
  return Date.UTC( d.getFullYear(), d.getMonth(), d.getDate(),
                   d.getHours(), d.getMinutes(), d.getSeconds(), d.getMilliseconds() );
}
//========
var startTime = null;

$("#f_register").submit(function(){
  var finishTime = micro();
  var total = finishTime - startTime;
  alert( total ); // debugging output: shows the elapsed time on every submit
  // No focus event at all (startTime still null) is treated the same as being too fast.
  if( startTime == null || total < 2500 ){
    alert( "Time: You're not human!" );
    return false;
  }
  $("#h_time").val( total ); // posted to the server in a hidden input
});

// Start the clock the first time the username field gets focus.
$("#i_username").focus(function(){
  if( startTime == null ) startTime = micro();
});
```

The function micro() returns the JavaScript near-equivalent of PHP’s microtime( true ) function call, with the result in milliseconds (meaning 1 second == 1000, 2 seconds == 2000, etc.). I have my limit set to 2500 (or 2.5 seconds) because in my tests I averaged about 3.5 or 4 seconds. However, I understand that a username, password, and email with no math question, especially with small values in each field, doesn’t take that long to fill out, especially if you’re good at typing. 2000 is also a good limit to have, especially if you don’t have the math question to prove humanity.
Limitations
As I’ve mentioned in previous blog posts, everything is hackable. This also applies to the three methods above, through the use of one simple tool: another human. Some people get paid to register and log into sites and then spam the community there, or do other work that is detrimental to the community (e.g. steal someone’s account on Gaia Online and take all of their items). However, if you require the human touch, then you’re important, so give yourself a pat on the back for being important, and then ban the user.
In summary, there are ways outside of a CAPTCHA to validate a user, so don’t depend on just that one thing to do the work for you. Concerning the onfocus JavaScript event, there are many, many more ways you can use it to prove that a user is human (forcing them to click on a colored square, for instance), so use your imagination and let it go wild. However, another downfall with CAPTCHAs is that sometimes they’re unusable because the user can’t read the warped message. With that in mind, make sure that your users (who you should expect to be VERY dumb indeed) can solve it easily, or better yet don’t have to do any extra work at all, with the verification happening behind the scenes (as with the Focal Blur and Beat the Clock types).
Remember, your website is owned by your users. They are the ones that use it. Make sure they can do so, and at the same time make sure they enjoy doing so, above all else.