The following is a modification for php-fusion that I'm currently trying to adapt for eFiction. This mod displays a random security question when a new account is registered. These are simple questions like "What's the capital of England?" and can be customized to prevent unwanted spam registrations. It's imho a better alternative for the annoying captchas.
OK, let's start simple. At first we need the arrays for questions and answers:
//The questions
$secure_ask = array(
    1 => "First question?",
    2 => "2nd question",
    3 => "3rd question",
    4 => "4th question",
    5 => "5th question");
//The answers
$secure_res = array(
    1 => "answer1",
    2 => "answer2",
    3 => "answer3",
    4 => "answer4",
    5 => "answer5");
Now some language strings for en.php:
define ("_REG_QUESTION", "Security question");
define ("_REG_QUESTION_ERROR1", "The security question has not been answered!");
define ("_REG_QUESTION_ERROR2", "The security question has been answered wrong!");
And now the hardest part of the work. I think the following code has to be placed somewhere in editbio.php, but the file is a little too complicated for me.
// Read the submitted answer and the number of the question that was asked
$secure_con = isset($_POST['user_secure_con']) ? trim($_POST['user_secure_con']) : "";
$secure_num = isset($_POST['user_secure_zahl']) ? trim($_POST['user_secure_zahl']) : "";
if ($secure_con == "" || $secure_num == "") {
    // Nothing was entered
    $output .= write_error(_REG_QUESTION_ERROR1);
}
elseif (!isset($secure_res[$secure_num]) || strtolower($secure_res[$secure_num]) != strtolower($secure_con)) {
    // Unknown question number or wrong answer
    $output .= write_error(_REG_QUESTION_ERROR2);
}
And now the rest of the code, including the random function and form elements. I'll do the html coding later, these are just the necessary fields:
//the random function
// mt_rand() seeds itself, so no srand() call is needed
$zahl = mt_rand(1, count($secure_ask));
$output .= _REG_QUESTION . ":";
$output .= $secure_ask[$zahl] . " * :";
$output .= "<input type='text' name='user_secure_con' maxlength='100'>";
$output .= "<input type='hidden' name='user_secure_zahl' value='".$zahl."'>";
The script works with a test form, but I'm not sure how to integrate it in eFiction, especially the processing part. Is anyone able to help me how to do this or if this mod is possible at all?
Thanks, Steffen
I'm attempting to get this to work, though I am testing it in place of the captcha in the contact.php page. Since this page is much less busy than user.php, I figured it was a good place to start.
I'm close to getting this, but when I enter the answer to the question in the text field and click the submit button (as part of the contact us form) I receive error2, that the answer didn't match.
I have a limited understanding of php, I usually just tinker with other people's code. But this time I'm stumped. I'm not sure how the answers are supposed to match as the $secure_res only makes an appearance in one other part of the script.
Anyways, any help would be great.
I guess one of the important things to ask is should all the parts of the code suggested above be placed within the same document?
~Shadowess
Hm... I don't think that's better than captcha. You have an array and you can have as many questions as you want, they're picked at random and the user needs to give the right answer to complete the registration.
Two problems:
1. Maybe the user doesn't know the right answer.
2. The malicious script just needs to know one of the answers and try submitting it again 'til the random question & answer match the answer the script is providing.
Captcha is better because the verification is always random. You can change the fonts including some here: eFiction_ROOT/includes/cFonts
Two problems:
1. Maybe the user doesn't know the right answer.
Hehe, who wants to be a millionaire? I wouldn't use such complicated questions like "What's the smallest village in Timbuktu?"
2. The malicious script just needs to know one of the answers and try submitting it again 'til the random question & answer match the answer the script is providing.
Maybe, but many of these spam-robots are programmed with a specific search pattern. They are looking for websites which have the same characteristics. If they are using a popular portal system, forum, cms etc. But if you make modifications to one of the portals, the spam robots are not able to follow these mods. So if I replace the standard captcha routine with my mod, spam registrations are mostly blocked. I did it with all my php-fusion installations and never(!) had any of these stupid blue pill dealers in my database since then!
Captcha is better because the verification is always random.
Random, but less secure. I've seen some forums that have graphical captchas, but the spammers are nevertheless able to register. And the stronger the captchas are, the harder they are to read. More and more sites became inaccessible because of captchas, not just for visually impaired people like me. They are annoying, they are bad for the world, they are.... bullshit!!!!
I have read about some other methods that sound interesting. Hidden fields with CSS, fake submit buttons and so on. Maybe these methods are a good alternative to a captcha system if they are combined together.
Steffen
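The two weaknesses raised in this thread (the question number travels in a hidden field that the client controls, and a bot can keep resubmitting one known answer) and the CSS-hidden field idea can all be handled on the server. The following is an added example, not code from php-fusion, eFiction or any poster here; issue_question(), check_answer(), MAX_FAILS, the 'website' honeypot field and the plain $session array standing in for $_SESSION are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample data.
const MAX_FAILS = 3;
$secure_ask = [1 => "First question?", 2 => "2nd question", 3 => "3rd question"];
$secure_res = [1 => "answer1", 2 => "answer2", 3 => "answer3"];

// Choose the question on the server and remember its number in the session,
// so the form no longer needs the hidden user_secure_zahl field.
function issue_question(array &$session, array $ask): string
{
    $session['q'] = random_int(1, count($ask));
    return $ask[$session['q']];
}

function check_answer(array &$session, array $post, array $res): string
{
    // Honeypot: 'website' is an input hidden with CSS; people leave it empty.
    if (!empty($post['website'])) {
        return 'bot';
    }
    $q = $session['q'] ?? null;
    unset($session['q']);            // each issued question is good for one attempt
    $fails = $session['fails'] ?? 0;
    if ($fails >= MAX_FAILS) {
        return 'locked';             // session-keyed here; key on IP or similar in practice
    }
    $given = strtolower(trim((string) ($post['user_secure_con'] ?? '')));
    if ($q !== null && $given !== '' && $given === strtolower($res[$q])) {
        return 'ok';
    }
    $session['fails'] = $fails + 1;
    return 'wrong';
}

// Demo with a plain array standing in for $_SESSION (runs from the CLI).
$session = [];
issue_question($session, $secure_ask);
$right = $secure_res[$session['q']];
echo check_answer($session, ['user_secure_con' => strtoupper($right)], $secure_res), "\n";
// Same answer sent again without requesting a new question:
echo check_answer($session, ['user_secure_con' => $right], $secure_res), "\n";
issue_question($session, $secure_ask);
echo check_answer($session, ['user_secure_con' => 'x', 'website' => 'filled'], $secure_res), "\n";
```

In a real form handler, $session would be $_SESSION after session_start(), and issue_question() would run each time the form is rendered.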
Nothing is 100% secure. The reason these questions are more secure right now than the captchas is because they aren't as popular. All a hacker has to do to get around a question is some social engineering. They'll write a bot to read your form then that bot will display the same registration form at a porn site they've set up. A real live human will fill it out for them and then they'll submit it to you. PHP-Fusion's captcha is crap. I was getting spam on my work site which is why I wrote the captcha we're using...to replace PHP-Fusion's captcha. I haven't had a spam bot get in since at my work site. As senji pointed out you can customize our captcha by changing the fonts in the includes/cFonts/ folder. This will reduce the chances that the spambots can read the captcha. It works on the same basis as your changes, once you've customized from the base of the program it throws the bots off.
