#169 Anti-Bot Reg System (hidden fields)


A few edits to the registration system.

Basically, it is to help stop a few bots from registering.

It will not stop all bots but it will prevent some.

It does not use CAPTCHA (which is also useless at preventing many bot registrations).

Basically, the hack adds 3 new fields to the registration form. These fields are hidden from the user so that user input can't be made on those specific fields.

I have labelled the fields user_name, user_email & user_url.

The idea is to trick the automated bot into inputting data to those fields.

If you are aware of how bots function, you will know that they do not always use the registration form itself; they scan the form and then fill out the appropriate fields. An email field, URL field & username field are what a bot will enter its details in, so we try to trick the bot into entering data into those fields.

Upon submission, these fields are then checked. If those fields contain data or are not empty fields, then we know that a human has not filled out the form and registration is halted.

As I say, it's not foolproof, but neither is CAPTCHA. But it will help in some regards.


  • Vaughan

    anti-bot registration system (non captcha)

  • Herko Coomans

    Logged In: YES
    Originator: NO

    Ehm, maybe I'm being too obvious here, but if I were to make a bot, I wouldn't have it providing input on fields marked 'hidden', as no user would provide input for those fields. So all a bot would have to do is ignore input type='hidden' fields, and you're good to go. Very safe prevention, that is...

  • Vaughan

    Logged In: YES
    Originator: YES

    Well, like I said, it's not foolproof, and it can be improved upon. CAPTCHA is not foolproof either, with a very high percentage of bots being able to crack the CAPTCHA.

    But this method does not affect human usability as it's in the background. Another method that could be added is a timer on the submit form, i.e. it would be physically impossible for a human to fill in the registration form in under 10 seconds, so if the form is submitted within 10 seconds of being called, then we also know it's not a human filling the form in.

    You could also check the user-agent & IP address, because bots change their IP and user-agent frequently, so the bot could have a new IP address before it even finishes the registration.

    Another method would be to issue a $string variable to the $_POST form, and also issue that same $string to the PHP SESSION itself, and if both $_POST & SESSION contain different values, we know at least that a human hasn't entered the info. This method would prevent bots that use CURL to input data, because when using CURL only the SESSION would contain the $string & $_POST would be empty because the reg form is not being used, so on comparing them they would not be the same values. As I say, that method would prevent bots that use CURL from registering.
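
The three checks discussed in this thread (the hidden fields must stay empty, the form must not come back in under 10 seconds, and a token in $_POST must match the one stored in the session), combined in one server-side validator. This is an added example, not part of any post here and not XOOPS code; the field names user_name, user_email and user_url are from the original post, while reg_token, reg_issued_at and both function names are assumptions.

```php
<?php
// Added example, not XOOPS code. Honeypot field names are from the post;
// reg_token, reg_issued_at and the function names are hypothetical.
const HONEYPOT_FIELDS = ['user_name', 'user_email', 'user_url'];
const MIN_FILL_SECONDS = 10; // threshold suggested in the thread

// Call when rendering the form: records token and issue time in the session
// and returns the token to embed in the form.
function issue_registration_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['reg_token'] = $token;
    $session['reg_issued_at'] = $now;
    return $token;
}

// Returns the reasons to reject a submission; an empty array means it passed.
function check_registration(array $post, array &$session, int $now): array
{
    $reasons = [];
    foreach (HONEYPOT_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (is_array($value) || trim((string) $value) !== '') {
            $reasons[] = "honeypot field '$field' was filled in";
        }
    }
    $expected = $session['reg_token'] ?? null;
    $issuedAt = $session['reg_issued_at'] ?? null;
    unset($session['reg_token'], $session['reg_issued_at']); // single use
    $given = $post['reg_token'] ?? '';
    if (!is_string($expected) || !is_string($given) || !hash_equals($expected, $given)) {
        $reasons[] = 'form token missing or does not match the session';
    }
    if (!is_int($issuedAt) || $now - $issuedAt < MIN_FILL_SECONDS) {
        $reasons[] = 'submitted under ' . MIN_FILL_SECONDS . ' seconds after the form was issued';
    }
    return $reasons;
}

// Constructed sample: a scripted POST that fills every field 2 seconds after issue.
$session = [];
$token = issue_registration_token($session, 1000);
$botPost = ['user_name' => 'x', 'user_email' => 'x@example.com',
            'user_url' => 'http://example.com', 'reg_token' => $token];
print_r(check_registration($botPost, $session, 1002));
```

In a real handler the calls would be `issue_registration_token($_SESSION, time())` when the form is served and `check_registration($_POST, $_SESSION, time())` on submission.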

  • Mark Boyden

    Logged In: YES
    Originator: NO

    The issue is pertinent, but I agree we need a different solution. Also, it needs to be a solution that works for people with sight disability as several of the sites I built using XOOPS are used by people with sight disability. The CAPTCHA system works only for people who can see. I've seen another system (but don't know who did it) where there is a link to listen to the graphic as well.

    XOOPS needs integrated into the core, for developer use and call, something similar to the CAPTCHA system. And it should be a one-time call for each session so that users don't have to do it for EVERY search, submission, etc. And it may only need to be required by new users with less than X posts, anonymous users, etc. So, incorporating it into the core and giving module developers the ability to use it in their modules would be a positive move, especially if the core code is designed such that it isn't used/displayed once a user becomes "well-known" as a good site user.