Participants Database
[resolved] Simple Captcha workaround is being undermined (19 posts)

  1. bfbraum
    Member
    Posted 11 months ago #

    Hi. In a different thread, you linked to a simple way to implement a captcha feature in Participants Database. I've used it effectively for a while, but over the past day or two it's started to fail inexplicably.

    At first, I asked people signing up to enter, as a number, the sum of seven and three, and I required regex/match #^10$# for the form to be submitted. Spam entries started blowing through that yesterday, so I changed the numbers... same result. Next, I changed the question to "What is the capital of Ohio?," with "[enter name here]" as the default, and required regex/match #^Columbus$# for the form to be submitted. I tried submitting an entry myself, and the Columbus captcha worked as expected: it rejected my entry until I actually typed "Columbus" into the field. To my considerable surprise, about ten minutes later I got my first spam entry. Even more surprising, the captcha field in the database was populated with "[enter name here]"... it looks as though it somehow managed to bypass that required field altogether.

    The form is here, in case that helps. Any suggestions or ideas would be much appreciated.

    http://wordpress.org/extend/plugins/participants-database/

  2. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    Well, I'm not at the moment sure how this is happening, but spammers will get very crafty, and can often find ways to submit their content directly to scripts in a way that bypasses validation.

    I do have a couple of better spam-blocking methods in development for the next update, but I will look into this and figure out how it's being done.

    Meanwhile, since it looks like you are not publishing what is posted, you can simply ignore the entries until I can find a solution. I definitely want to plug this hole, so I'll get back to you on this.

  3. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    bfbraum,

    If you are willing, I'd like to work with you more closely to develop a solution to this. Email me at support AT xnau.com if you're interested.

  4. JackieClements
    Member
    Posted 11 months ago #

    I am also experiencing the same problem and am looking for any ideas/suggestions.

    thank you.

  5. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    JackieClements,

    Submissions are being accepted without a correct response for the CAPTCHA?

  6. JackieClements
    Member
    Posted 11 months ago #

    Yes, I am using your suggestion listed in the FAQ section: "Create a text-line field with the question "what is the sum of 10 and 7?" then put in a regex to verify the answer: #^17$#"

    Here is the form if it helps

    I am still getting tons of submissions that have not answered the question at all.

  7. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    But are the spam submissions coming in with the question filled in correctly?

  8. JackieClements
    Member
    Posted 11 months ago #

    No, the question is not being answered at all. That field is blank as if it were not required.

  9. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    OK, what I have for you is a simple mechanism for foiling comment spam scripts. I have something similar planned for the next release of the plugin, but this will cover you until then. This is for version 1.4.9.3 only.

    In the main plugin file (participants-database.php) on line 1790, you'll find:

    if (!isset($_POST['subsource']) or $_POST['subsource'] != self::PLUGIN_NAME or !isset($_POST['action']))
          return NULL;

    After that, on line 1792, insert this:

    if (self::check_spam_cookie() === false) return;

    Next, on line 1786, you'll find:

    // processes any POST requests for the submitted edit page

    Above that, on line 1785, insert this function:

    public static function check_spam_cookie()
      {
        if (!isset($_COOKIE[self::$css_prefix . 'formcheck'])) {
          return false;
        } else {
          $elapsed_time = time() - $_COOKIE[self::$css_prefix . 'formcheck'];
          /*
           * check to see that the time between loading the form and submitting it
           * is reasonable for a human visitor. In this case between 2 seconds and 3
           * minutes. Adjust this to your own values if you want.
           */
          if ($elapsed_time < 2 or $elapsed_time > (3 * 60)) {
            return false;
          }
        }
        return true;
      }

    Lastly, on line 222, you'll find:

    public static function init() {

    After that, on line 223, insert this:

    // set a cookie marking the time the page is loaded
        setcookie(self::$css_prefix . 'formcheck', time(), NULL, '/');

    This code is based on an idea by Donncha O Caoimh who created an effective comment spam prevention plugin called Cookies for Comments.
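
A hardened variant of the timing check from xnau's post above, as an added example that is not part of the thread or the plugin: the page-load timestamp is signed with an HMAC, so the server accepts only values it issued itself. `FORMCHECK_SECRET`, `formcheck_issue()` and `formcheck_verify()` are hypothetical names, and the timestamps in the demonstration are constructed.

```php
<?php
// Added example, not Participants Database code.
// FORMCHECK_SECRET is a placeholder: use a long random value kept server-side.
const FORMCHECK_SECRET = 'replace-with-long-random-secret';
const MIN_SECONDS = 2;        // same window as the post above: 2 seconds ...
const MAX_SECONDS = 3 * 60;   // ... to 3 minutes

/** Build the cookie value "timestamp.hmac" when the form page is rendered. */
function formcheck_issue(int $now): string
{
    $mac = hash_hmac('sha256', (string) $now, FORMCHECK_SECRET);
    return $now . '.' . $mac;
}

/** True only if the token is authentic and the elapsed time is plausible. */
function formcheck_verify(?string $token, int $now): bool
{
    // Missing cookie or wrong shape: reject, as check_spam_cookie() does.
    if ($token === null || substr_count($token, '.') !== 1) {
        return false;
    }
    [$ts, $mac] = explode('.', $token);
    if (!ctype_digit($ts)) {
        return false;
    }
    // Recompute the MAC and compare in constant time.
    $expected = hash_hmac('sha256', $ts, FORMCHECK_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    $elapsed = $now - (int) $ts;
    return $elapsed >= MIN_SECONDS && $elapsed <= MAX_SECONDS;
}

// Demonstration with constructed timestamps.
$loaded = 1700000000;
$token  = formcheck_issue($loaded);
$cases  = [
    'submitted after 30 s'   => formcheck_verify($token, $loaded + 30),
    'submitted after 1 s'    => formcheck_verify($token, $loaded + 1),
    'submitted after 10 min' => formcheck_verify($token, $loaded + 600),
    'unsigned timestamp'     => formcheck_verify((string) $loaded, $loaded + 30),
    'wrong signature'        => formcheck_verify($loaded . '.' . str_repeat('0', 64), $loaded + 30),
    'no cookie sent'         => formcheck_verify(null, $loaded + 30),
];
foreach ($cases as $label => $accepted) {
    echo str_pad($label, 24), $accepted ? 'accepted' : 'rejected', PHP_EOL;
}
```

In the plugin, the issued value would be set as the `formcheck` cookie in `init()` and verified at the point where `check_spam_cookie()` is called.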

  10. bw3em
    Member
    Posted 11 months ago #

    I also have experience of users being able to leave blank required fields.

    Em

  11. JackieClements
    Member
    Posted 11 months ago #

    Thank you, I have implemented this and will let you know if this has solved the problem.

  12. wander lustig
    Member
    Posted 11 months ago #

    Hi! I try to install a simple Captcha according to your instructions http://wordpress.org/extend/plugins/participants-database/faq/ but I don't succeed. Why does the extra field not show up?
    This is my page: http://germancenterhouston.org/join/
    I'm sorry to bother you with such a basic question! Cornelia

  13. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    On the "manage database fields" page, check that your new field has "signup" checked.

  14. wander lustig
    Member
    Posted 11 months ago #

    I don't see what you mean, sorry! Where is "signup" in the Manage Database Fields?

  15. xnau
    Member
    Plugin Author

    Posted 11 months ago #

    On the right side of the table where your fields are defined there is a column marked "signup" which is where you would select the fields to show in your signup form.

  16. wander lustig
    Member
    Posted 11 months ago #

    Ah, blind!!! It works!!!! thanks a lot

  17. wander lustig
    Member
    Posted 11 months ago #

    I just wanted to add something: the problem I had first was that I copied your suggestion above: #^17$#" and that is of course a little spelling mistake: you mean: #^17$#
    Maybe that helps someone else....

  18. indiadeveloper
    Member
    Posted 8 months ago #

    hello friends i used some programming and data-base tricks and

    the result is fully functional captcha field with this great plugin

    this captcha generates each time a new code same like the other captcha field

    here is the result you can see http://vmsinfotech.com/demowp/sign-up/

    thanks !!

  19. slowcoachl
    Member
    Posted 7 months ago #

    Hi India Developer

    I wonder if you could let us know how to set up this captcha or any simple captcha.
