Support » Plugin: Participants Database » Simple Captcha workaround is being undermined

  • Resolved bfbraum

    (@bfbraum)


    Hi. In a different thread, you linked to a simple way to implement a captcha feature in Participants Database. I’ve used it effectively for a while, but over the past day or two it’s started to fail inexplicably.

    At first, I asked people signing up to enter, as a number, the sum of seven and three, and I required regex/match #^10$# for the form to be submitted. Spam entries started blowing through that yesterday, so I changed the numbers… same result. Next, I changed the question to “What is the capital of Ohio?,” with “[enter name here]” as the default, and required regex/match #^Columbus$# for the form to be submitted. I tried submitting an entry myself, and the Columbus captcha worked as expected: it rejected my entry until I actually typed “Columbus” into the field. To my considerable surprise, about ten minutes later I got my first spam entry. Even more surprising, the captcha field in the database was populated with “[enter name here]”… it looks as though it somehow managed to bypass that required field altogether.

    The form is here, in case that helps. Any suggestions or ideas would be much appreciated.

    http://wordpress.org/extend/plugins/participants-database/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author xnau webdesign

    (@xnau)

Well, I’m not at the moment sure how this is happening, but spammers will get very crafty, and can often find ways to submit their content directly to scripts in a way that bypasses validation.

    I do have a couple of better spam-blocking methods in development for the next update, but I will look into this and figure out how it’s being done.

    Meanwhile, since it looks like you are not publishing what is posted, you can simply ignore the entries until I can find a solution. I definitely want to plug this hole, so I’ll get back to you on this.

    Plugin Author xnau webdesign

    (@xnau)

    bfbraum,

    If you are willing, I’d like to work with you more closely to develop a solution to this. Email me at support AT xnau.com if you’re interested.

    I am also experiencing the same problem and am looking for any ideas/suggestions.

    thank you.

    Plugin Author xnau webdesign

    (@xnau)

    JackieClements,

Submissions are being accepted without a correct response for the CAPTCHA?

    Yes, I am using your suggestion listed in the FAQ section: “Create a text-line field with the question “what is the sum of 10 and 7?” then put in a regex to verify the answer: #^17$#”

    Here is the form if it helps

    I am still getting tons of submissions that have not answered the question at all.

    Plugin Author xnau webdesign

    (@xnau)

    But are the spam submissions coming in with the question filled in correctly?

    No, the question is not being answered at all. That field is blank as if it were not required.

    Plugin Author xnau webdesign

    (@xnau)

    OK, what I have for you is a simple mechanism for foiling comment spam scripts. I have something similar planned for the next release of the plugin, but this will cover you until then. This is for version 1.4.9.3 only.

In the main plugin file (participants-database.php), on line 1790, you’ll find:

    if (!isset($_POST['subsource']) or $_POST['subsource'] != self::PLUGIN_NAME or !isset($_POST['action']))
          return NULL;

    After that, on line 1792, insert this:

    if (self::check_spam_cookie() === false) return;

    Next, on line 1786, you’ll find:

    // processes any POST requests for the submitted edit page

    Above that, on line 1785, insert this function:

    public static function check_spam_cookie()
      {
        // no cookie at all: the form page was never loaded in a browser
        if (!isset($_COOKIE[self::$css_prefix . 'formcheck'])) {
          return false;
        } else {
          // the cookie value is client-supplied, so cast before doing arithmetic on it
          $elapsed_time = time() - (int) $_COOKIE[self::$css_prefix . 'formcheck'];
          /*
           * check to see that the time between loading the form and submitting it
           * is reasonable for a human visitor. In this case between 2 seconds and 3
           * minutes. Adjust this to your own values if you want.
           */
          if ($elapsed_time < 2 or $elapsed_time > (3 * 60)) {
            return false;
          }
        }
        return true;
      }

    Lastly, on line 222, you’ll find:

    public static function init() {

    After that, on line 223, insert this:

    // set a cookie marking the time the page is loaded (expire 0 = session cookie, path '/')
    setcookie(self::$css_prefix . 'formcheck', time(), 0, '/');

    This code is based on an idea by Donncha O Caoimh who created an effective comment spam prevention plugin called Cookies for Comments.
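    As an added example (not the plugin’s code and not from anyone in this thread), the same load-time cookie check with the timestamp protected by an HMAC, so a submission script cannot simply present a cookie carrying a plausible load time of its own choosing. The secret constant, the cookie name and the time window are assumptions; in a WordPress install the secret would come from wp-config.php.

```php
<?php
// Added example: HMAC-signed variant of the formcheck cookie described above.
// FORMCHECK_SECRET is a placeholder; use a long random value kept server-side.
const FORMCHECK_SECRET = 'replace-with-a-long-random-secret';
const FORMCHECK_MIN = 2;        // seconds: faster than this is not a human
const FORMCHECK_MAX = 3 * 60;   // seconds: slower than this, the token is stale

// Cookie value to set when the form page is rendered: "<timestamp>.<hmac>".
function formcheck_token(int $issued_at): string {
    $mac = hash_hmac('sha256', (string) $issued_at, FORMCHECK_SECRET);
    return $issued_at . '.' . $mac;
}

// Validate the cookie on submission. True only if the token is intact
// (minted with the secret, timestamp unaltered) and the elapsed time is
// within the human window.
function formcheck_valid(?string $token, int $now): bool {
    if ($token === null || strpos($token, '.') === false) {
        return false;   // cookie missing or malformed: treat as a script
    }
    [$issued_at, $mac] = explode('.', $token, 2);
    if (!ctype_digit($issued_at)) {
        return false;   // timestamp part is not a plain integer
    }
    $expected = hash_hmac('sha256', $issued_at, FORMCHECK_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false;   // timestamp was altered or minted without the secret
    }
    $elapsed = $now - (int) $issued_at;
    return $elapsed >= FORMCHECK_MIN && $elapsed <= FORMCHECK_MAX;
}

// Page load (same call shape as the snippet in the thread; cookie name assumed):
// setcookie('pdb-formcheck', formcheck_token(time()), 0, '/');

// Constructed checks that run without a web server.
$t0  = 1700000000;
$tok = formcheck_token($t0);
var_dump(formcheck_valid($tok, $t0 + 30));              // submitted after 30 s
var_dump(formcheck_valid($tok, $t0 + 1));               // submitted after 1 s
var_dump(formcheck_valid($tok, $t0 + 200));             // submitted after 200 s
var_dump(formcheck_valid(($t0 - 60) . '.badmac', $t0)); // timestamp without a valid HMAC
var_dump(formcheck_valid(null, $t0 + 30));              // no cookie sent at all
```

    The plaintext version in the thread still stops scripts that never load the form page; the signed version additionally rejects any cookie the client fabricates itself.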

    I also have experience of users being able to leave blank required fields.

    Em

    Thank you, I have implemented this and will let you know if this has solved the problem.

    Hi! I try to install a simple Captcha according to your instructions http://wordpress.org/extend/plugins/participants-database/faq/ but I don’t succeed. Why does the extra field not show up?
    This is my page: http://germancenterhouston.org/join/
    I’m sorry to bother you with such a basic question! Cornelia

    Plugin Author xnau webdesign

    (@xnau)

    On the “manage database fields” page, check that your new field has “signup” checked.

    I don’t see what you mean, sorry! Where is “signup” in the Manage Database Fields?

    Plugin Author xnau webdesign

    (@xnau)

    On the right side of the table where your fields are defined there is a column marked “signup” which is where you would select the fields to show in your signup form.

    Ah, blind!!! It works!!!! thanks a lot
