ColdFusion Alternative to Captcha?
I just watched a video from UGTV on Charlie Arehart’s website done by Jacob Munson. Near the end of the presentation Jacob was talking about how he changed his form names and it broke the spam bots that were hitting his site. He also talked about the concept of using a special key loaded into the session that could be used to check if the person was real or not. The consensus was that manual spammers sucked and you have to use something like Project Honey Pot to try and stop the manual spammers. Well, I agreed with Jacob and the others in the audience, that you have to employ a few different methods to feel even a little safe, but I liked the form name change and session key, so I put together a simple proof of concept. I am still trying to figure out how this method wouldn’t work for bots, so if you know of something let me know.
I started out by setting the appkey and then using it to encrypt the form:
<!--- session.appkey must already be set for this session --->
<cfoutput>
<form action="processForm.cfm" method="post">
    <input name="#cfusion_encrypt('firstname', session.appkey)#" type="text">
    <input name="#cfusion_encrypt('lastname', session.appkey)#" type="text">
    <input type="submit" value="go">
</form>
</cfoutput>
Then I run through the form and convert the keys back to usable strings; you simply use the new form struct instead of the form scope.
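<cfset newFrm = StructNew()>
<cfloop collection="#FORM#" item="g">
    <!--- FORM.fieldnames is added by ColdFusion itself and is not an encrypted name --->
    <cfif g neq "fieldnames">
        <cfset clearFormName = cfusion_decrypt(g, session.appkey)>
        <!--- 'true' lets a repeated key overwrite instead of throwing --->
        <cfset structInsert(newFrm, variables.clearFormName, FORM[g], 'true')>
    </cfif>
</cfloop>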
I figure if the bot is going to be looking through form definitions, then the constantly changing key will mess that up. I think it would be best if you used a really good key for the encryption and then used a different encryption method than the cfusion_encrypt. I just used that for a test. Any thoughts?
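A variant of the same idea with a stronger primitive, as an added example that is not code from the original post: field names are derived with HMAC-SHA256 under a random per-session key, and the server accepts only the names it expects instead of decrypting whatever arrives. It is written as one self-posting template; fieldName(), expected, clean and rejected are hypothetical names, and session management is assumed to be enabled for the application.

```cfml
<!--- Added example; fieldName(), expected, clean and rejected are hypothetical names. --->
<!--- Assumes session management is enabled for the application. --->
<cfscript>
// One random key per session; it never leaves the server.
if (!structKeyExists(session, "appkey")) {
    session.appkey = generateSecretKey("AES");
}

// Derive an opaque per-session field name. HMAC is one-way, so posted names
// are matched against the expected list rather than decrypted.
function fieldName(required string clearName) {
    return "f" & lcase(hmac(arguments.clearName, session.appkey, "HmacSHA256"));
}

// The only fields this form is allowed to submit.
expected = ["firstname", "lastname"];
</cfscript>

<cfif cgi.request_method eq "POST">
    <cfset clean = structNew()>
    <cfset rejected = false>
    <cfloop array="#expected#" index="n">
        <cfif structKeyExists(form, fieldName(n))>
            <cfset clean[n] = form[fieldName(n)]>
        <cfelse>
            <!--- A client posting the plain name, or a name from another session, lands here. --->
            <cfset rejected = true>
        </cfif>
    </cfloop>
    <cfif rejected>
        <cfheader statuscode="400" statustext="Bad Request">
        <cfabort>
    </cfif>
    <cfoutput>Hello #encodeForHTML(clean.firstname)# #encodeForHTML(clean.lastname)#</cfoutput>
<cfelse>
    <cfoutput>
    <form action="#encodeForHTMLAttribute(cgi.script_name)#" method="post">
        <input name="#fieldName('firstname')#" type="text">
        <input name="#fieldName('lastname')#" type="text">
        <input type="submit" value="go">
    </form>
    </cfoutput>
</cfif>
```

This rejects submissions that reuse fixed or stale field names. A client that loads the form in its own session and posts back the names it was given still passes, so the check belongs alongside the other methods mentioned above.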