防止垃圾邮件机器人提交表单
[英]Prevent spam bots from submitting a form
问题描述
I need some advice how to best prevent a spam bot to submit a form. 
我需要一些建议,以最好地阻止垃圾邮件机器人提交表单。 I have done some research and come up with the code below. 我做了一些研究,并提出了以下代码。
The mechanism is like this - the HTML code asks the user to enter a number and if the entered number equals 50 then the jQuery returns true and the form is submitted. 机制是这样的-HTML代码要求用户输入一个数字,如果输入的数字等于50,则jQuery返回true,然后提交表单。 If the value is different from 50, the form is not submitted. 如果该值不同于50,则不提交表单。 The code works if a user is filling out the form, however spam is still being sent by bots. 如果用户填写表单,该代码将起作用,但是僵尸程序仍在发送垃圾邮件。
My question is the following - Are the bots just bypassing the jQuery code and submitting the form directly on the server or this is not possible and they somehow guess that 50 should be entered in the field? 我的问题如下-漫游器是否只是绕过jQuery代码并直接在服务器上提交表单,否则这是不可能的,他们以某种方式猜测应该在该字段中输入50?
I would like to get some expert opinion on this as to decide if i should invest more time to improve the current code (maybe hide the field and set a default value for it) or i should come up with totally different solution. 我想对此提出一些专家意见,以决定是否应该投入更多时间来改进当前代码(也许隐藏字段并为其设置默认值),还是应该提出完全不同的解决方案。
Thank you all! 谢谢你们!
$("#RegFrm").submit(function(){
if ($('#samp').val() != 50) {
return false;
}
else {
return true;
}
})
1 个解决方案
解决方案1
0 2014-07-07 18:09:54
There are two bot categories that you need to prepare for: the dumb ones and the headless browser-based ones. 您需要准备两种机器人类别:愚蠢的机器人类别和无头的基于浏览器的机器人类别。
The first category is just a glorified HTML parser which harvests, populates and submits forms, all based on HTML. 第一类只是美化的HTML解析器,它基于HTML收集,填充和提交表单。 These spambots are not capable of running JavaScript, so they will bypass the JavaScript challenge in your original question entirely. 这些垃圾邮件机器人无法运行JavaScript,因此它们将完全绕开您原始问题中的JavaScript挑战。
Headless browser-based spambots are as smart as your regular web browser (they're typically based on WebKit or Gecko) and they will run JavaScript. 基于无头浏览器的垃圾邮件监听程序与常规的网络浏览器(它们通常基于WebKit或Gecko)一样聪明,它们将运行JavaScript。 They can, in theory, still bypass your JavaScript challenge by removing your submit() event handler (note that this is speculation, I don't know if they routinely do that, although it would make some sense to disable validation this way). 从理论上讲,他们仍然可以通过删除您的Submit()事件处理程序来绕过JavaScript的挑战(请注意,这只是猜测,我不知道他们是否按常规进行操作,尽管以这种方式禁用验证是有意义的)。
The solution you proposed in your comment should suffice against generic attacks. 您在评论中提出的解决方案应足以抵御一般性攻击。 Prompting the user for the correct value would require the spambot to understand the challenge (which it won't) and enforcing the right answer on the server-side will work regardless if the form submitter understands JavaScript or not. 向用户提示正确的值将要求spambot理解挑战(这不会),并且无论表单提交者是否理解JavaScript,在服务器端强制执行正确的答案都将起作用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.