addeventlistener for 'keypress' = captcha alternative?

Am I right in thinking that spam bots can't simulate the 'keypress' event, and thus I can't get spammed if I require a keypress for each field in my contact form before being able to submit it?

Is this a good alternative to captcha, etc. if I don't care whether or not my viewers have JavaScript enabled?

Wizards, set me right.

I'm unsure if they can generate the keypress event "natively" (I think you might be right that they can't, but it wouldn't surprise me to learn that there's some edge case whereby this is possible).

However, I don't think they would have a problem merely executing element.onkeypress() directly. If the bot can determine that it needs to press a key to advance, then what that actually boils down to is that a particular event handler method needs to be invoked - and the bot can do the latter. It can create its own fake Event object too containing the keycode, and then pass this in and/or set it on window.event.

In theory you might be able to detect this by being very strict about introspecting the event object in your handler. I don't think that the bot would easily be able to create a native-equivalent event object, so perhaps by inspecting the prototype chain you could distinguish between the two. However, this would almost certainly be too fragile for general use, and is not going to reliably work across different browsers/environments/plugins/etc.

Thus I don't think this is a fruitful path, because you can't tell in an event handler whether the event is "real" or not. Browser-native code is different, since bots cannot actually trigger a click event, but within JavaScript I don't see a simple way to prevent your method from simply being called.

The current implementations of spambots might not be able to do that. But it's not that hard to simulate keypresses. If you're only a small website the bot author might not do the work to circumvent your system, but if it is large enough for the author to care, your system will be broken really quickly.
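
As an added illustration (not part of the original question or answers), the JavaScript below runs the handler checks discussed in the answers against a direct handler call with a fake event object and against a script-dispatched event. It uses Node's built-in Event and EventTarget in place of a browser form field; the `checks` table, the `field` object and the sample inputs are constructed for the example, and the `isTrusted` check is an addition that the thread does not mention.

```javascript
// Added illustration, not code from the thread. Runs in Node.js (15+), no browser needed.
// Event/EventTarget are Node globals; "field" is a constructed stand-in for a form input.

// Three ways a handler might decide that a keypress "really happened".
const checks = {
  // Accept anything shaped like a key event.
  naive: (ev) => Boolean(ev) && ev.type === 'keypress',
  // Prototype-chain inspection, as suggested in the answer.
  prototype: (ev) => ev instanceof Event && ev.type === 'keypress',
  // Event.isTrusted: set by the runtime, false for script-created events.
  trusted: (ev) => ev instanceof Event && ev.type === 'keypress' && ev.isTrusted === true,
};

// True if the gate unlocked when the handler was called directly with `ev`
// (the element.onkeypress() case from the answer).
function unlockedByDirectCall(check, ev) {
  let unlocked = false;
  const onkeypress = (e) => { if (check(e)) unlocked = true; };
  onkeypress(ev);
  return unlocked;
}

// True if the gate unlocked when a script-created event reached a listener
// registered with addEventListener (the setup in the question).
function unlockedByDispatch(check) {
  let unlocked = false;
  const field = new EventTarget();
  field.addEventListener('keypress', (e) => { if (check(e)) unlocked = true; });
  field.dispatchEvent(new Event('keypress'));
  return unlocked;
}

// Constructed inputs: a plain object posing as an event, and a real Event instance.
const plainObject = { type: 'keypress', keyCode: 65 };
const constructed = new Event('keypress');

function summarize() {
  const rows = {};
  for (const [name, check] of Object.entries(checks)) {
    rows[name] = {
      plainObject: unlockedByDirectCall(check, plainObject),
      constructedEvent: unlockedByDirectCall(check, constructed),
      dispatched: unlockedByDispatch(check),
    };
  }
  return rows;
}

console.table(summarize());
```

The prototype check only rejects the plain object, and the `isTrusted` row is all false here because Node has no user input at all. Every one of these checks runs in the client, so the server receiving the form sees none of them and still has to decide on its own whether to accept the submission.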
