...not so private reflections of greg.newman

Rails Captcha Validation with Javascript

A very simple way to keep machines out of your forms is through CAPTCHAs. A very simple way to implement one in your Rails forms is with a nifty little JavaScript. This is not the preferred method, since there are ways around the JavaScript, but it is definitely a nice little spam helper.
Note: This will not stop spiders, only human interaction with forms. It is intended only to show how to integrate Jcap with a Rails app, and is not in any way a tutorial on how to stop spiders.

CAPTCHA

Set it up

1. Download the Jcap scripts from here. Decompress and copy them to your public/javascripts folder. In my case, I left the cimg folder within my javascripts folder.
2. Add the JavaScript include tags to your view (within the head).
<%= javascript_include_tag 'jcap', 'md5' %>
3. Add an onload event to the body tag.
<body onload="document.xfrm.uword.focus();">
4. Modify your form tags to resemble:
<%= form_tag({:action => 'create'}, {:onSubmit => 'return jcap()', :name => 'xfrm'}) %>
  <%= render :partial => 'addlistingform' %>
  <noscript>[This resource requires a Javascript enabled browser.]</noscript>
  Please enter the code as it is displayed above.
  <input type="text" name="uword" id="uword" value="" size="20">
  <%= submit_tag "Create" %>
<%= end_form_tag %>

I modified my jcap.js file to reflect the location of my cimg folder. If you keep yours in the javascripts folder you will need to do so as well.

The developer of the Jcap scripts recommends taking some further steps to make sure your CAPTCHA is covered, by requiring the verification form field.

This is a neat script but does not solve all problems. As I mentioned, if a browser does not have JavaScript enabled this will fail.
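
Added example, not part of the original post or the Jcap scripts: the form above checks the code only in the browser, so a request sent straight to the create action never runs jcap(). The sketch below shows the server-side half such a check needs, in plain Ruby. The class and method names, the 300-second lifetime and the sample codes are assumptions, and it assumes the server picks the CAPTCHA image and therefore knows the expected answer.

```ruby
require 'securerandom'

# Added example; names are hypothetical and not taken from Jcap or Rails.
class ServerCaptcha
  TTL = 300 # seconds a challenge stays valid (assumed value)

  def initialize
    @pending = {} # challenge id => [answer, expiry]; session or cache in a real app
  end

  # Call when rendering the form; put the returned id in a hidden field.
  # The answer stays on the server, unlike a check done in the page's script.
  def issue(answer, now = Time.now.to_i)
    id = SecureRandom.hex(16)
    @pending[id] = [answer.to_s.strip, now + TTL]
    id
  end

  # Call in the create action before saving. A request that never loaded the
  # form has no valid id, so skipping the browser check gains nothing.
  def valid?(id, submitted, now = Time.now.to_i)
    answer, expiry = @pending.delete(id.to_s) # single use: gone after any attempt
    return false if answer.nil? || expiry < now
    secure_eq(answer, submitted.to_s.strip)
  end

  private

  # Length-checked comparison that does not stop at the first differing byte.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed requests, as the create action would receive them.
def demo
  captcha = ServerCaptcha.new
  id = captcha.issue('k7Qm2')
  {
    direct_post: captcha.valid?(nil, 'anything'),            # form never loaded
    wrong: captcha.valid?(captcha.issue('k7Qm2'), 'zzzzz'),  # bad guess
    good: captcha.valid?(id, ' k7Qm2 '),                     # correct answer
    replay: captcha.valid?(id, 'k7Qm2')                      # same id reused
  }
end
```

In a Rails action the id would arrive as a hidden form field next to uword, and the record would be saved only when valid? returns true.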

7 Comments

I think it is no use: spam machines do not use browsers, they are scripts, apps that only post requests. Captcha is used to stop machines, but this one will only show up for human beings; it does nothing on the server side, it's a joke.

You are correct, Hui. That's why I wrote "does not solve all problems". I didn't go as far as you simply because I'm not an expert on spiders and their technology. However, if you use a little hackery with the required fields you can trick it and stop "some" spiders.

I really doubt this would actually stop any spiders. Not that it's not a good example, it's just that spiders (and spam bots especially) don't use Javascript. They'll just happily submit the form without any regard for your Javascript trying to stop them. So effectively you're just kind of annoying your users ;) but cool nonetheless. It would be good to stop/slow down people who are posting too much to a forum or something.

This is a bad idea.

CAPTCHAs are purely intended to stop rudimentary (javascript-less) web spiders from successfully submitting a form.

The fact that Javascript is required to use the CAPTCHA means that it will not fulfill that one intended duty.

They hurt accessibility & in more advanced forms frustrate users.

Hacker ways to work around them include:

+ image & character recognition (most CAPTCHAs are machine generated, and therefore are inevitably machine readable)

+ scripts that stream queued CAPTCHA images to humans that do the image recognition


http://www.google.com/search?q=captcha+bad

Mars, I added a note in the post defining that fact since it didn't seem to be clear to readers.

Nice bike by the way!

Greg, this will work even though it’s javascript. Check out acts_as_authenticated and look at how it does a constant redirect until you get the password right. You could probably alter a_a_a to get this to work.

The key with captcha is not that it’s perfect, but that it makes an attacker spend more money. Let’s say they were running a simple Java spider that raided blogs. With this simple client side CAPTCHA they now have to run javascript. Ok, they can get Rhino, but then they also need the full dom and image processing parts. This also increases the CPU and RAM required. Finally they have to feed yet another captcha method to whatever image buster they use.

In the end, to get around your captcha they have to spend more money. That’s the best you can do, so rather than shoot for a perfect solution (which won’t happen), use this until they break it and then change it out. Nice thing is it’s javascript so you can cook up a bunch of schemes and quickly swap them out to the clients. Even randomize them too.

Remember, it’s COST not blocking that’s important. Make them pay for real.

Nice post
The quickest solution I have ever found....

I got it working in less than 2 minutes....

Thanks
:)
