alamin ahmed: a typical geek 2.0

ideas.experiments.thoughts.life

home blog about me
twitter: aahmed753

Archive


Topics:

5-ways to prevent comment spamming

posted on: August 12, 2007 at 01:27 am

Spamming? What Spamming??
These days, whether you are blogging or running a business website, form submission spamming has become on of the primary issue of concern and frustration. Form submission spamming usually happens if you have commenting feature on your website. Spammers like to use this opportunity to promote their website and most importantly hoping to get higher rank in search engines. Im sure most of web developers/webmasters has gone through nightmare(s) when you found dozens of v1agra (you know what i mean) related links floating around your website posts.

Form submission some times occurs on your membership registration form as well, people attempting to create multiple accounts instantly. And if you have content submission features, such as Digg, Reddit or other social network relying on user submitted contents, then you have another form submissions to worry about.

Prevention is better then cure.
In deed it is. There are many ways you can prevent most of these spammers. It is hard to stop hackers entirely, but these methods should make attackers life bit difficult and have them find another nest to play around with.

I have prepared to write about 3 ways (out of many) you can prevent form submission spam. You can implement them individually or combine them with any combination you want to add even greater security based on your need. These 3 methods are:
1. Post Hash Authentication
2. Hidden Text field Mechanism
3. CAPTCHA

[Please note, all these are programming language independent concepts, but I will be using php to demonstrate some code when necessary.]

POST HASH AUTHENTICATION:
This method relies on renewed hash code for authentication. So every time your page is loaded, a unique hash code is created by your server and put it on session value, which then need to be passed by form on every submission. Therefore, upon form submission the server can verify the passed hash code with session hash code for validity. And the trick is that, after validating, server has to destroy the hash right away and start looking for another one, a different one. This is very easy to implement.

//check if form submission occurred
if((count($_POST)) {
if(!isset($_POST['posthash'] && ($_SESSION['posthash'] != $_POST['posthash'])) {
die('unauthorized request.');
} else {
$_SESSION['posthash'] = ""; // removing current code
}
}

// right after check we want to regenerate post hash, regardless if form was submitted or not
// actual hash value can be simply md5(current time in nano second)
define("POSTHASH", md5(time())); // making it constant for global access across your web application.
$_SESSION['POSTHASH'];

These codes should be on the top of each page (save it in separate file and include in every page).
In your HTML form, you need to add special hidden field and supply this code

<form ...>
...
<input type='hidden' name='posthash' value='<?php echo POSTHASH ?>' />
</form>

This method will also prevent users from spamming by refreshing browser for multiple submission, since POST variable will hold previous hash and therefore will be rejected.

Hidden Text field Mechanism:
This method is based on a blog that I came up across. Concept is very cheap, but extremely powerful to fool most of spam bots (no bender, it's not fambot).
This is how it works. You simply add a text field in your form and hide it's "visibility" from the users. The idea is that users will not see the text field there for it will stay blank. But, most of the spamming bots attempts to fill all the text fields they find in the form before submitting. So a simple conditional check, whether or not hidden text field has value or not, can give you clue if this is a spamming or not.

<form ...>
...
<div class='special-field'><label>Enter your Middle name:</label> <input type='text' name='middlename' value='' /></div>
...
</form>

In your CSS code, you need to set 'special-field' display to 'none'. This way users will not see the label and text field, but still will be visible in the HTML code which is used by spammers.

In your server script, all you have to do is check if 'middlename' field has value or not:

if(!empty($_POST['middlename'])) {
die('unauthorized request');
}


CAPTCHA:
This method is used most widely and most effective way of preventing users from spamming. CAPTCHA is almost like POST HASH concept, only addition is that instead of putting the hash value (or the captcha code) in hidden field automatically, a human user needs to read it of distorted image and enter it him/herself. Therefore this gives you highest level of prevention from Spamming.
There are many free and effective CAPTCHA codes and class files with tutorials floating around the web, so I will not go in detail here.

Lots of developers does not like to include CAPTCHA mechanism because it puts little bit burden on genuine users and can discourage them from posting comment or even registering.

Conclusion:
There are many ways one can attempt to prevent from form submission. These three I found to be useful. However, as I mentioned earlier, ti is not possible to entirely block hackers from doing what they do best. You constantly have to modify your code, provide additional security as your site gets more and more popular.

Please share your tips and tricks, comments, suggestions.
[PS, I am only using Hidden Text field mechanism on this site, I hope some one can start spamming me so I can push laziness out and implement other once :)]
Tagged: html   Parma Link | Comment(s)

CSS based table - table without TABLE

posted on: August 11, 2007 at 12:00 am

Why CSS and not TABLE.
Honestly, I have no good answer or explanation for you.  In fact I don't think any one does.  There are equal weight of advantage and disadvantage on both approaches.  Many people have tried to be strict and only show CSS benefit, and others did exactly same vice verse.

In this new "Web 2.0" era, CSS is becoming primary tool for designing and shaping web pages.  This is a good thing. CSS is really the best thing that happened to web designing.  Now designers can separate "data" from "presentation".  CSS also gives designers much more flexibilities and controls.  In terms of web standards and future, CSS certainly looks brighter.  So any attempt to migrate your any part of your web site to CSS, is a step toward right direction.  But if you taking your time then you can feel comfort knowing that tech giant like Google still uses TABLEs all over the place.  There is no sign of TABLE being deprecated from HTML, at least not any time soon.


Migrating HTML TABLE to CSS-P
Traditionally, you would use TABLE tag as follows:

  
      

          

              

              

          

      

      

          

              

              

          

      
Header Column 1Header Column 2
Body column 1body column 2

output:
Header Column 1 Header Column 2
Body Column 1 Body Column 2


My goal is to bring the same structure and coding layout using CSS.  To be precise, here is an example:

  


      


         
Header Column 1


         
Header Column 2


      


      


          
Body Column 1


          
Body Column 2


     

Looks good right? But we are far from being done.  Let's look at the output first:
output:
Header Column 1
Header Column 2
Body Column 1
Body Column 2

As you can see,  It is not at all what we expected.  Everything is showing in a single column in separate rows.  This needs to be fixed in CSS section.

CSS, time to play
If you noted, you know that we have used several classes inside our "div", for example -'table', 'row', 'cell'.  Our next step is to define those classes in css.  In "perfect world" (which basically means geniuses at Redmond complying with W3C web standard), creating table using CSS is extremely easy.  We can be done with the following lines of CSS codes:
  .table {

      display: table; }

  .table .row {

      display: table-row; }

  .table row .cell {

      display: table-cell; }

that's it. Simple right? Unfortunately, above styles are not supported by most browsers including Internet Explorer 6 and 7.  So it's basically useless for now.

CROSS BROWSER APPROACH:
alternative approach is to use 'inline-block' to define 'cell'.  In this case we additionally need to specify width of every cell in HTML code.  It is tedious depending on your table size and structure.  However, this is the only "good" solution we have.  Here is how:

Your CSS code is simple.  All we have to do is declare cell to be 'inline-block'.  This allows you to re-size your cell to any width/height you want.
.table { }

  .table .row { }

  .table .row .cell { display: inline-block; }

now in HTML add additional style to specify width of each column. 



      


         Header Column 1

         Header Column 2

      


      


          Body Column 1

          Body Column 2

     




This approach works for most browsers.  For IE 6 to work, you have to use "span" instead of "div" for the columns.  Don't ask me why.  This breaks W3C regulation since you are making "span" as a block element.

ANOTHER APPROACH:
Another approach is to use 'float'ing columns.
  .table { }

  .table .row { clear: left; }

  .table .row .column { float: left; }
We still have to specify width of every cell.  In additional, we have to clear the the floating after the last row.  For example:


      


         Header Column 1

         Header Column 2

      


      


          Body Column 1

          Body Column 2

     




This approach is most widely compatible among browsers.  Your best bet is to chose between 'floating' cell or 'inline-block' cell.


FORMATTING TABLE
power of CSS comes when it's time to format - "presentation".  For example, we can format our headers and table in following css properties:

  .header {

      font-size:18px;

      font-weight:bold; }

  .header .cell {

      line-height:24px; }

  

  .table {

      border:2px solid #ccc; }

  .table .row .cell {

      padding:3px;

      margin:2px; }

EXTENDING TABLE USING MULTIPLE CSS CLASSES:
another power of css is the ability to have multiple classes for an element.  We have already done this on row '
so 'row' is one class and 'header' is another class.  Browser will join these two classes (append their properties) to render the element.

This technique comes in handy when using different types of tables, such as - table for creating form, table for listing items and so on.  For example:
  


      


         
Enter your name:


         


     


and css codes
  .form {

      width:500px; }

  .form .row .label {

      width:150px;

      font-weight:bold;

      text-align:right; }
As you can see we have added 'form' class with table and additional 'lable' and 'input' classes with cells.  You can imagine the possibilities when you start working with may different kinds of tables.

Mapping some of table's attributes to CSS properties:
cellpadding=2
 .cell { padding:2px }
cellspacing=4
 .cell { margin:4px; }
border=1
 .table { border:1px solid red}
 css allows you to define three dimension of border - color, style and size
width=100%
 .table {width:100%}
 can be applied to table, row or cell
align=center
 .cell { text-align:center; }
 if you want to center the table, then you have to use different approach. just wrap the table with another div and set it's text-align to center.
valign=middle
 .cell {vertical-align:middle; }
 different browser produce different result
bgcolor='#000000'
 .cell {background-color:#000000;}






Tagged: css   html   web design   Parma Link | Comment(s)

copyright© 2008 alaminahmed.com || powered by me!