
Authentication


kelleydl


I have a site that users go to and can leave comments without having to sign in. They just type what they want and click submit. Lately there have been spammers who leave like 100 comments a day, and I have been having to go into the database and delete them. How can I stop this? I've seen the authentication images that have blurred words and users type in the words, but how do I get images like that? Do I make them myself? Is there another way for authentication of users without making them have to create a username and password? DK


There are 2 possible problems.

(1) You are being spammed by robots. This can be controlled by image systems like Captcha, which is the word you want to Google. Slightly lower level security against spam-bots is to generate a random word in ordinary text, store it in a $_SESSION variable, make the user submit the word, and then compare them. (You'll want your security word to appear in a normal paragraph, span, or div element, not a form element. Spambots would notice the pattern in a form element and try to fool your system.) And when I say a random word, I mean a dictionary word. A good spambot would recognize a gibberish word and try using that as your security word. If you have a simple text file containing 1000 real words or so, you could pull a random word from it. (A very very good spam bot will figure this out eventually, too, though, which is why image systems are so popular.)

But 100 posts is not a lot. That could just be (2) human spammers. A determined human spammer will not be blocked by any sort of captcha system, text or images. Especially a twerp home after school getting wired on energy drinks.

One option is to log IP addresses and restrict posts from each IP to some limited number per hour or day. If a post comes too soon, redirect the user to a simple message that explains your limit. You already have a database system, it sounds like, so just create a unique table for this purpose.

It is not a perfect solution, because it does not account for every possible method of spoofing. But if your spammer has limited tools available, it might help. I'll bet if you check IP logs, you'll find that most of your spam is coming from one domain, which would mean it's probably just one ##### who's found you.

Heck, if it's literally the same IP every time (a possibility) just block it forever.

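The per-IP posting limit suggested in the reply above, as an added example that is not part of the original thread. The table name `comment_throttle`, the limit of 5 posts per hour, and the function names are assumptions; an in-memory SQLite database and constructed addresses are used only so the script runs on its own.

```php
<?php
// Added example: per-IP comment throttle. Table name, limits and function
// names are assumptions, not taken from the original thread.
const MAX_POSTS = 5;          // assumed limit per window
const WINDOW_SECONDS = 3600;  // assumed window: one hour

function init_throttle(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS comment_throttle (
        ip TEXT NOT NULL,
        posted_at INTEGER NOT NULL
    )');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_throttle_ip
               ON comment_throttle (ip, posted_at)');
}

// Returns true and records the post if $ip is under the limit, else false.
function allow_post(PDO $db, string $ip, int $now): bool
{
    $cutoff = $now - WINDOW_SECONDS;
    $db->beginTransaction();
    // Expire rows that have left the window so the table stays small.
    $db->prepare('DELETE FROM comment_throttle WHERE posted_at <= ?')
       ->execute([$cutoff]);
    $count = $db->prepare('SELECT COUNT(*) FROM comment_throttle WHERE ip = ?');
    $count->execute([$ip]);
    $allowed = (int) $count->fetchColumn() < MAX_POSTS;
    if ($allowed) {
        $db->prepare('INSERT INTO comment_throttle (ip, posted_at) VALUES (?, ?)')
           ->execute([$ip, $now]);
    }
    $db->commit();
    return $allowed;
}

// Demo run: in-memory database, constructed timestamp and addresses.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
init_throttle($db);
$t = 1700000000;
for ($i = 1; $i <= 7; $i++) {
    $ok = allow_post($db, '203.0.113.7', $t + $i * 60);
    echo "post $i from 203.0.113.7: ", $ok ? 'accepted' : 'rejected', "\n";
}
// A second address, then the first address once its oldest post has expired.
var_dump(allow_post($db, '198.51.100.9', $t + 600));
var_dump(allow_post($db, '203.0.113.7', $t + 60 + WINDOW_SECONDS));
```

In the comment handler, call `allow_post($db, $_SERVER['REMOTE_ADDR'], time())` before saving the comment and show the limit message when it returns false. Headers such as `X-Forwarded-For` are supplied by the client and should only be used when they are set by your own proxy.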

Archived

This topic is now archived and is closed to further replies.
