What's a good way to protect against automated form postings? I figure I'll change my Formation library (public version terribly out of date) to automatically (if the form is a POST) add a timestamp field, an IP address field, and a hash of the two with a secret seed to the form, and then automatically reject the form if the submission isn't from the same IP address and if the IP+timestamp hash in the form isn't correct. And because the code to do this is in the library, clients of the library don't have to know anything about it.
This scheme would require a spammer to write software to spider my form pages each time before posting a comment, unlike the situation now where they can just spit 'name', 'e-mail', and 'text' at an entry page. That's still possible, of course, but it's unlikely anyone would go through the trouble. An even more protective system would use Javascript to do something fancy, but that's not a route I want to go down.
Anything better I'm missing? What does WordPress do? Matt, what was your idea again?
Friday, March 10, 2006
Permalink
