CAPTCHA is virtually never the right solution. If a simple CAPTCHA is sufficient to protect your form, you're not securing something immensely valuable in an attacker's eye. If simple CAPTCHA isn't sufficient, then complex CAPTCHA will be broken as well, because you've obviously got something valuable. As such, it's almost always drastic overkill or simply insufficient. Couple that with the annoyance it provides to legit users trying to use your form, and the reasonable use cases are pretty slim.
Much better to use a cookie-based nonce, perhaps some JavaScript obfuscation (if you are comfortable requiring JS), and if you're processing prose, something like Akismet. The nonce ensures people can't hit your action page directly, the JS obfuscation ensures that whoever is submitting the form has to load the form in a user agent with a JS interpreter, and Akismet does a fantastic job of filtering out spam while leaving the good stuff. If someone can beat those, they can beat CAPTCHA too, so you're still screwed, but you haven't pissed off your end users in the process.

However, based on the original question, a simple nonce (or perhaps with a half-JS "upgrade") will almost certainly suffice.

cheers,
barneyb

On Tue, Mar 17, 2009 at 8:31 PM, Justin Scott <[email protected]> wrote:

>> How do I prevent someone from using their own form to submit
>> to my action page and skipping my javascript function to make
>> sure the data is well formatted?
>
> If you want to make sure the input is well formed, you'll need to do that on
> the server side. Do not rely on JavaScript code to do this for you.
>
> Having said that, if you need to protect the form itself there are a few
> ways to approach that. One of the best would be to use a captcha. Another
> would be to check the cgi.http_referer variable on submission (though this
> can be easily spoofed if the person is determined enough). Embedding a
> hidden value into the form will help ensure the post came from your
> generated form, though it won't stop someone from turning off JavaScript and
> submitting the form with whatever values they want, so again, verify the
> input on the processing side in addition to any client-side script you're
> using.
>
> --
> Justin Scott | GravityFree
> Member of the Technical Staff
>
> 1960 Stickney Point Road, Suite 210
> Sarasota | FL | 34231 | 800.207.4431
> 941.927.7674 x115 | f 941.923.5429
> www.GravityFree.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320612
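The cookie-based nonce Barney recommends, combined with Justin's hidden form value and server-side validation, as an added example that is not code from the thread (and in Python rather than CFML). The server issues a signed, time-stamped nonce in a cookie and the same nonce as a hidden field; the action page accepts the POST only when both agree, then checks the fields itself. The key, field names and validation rules are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-change-me"


def issue_nonce(key=SERVER_KEY, now=None):
    """Return (cookie_value, hidden_field_value) for rendering the form.

    The cookie carries nonce:issued_at:hmac so the server can verify it
    without keeping per-form state; the hidden field carries the bare nonce.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    payload = f"{nonce}:{now}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}", nonce


def verify_submission(cookie, hidden_field, key=SERVER_KEY, max_age=3600, now=None):
    """True only if the cookie is authentic, fresh, and matches the hidden field."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued, sig = cookie.split(":")
        issued = int(issued)
    except (ValueError, AttributeError):
        return False  # malformed or missing cookie: direct hit on the action page
    expected = hmac.new(key, f"{nonce}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or tampered cookie
    if now < issued or now - issued > max_age:
        return False  # replayed stale form
    return hmac.compare_digest(nonce.encode(), str(hidden_field).encode())


def validate_fields(form):
    """Server-side well-formedness checks (constructed rules for the demo)."""
    errors = []
    email = form.get("email", "")
    if "@" not in email or len(email) > 254:
        errors.append("email")
    comment = form.get("comment", "").strip()
    if not 1 <= len(comment) <= 2000:
        errors.append("comment")
    return errors


def handle_post(cookie, form, key=SERVER_KEY, now=None):
    """Action-page logic: nonce first, then field validation, regardless of client JS."""
    if not verify_submission(cookie, form.get("nonce", ""), key, now=now):
        return "rejected: nonce"
    errors = validate_fields(form)
    return "rejected: " + ",".join(errors) if errors else "accepted"
```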

