Icon View Thread

The following is the text of the current message along with any replies.
Messages 1 to 6 of 6 total
Thread Google No-Captcha reCaptcha
Sun, Jul 31 2016 1:23 AMPermanent Link

Eivind

I suppose some of us EWB devs that have public registration form have to use some kind of reCaptcha. What are you guys using today?

I'm looking into using the No-Captcha reCaptcha solution from Google. However, that requires including some javascript libs and calling some javascript functions.

On googles site is says to link to to:

<script src='https://www.google.com/recaptcha/api.js?hl=es'></script>

and then add a div tag:

<div class="g-recaptcha" data-sitekey="XXXXXXXXX"></div>

To verify if the user clicked the "I am not a robot" checkmark a function called getResponse() have to be called. After this, I guess the server part is plain and easy to verify the response.

The question is.... How is all this done in EWB???

My customers want let me have unprotected registration forms anymore and have requested the No-Captcha solution as it is the newest and easiest solution.

It would be absolutely brilliant to have this and possibly the Google Authenticator implemented in the core of EWB for customers that need the extra security and spam prevention.

Any thoughts?

Thanks
Eivind
Tue, Aug 2 2016 8:30 AMPermanent Link

Eivind

Ok, so I have been studying bots and spammers the last two days and it seams they don't particularly like Javascript. They tend to disable javascript and try to read the html form for inputs and post values in all form fields. As EWB is not based on "normal" html forms, do you think spammers will give up easier when confronted with a pure client side javascript form? Now they have to decode all the javascript to try to figure out what form fields needs data etc. Obviously, spam bots are getting more and more sophisticated, but I wondered if anyone else have some input on this.

So let's say EWB makes it more difficult for spammers to read the forms and post correct data. For my signup form I use a TServerRequest to post various data to the server for user registration. After user registration, all data exchange is using TDataSets. First I have another TServerRequest checking if the email address is not taken. Would it be even trickier for the spammer if I used the TDataSet.Insert on the signup form instead that posts a JSON string to the DatasetAdapter in my Delphi ISAPI dlls? Now he have to figure out exactly how to format the JSON string to be able to spam me.

Quite frankly I have not been bothered with spammers so far in any EWB projects. Do anyone else have any issues with public signup forms and spammers?

The whole reason I started this thread is because of certain clients are asking for it. Not because of large amount of spammers.

Cheers
Eivind

So let's say EWB
Tue, Aug 2 2016 9:25 AMPermanent Link

Matthew Jones

Eivind wrote:

> spammers

It is an interesting question really. You are right in that most won't
bother with the javascript so that will cut most fly-by spamming. If
someone cares enough, they will look at the http calls and work out
what is happening, and ignore your files completely. That of course is
also more work, so it comes down to how valuable your content is. If
you are facebook then it would be well worth it, but most custom sites
are not going to be an issue. It also depends on whether you need an
account or not.

But, even with all that, there are people who get paid to manually
visit sites, sign up, and post spam. You'd have to be very clever to be
able to stop them. And the solution would probably be to logging things
like the source IP address/range, and then doing something like
hell-banning their accounts (so they can post, but it never appears
except to them, perhaps also held for approval).

--

Matthew Jones
Tue, Aug 2 2016 10:46 AMPermanent Link

Eivind

Thanks for your thoughts Matthew!

Yea, hopefully spammers want see too much value in spamming my client as there is really not any value for them and as you you mention, if "fly by spammers" leave EWB apps alone for while that would be splendid.

Only need to convince my client the same Smile

Problem with clients is that they have heard from a friend that have heard from a friend that you have to have reCaptcha on the public reg forms.

Cheers
Eivind
Tue, Aug 2 2016 12:55 PMPermanent Link

Raul

Globestar Systems

Team Elevate Team Elevate

On 8/2/2016 8:30 AM, Eivind wrote:
> So let's say EWB makes it more difficult for spammers to read the forms and post correct data. For my signup form I use a TServerRequest to post various data to the server for user registration. After user registration, all data exchange is using TDataSets. First I have another TServerRequest checking if the email address is not taken. Would it be even trickier for the spammer if I used the TDataSet.Insert on the signup form instead that posts a JSON string to the DatasetAdapter in my Delphi ISAPI dlls? Now he have to figure out exactly how to format the JSON string to be able to spam me.
> Quite frankly I have not been bothered with spammers so far in any EWB projects. Do anyone else have any issues with public signup forms and spammers?
> The whole reason I started this thread is because of certain clients are asking for it. Not because of large amount of spammers.

EWB does help with the automated website scraping for form fields but
one can still use test automation tools to simply run a browser and
submit this (same one we as devs might use to do UI testing - even
something like AutoIT likely would work though have not tried :
https://www.autoitscript.com/site/).

Having captcha would be worthwhile IMHO even with EWB and if Tim would
natively add support it would be ideal

Raul
Wed, Aug 3 2016 7:41 AMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Eivind,

<< The question is.... How is all this done in EWB??? >>

The short answer is that you take the JS api, implement an external interface for it:

http://www.elevatesoft.com/manual?action=viewtopic&id=ewb2&topic=External_Interfaces

and then just use the classes/functions/procedures in the external interface declarations in your code.

The long answer is that it's a bit more complicated than that, especially with Google APIs.

Tim Young
Elevate Software
www.elevatesoft.com
Image