保护免受可脚本化垃圾邮件的侵害
所以我有一个可以创建帐户的表单,现在创建帐户的过程是通过调用 javascript REST API。我认为以编程方式破解该内容可能非常容易,因为他们需要查看 javascript 来找出垃圾邮件的 url,并且在 PHP 脚本中进行处理可能更安全。然后我想,如果我不通过 JavaScript 来完成,他们只需查看表单即可轻松找到 URL。该表单将仅处理 POST 数据,但不确定这是否足够,以及如果我通过 javascript 或 PHP 处理它是否重要。
防止某人以编程方式发送垃圾邮件的最佳方法是什么(即防止他们编写服务器(如 PHP)或客户端(如 javascript)代码来发送垃圾邮件处理脚本)。
So I have a form that can create an account and right now the process to create the account is by calling a javascript REST API. I was thinking that it might be really easy to hack that programmatically since all they would need to do it look at the javascript to find out the url to spam and that it might be safer to do the processing in a PHP script. Then I though well, they could just look at the form to find the URL just as easy if I don't do it through javascript. The form is going to be processing only POST data but not sure if that is enough and if it matters if i process it through javascript or PHP.
What it the best way to prevent someone from spamming a form programmatically (ie prevent them from writing server, like PHP, or client, like javascript, code to spams the processing script).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
一种方法是使用 Captcha 过滤掉机器人reCaptcha,但这并不是 100% 的保护
One way is to use Captcha to filter the bots out reCaptcha but its not 100% protection
使用验证码可能是第一种方法:
Google 版本
其次,如果电子邮件是,我会在服务器端进行数据检查,并可能进行电子邮件验证未验证 我将有一个 cron 来清除表中没有电子邮件验证的行。
通过这两种方法,您应该可以避免大部分情况。
Using Captcha is probably the first method:
Google's Version
Secondly I would do data checking on the server side and possibly email verification, if the E-Mail is not verified I would have a cron to clean out the rows in your table which don't have e-mail verification.
With these two methods you should avoid a good majority of it.
前往 reCAPTCHA。这很容易。
您可以通过注册您的网站 URL 来获取密钥对。使用该密钥在表单中生成 reCAPTCHA 图像/文本框。仅当条目与图像中显示的文本匹配时,您的表单数据才会被发布并添加到数据库中,否则不会(这是您必须保留的服务器端检查)。您将在 Google 中获得大量相关代码:)
另一种技术(现在大多数网站都遵循这种技术)是通过电子邮件向用户发送帐户激活链接。仅当单击该激活链接时才会创建帐户。为此,您还可以设置过期时间(例如 24 小时)。
希望这有帮助。
Go for reCAPTCHA. It's pretty easy.
You can obtain a key pair there by registering your website URL. Use that key to generate the reCAPTCHA image/textbox in your form. Your form's data will be posted and added to database only if entry matches the text displayed in the image, otherwise not (that's aserverside check that you have to keep). You'll get plenty of related code in Google :)
Another technique, as most of the websites now a days follow, is to send an account activation link to the user via email. An account will get created only when that activation link is clicked upon. You can also set an expiration time (say, 24 hours) for this purpose.
Hope this helps.