just sent in an update for the forms used in zc156x
Also:
Added new in this version: an auto field name reset every 10 days. Checks after a form is sent if the field name is older than 10 days; if so, the name is changed to a new one for you.
Dave
Always forward thinking... Lost my mind!
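The field-name rotation Dave describes, written out as an added PHP example; this is not the zenNonCAPTCHA mod's own code. The state layout (name, previous name, creation time), the JSON state file and every function name are assumptions made for the illustration, and the staleness check here runs whenever the state is loaded rather than only after a send, which gives the same 10-day behaviour.

```php
<?php
// Added example, not the zenNonCAPTCHA mod's own code: rotate a honeypot field's name
// once it is older than 10 days, so a name harvested from one site's markup goes stale.
// The state array layout, the JSON state file and all function names are assumptions.

const HONEYPOT_MAX_AGE_DAYS = 10;

// New random field name; the leading letter keeps it a valid HTML name attribute.
function honeypot_new_field_name(): string
{
    return 'f' . bin2hex(random_bytes(8));
}

// $state is ['name' => string, 'previous' => ?string, 'created' => int unix time].
// Rotates when the state is missing or the current name is older than the window.
// The outgoing name is kept as 'previous' so a form rendered just before the
// rotation and submitted just after it is still checked against the right field.
function honeypot_rotate_if_stale(?array $state, int $now): array
{
    $maxAge = HONEYPOT_MAX_AGE_DAYS * 86400;
    if ($state === null || !isset($state['name'], $state['created'])) {
        return ['name' => honeypot_new_field_name(), 'previous' => null, 'created' => $now];
    }
    if ($now - (int) $state['created'] > $maxAge) {
        return ['name' => honeypot_new_field_name(), 'previous' => $state['name'], 'created' => $now];
    }
    return $state;
}

// True when the submission filled the honeypot (current or just-retired name).
// The name comes from server-side state, never from anything in the request.
function honeypot_tripped(array $state, array $post): bool
{
    foreach ([$state['name'], $state['previous'] ?? null] as $name) {
        if ($name !== null && isset($post[$name]) && trim((string) $post[$name]) !== '') {
            return true;
        }
    }
    return false;
}

// Load the state, rotate if needed, persist it (assumed storage location).
$stateFile = sys_get_temp_dir() . '/honeypot_state.json';
$saved = is_file($stateFile) ? json_decode((string) file_get_contents($stateFile), true) : null;
$state = honeypot_rotate_if_stale(is_array($saved) ? $saved : null, time());
file_put_contents($stateFile, json_encode($state), LOCK_EX);

// Render the trap like any other text input and hide it with CSS (not type="hidden"),
// so in the markup it looks the same as the real fields.
printf('<input type="text" class="hp-offscreen" name="%s" autocomplete="off" value="">' . "\n",
    htmlspecialchars($state['name'], ENT_QUOTES, 'UTF-8'));

// Constructed submissions: a person leaves the trap empty, a bot fills every field it sees.
$human = ['firstname' => 'Ann', $state['name'] => ''];
$bot   = ['firstname' => 'Ann', $state['name'] => 'www.example.invalid'];
var_dump(honeypot_tripped($state, $human));
var_dump(honeypot_tripped($state, $bot));
```

Keeping the retired name for one extra window is the part worth copying: without it, every form that was rendered shortly before a rotation and submitted after it would be checked against a name the request cannot contain, and those submissions would all look human.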
Only just started up again today. I wonder how they are figuring out the change? Thank you for working on this. I will install the new. Maybe I missed something.
Tried the idea of changing the default fields. Customer says no but still waiting for additional responses to my questions. Create account was his primary problem - new accounts have html in the name fields. My template. No others with this issue with my template. Definitely no hacking! I just was able to do this on the default template for 1.5.5f. The sanitizer is not removing this so this appears to be a failure of zen cart. If I'm not correct, I'll apologize but since I've never even seen this on a site before last week, I'm not sure how long this has been happening. It could be a fairly new phenomenon. I now have customers getting mad at me because I can't fix it. For me it's a major problem.
So far this has stopped spam on some sites permanently without me having to do anything else. Since they can download the mod and figure this out with the settings, I'm wondering if we can't create auto generated settings from the start so that they can't figure it out and require folks to change the default settings or not change the fields automagically. Unless your auto settings completely cure the problem, I guess it doesn't matter. I'm simply not enough of coder to tackle any of this. Never have had to work on this kind of issue in all my years of zen cart work. Dang bots.
By the way I have hidden all the presently visible fields. No need for any of this to show as far as I'm concerned. I also had a site that had an old slider installed that conflicted with the rest of the css. I prefer solutions without javascript or jquery. I do write or find current jquery and almost never use the mods in the plugin sections because of the possibility of conflicts.
If I can help in anyway I will.
Thread working on this issue of html https://www.zen-cart.com/showthread....omer-creation/
reset around midnight and had dozens by noon today!
Are You Vulnerable for an Accessibility Lawsuit?
myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.
I've not read that post, but answered on two others.
Templates don't normally modify the account creation page except to style it. I do modify my site so I run attacks on it, fixed forms that failed before going live. The files uploaded on my map request page can trigger virus scanners because they are script.
My honey pots look the same as any other form input fields, require is always active for main fields, and I use pattern matching for a lot of fields preventing html input.. Which is great for making it user friendly, but all of it can be bypassed...
If I can see the site in question, I can tell more, if I had access to the raw code I can see more... I just fixed an issue with my admin caused by my ftp program adding the wrong permission to a file. Something that simple was making the admin reset after login... PM a link or file if you don't want to post it..
Dave
Always forward thinking... Lost my mind!
Question? Is it html in the name fields or is it text that might resemble html?
I see name fields like www.mrspammer . ru www.mrspammer.ru done but considered it as text entries that look like html
non-CAPTCHA has been working 100% for us in the contact-us arena with our zencart 1.5.4 store. non-CAPTCHA doesn't play nice with 1.5.4 create_account nor IE or EDGE browsers but since it is not advertised to work with 1.5.4, I accept that it doesn't function there and live with the spam account creations. So far, every spam account creation that I've seen also has the company name entry of google. Maybe the company name can be a filter useful to intercept the bogus accounts? At least until they figure that out too.
Rick
RixStix (dot) com
aka: ChainWeavers (dot) com
it is actual html but it's really screwy stuff like http://v.ht/bcudae as the first name. I'm sure that I looked at the actual accounts before I deleted over 500 of them, but the ones now being created are no longer showing anything beyond country in the account profile since I installed this. So it did change?
The fix of adding this line to the create account page does seem to work since it just kills off the process.
PHP Code:
if (strpos($firstname, "http") !== false || strpos($lastname, "http") !== false) { die(); }
after
PHP Code:
$lastname = zen_db_prepare_input(zen_sanitize_string($_POST['lastname']));
davewest's latest v0.4 update to the zenNonCaptcha mod has been reviewed and approved.
NOTE: I made a bunch of tweaks to it myself, including making it affect fewer files than previous. Watch for files that are no longer in the mod (but were before), and put them back to original using your backups. Installation is way easier now for new sites.
zenNonCAPTCHA
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Strictly speaking, that's not HTML. It's text containing a URL. The HTML version of it would be something like:
Code:
<a href="http://v.ht.stuff">otherstuff</a>
Trapping for both of those cases is entirely different for each, as you've seen. Your approach is fine, although the die() will alert them that something's gone wrong instead of just blindly ignoring it and letting them think it submitted fine so they can move on to some other site to spam.
For me, I can not even test a link.. dots are blocked in my patterns.. I'll have to play with some of my tools when I get time..
@DrByte
Nice Doc.. will have to add your edits.. thanks
thoughts.. I use strip_tags on some fields as
Code:
zen_db_prepare_input(strip_tags($_POST['field_name']));
never had a need to use it on standard forms
Dave
Always forward thinking... Lost my mind!
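The two cases DrByte separates (a bare URL in plain text versus actual HTML markup) and the strip_tags filter Dave mentions, as one added PHP example that is not Zen Cart's, the mod's or either poster's code. The function names, the URL pattern, the field list and the sample submissions are constructed assumptions. It also shows the quieter response DrByte suggests in place of die(): the decision is to answer as if the account was created while writing nothing, and to leave a log line for the site admin.

```php
<?php
// Added example (not Zen Cart's or the mod's own code): classify a name field as
// plain text, text carrying a URL, or HTML, then decide how to answer the request
// without telling the sender that a filter fired. Names and samples are constructed.

// Bare URL or hostname inside free text, e.g. "http://v.ht/bcudae" or "www.mrspammer.ru".
// The last alternative (label.tld) also matches "St.John", so tune it to your customers;
// some sites simply reject dots in name fields altogether.
function name_contains_url(string $s): bool
{
    return (bool) preg_match('~https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}(?:/|\b)~i', $s);
}

// Actual HTML markup: strip_tags changes the value only when tags are present,
// so comparing the stripped value with the original detects rather than silently cleans.
function name_contains_html(string $s): bool
{
    return strip_tags($s) !== $s;
}

// Returns 'ok', 'url' or 'html' for one field value. HTML is checked first because
// an anchor tag also contains a URL and the two cases are handled differently.
function classify_name_field(string $s): string
{
    if (name_contains_html($s)) {
        return 'html';
    }
    if (name_contains_url($s)) {
        return 'url';
    }
    return 'ok';
}

// Decide what to do with a create-account submission. 'silent_drop' means the caller
// renders the normal success page but never inserts the record, and the event is logged
// so the admin can see the volume and the pattern without the bot learning anything.
function create_account_decision(array $post): array
{
    $verdicts = [];
    foreach (['firstname', 'lastname', 'company'] as $field) {
        $verdicts[$field] = classify_name_field((string) ($post[$field] ?? ''));
    }
    $spam = in_array('url', $verdicts, true) || in_array('html', $verdicts, true);
    if ($spam) {
        error_log('create_account silent_drop: ' . json_encode($verdicts));
    }
    return ['action' => $spam ? 'silent_drop' : 'create', 'verdicts' => $verdicts];
}

// Constructed submissions modelled on the examples quoted in this thread.
$samples = [
    'legit'    => ['firstname' => 'Ann', 'lastname' => 'Lee', 'company' => ''],
    'url_text' => ['firstname' => 'http://v.ht/bcudae', 'lastname' => 'Lee', 'company' => 'google'],
    'html_tag' => ['firstname' => '<a href="http://v.ht.stuff">otherstuff</a>', 'lastname' => 'Lee', 'company' => ''],
];
foreach ($samples as $label => $post) {
    $d = create_account_decision($post);
    printf("%-8s -> %-11s %s\n", $label, $d['action'], json_encode($d['verdicts']));
}
```

The point of detecting rather than stripping is visibility: strip_tags alone would quietly turn the anchor into "otherstuff" and let the account through, whereas comparing before and after lets the site drop the record and still count how often the trap fires.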