hasenj blog

Doing away with captcha

Posted in webdev by hasen on 19/09/2009

I don’t include any form of captcha in anything I develop, mainly because I never took the time to invest in figuring out how to do it. But also because I really *hate* captchas. Also, my audience is largely composed of non-geeks and a captcha would be too confusing. So for me, putting captcha is a no-no.

So what do I do? How do I get away with it? Some people have described methods that revolve around a combination of css/javascript:
Honeypot Captcha, Javascript Captcha

The way I do it is simpler in a sense; it doesn’t even have a concept of captcha. I simply do everything in javascript. There’s no submit button, so there’s nothing for bots to do anyway.

I use a regular button with an onclick event that’s attached to a javascript function.

function submit_form()
{
    jQuery.ajax({
        "type": "POST", // or GET, or even PUT or DELETE
        "url": 'action_url', // The url you wish to send the data to, the url you'd put in the "action" attribute on the form tag
        "data": jQuery("form#the-form").serialize(), // The data you'll send. You need to get the form somehow. Easiest way is to give it an id.
        "dataType": "json", // Only put this if the server sends the response in json format
        "success": function(data, textStatus) { // server responded with http status 200
            // do success stuff, this is the happy case
        },
        "error": function(req, textStatus, errorThrown) { // maybe HTTP 404 or HTTP 500
            // something went wrong. let the user know, or something
        },
        "complete": function(req, textStatus) { // This one always gets called anyway
            // cleanup after yourself
        }  // careful: if you put a comma here, IE6 will fail
    });
}

At first glance this might not seem so simple, but if you’re doing everything as ajax, then this is just a natural part of it.

You can add action="javascript:return false;" inside the `form` tag, just in case.

The reason why spambots can’t get through is simple: they don’t know what to do. There’s no url in the “action” attribute on the form tag. There’s no submit button. Most importantly, most spambots don’t have javascript.

While it’s possible that some spambots will have javascript, they still won’t know what to do since there’s no submit button. They might try to guess what button to click, or maybe they’ll just click all of them, but that would still be easy to circumvent. You can add a hidden button (that regular users won’t see) that disables the real send button, so if a spambot tries to click every button it finds, it would likely hit the wrong button and then never be able to send the form.

Though unfortunately, if someone is targeting your site specifically, this kind of thing won’t work.
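The hidden-button trap described above, as an added sketch that is not code from the original post. `FakeButton`, `wireForm` and `simulate` are hypothetical names, and the buttons are constructed stand-ins for DOM elements so the logic runs outside a browser; it shows that the trap only catches a click-everything script when the decoy comes before the real button in document order.

```javascript
// Constructed stand-in for a DOM <button>, so the sketch runs outside a browser.
class FakeButton {
  constructor(id, hidden = false) {
    this.id = id;
    this.hidden = hidden;   // hidden from real users (e.g. via CSS)
    this.disabled = false;
    this.handlers = [];
  }
  addEventListener(type, fn) { if (type === "click") this.handlers.push(fn); }
  // Like a real button, a disabled one ignores clicks.
  click() { if (!this.disabled) this.handlers.forEach((fn) => fn()); }
}

// Wire the real send button and the hidden decoy (hypothetical helper).
// Once the decoy is clicked, the send button stays disabled for this page load.
function wireForm(sendBtn, decoyBtn, send) {
  decoyBtn.addEventListener("click", () => { sendBtn.disabled = true; });
  sendBtn.addEventListener("click", () => send());
}

// Build a page whose buttons appear in the given document order and
// return how many times the form was sent after the visitor acts.
function simulate(order, visitor) {
  const buttons = {
    send: new FakeButton("send"),
    decoy: new FakeButton("decoy", true),
  };
  let sent = 0;
  wireForm(buttons.send, buttons.decoy, () => { sent += 1; });
  visitor(order.map((name) => buttons[name]));
  return sent;
}

// A person only sees, and so only clicks, visible buttons.
const human = (btns) => btns.filter((b) => !b.hidden).forEach((b) => b.click());
// A script that clicks every button it finds, in document order.
const clickEverything = (btns) => btns.forEach((b) => b.click());

console.log(simulate(["decoy", "send"], human));           // 1
console.log(simulate(["decoy", "send"], clickEverything)); // 0
console.log(simulate(["send", "decoy"], clickEverything)); // 1
```

The trap lives entirely in the browser and the server receiving the request sees nothing of it, which is why the caveat about targeted visitors holds.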

