Preventing automated account creation - PHP

coding@digital-data.co.uk wrote:
> Hi,
>
> I have been investigating ways of preventing automated account
> creation on the e-commerce system I am currently working on. Obviously I
> have seen the graphical solutions to this problem, a small image containing
> several letters and numbers which must be typed in by the user to confirm
> account creation. However, this (it seems to me) is a bit overkill for what
> is a pretty small client, I'm not entirely sure it's a good use of time to
> create this script solely for them, does anyone know of anything
> pre-packaged? Furthermore is it really worth doing this, what risks do
> automated account creation present to an e-commerce site?

Google CAPTCHA for those verify image scripts.

I hope you are kidding about this "what risks do automated account
creation present to an e-commerce site".

coding@digital-data.co.uk wrote:

>Hi,
>
> I have been investigating ways of preventing automated account
>creation on the e-commerce system I am currently working on. Obviously I
>have seen the graphical solutions to this problem, a small image containing
>several letters and numbers which must be typed in by the user to confirm
>account creation. However, this (it seems to me) is a bit overkill for what
>is a pretty small client, I'm not entirely sure it's a good use of time to
>create this script solely for them, does anyone know of anything
>pre-packaged? Furthermore is it really worth doing this, what risks do
>automated account creation present to an e-commerce site?
>
>
>
>Tom Williams,
>
>Digital Data
>
>
>
>
Well, CAPTCHA ( http://en.wikipedia.org/wiki/Captcha) is a pretty neat
solution ( http://www.pear.php.net/package/Text_CAPTCHA ). You can also
generate random numbers (www.php.net/rand www.php.net/mt_rand) and
combining it with this PEAR package
http://www.pear.php.net/package/Numbers_Words which is also a good
solution. The pass-string if I can call it so is best to be kept as a
session variable, since it's stored on the server-side and the user
can't view it. Storing its hash in a cookie can be also pretty fine, but
storing it in a GET variable is more than stupid.

Hope this helps,

--
Josip Dzolonga
http://josip.dotgeek.org

jdzolonga[at]gmail.com

> Well, CAPTCHA ( http://en.wikipedia.org/wiki/Captcha) is a
> pretty neat solution (
> http://www.pear.php.net/package/Text_CAPTCHA ). You can also
> generate random numbers (www.php.net/rand
> www.php.net/mt_rand) and combining it with this PEAR package
> http://www.pear.php.net/package/Numbers_Words which is also a
> good solution. The pass-string if I can call it so is best to
> be kept as a session variable, since it's stored on the
> server-side and the user can't view it. Storing its hash in a
> cookie can be also pretty fine, but storing it in a GET
> variable is more than stupid.

http://phpsec.org/articles/2005/text-captcha.html is a good primer on how to
use CAPTCHA effectively

HTH,

Mikey