I'm looking for a way to encrypt an HTML form in PHP in a way so I can then decrypt it in the browser using JavaScript. This should work transparently to the user and JavaScript input validation must also work on the form (I know how to do this). When the user submits the form, it must be encrypted again and sent to the server using an "AJAX" request.
Edit: this will be used as an alternative CAPTCHA system, so scripts cannot submit forms, unless by some clever design.
Edit 2: I know this is breakable, everything is. Car locks are breakable, but we still use them. It is not meant to be the ultimate CAPTCHA, but a speed bump, which will drive all but the most persistent people away.
Thank you
4 solutions
#1
If you're trying to use this to stop spam, I've got some bad news for you:
The price of humans who'll spam blogs is falling to zero
This is a reality. On a site I run, I had a captcha system set up that spam was getting through. All but about 2 were coming from poorer regions of the world, so I had suspicions that there were companies paying people to spam. To test this I set accounts created by people in certain regions to be only visible to them and after they posted some content to alert them to the fact that their account was auto hidden. I provided them a form to contact us and complain if they were a legitimate user. Upon doing this we started getting about 10 emails a day from people angry that we had hidden their account, however upon checking the content they had added, they were spammers! It sounds crazy, but unfortunately it now seems to be humans doing the bulk of the spam. The spammers know we use captchas, so they have adapted. :(
CAPTCHAs are fast becoming useless (if not so already). Adding a link so users can report spam and having karma levels where users are granted admin privileges so that their flagging leads to automatically hiding spam without prior confirmation (like * does) is really the only effective way to stop spam now.
#2
This is the same problem as with DRM: User has the ciphertext. The decryption is done on user's system, so user must have the key too. If user has both key and ciphertext, all encryption is pointless.
If you just want to transmit data safe from outside snoopers, why not just use SSL (HTTPS)?
#3
You can use base64.
<?php
// Base64-encode the form markup before sending it to the browser.
echo base64_encode('html source');
?>
and then you can use the jQuery plugin: http://plugins.jquery.com/project/base64 or JavaScript http://www.webtoolkit.info/javascript-base64.html to decode that.
#4
For a CAPTCHA, the only way to defeat scripts is something that can only be done by a human - such as recognizing something in an image, or doing some math.
All decryption that's done by the browser can be just as easily done by automated scripts.
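The point made in answers #2 and #4, as an added example that is not from any of the posters: a Node.js sketch in which the server encrypts the form with AES-256-GCM and, because the browser has to decrypt it, ships the key in the same response. The function names, the response layout and the sample form are assumptions made for the illustration, and Node's `crypto` module stands in for the browser's decryption code; answer #3's base64 variant is included for comparison.

```javascript
// Added illustration; names, response layout and sample form are constructed.
const crypto = require('crypto');

const FORM_HTML = '<form action="/comment"><input name="email"></form>'; // constructed sample

// Server side: encrypt the form markup before embedding it in the page.
function serverRenderPage(formHtml) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(formHtml, 'utf8'), cipher.final()]);
  // The browser has to decrypt, so the key must travel in the same response.
  return {
    key: key.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// The routine the page's JavaScript would run. Nothing in it depends on a
// browser or a human: its only inputs are fields of the response itself.
function decryptForm(page) {
  const b = (s) => Buffer.from(s, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', b(page.key), b(page.iv));
  d.setAuthTag(b(page.tag));
  return Buffer.concat([d.update(b(page.ciphertext)), d.final()]).toString('utf8');
}

// Answer #3's base64 variant: an encoding, so there is not even a key to ship.
function base64RoundTrip(formHtml) {
  const encoded = Buffer.from(formHtml, 'utf8').toString('base64');
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// Whatever receives the response recovers the markup, under either scheme.
function recoveredByAnyClient(formHtml) {
  return decryptForm(serverRenderPage(formHtml)) === formHtml &&
         base64RoundTrip(formHtml) === formHtml;
}
```

Encrypting the markup therefore changes what is on the wire but not who can read it, which is the job HTTPS already does against outside observers, as answer #2 notes.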