I want a form to be submitted atleast 15 seconds after the page has loaded (because thats how long it takes on average for the form to be filled in).
I know I can do something like $time_page_loaded = time() at the top;
if (time() < $开发者_JS百科time_page_loaded + 15)
{
// show reCaptcha
}
else
{
// submit to database
}
Is this correct? Also when you re-factor this into a function how would you make it?
you would be able to use cookies for this bit as this is a security measure i would advise you use sessions.
sessions is a way to store small amounts of content within a file on your server that is only valid with a cookie hash.
at the very beginning of your script you need to put the following command:
<?php
session_start();
When the page loads you can assign a timestamps to the session, and upon submission you can calculate the time taken with the above:
if (time() < $_SESSION["time_page_loaded"] + 15)
{
// Captcha
}
To detect the time-to-submission on the server, you'd have to store the original time the form was sent to the user somewhere. In a session variable (good), or in a hidden form field (bad, unless you encrypt/heavily obfuscate the value), etc... When the form's submitted, you take the current time, compare it to that stored value, then decided on showing the captcha or not.
However, since the form HAS been submitted, and it was done in less than the cutoff time, you'd have to rebuild the entire form (including the extra captcha) stuff and show it to the user again - if the form allows file uploads, you'd be forcing the user to upload the file at least twice.
Implementing this client-side in javascript would be a bit more userfriendly (as long as you had server-side handling as well). Store the current time in a javascript variable when the page is loaded. Put an "onsubmit" handler onto the form. When the form's submitted, the handler fires, compares times, and either allows the form submission to proceed, or aborts the submission and inserts the recaptcha sections into the form.
With the approach you are discussing you would need to put a <input type="hidden" value="<?php echo time(); ?>" />
(or use a session variable) in your page and compare that value to the current output of the time()
function and take action from there. The boilerplate code you wrote above would work fine.
If I may though, I'm not sure this is a very nice user experience you are providing. The user doesn't know until after the fact (IE submitting the form) that he has done something 'wrong.' Using jQuery you could provide a fairly nice experience:
http://www.erichynds.com/jquery/a-new-and-improved-jquery-idle-timeout-plugin/
You should put a hidden input field with the page loaded time (generated by PHP) and when the form is submitted, compare the submit time against the hidden input value
BUT this is not secure at all. You should use something like javascript in order to do that
精彩评论