
Protecting Online Forms Using HashCash
What is HashCash?
HashCash refers to a 'proof of work' anti-spam measure originally proposed by Adam Back in 1997. It was intended to fight email spam, but the same idea has since been adapted to spam on web-based forms.
HashCash works by requiring the client (the user's browser) to spend a modest amount of CPU time searching for a value whose hash has a prescribed form. That value is submitted along with the form, and the server checks it with a single hash computation, so verification is essentially free. Spambots depend on submitting a great deal of spam in a short time; forcing each submission to cost up to several seconds of CPU makes the operation unprofitable. A well-balanced HashCash implementation sets the difficulty high enough to make spamming uneconomical, but low enough that human users never notice the delay.
Advantages of HashCash
- Highly effective against the common run of spambots, since almost none of them execute JavaScript. Note that a bot driving a real browser engine, or one that reimplements the search in its own code, can still solve the stamp; it just has to pay the CPU cost per submission like everyone else.
- Easy to implement
- Invisible to users
- The difficulty (the number of leading zero digits required) can be raised as hardware gets faster
Disadvantages of HashCash
- Requires a browser with Javascript enabled (this is standard, but some people disable Javascript for security reasons)
- Can take up to several seconds to compute on a slow machine
Implementing HashCash on your web-based form
- Download and extract our HashCash package (in zip).
- Copy the files to the directory where your online form is.
- In the head of your HTML form, add the following lines:
<script type="text/javascript" src="hashcash.php"></script>
- In the body tag of your HTML, add the following attribute, so the browser starts computing the stamp as soon as the page loads:
<body onload="find_salt();">
- In the script that processes your form (the one named in the form's action), add the following lines before the main part of your script (within the PHP tag). They rebuild the stamp from values the server controls and reject the submission if it does not meet the required difficulty:
<?php
session_start();
// Reject the request if no challenge is outstanding or no stamp was posted.
if (!isset($_SESSION['request_time'], $_SESSION['level'], $_POST['hashcash'])) {
    print "Form submission error!"; exit;
}
// Rebuild the stamp the client hashed: fixed prefix, the client IP as seen by the server,
// the time the challenge was issued (set in the session by hashcash.php), and the posted nonce.
$hex_key = "2:".$_SERVER["REMOTE_ADDR"].':'.$_SESSION["request_time"].':'.$_POST['hashcash'];
// Accept only if the hex SHA-1 digest starts with 'level' zero digits (4 bits of work each).
$pattern = '/^0{'.(int) $_SESSION['level'].'}/';
if ( preg_match($pattern, sha1($hex_key) ) ) {
- Add the following lines at the end of your script:
} else {
    print "Form submission error!";
}
// Consume the challenge so the same stamp cannot be submitted again in this session.
unset($_SESSION['request_time']);
?>
You're all set! Whenever a user loads your form, their browser starts computing the HashCash value in the background, and your form handler accepts the submission only if that value checks out, which makes bulk submission expensive for bots without inconveniencing human users. Two points to check in your deployment: the stamp is bound to REMOTE_ADDR, so if your server sits behind a reverse proxy or load balancer every client appears to share the proxy's address, and both hashcash.php and the check above must use the real client address instead; and the challenge is consumed on the first submission, so a user who submits the form a second time without reloading it will be rejected.
Enhancing your form with JavaScript (Optional)
You can also add JavaScript that checks required fields and e-mail format before the form is submitted, and it is easy to customize to your own form. Keep in mind that these checks run only in the browser: a bot, or a user with JavaScript disabled, simply posts the form without them, so your server-side script must validate the same fields itself.
- Specify which fields to validate:
- In the head of your HTML form, add the following line to specify which fields are required:
<script type="text/javascript" src="required_fields.js"></script>
- In the head of your HTML form, add the following line to check for correctly formed e-mail addresses:
<script type="text/javascript" src="emailCheck.js"></script>
- In your Submit button, change the following attributes:
- Change type from "submit" to "button"
- Add onclick= "CheckRequiredFields();"
- In the required_fields JavaScript, edit the CheckRequiredFields() function to match your form name and field names and to choose which fields are required. You can add further functions for more specific checks if desired. The default fields are phone and email (both checked for validity), affiliation, department and comment.
You're done! Whenever a user forgets to fill out a required field, an alert box will appear telling them which fields they missed, and the browser will not submit the form until all the required fields are filled out.

