(2011-02-24, 11:32 PM)- G33K - Wrote: I didn't go the dynamic route not because of too much load, I decided against it because even after the addition of dynamic ids the questions will still be crackable for a bot that is customized to the site. Bots that are not customized to a particular site will not go through even without dynamic linking so when the end result is going to be the same why not keep it simple?
The idea is to make it as difficult for a bot to be customised for a site, as well as reduce the effectiveness of bots (i.e. require multiple tries).
As you've said, no system is uncrackable, so really, the only thing you can do is make it as difficult as possible to bots, which your system isn't really doing.
(2011-02-24, 11:32 PM)- G33K - Wrote: As far as the multiple questions go, it's more of a user convenience than a protection against bots which is why I included the ajax call to change the question. If the user does not know the answer to the question, they can choose another.
I find it amusing that you think you can make it a user convenience over something that is entirely controlled by the forum administrator. One would assume that the forum administrator should be able to pick an appropriate question/answer which all the users they care about should be able to answer.
But oh well, let's take your assumption on board. Your plugin design is still questionable. Why are the questions randomised? If it's for user convenience, surely it would make more sense to allow the admin to select an order in which questions are displayed? The admin can choose a question they think most users will be able to answer, and order it first, then when the user chooses to try a different one, your AJAX script will select the next one. Surely this is simpler, and also fixes up issues such as your plugin potentially selecting duplicate questions, which is anything but user friendly.
BTW, does this code even work if there's only one question?
$query = $db->query("
SELECT q.*
FROM ".TABLE_PREFIX.$prefix."questions q
WHERE q.qid != {$regq_id}
ORDER BY RAND()
LIMIT 1
");
$q = $db->fetch_array($query);
$regsecureq_id = $q['qid'];
$regsecureq = $q['question'];
(2011-02-24, 11:32 PM)- G33K - Wrote: Also changing the question often will invalidate the bots that are customized for a particular site causing them to have to reprogram for the new question.
No reprogramming necessary, the only thing that needs to be done is to add in a new question/answer combo. But if the bot has already been targeting your website, I don't think it would take much for the person running the bot to do this.
(2011-02-25, 12:27 PM)frostschutz Wrote: reCaptcha: While the interface can be translated, the captcha itself is usually English, and that alone can be a barrier for non-English speaking forums, and sometimes it asks for very odd words... I was hoping to use something simpler, and so far this question plugin works for the intended purpose. I'm aware of its weaknesses (was aware of them from the start), but even so.
Fair point, though for non-English readers, it would just be random characters like the MyBB captcha.
Still, one point which makes reCAPTCHA a bit easier to read is the fact that it uses words.
I find reCAPTCHA readable enough, but maybe others don't think so.
Still, I'm not recommending the system per se, rather, it might be more effective to use a more complex system maintained externally.
Anyway, I'm wasting my time over something I don't even care about...
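
The admin-ordered "try a different question" selection suggested in the post above, as an added example that is not part of the original post or the plugin's code. It works on a plain array instead of the database; the `disporder` field, the `next_question()` function and the sample rows are hypothetical. It returns null when there is no other question to offer, which is the single-question case the post asks about.

```php
<?php
// Added illustration: deterministic, admin-ordered question rotation.
// 'disporder' is a hypothetical admin-set column, not a known plugin field.

/**
 * Return the question that follows $current_qid in display order,
 * wrapping to the first one, or null when no other question exists.
 */
function next_question(array $questions, int $current_qid): ?array
{
    if (count($questions) === 0) {
        return null;                       // nothing configured at all
    }
    // Stable order: admin order first, qid as tie-breaker.
    usort($questions, fn($a, $b) =>
        [$a['disporder'], $a['qid']] <=> [$b['disporder'], $b['qid']]);

    $qids = array_column($questions, 'qid');
    $pos  = array_search($current_qid, $qids, true);

    if ($pos === false) {
        return $questions[0];              // unknown id: start from the top
    }
    if (count($questions) === 1) {
        return null;                       // only one question: keep showing it
    }
    return $questions[($pos + 1) % count($questions)];
}

// Constructed sample rows (not taken from any real forum).
$questions = [
    ['qid' => 7, 'disporder' => 2, 'question' => 'What colour is the sky?'],
    ['qid' => 3, 'disporder' => 1, 'question' => 'What is 2 + 3?'],
    ['qid' => 9, 'disporder' => 3, 'question' => 'Name of this forum?'],
];

// The id arrives from the AJAX request, so force it to an integer first.
$requested = (int) '7';

$next = next_question($questions, $requested);
echo $next === null ? "no alternative\n" : "{$next['qid']}: {$next['question']}\n";

// Last in order wraps to the first; a single-question set yields null.
echo next_question($questions, 9)['qid'], "\n";
var_dump(next_question([$questions[0]], 7));
```

Because the order is fixed, a user who asks for another question never gets the same one back until every other question has been shown.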