
Anti Spam Bot modification for FluxBB


Last Updated: 2011-03-08

UPDATE!
Please don't use this anymore. It is very old and it is no longer maintained.
You can find my development thread for my latest CAPTCHAv2 mod here FluxBB 1.4 CaptchaV2 Mod



Summary:
This is a mod for FluxBB. It is available as a download: extract the files within, copy them to your FluxBB root directory and overwrite the existing files. This page also explains how to adjust the required file manually to get the mod working. After the mod is installed, the FluxBB registration process will have these additional features:
- register.php will no longer accept POST values directly; the input form where a new user enters his/her username and E-Mail address must be loaded first.
- register.php will ask a simple question which must be answered correctly. Unlike other solutions, my modification asks randomly selected questions from a question and answer file.
- Fixed problem when a user running the Firefox web browser enters an incorrect value and needs to go back: the submit button stays disabled until the page is reloaded. The JavaScript that disables the button was removed from register.php to fix the issue.
WARNING: I have been informed that the JavaScript which disables the button has been added by the developers of FluxBB to prevent multiple submits of the same form. It is my personal opinion that this feature violates the number one rule of designing web software, which is to "Never trust the client". Since JavaScript can easily be turned off, which disables this "protection", it is my opinion that this option is more trouble than it is worth and should be removed.

Article:
This guide was originally written for PunBB (available here: PunBB CAPTCHA mod), but PunBB has forked into FluxBB, and since I don't like the direction PunBB is going, I will only release guides on how to add the CAPTCHA to FluxBB releases (for now).

My modifications to the registration process of FluxBB protect against spam bots directly submitting POST variables to register.php and require the user to answer a simple question, such as: "What is five plus one?".
This easy to answer question is pretty hard for a computer to answer because the computer needs to recognize the question first.
Furthermore, the math problem is written out: a user may answer 6 or six, so the validation step must support both ways to answer the question.

This sample image displays the modification in action


All modifications to FluxBB are limited to the register.php file. But before we get started I would like to suggest another modification to the register.php file. The file disables the submit button via JavaScript. If a user running the Firefox web browser enters an incorrect value and needs to go back, the submit button will stay disabled until the page is reloaded. Since Firefox is a very popular browser this should never happen, regardless of whether this is a browser bug or by design.
Line 268 (FluxBB 1.2.21) or 276 (FluxBB 1.4 BETA) should be changed from:

<form id="register" method="post" action="register.php?action=register" onsubmit="this.register.disabled=true;if(process_form(this)){return true;}else{this.register.disabled=false;return false;}">
to
<form id="register" method="post" action="register.php?action=register">

OK, let's get started. If you are running an unmodified version of register.php, FluxBB 1.2.21, you can download the zip package below and overwrite the existing file.
If you have modified your register.php or just prefer to modify register.php file yourself you can follow the instructions below to implement the protection. You also need to download the zip file but only copy QandA.php file into the FluxBB root directory.

Downloads:
Rename register.php-FluxBB-v1.2.21 to register.php if you are running FluxBB 1.2.21
or
Rename register.php-FluxBB-v1.4BETA to register.php if you are running FluxBB 1.4 BETA

PunBB_Human_Test-1.1.zip for version 1.2.21 and 1.4BETA

Manual modifications
Follow these steps to add the modifications yourself instead of using the files provided by the download.

Open register.php with a text editor such as Kate or Notepad.
Go to line 36 and add the following lines after } and before "Load the register.php language file....":
//This is part of the human test, it will ensure that the values submitted to register.php come from the form and are not part of a spambot submitting POST variables directly to register.php
session_start();
$hum_id = session_id();


Now go to line 83 and add the following lines after the { and before the comment "Check that someone from this IP didn't ....":
//Human validation, first check that the session ID is present in the session array.....
//This one should catch most "simple" bot programs because the form requires that step one is loaded. It prevents bots from submitting variables to register.php directly
//isset() is checked first so a missing session key (form never loaded) is rejected without a PHP notice
if( !isset($_SESSION['hum_sumtest']) || $hum_id != $_SESSION['hum_sumtest'] ) {
message('Mhhh, maybe you should try and submit your values via the form and not submit them directly to register.php ..... byebye bot....');
} //if( !isset($_SESSION['hum_sumtest']) || $hum_id != $_SESSION['hum_sumtest'] )
//Now check that the correct human test answer was given, don't do anything if this fails
//trim() removes surrounding whitespace so " six " is still accepted as "six"
if( isset($_POST['human_test']) ) { $hum_answer = trim($_POST['human_test']); } else { $hum_answer = ''; }
if( !isset($_SESSION['hum_qna_i']) ) { //Ensure that the Question Index has been stored in the last step
message('Missing Question Index, please contact the administrator of the forum and report the issue, thank you.');
} //if( !isset($_SESSION['hum_qna_i']) )
$hum_q_index = $_SESSION['hum_qna_i']; //This is the question index, used to lookup the question
$hum_answ_correct = False; //Set to True if the answer given is correct
require_once 'QandA.php';
//Now test that the answer is correct, all tests are done in lower case
$hum_answ_cnt = count($hum_qna[$hum_q_index]); //First check how many possible answers there are, index 0 is the question itself
//Now loop through answers (index 1 and up) to check if the answer given is actually in the list of correct answers
for( $hum_x=1 ; $hum_x < $hum_answ_cnt ; $hum_x++ ) {
$hum_qna_line = $hum_qna[$hum_q_index][$hum_x];
if( strcasecmp( $hum_answer, $hum_qna_line) == 0 ) {
$hum_answ_correct = True; //The answer is correct, cool
} //if( strcasecmp( $hum_answer, $hum_qna_line) == 0 )
}//for( $hum_x=1 ; $hum_x < $hum_answ_cnt ; $hum_x++ )
//The loop is over, check if the correct answer was given and issue error if not
if( $hum_answ_correct == False ) {
message('You supplied an incorrect answer at the "Human Test" field, please try again');
} //if( $hum_answ_correct == False )
//This should be it, the user should be human and not a bot

Now go to line 333 (FluxBB 1.2.21) or 341 (FluxBB 1.4BETA) and add the following after </div> and before <div class="inform">:
<div class="inform">
<fieldset>
<legend>Human Test</legend>
<div class="infldset">
Please answer the question below to verify that you are not a computer program, thank you.<br>
<?PHP
//If the form is not loaded but the values are sent via POST directly to register.php then
// $_SESSION['hum_sumtest'] will be empty at the next step.
$_SESSION['hum_sumtest'] = $hum_id; //Save generated value in session array
require_once 'QandA.php';
$hum_cnt = count($hum_qna) -1; //Find out how many questions there are, -1 since the count starts at zero
$hum_qna_i = rand(0, $hum_cnt); //Get random number within question range
$hum_question = $hum_qna[$hum_qna_i][0]; //Get the question and save it
$_SESSION['hum_qna_i'] = $hum_qna_i; //Store the index of the question
?>
Question: <strong><?PHP echo $hum_question; ?></strong><br>
Answer: <input type="text" size="30" maxlength="100" name="human_test" value="" />
</div>
</fieldset>
</div>

That is it as far as modifications to register.php go. Now you need to download the Questions and Answers file and place it into the same directory where register.php is located. The file already contains a few simple questions and answers, but I urge you to replace them with your own. Edit the file with a text editor such as Kate or Notepad and follow the instructions within the QandA.php file on how to add your own questions.

Important Notes Regarding Question Selection:
Because the validation scheme supports many questions, it is possible to make the mod almost useless if you have a lot of questions with the same answer or with very short answers.
Assume that you have added 10 questions and most of them are simple math problems such as 1+1 or 2-1, which only have a one digit answer. A spammer can then adjust his spam bot to attempt a brute force attack: the bot tries every possible combination, so any such simple question can be broken very quickly.
It is a good idea to apply standard password policies to the answers; no answer should be shorter than 6 characters.
It is also a good idea not to include the word which is supposed to be typed into the answer field within the question itself.
WARNING
The question index within the QandA.php file must be sequential or validation will most likely fail (the question is selected with rand(0, count-1), so a gap in the indexes means a question that does not exist can be selected). For better protection check out CAPTCHAv2! You can find the link in the main menu.

Here are a few not so good examples:
- What is 1+1?
- Write the word red into the field below.

Here are a few good questions you may want to modify to build your question/answer file:
- Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
- Fill in the missing character and enter the word into the box below: cof_ee
- Fill in the missing character and enter the word into the box below: mat_ematics
- What does one hundred PLUS thirty PLUS twenty five PLUS two hundred equal?
- What year did Apollo 11 land on the moon?
- Write the number one thousand three hundred thirty three in numbers.
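The answer check from the register.php modification and the question-selection rules above, as an added PHP example that is not part of the mod's own files: a constructed question array in the layout register.php reads ($hum_qna[$i][0] is the question, $hum_qna[$i][1] and up the accepted answers), the same case-insensitive comparison (with trim() added), and a lint pass that flags the weak patterns described above. The function names, the $minLen default and the sample questions are my own assumptions.

```php
<?php
// Constructed question file in the layout the mod reads (assumed from the loop
// in register.php): index 0 = question text, indexes 1..n = accepted answers.
$hum_qna = [
    0 => ['What is five plus one?', '6', 'six'],                 // answers too short
    1 => ['Write the word red into the field below.', 'red'],    // answer appears in question
    2 => ['Fill in the missing character and enter the word into the box below: cof_ee', 'coffee'],
    5 => ['Fill in the missing character and enter the word into the box below: mat_ematics', 'mathematics'],
];                                                                // indexes 3 and 4 missing: rand() can select them

// Same test register.php performs: case-insensitive match against every accepted answer.
// trim() is added so stray whitespace does not reject a human.
function hum_check_answer(array $hum_qna, int $index, ?string $given): bool
{
    if (!isset($hum_qna[$index])) {
        return false; // index stored in the session does not exist in the file
    }
    $given = trim((string) $given);
    for ($x = 1, $n = count($hum_qna[$index]); $x < $n; $x++) {
        if (strcasecmp($given, $hum_qna[$index][$x]) === 0) {
            return true;
        }
    }
    return false;
}
// Lint pass applying the page's rules; returns one message per problem found.
function hum_lint_questions(array $hum_qna, int $minLen = 6): array
{
    $problems = [];
    $expected = 0;
    foreach ($hum_qna as $i => $entry) {
        if ($i !== $expected) {
            $problems[] = "index $i: expected index $expected, indexes must be sequential";
        }
        $expected = $i + 1;
        $question = $entry[0];
        foreach (array_slice($entry, 1) as $answer) {
            if (strlen($answer) < $minLen) {
                $problems[] = "index $i: answer '$answer' is shorter than $minLen characters";
            }
            if (stripos($question, $answer) !== false) {
                $problems[] = "index $i: answer '$answer' is spelled out in the question";
            }
        }
    }
    return $problems;
}

var_dump(hum_check_answer($hum_qna, 0, ' Six '));
print_r(hum_lint_questions($hum_qna));
```

Running the lint over your own QandA.php before deploying it catches the short, repeated and self-answering questions that make the brute-force attack described above cheap.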

Please report any problems or suggestions via the Contact Form.

 

Title: Pure Genius
Posted By: saxamo On: 2009-06-25 07:56
Running: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Just want to thank you for your help on this. Excellent mod! Love it. Keep up the great work and thanks for being such a nice person. It is unusual that someone would be as willing as you are to get something working properly. I appreciate your help and your time.

Kind regards,
Saxamo

http://www.saxamo.com
Title: Thanks
Posted By: Ehtime On: 2009-06-25 10:30
Running: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Thank you!
Title:
Posted By: Pamella & Karolina On: 2010-09-05 03:37
Running: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Yes! Fluxbb is an "old-school" forums board ;-) but many thanks for your mod... used for more than 1 year and our number of f**king registrations is none! Now...

Then we'll try your CAPTCHAv2 but installation seems really more "difficult"
Title: @ Pamella & Karolin
Posted By: Skylinux On: 2010-09-05 08:33
Running: Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10
@ Pamella & Karolin
"Yes! Fluxbb is an "old-school" forums board"
I am talking about issues like FireFox users having to deal with disabled Submit buttons when registering and the devs not caring. They also require that your browser sends the referrer information when accessing the control panel. The referrer information is easily forged so nothing should rely on it. It scares me that PunBB/FluxBB makes use of this for security measures.
I never bothered to check what they use the information for but they do and that shows me another area of questionable design.

"Then we'll try your CAPTCHAv2 but installation seems really more "difficult""
I wrote it so that it installs with a few mouse clicks and it even supports PostgreSQL. So as long as you have the forum running then CAPTCHAv2 should install with a few mouse clicks.
I recommend you try it since it works quite well. A part of the German government is about to use the bot trapping feature of CAPTCHAv2 to protect one site from scripted attacks.
Feel free to contact me (Contact link in top menu) if you run into problems with CAPTCHAv2.
Title:
Posted By: Pamella On: 2010-08-20 00:37
Running: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Many thanks ;-) but is it working with the latest version (1.4.2)?
Title:
Posted By: Karolina On: 2010-08-27 02:25
Running: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Thanks but Fluxbb v1.4.2 is supported too ;-) isn't it?
Title: @Pamella + Karolina
Posted By: Skylinux On: 2010-08-27 12:08
Running: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.127 Safari/533.4
@Pamella + Karolina

It will most likely work with 1.4.2, I don't use Pun/FluxBB anymore because I don't like their design philosophy.
For a better CAPTCHA solution you should check out the CAPTCHAv2 link in the main menu on the left.
