Patrick, you're leaking SQL statements

2012 Oct 26, 9:34am   5,707 views   23 comments

by Dan8267

@Patrick

Today the site started sending back the SQL the server is executing after posting replies to messages. Here's a snippet. Looks like your log file.

1 0.56290626525879 select self_ID, friend from relationships where other_ID = '8267'
2 0.59986114501953 select other_ID, friend, ignorr from relationships where self_ID = '8267'
3 0.86808204650879 insert into postviews (user_ID, post_ID, want_email) values (8267, 1217988, 0) on duplicate key update want_email=0
4 0.94485282897949 update comments set comment_date=now() where comment_ID=889784
5 0.97990036010742 update threads set latest_comment_excerpt='Dan8267 says CaptainShuddup says And I\'m sure there\'s sound scientific reasoning behind... \"There\'s also been studies showing that religious tendencies are genetic.\" If I bother to do the Google search and prove you wrong yet again, will you be man enough to' where post_ID=1217988


1   Patrick   @   2012 Oct 26, 9:43am  

Thanks for telling me!

I was trying to reduce the total number of SQL calls and accidentally pushed test code to the server.

Should have just been for a minute or two at most.

2   Dan8267   @   2012 Oct 26, 9:46am  

Is the username "Bob';drop table threads" still available?

3   Patrick   @   2012 Oct 26, 9:48am  

Hopefully I've got things clean enough that that could actually be a username and wouldn't hurt anything.

But just in case I think I'll re-check...

4   Dan8267   @   2012 Oct 26, 9:54am  

I just got this message

No more than 5 links per comment allowed.

and I only had http links, all to images. Explicitly putting in the img tag fixed it.

Strange restriction. I'd rather there be a rule that you had to have at least 5 links every time you post, a sort of requirement for people to back up their assertions.

5   Patrick   @   2012 Oct 26, 10:04am  

Some spammers post comments with vast numbers of links, so I assumed a limit would be good.

OK, it's now 10 links per comment.

Anyway, explicitly putting in the img tag should not have fixed it. That sounds like a bug in itself.

6   Dan8267   @   2012 Oct 26, 10:10am  

Are spammers registering accounts on patrick.net so they can post spam?

7   Patrick   @   2012 Oct 26, 10:16am  

Yes, vast numbers. They attempt a new registration a few times a minute.

Fortunately, they have certain characteristics that let me detect them, such as typically being from Russia, Ukraine, or a few other countries, posting links immediately, and using certain keywords that are easy to block, like drug names or brand names.

8   Dan8267   @   2012 Oct 26, 10:30am  

Ah, the problem is you're not using captchas when registering new users. You're just using email confirmation. I just registered user "test111" and didn't have to enter a captcha.

Without such a human-verification challenge, people will write code to automatically register users. It's not worth their time to register a single account by hand. I'd recommend adding a ReCaptcha challenge for registering new users.

Since a real user only needs to register once, this is hardly an inconvenience. But it kills the automated registering of accounts. Plus it helps digitize books.

9   Patrick   @   2012 Oct 26, 10:38am  

Something about captchas always bothered me. They seem unfriendly.

Also, I've heard it's pretty easy to get around them by just making some porn site require the entry of a captcha, which it copies from the site you're trying to get into.

10   Dan8267   @   2012 Oct 26, 10:45am  

Patrick says

I've heard it's pretty easy to get around them by just making some porn site require the entry of a captcha, which it copies from the site you're trying to get into.

lol. Crowdsourcing captchas in exchange for porn. Priceless.

Well, there is another way. You could make registration computationally intensive, say running a JavaScript function to factor two large primes. It would only take a few seconds on a browser, but automated registers won't want to execute the JavaScript and won't want to spend the time factoring the product.

11   Patrick   @   2012 Oct 26, 10:55am  

Tell me more. Do you have an example bit of code?

12   Dan8267   @   2012 Oct 26, 11:07am  

http://arachnoid.com/prime_numbers/index.html

Basically get a table of large primes from some math site, multiply two or more together to produce a very large number, and run the JavaScript from the above site (after removing the maximum value limitation) and it could take a few seconds to a few minutes of JavaScript execution to get the factors out.

Use AJAX to send the result back to your server and compare with the original numbers you used in the product. If they match, accept the registration.

Basically, it's like a captcha, but a machine can do it. No human intervention is required, but it's not worth spending computational time doing to register lots of accounts. At most, a human needs to keep a browser tab or window open for a few minutes while doing this verification. And since this only needs to be done once per legitimate user, it's not that inconvenient.

13   Dan8267   @   2012 Oct 26, 11:28am  

Speaking of spam...

http://www.anwy2MPT5RE

14   Patrick   @   2012 Oct 27, 3:53am  

Dan8267 says

Basically, it's like a captcha, but a machine can do it. No human intervention is required, but it's not worth spending computational time doing to register lots of accounts. At most, a human needs to keep a browser tab or window open for a few minutes while doing this verification. And since this only needs to be done once per legitimate user, it's not that inconvenient.

I'd prefer registration to be instant and as convenient as possible for human users, since merely having registration already discourages people a bit from commenting.

If I could somehow easily charge users one cent to register, that would be perfect. The spammers won't pay even a cent, but most other people wouldn't care.

15   TechGromit   @   2012 Oct 27, 12:20pm  

I recommend SQL paste. That's how I fix my leaking SQL server issues.

