
User/Developer guide Hashcash1.0

Forcing the spammer to pay a price (computing power) before submitting rubbish to your homepage (in the comments or guestbook section, for example). The user's browser has to compute a new cryptographic value for a hidden field (JavaScript code provided); this may take 1 to 2 seconds, but may take longer with RSA 1024…. This is the user and developer guide of the cryptographic component framework for Mambo: com_hashcash.
Version 1.0 will be released soon…. GNU/GPL
Developer Documentation
@component: com_hashcash
@copyright (C) 2005 Walter Cedric for Mambo Integration
@license http://www.gnu.org/copyleft/gpl.html GNU/GPL
Free Software
3rd-party JavaScript
- RSA: http://www.ohdave.com/rsa/
- SHA1/MD5/MD4: http://pajhome.org.uk/crypt/md5/index.html
3rd-party PHP
- MD5/RSA/SHA1: part of the PHP language.
Based on:
- Plugin Name: WordPress Hashcash Manual Version
- Plugin URI: http://dev.wp-plugins.org/wiki/wp-hashcash
- Description: This is a manual version of wp-hashcash.
- Author: Matt Mullenweg, Elliott Back
- Author URI: http://photomatt.net/, http://elliottback.com
- Version: 1.6
Hat tips:
- C.S. – http://www.cimmanon.org/
- Gene Shepherd – http://www.imporium.org/
- John F. – www.stonegauge.com
- Magenson – http://blog.magenson.de/
- Matt Mullenweg – http://photomatt.net/
- Matt Warden – http://www.mattwarden.com/
- Paul Andrew Johnston – http://pajhome.org.uk/crypt/md5/
Kudos to all the developers above! Thanks to the GPL I do not have to reinvent the wheel…
Links:
- http://dev.wp-plugins.org/browser/wp-hashcash/trunk/
- http://www.cypherspace.org/adam/hashcash/
- http://www.lapo.it/hashcash.html
- http://www-128.ibm.com/developerworks/linux/library/l-hashcash.html
- www.hashcash.org
Requirements
- Component: com_hashcash – cryptographic facility for Mambo
- Components already using com_hashcash: com_akobook 3.42 with hashcash 1.0, and com_akocomment 2.0 with hashcash 1.0
- Required prior to installation: com_log4php
Principle:
Forcing the spammer to pay a price (computing power) before submitting rubbish to your homepage. The user's browser has to compute a new cryptographic value for a hidden field (JavaScript code provided); this may take 1 to 2 seconds, but may take longer with RSA 1024….
This also prevents robots from easily submitting code without first parsing your HTML page…
How it works in detail
This code adds a supplementary hidden field to every HTML form sent to the user.
– The hidden field has a random name (Hname), different at each load of the page.
– The hidden field value (Hvalue) is a cryptographic hash code (MD5, MD4 or RSA):
Hvalue = Crypt(UserSessionID + mosConfig_absolute_path + UserBrowserAgent + TodayDate(F j, Y, g a))
Crypt is the cryptographic PHP function: MD5, MD4 or RSA.
If the user wants to submit a comment, the browser, with the help of a small JavaScript, has to
– locate the hidden field name (Hname) with JavaScript (function replace())
– rehash the hidden field value (Hvalue) with MD5 (this is time-consuming)
and send everything back to the server.
If the spammer does not complete the challenge, the comment won't be accepted….
You can switch this feature ON/OFF in the Admin control panel, under the Posting tab of the akocomment and akobook components.
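
The round trip described above, written out as an added Node.js example; it is not code from com_hashcash. The helper names, keeping Hname in the session, UTC time, and accepting the previous hour (so a form loaded at 5:59 and submitted at 6:01 still verifies) are assumptions of this example.

```javascript
// Added example (Node.js); helper names and session storage are assumptions.
const nodeCrypto = require('crypto');
const md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');
const MONTHS = ['January', 'February', 'March', 'April', 'May', 'June', 'July',
  'August', 'September', 'October', 'November', 'December'];

// Equivalent of PHP date('F j, Y, g a'), in UTC: "March 10, 2005, 5 pm".
function hourStamp(d) {
  const h = d.getUTCHours();
  return `${MONTHS[d.getUTCMonth()]} ${d.getUTCDate()}, ${d.getUTCFullYear()}, ` +
    `${h % 12 || 12} ${h < 12 ? 'am' : 'pm'}`;
}

// Hvalue = Crypt(UserSessionID + mosConfig_absolute_path + UserBrowserAgent + date)
function hvalue(ctx, when) {
  return md5(ctx.sessionId + ctx.absolutePath + ctx.userAgent + hourStamp(when));
}

// Server, page load: emit a hidden field with a fresh random name (Hname).
function issueChallenge(ctx, now) {
  ctx.hname = 'h' + nodeCrypto.randomBytes(8).toString('hex'); // kept in session (assumption)
  return { name: ctx.hname, value: hvalue(ctx, now) };
}

// Browser, submit: locate the field and rehash its value with MD5.
function solveChallenge(field) {
  return { [field.name]: md5(field.value) };
}

// Server, submit: recompute for the current and previous hour, compare in constant time.
function verifySubmission(ctx, post, now) {
  const got = post[ctx.hname];
  if (typeof got !== 'string' || !/^[0-9a-f]{32}$/.test(got)) return false;
  const previousHour = new Date(now.getTime() - 3600 * 1000);
  return [now, previousHour].some((t) => nodeCrypto.timingSafeEqual(
    Buffer.from(got), Buffer.from(md5(hvalue(ctx, t)))));
}

// Constructed sample values, not taken from a real site.
const demoCtx = { sessionId: 'constructed-session', absolutePath: '/var/www/mambo',
  userAgent: 'ExampleBrowser/1.0' };
const loadedAt = new Date(Date.UTC(2005, 2, 10, 17, 59));
const demoField = issueChallenge(demoCtx, loadedAt);
console.log(verifySubmission(demoCtx, solveChallenge(demoField), loadedAt)); // honest browser
console.log(verifySubmission(demoCtx, { [demoField.name]: demoField.value }, loadedAt)); // no rehash
```

Because the session ID, user agent and hour are part of Hvalue, a response replayed from another session, another client or a much older page load does not verify.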
Configuring HashCash
Open the file /com_hashcash/settings.php with your favorite text editor:

| Key in file | Values | Notes |
|---|---|---|
| $hashcash_use = 'md5' | 'md4', 'md5' or 'sha1' | md4, md5 or sha1 |
| $hashcash_debug | true/false | Writes all information into the page on form submit |
| $hashcash_log_active | true/false | Spam submissions will be written to the logs |
| $hashcash_log_all | true/false | Log accepted and refused posts -> be careful with the size of the logs! |
| $hashcash_log_file | $GLOBALS['mosConfig_absolute_path'] . "/components/com_hashcash/hashcash.log" | Location of the log file |
| $hashcash_Notify_Admin | true/false | Notify an administrator by email? |
| $hashcash_log_size | integer | Every 64kb a mail will be sent to the admin with the content of the logs |
| $hashcash_AdminEmail | valid email | Admin email |

Note: An Administrator frontend will be shipped with release 1.0
Protecting Your Mambo Forms against Spammers and Robots
PHP code sent to the client (in the code where you create the form):

```php
# Include and instantiate the object in the portion of code where Hashcash is needed.
# Note that I have here a strong reference to the algorithm… (here MD5)
# This will soon be a factory
include($mosConfig_absolute_path.'/components/com_hashcash/plugins/md5/php/CodeInliner.php');
$MD5CodeInliner =& new MD5CodeInliner(true);
…
# Insert this JS (js1); the browser will use this JS during submit to locate the random hidden field name and encrypt its value
…
# Insert this code in your submit or validation JS method; this will call js1
…
# Add the hashcash input field in your form
```

Verifying on the server in your code that the user submission can be accepted
In the code where you validate and do something interesting with the submission:

```php
include($mosConfig_absolute_path.'/components/com_hashcash/HashcashChecker.php');
$HashcashChecker =& new HashcashChecker();
$submission = $HashcashChecker->check($submission, $contentid);
# Accepted only if check() returned a non-empty submission
$commentIsAccepted = strlen($submission) != 0;
if ($commentIsAccepted) {
    …
} else {
    …
}
```

Changelog:
Real object model, abstract class and factory still missing…