Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I add Honey pot fields to my forms?

I've been reading about adding Honey pot fields to my forms for combating bots/spam. Only problem is theirs no guides or anything on where to start. Many sites say to make a field that is hidden that only the spam bot would fill out. But as I'm new to this, don't know where I would start in my application. Could anyone give me the advice on how to set this up? I am trying to make my Devise registration page use honey pot fields.

like image 699
LearningRoR Avatar asked Jan 15 '12 22:01

LearningRoR


People also ask

What is a honeypot field?

A honeypot is a field added to the form that the users can't see due to CSS or JavaScript (which hides the field). Honeypots are awesome because they don't inconvenience users like a captcha and they are a valid tool for thwarting spam bots.

How do you implement a honey pot captcha?

The honeypot captcha method is actually fairly simple. Put a field onto your form that humans won't fill out. Most spam bots search for forms, fill out every field and submit it. If the honeypot captcha field is filled out then you know that it is a spam submission.

What is honeypot in PHP?

The Honeypot Class makes it possible to determine when a Bot makes a request to a CodeIgniter4 application, if it's enabled in Application\Config\Filters. php file. This is done by attaching form fields to any form, and this form field is hidden from a human but accessible to a Bot.


4 Answers

The basic idea behind honeypot captchas is that you have a hidden (via CSS) field named something like "form" or "email" or "content" that (to a bot just reading the field name) looks like it should be filled in. Then, when the server looks at the submission, you make sure these hidden fields are blank. If they aren't, then you flag the post as a bot.

Here's a well explained example (with some code in ASP), and here's a Rails Gem that provides honeypot captchas.

That Rails Gem I linked looks like it's very easy to use once installed:

  <% form_tag comments_path, :honeypot => true do -%>
  ...
  <% end -%>

Although if you're interested in learning about the approach rather than just having it implemented, I'd recommend you roll your own. If you're rolling your own, it's important to make sure that the field is hidden by CSS (or some other style/positioning trick) and not input type="hidden" - as otherwise the bot might not fill out the field.

As Michael Mior pointed out in the comments, it's important to have a message next to the hidden field telling the user to leave it blank - otherwise users with screen readers might erroneously fill it in. This feature is missing from the gem I linked to - so if you're making an accessible website (which you almost certainly should be) you may need to modify it or roll your own.


Keep in mind that this trick isn't foolproof - there's nothing stopping a bot from rendering the page and determining which fields are actually visible to the user before filling any in - but that kind of bot would be considerably more complex than one that just looked at the form html. A honeypot captcha is likely to be very effective at stopping simple bots.

like image 172
Timothy Jones Avatar answered Oct 08 '22 16:10

Timothy Jones


Try invisible_captcha (supports Rails 3, 4 and 5).

It works pretty well for small and medium (in terms of traffic) sites, with a simple and flexible approach. It also provides time-sensitive submissions.

Basic usage

In your form:

<%= form_for(@topic) %>
  <%= invisible_captcha %>
  ...
<% end %>

In your controller:

class TopicsController < ApplicationController
  invisible_captcha only: [:create, :update]
  ...
end
like image 33
markets Avatar answered Oct 08 '22 15:10

markets


HTML - 
<input type="text" name="verifyEmail" id="verifyEmail">

PHP Validation -
if(strlen($_POST['verifyEmail']) > 0){
   header('location: {some redirect URL here..}'); //Send them way away from your form :)
die(); //Stop execution of the script
}

CSS - 
#verifyEmail{
position:fixed; 
visibility: hidden; 
top:-500px; left:-500px;
}

dislplay: none; does not show to a bot in HTML (try it with view source) visibility: hidden; left:-500px; top:-500px; (displays when you view source)

I used display:none honey pots for a while, then switched to visibility option when it occurred to me that the field didn't show in the source code. Do it with a class or id in CSS, not inline style. Notify users with label is good idea, and name is not so important because most bots generally fill in all fields.

Definitely not a catch all but very effective if used with a basic math captcha.

like image 39
user3653635 Avatar answered Oct 08 '22 15:10

user3653635


I will share what works 100% for my site right now.

For almost a week we have been testing ways to prevent the high number of fake users called "Spam Bots" as well as "Brute Force Registrations" both are FAKE USERS.

You can find on the internet many ways to apply what is called a honeypot or a hidden field in the registration form.

The purpose of this trick is we fool the FAKE REGISTRATION as it will always fill data in the hidden field thus causing the registration process to DIE preventing the fake registrations.

Now we mentioned many variations of this trick can be found on the internet, and we will explain why our code is quoted as 100% working as for 2 days now it stopped all SPAM BOTS, and all Brute force registrations.

The secret is how we hide the field with a name like "field1" as bots will catch on if we use a common name like password or zip code etc. Using a name like field1 and autocomplete = off force the BOTS to fill in the field and prevents it from determining what the field is for, so it will keep filling it in with data killing the registration attempt.

This image below shows the code we used in the registration form.

  <input type="text" name="field1" style="display:none !important" tabindex="-1" autocomplete="off">

Registration Form

This image below shows the code we placed in the PHP form that processes the command to kill the registration if data is entered into the field

 if(!empty($_POST['field1'])) die();

PHP Form

For the past 48 hours this code has yielded ZERO SPAM BOTS and ZERO Brute Force Registrations. Enjoy from all of us at AFFA Social

If you wish to manually test this code simply remove the style="display:none from the registration form code above. Try to register putting data in the hidden field, and then registration dies, and if you remove the data from the field the registration will continue.

like image 31
Charles Norton Avatar answered Oct 08 '22 16:10

Charles Norton