
Simple Honeypot Form Check with PHP and AJAX

Tags: ajax, forms, php, bots

I've been trawling through all the suggested posts for this topic but can't seem to find a solution that either works for me or I quite understand.

I am just trying to do a simple honeypot which checks if a hidden field is filled in by bots and breaks the form if so. My problem seems to be when it comes to using AJAX to see if the PHP value cleared. Hope that makes sense as I'm not well versed in coding languages.

My original idea was to disable the submit button for any bots that fill out the field. However, seeing as the field is blank straight out, the form loads the submit button and the point is lost.

This is the part of the form checking for the bots:

<!-- THE HONEYPOT -->
<li id="artificial-detect">
       <label for="artificials">If you see this, leave this form 
       field blank and invest in CSS support.</label>
       <input id="artificials" name="artificials" type="text" value="">
</li>
<!-- /HONEYPOT -->

<?php 
$spam = $_POST['artificials'] ?? ''; // This is our Honeypot field (empty until the form is posted)
if ($spam !== '') {  // If the Honeypot field has been filled in
    die("No spamming allowed bitch!"); 
} else { ?>
<li class="last">
        <input class="submit" type="submit" name="submit">
</li>
<?php } ?>

I don't understand what to do now:

jQuery('#salesforce-crm-form .submit').click(function(){
     jQuery.ajax({
     // Get PHP function that determines whether the honeypot has been snatched.
     });
});

I am using an external URL for the action="" so I thought maybe that could only be inserted if the PHP returns clean of bots.

Jake asked Dec 06 '25 01:12


1 Answer

You cannot do the things in the order you think.

First PHP runs to deliver your form.

Then the browser acts, displays the form to the user. He might enter data and send it back.

Then PHP is on again, checking the form values.

You pretty much have the code you want to check if the honeypot field is filled. You should not try to use AJAX, because this PHP check can only be taking place after sending the form. Simply don't do what the form is intended to do if you detect spam.

BTW, bots don't press submit buttons. Bots send requests based on parsing forms, disabling all JavaScript.

[EDIT] If your form goes to an external URL, then you cannot control any spam detection. Because bots do not use JavaScript, anything on this level will not work, either, but that's what you are trying to do.

Only thing that will work is to NOT send the form to the external URL directly, but to a PHP script on your server that will check for spam and then send it to the original destination. Don't know if this will mess up anything else because now it is not the user's browser sending the form, but your server. If there is any detection and/or usage of request metadata on that side, you are interfering with this.

Sven answered Dec 08 '25 15:12
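The relay described in the answer above, as an added example that is not code from either poster: the form's action points at this script, which checks the honeypot on the server and forwards only clean submissions. The destination URL and the forwarded field names are placeholders; only the `artificials` field name comes from the question.

```php
<?php
// relay.php: the form's action points here instead of at the external URL.
declare(strict_types=1);

const HONEYPOT_FIELD = 'artificials';                        // field name from the question
const FORWARD_URL    = 'https://crm.example.invalid/submit'; // placeholder destination
const ALLOWED_FIELDS = ['first_name', 'last_name', 'email']; // hypothetical field names

// A human never sees the hidden field, so any non-empty (or non-string) value marks a bot.
function honeypot_tripped(array $post): bool
{
    $value = $post[HONEYPOT_FIELD] ?? '';
    return !is_string($value) || trim($value) !== '';
}

// Forward only known string fields; the honeypot and unexpected keys are dropped.
function forward_payload(array $post): array
{
    $out = [];
    foreach (ALLOWED_FIELDS as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $out[$name] = $post[$name];
        }
    }
    return $out;
}

// Server-to-server POST; returns the HTTP status, or 0 on a transport failure.
function relay(array $payload): int
{
    $ch = curl_init(FORWARD_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    return curl_exec($ch) === false ? 0 : (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Bots get the same reply as humans, so they learn nothing; only clean posts are forwarded.
    $status = honeypot_tripped($_POST) ? 200 : relay(forward_payload($_POST));
    $ok = $status >= 200 && $status < 400;
    http_response_code($ok ? 200 : 502);
    echo $ok ? 'Thank you.' : 'Submission failed, please try again.';
}
```

The destination now sees your server's IP address and headers instead of the visitor's, which is the request-metadata caveat raised in the answer.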
