I have a form on my web page. I often get empty submissions from what I assume are web bots. In order to stop this, I followed the advice of the accepted answer on this post and made a "honey trap" in order to stop automated submissions.

I'm not sure if I did something wrong, but I still get empty submissions about once a day.

Have I done something wrong, or is there another reason that this method will not work?

My HTML:

<form action="post.php" method="post">
      <label for="email"></label>
      <input type="email" placeholder="Enter your email address..."
         name="email" required>
      <input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">
      <button type="submit" class="signupbtn">Sign Up</button>
</form>

My PHP:

<?PHP
$honeypot = FALSE;
$email = $_POST["email"];
if (!empty($_REQUEST['contact_me_by_fax_only']) && (bool) $_REQUEST['contact_me_by_fax_only'] == TRUE) {
    $honeypot = TRUE;
    log_spambot($_REQUEST);
    # treat as spambot
} else {
  mail("my@email.com", "Message from $email", "message here");
  header('Location: thanks.html');
}
?>
user1551817
  • You could set the form target to a specific script that doesn't really process the data (it could be a script that ties them up for several seconds, for example) and use JavaScript to set the actual form action. It's not inconceivable that a bot is written in JavaScript, but most will not be, I'd suggest. If nothing else, it adds another layer to the defences. – Professor Abronsius Oct 27 '19 at 16:01

1 Answer

It is better practice to use isset() with checkboxes, rather than !empty(). Your checkbox has a value of 1 so it is considered as not being empty.

The way checkboxes work is that if it is checked, then it is "set".

This is more of a logic issue.

If you want to prevent a bot from automatically executing your code, check to see if the checkbox was "not" set/clicked and handle it from there.

Logic:

  • If the checkbox is checked, a human did that action, then proceed.
  • Check for empty fields that would require someone to type it in.
  • If everything checks out, proceed with mailing.
  • If the checkbox was not checked, halt the script from going any further and possibly show a message about it and log it.

You could make the checkbox "required" also, but using a server-side method to handle it all.

Funk Forty Niner
  • Sorry if I'm misunderstanding. But there is no checkbox visible to a human as it is hidden. So the idea is that if it IS checked, you can be sure that it was checked by a bot. – user1551817 Oct 27 '19 at 16:29
  • @Samad Yes you are right. Yet what I think would be best for them, would be to use the logic I included in the answer. Even Google suggested this some years ago and is still in use today. – Funk Forty Niner Oct 27 '19 at 16:37
  • But a human cannot check the box as it is hidden. The box only exists as a honey trap. – user1551817 Oct 27 '19 at 16:40
  • @user1551817 Hiding an input with CSS won't guarantee it won't be used / manipulated. If you yourself look at the HTML source, you will still see the input. That isn't IMHO the best practice. It's best to use full server-side methods. – Funk Forty Niner Oct 27 '19 at 16:42
  • Thanks for your comments. I understand it may not be best practice, but until I can learn how to implement something better, I would like to get this method working if I can. I would just like to understand why it doesn't currently. – user1551817 Oct 27 '19 at 16:48
  • @user1551817 You're welcome. Personally, I'd just make the checkbox required. No bot can tick it, it must be ticked off by a human. As I mentioned to the other member here, even Google suggested using this same method and is still in use today. – Funk Forty Niner Oct 27 '19 at 16:51
  • @user1551817 Either what I said above, or use a RECAPTCHA. – Funk Forty Niner Oct 27 '19 at 16:53
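
An added example, not code from any poster in this thread: a `post.php` for the question's form that keeps the hidden-checkbox honeypot and also validates the email on the server, since the HTML `required` attribute is enforced only by browsers and a script posting directly can send an empty body. The helper name `classify_submission` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example. classify_submission() is a hypothetical helper name.
// Returns [status, email]; status is 'honeypot', 'invalid' or 'ok'.
function classify_submission(array $post): array
{
    // A browser never sends an unchecked (hidden) checkbox, so the mere
    // presence of this key means something other than a human set it.
    if (isset($post['contact_me_by_fax_only'])) {
        return ['honeypot', null];
    }
    // "required" in the HTML is client-side only: re-check on the server.
    $raw = $post['email'] ?? '';
    if (!is_string($raw)) {               // e.g. email[]=x sent as an array
        return ['invalid', null];
    }
    $email = trim($raw);
    // FILTER_VALIDATE_EMAIL also rejects CR/LF, so the value is safe to
    // interpolate into the mail subject.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['invalid', null];
    }
    return ['ok', $email];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, run with: php post.php
    $samples = [
        'empty bot post'   => [],
        'honeypot ticked'  => ['email' => 'a@example.com', 'contact_me_by_fax_only' => '1'],
        'blank email'      => ['email' => '   '],
        'human submission' => ['email' => 'a@example.com'],
    ];
    foreach ($samples as $label => $post) {
        echo str_pad($label, 18), ' => ', classify_submission($post)[0], PHP_EOL;
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$status, $email] = classify_submission($_POST);
    if ($status === 'ok') {
        mail("my@email.com", "Message from $email", "message here");
        header('Location: thanks.html');
    } else {
        // Log the reason, send no mail, and answer with a client error.
        error_log("signup rejected: $status");
        http_response_code(400);
    }
}
```

Run from the command line, the constructed samples classify as `invalid`, `honeypot`, `invalid` and `ok` in that order; the first case is the empty submission described in the question, which never ticks the honeypot.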