SitePoint Sponsor

User Tag List

Results 1 to 5 of 5

Thread: Trouble with Chrome filling in honeypot

  1. Jan 22, 2011 12:08 #1
    bopjo1
    bopjo1 is offline
    SitePoint Zealot bopjo1's Avatar
    Join Date
    Jun 2007
    Location
    Tampa, FL
    Posts
    109
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Trouble with Chrome filling in honeypot

    I use the honeypot technique to prevent spam-bots from filling out my forms. Recently I noticed how Chrome's auto-complete will fill in the honeypot, even though it is an invisible field.

    my honeypot field is named "url"

    In my PHP I have:

    Code:
    if (!empty($_POST['url'])) { exit(); }
    So by filling in the honeypot, Chrome is perceived as a spam-bot and prevents the rest of the script from running.

    Anyone know of a workaround for this?
    David Crisler
    Bopjo Design Web Services
  2. Jan 22, 2011 18:06 #2
    ScallioXTX
    ScallioXTX is offline
    Do. Or do not. There is no try silver trophy
     SitePoint Award Recipient ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    8,344
    Mentioned
    87 Post(s)
    Tagged
    2 Thread(s)
    Why not give the honeypot an obscure name that chrome is not likely to have an entry for? Bots are plain stupid so they'll fill it in anyway.

    By the way, if by "invisible field" you mean <input type="hidden" />, a better way is to make it <input type="text" /> and then drag it off the screen using something like margin-left: -9999px; height: 0; in the CSS.
    <input type="hidden" /> is quite easy to detect whereas most bots don't parse CSS and thus will never know that the field won't be visible for anyone.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy
  3. Jan 22, 2011 18:17 #3
    bopjo1
    bopjo1 is offline
    SitePoint Zealot bopjo1's Avatar
    Join Date
    Jun 2007
    Location
    Tampa, FL
    Posts
    109
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the reply. In my CSS I use "display:none" which nukes it completely from the layout while leaving the html code intact.

    I've tried giving the hidden field different names like "$f&)k4" or "muffin" and Chrome still fills it in.

    If there is a field for a user's first name and they type the first letter of their name, Chrome displays a list of "autofill options" that are tied to that person's name from previous form entries. The autofill options include other data that was inserted with that name like address, email, etc. If the user chooses a selection in the list which contains other autofill details, Chrome then fills in the rest of the fields, continuing even into the hidden field, no matter what the name attribute of the field is.

    Pretty much ruins the whole honeypot technique, which sucks.
    David Crisler
    Bopjo Design Web Services
  4. Jan 22, 2011 18:33 #4
    leelong
    leelong is offline
    SitePoint Addict
    Join Date
    Jul 2008
    Posts
    220
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    in this case, it has nothing to do with PHP but a bug(well at least for me) in Chrome.
    I've never been born, nor will I die.
    I am just a passer-by who stumbled across a planet called Earth,
    for a short period of visiting......
  5. Jan 22, 2011 21:56 #5
    cranial-bore
    cranial-bore is offline
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,633
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What about not creating the honey pot field when Chrome is the UA? The number of spam bots using a Chrome UA string is probably a vast minority.
    mikehealy.com.au
    diigital.com art, design . Latest WorkSaturday Morning
« Previous Thread | Next Thread »

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules