  1. #1
    bopjo1

    Trouble with Chrome filling in honeypot

    I use the honeypot technique to prevent spam-bots from filling out my forms. Recently I noticed how Chrome's auto-complete will fill in the honeypot, even though it is an invisible field.

    My honeypot field is named "url".

    In my PHP I have:

    Code:
    if (!empty($_POST['url'])) { exit(); }
    So by filling in the honeypot, Chrome is perceived as a spam-bot and prevents the rest of the script from running.

    Anyone know of a workaround for this?

  2. #2
    ScallioXTX
    Why not give the honeypot an obscure name that Chrome is not likely to have an entry for? Bots are plain stupid so they'll fill it in anyway.

    By the way, if by "invisible field" you mean <input type="hidden" />, a better way is to make it <input type="text" /> and then drag it off the screen using something like margin-left: -9999px; height: 0; in the CSS.
    <input type="hidden" /> is quite easy to detect whereas most bots don't parse CSS and thus will never know that the field won't be visible for anyone.
    Rémon - Hosting Advisor


  3. #3
    bopjo1
    Thanks for the reply. In my CSS I use "display:none" which nukes it completely from the layout while leaving the HTML code intact.

    I've tried giving the hidden field different names like "$f&)k4" or "muffin" and Chrome still fills it in.

    If there is a field for a user's first name and they type the first letter of their name, Chrome displays a list of "autofill options" that are tied to that person's name from previous form entries. The autofill options include other data that was inserted with that name like address, email, etc. If the user chooses a selection in the list which contains other autofill details, Chrome then fills in the rest of the fields, continuing even into the hidden field, no matter what the name attribute of the field is.

    Pretty much ruins the whole honeypot technique, which sucks.

  4. #4
    In this case, it has nothing to do with PHP but a bug (well, at least for me) in Chrome.

  5. #5
    cranial-bore
    What about not creating the honey pot field when Chrome is the UA? The number of spam bots using a Chrome UA string is probably a vast minority.
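
An added example, not code from any poster in this thread: the off-screen text-input honeypot suggested in post #2, with a server-side check that returns a verdict instead of calling `exit()` and that also covers inputs the `!empty()` test in post #1 lets through. The field name, CSS class and verdict strings are hypothetical.

```php
<?php
// Added example, not code from the thread. HONEYPOT_FIELD, the hp-wrap class
// and the verdict strings are hypothetical names chosen for illustration.
const HONEYPOT_FIELD = 'hp_contact_pref';

// Render the trap as a real text input pushed off-screen by CSS (post #2),
// rather than type="hidden" or display:none.
function honeypot_html(): string
{
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES, 'UTF-8');
    return '<style>.hp-wrap{position:absolute;margin-left:-9999px;height:0;overflow:hidden}</style>'
         . '<div class="hp-wrap"><label>Leave this field empty '
         . '<input type="text" name="' . $name . '" value="" tabindex="-1">'
         . '</label></div>';
}

// Classify a submission instead of calling exit() on it.
//   clean   - field present and empty: what a browser sends for an untouched input
//   filled  - something wrote into the trap (a bot, or browser autofill)
//   missing - field absent: the POST did not come from the rendered form
function honeypot_verdict(array $post): string
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return 'missing';
    }
    $value = $post[HONEYPOT_FIELD];
    // Array-valued input (name[]=x) is never what the rendered form sends.
    if (!is_string($value)) {
        return 'filled';
    }
    // Compare against '' explicitly: empty('0') is true in PHP, so a trap
    // filled with "0" would pass an !empty() test.
    return $value === '' ? 'clean' : 'filled';
}

// Constructed sample submissions.
$samples = [
    'untouched'   => ['email' => 'a@example.com', HONEYPOT_FIELD => ''],
    'url written' => ['email' => 'b@example.com', HONEYPOT_FIELD => 'http://spam.example/'],
    'zero string' => ['email' => 'c@example.com', HONEYPOT_FIELD => '0'],
    'no field'    => ['email' => 'd@example.com'],
];
foreach ($samples as $label => $post) {
    printf("%-12s %s\n", $label, honeypot_verdict($post));
}
```

Because the caller receives a verdict rather than an `exit()`, it can log `filled` submissions and see how often autofill, as described in post #3, is tripping the trap.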

