Please Help A Noob: Simple Honeypot


Vector28

Hi,

I use a simple formmail script that sends HTML mails and redirects to a "thank you" page, but I need to add a honeypot now because one of the sites gets spammed.

I added a hidden textfield with a value to the pages

 

<input id="botcheck" type="text" style="display: none;" value="spambot" /></td>

 

With a click on the send button I want to clear the value of the textfield. IMHO this reverse honeypot works better. But this isn't my problem. My problem is that I have no clue about PHP and can't get a simple if-else statement to work. My code currently looks like this (without the cleared value, just for testing):

 

 

<?php
if (($form['botcheck']) == 'spambot')
{
	 print("something");
 }
else
{

$destination = "test@mail.com";
$message = "<html>
<body style=\"font-family:Arial; font-size:10pt;\">
Hello,<br>
blablabla<br><br>
";
foreach($_POST as $keys => $vars){
$message .= "<b>$keys</b>: $vars<br>";
}
$message .= "
</body>
</html>
";
mail($destination,"This is a message",$message,"From: $email\n".
"Content-Type: text/html; charset=\"iso-8859-1\"\n".
"Content-Transfer-Encoding: quoted-printable".
"Content-Transfer-Encoding: 7bit\n".
"MIME-Version: 1.0\n");
header("Location: http://www.example.com");
}
?>

 

But the if-else statement doesn't work. I always receive the mails, although the textfield still has the value "spambot"?! Any help is appreciated. Thanks a lot.

Edited by Vector28

what is $form and where is it being populated?

 

To be honest... I don't have a clue, sorry. :(

I copied this part from a script I otherwise couldn't use (because I need the HTML part of my current script), and thought, or better hoped, that

($form['botcheck']) == 'spambot')

means something like "check if the textfield named "botcheck" in the sent form has the value "spambot"". Looks like I was wrong.

Sorry again, but as I said, I'm a PHP noob, and until now I never had a real spam problem. Looks like I have to learn a bit of PHP too. :\

Edited by Vector28

Your honeypot should NOT have a value, it should be empty, as the spambot may not change values that already exist. You should also be hiding it via an external CSS file and not an inline style, as some spambots may read inline styles but not load external CSS files. You shouldn't name it 'botcheck' either, as some spambots may look for any type of botchecks. I typically name mine either address2 or email2, leaving the value empty, and steer away from any class definitions that hint at any kind of checks being run on that input.

 

All you have to do scripting-wise is make sure that the honeypot is passed as an empty value.


Your honeypot should NOT have a value, it should be empty

 

This is true. Leave the hidden field empty and check whether that field has an added value during form submission rather than trying to remove that value.

 

Another trick that works like a charm is setting a timer from page load to form submission. Bots burn through forms/sites as quickly as possible, where a human might take several to many seconds before successfully submitting a form.

 

For example:

 

<?php
// time the page was rendered; echoed into the hidden field below
$_SESSION['start_time'] = time();

if (isset($_POST['submit'])) {

$current_time = time();

if (!empty($_POST['start_time'])) {
	// cast to int so a non-numeric value cannot break the subtraction
	if (($current_time - (int)$_POST['start_time']) < 5) { // 5 is number of seconds differential; change as you see fit
		// someone/something has submitted this form in under 5 seconds from reaching the page
		// probably a bot
		exit(0);
	}
}
}
?>
<form action="" method="post">
<input type="hidden" name="start_time" value="<?php echo $_SESSION['start_time']; ?>"/>

<!-- other form fields -->

<input type="submit" name="submit"/>
</form>

Edited by mrMarcus
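
A handler combining the two checks suggested in this thread, as an added example that is not code from any poster: the empty honeypot field read from `$_POST`, and the 5-second timer with the page-load time signed by the server, since the value of a hidden field is chosen by the client. `SECRET`, `MAX_SECS`, the `ts`/`sig` field names and the `addr-alt` class are assumptions made for illustration; `address2` is the field name suggested above.

```php
<?php
// Added example; SECRET, MAX_SECS, ts/sig and addr-alt are illustrative assumptions.
const SECRET   = 'replace-with-a-long-random-server-side-key'; // placeholder value
const MIN_SECS = 5;    // same 5-second threshold as in the thread
const MAX_SECS = 3600; // assumed upper bound so a harvested token expires

// Sign the page-load time so the client cannot submit an older, made-up one.
function issue_token(int $now): array {
    return ['ts' => $now, 'sig' => hash_hmac('sha256', (string)$now, SECRET)];
}

// Returns null when the submission passes, otherwise the reason it was rejected.
function reject_reason(array $post, int $now): ?string {
    // Honeypot: a browser sends this field empty; missing, array or filled means a bot.
    if (($post['address2'] ?? null) !== '') {
        return 'honeypot';
    }
    $ts  = $post['ts']  ?? '';
    $sig = $post['sig'] ?? '';
    // The timestamp must be all digits and carry the signature issued with the form.
    if (!is_string($ts) || !is_string($sig) || !ctype_digit($ts)
        || !hash_equals(hash_hmac('sha256', $ts, SECRET), $sig)) {
        return 'bad-token';
    }
    $elapsed = $now - (int)$ts;
    if ($elapsed < MIN_SECS) return 'too-fast';
    if ($elapsed > MAX_SECS) return 'expired';
    return null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reason = reject_reason($_POST, time());
    if ($reason !== null) {
        error_log("contact form rejected: $reason"); // lets you tune the thresholds
        http_response_code(400);
        exit;
    }
    // ... build and send the mail here, then redirect to the thank-you page ...
}
$t = issue_token(time());
?>
<form action="" method="post">
  <!-- .addr-alt is hidden by a rule in the external stylesheet -->
  <input type="text" name="address2" class="addr-alt" value="" autocomplete="off" tabindex="-1">
  <input type="hidden" name="ts"  value="<?= $t['ts'] ?>">
  <input type="hidden" name="sig" value="<?= $t['sig'] ?>">
  <!-- other form fields -->
  <input type="submit" name="submit">
</form>
```

Browser autofill can populate a field named like an address line, so watch the logged `honeypot` rejections for false positives.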
