How do I add Honey pot fields to my forms?

2019-01-25 07:51发布

问题:

I've been reading about adding Honey pot fields to my forms for combating bots/spam. Only problem is theirs no guides or anything on where to start. Many sites say to make a field that is hidden that only the spam bot would fill out. But as I'm new to this, don't know where I would start in my application. Could anyone give me the advice on how to set this up? I am trying to make my Devise registration page use honey pot fields.

回答1:

The basic idea behind honeypot captchas is that you have a hidden (via CSS) field named something like "form" or "email" or "content" that (to a bot just reading the field name) looks like it should be filled in. Then, when the server looks at the submission, you make sure these hidden fields are blank. If they aren't, then you flag the post as a bot.

Here's a well explained example (with some code in ASP), and here's a Rails Gem that provides honeypot captchas.

That Rails Gem I linked looks like it's very easy to use once installed:

  <% form_tag comments_path, :honeypot => true do -%>
  ...
  <% end -%>

Although if you're interested in learning about the approach rather than just having it implemented, I'd recommend you roll your own. If you're rolling your own, it's important to make sure that the field is hidden by CSS (or some other style/positioning trick) and not input type="hidden" - as otherwise the bot might not fill out the field.

As Michael Mior pointed out in the comments, it's important to have a message next to the hidden field telling the user to leave it blank - otherwise users with screen readers might erroneously fill it in. This feature is missing from the gem I linked to - so if you're making an accessible website (which you almost certainly should be) you may need to modify it or roll your own.


Keep in mind that this trick isn't foolproof - there's nothing stopping a bot from rendering the page and determining which fields are actually visible to the user before filling any in - but that kind of bot would be considerably more complex than one that just looked at the form html. A honeypot captcha is likely to be very effective at stopping simple bots.



回答2:

HTML - 
<input type="text" name="verifyEmail" id="verifyEmail">

PHP Validation -
if(strlen($_POST['verifyEmail']) > 0){
   header('location: {some redirect URL here..}'); //Send them way away from your form :)
die(); //Stop execution of the script
}

CSS - 
#verifyEmail{
position:fixed; 
visibility: hidden; 
top:-500px; left:-500px;
}

dislplay: none; does not show to a bot in HTML (try it with view source) visibility: hidden; left:-500px; top:-500px; (displays when you view source)

I used display:none honey pots for a while, then switched to visibility option when it occurred to me that the field didn't show in the source code. Do it with a class or id in CSS, not inline style. Notify users with label is good idea, and name is not so important because most bots generally fill in all fields.

Definitely not a catch all but very effective if used with a basic math captcha.



回答3:

Try invisible_captcha (supports Rails 3, 4 and 5).

It works pretty well for small and medium (in terms of traffic) sites, with a simple and flexible approach. It also provides time-sensitive submissions.

Basic usage

In your form:

<%= form_for(@topic) %>
  <%= invisible_captcha %>
  ...
<% end %>

In your controller:

class TopicsController < ApplicationController
  invisible_captcha only: [:create, :update]
  ...
end


回答4:

<div id="honeypotdiv">
If you see this, leave it blank. Only bots should see this
<input type="text" name="body" value="" />
</div>


回答5:

and this is my honey pot:

<input id="email" name="emails" style="border:none"></br>

If you are still paranoid with this, try some more approach: Use javascript to clear out the field once user mistakenly filled in the value and focus on the next textbox. You can also ask user to do a simple math like answering: 1+2=?