PHP Build a Basic PHP Website (2018) Enhancing a Form Setting an Error Message Variable

Jaime Rios
Pro Student 21,100 Points

About implementing this solution.

Hi, I've been learning on Treehouse for a while. About two weeks ago I was attacked by a robot that sent me about 130 emails with code, until I disabled the form on the website and proceeded to look for and implement a security solution.

Instead of a honeypot, I decided to use a form generated in foxyform.com, which provides a code to embed and implements a captcha in the form. Then I found this course and found out about SMTP.

So, I want to know which solution is better, or in which cases I should choose one over another. Thanks in advance for your responses.

1 Answer

Codin - Codesmite
8,591 Points

I find CAPTCHAs to be useless. I've run websites with over 1 million views a day and found that CAPTCHAs do not work; most bots are intelligent enough to read them.

The one CAPTCHA I did have some success with is http://areyouahuman.com/solutions, but I do not approve of their new corporate advertising sneaked into the mini-games, and I do believe that it is now so popular that a lot of bots have cracked how to solve the mini-games.

I have been using honeypots for over 10 years, well before they were even common practice, and have not really had any spam bot issues at all, even on websites with huge traffic.

There are key points to watch out for, though.

NEVER use the keywords pass, password, login, username, etc., or anything that resembles a password or login field, for your actual password field. This also means do not use HTML to mask your passwords in forms, and do not hide your form fields with HTML either.

Example:

<form action="register.php">
Username: <input type="text" name="user"><br>
Password: <input type="password" name="address">
<input type="hidden" name="password">
</form>

The above form is an obvious honeypot that even the most basic spam bots can recognise as a trap.

What gives it away:

  1. input type="password": A bot can easily detect the real password field by its input type. Your best bet is to find another solution for masking the password; I use PHP to do this, and I know a lot of people use JavaScript.

  2. "Password" label: In the above example the Password: label is directly next to the real password field. To better hide this, you can position the label in an obscure place in your code flow and then reposition it where it is supposed to be with absolute positioning.

  3. input type="hidden": The most basic of bots is going to know it's a trap if it reads in the code that the input type is hidden. Find a more creative way to hide the field from human view; positioning it off the page also will not work, as bots can detect from the DOM if something is not within the rendering area.

Unfortunately, most spam bot creators always find a way to crack any techniques we may try to prevent them. It is a never-ending battle that developers will always be on the losing end of, but you can at least filter out the mass of basic bots with a well-devised honeypot.

You will never be spambot-free though, as many companies resort to paying real people to sign up on sites to spam, and there is very little you can do to prevent these types of spammers unless you bring in new user restrictions or hoops to jump through, which I personally do not like doing to my users.
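As an added example (not code from the original post or from the course), here is a contact form that follows the answer's three points: the real inputs carry neutral names, the decoy carries a name a bot is drawn to, and it is hidden by a stylesheet class rather than type="hidden", with the PHP check that discards any submission where the decoy was filled. The field names, the CSS class name, and the sample submissions are assumptions.

```php
<?php
// Added example, not code from the original post: a contact form with a
// honeypot field and the PHP check that rejects submissions which fill it.
// Field names, the CSS class name and the sample input are assumptions.
declare(strict_types=1);

// Decoy field: carries a name a bot is drawn to (the answer's "username"),
// and is hidden from people by a stylesheet rule, not by type="hidden".
const DECOY_FIELD = 'username';

// Real fields use neutral names that do not announce their purpose.
const REAL_FIELDS = ['f1' => 'name', 'f2' => 'email', 'f3' => 'message'];

/** Render the form; the .offer class is assumed to be display:none in site CSS. */
function renderForm(string $action): string
{
    $html = '<form action="' . htmlspecialchars($action, ENT_QUOTES) . '" method="post">' . "\n";
    foreach (REAL_FIELDS as $input => $label) {
        $html .= ucfirst($label) . ': <input type="text" name="' . $input . '"><br>' . "\n";
    }
    // The decoy is a plain text input and sits among the real fields in source order.
    $html .= '<div class="offer"><input type="text" name="' . DECOY_FIELD
           . '" tabindex="-1" autocomplete="off"></div>' . "\n";
    return $html . '<input type="submit" value="Send"></form>';
}

/** True when the decoy was filled: a person never sees it, so a value means a bot. */
function isBotSubmission(array $post): bool
{
    return trim((string)($post[DECOY_FIELD] ?? '')) !== '';
}

/** Map the neutral input names back to meaningful keys, or null for bot traffic. */
function parseSubmission(array $post): ?array
{
    if (isBotSubmission($post)) {
        return null; // discard quietly; no need to tell the sender why
    }
    $clean = [];
    foreach (REAL_FIELDS as $input => $key) {
        $clean[$key] = trim((string)($post[$input] ?? ''));
    }
    return $clean;
}

// Constructed sample submissions, not real traffic.
$human = ['f1' => 'Ann', 'f2' => 'ann@example.com', 'f3' => 'Hello'];
$bot   = ['f1' => 'x', 'f2' => 'x@x.test', 'f3' => 'buy now', 'username' => 'bot'];
var_dump(parseSubmission($human));
var_dump(parseSubmission($bot));
```

In a real handler you would pass `$_POST` to `parseSubmission()` and only send mail when it returns an array; a counter of null results per source address is a cheap way to see how much bot traffic the decoy is catching.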