Totally Communications Ltd

The Honeypot Trap

By Jamie Frankel

Added Monday 14/09/2009

In today's increasingly security-conscious world, we have become more aware of how important it is to protect online forms when building a website/application. For this reason, I have written this post to inform fellow developers of a method of achieving just that.

A while ago, I was creating a very simple contact form that would email the website administrator when the form was submitted. I included some validation on it to make sure all fields were completed and that the email address was valid (using a regular expression).

This was working fine, but then I received an email from this client saying he was getting about 20 emails a day, ALL of them spam.

I started looking for a suitable method of filtering out these spam messages, and stumbled upon the method known as "the honey pot".

The idea behind the honey pot is that when a spam-bot encounters a form, it fills in all the fields and submits the data. The way we can beat this is to add a field that is invisible (to humans, anyway) and check whether any data was posted with it. If there is, it means that a computer has sent the form, and the submission can then be dealt with appropriately.

This method is very simple to implement and doesn't require any use of CAPTCHA technology, which is often unusable by some users (due to disabilities).

<?php
// only process the form once it has actually been submitted
if (isset($_POST['submitForm'])) {
    // add extra validation here to make sure that everything that
    // you need filled in is!
    // if noFill text field is empty, then we can continue
    if (empty($_POST['noFill'])) {
        // send email or DB code here
    } else {
        // computer sent the form, so send error
    }
}
?>
<form id='contactForm' method='post' action=''>
    <input type='text' name='name' />
    <input type='text' name='emailAddress' />
    <!-- honeypot: hidden from humans, so it should always arrive empty -->
    <input type='text' name='noFill' style='display:none' />
    <input type='submit' value='Send Form' name='submitForm' />
</form>
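
A stricter version of the server-side check, as an added example that is not part of the original post: it treats a submission as automated when the noFill field is missing or is anything other than an empty string (empty() alone would accept the value "0"), and only then validates the real fields. The function name classify_submission, its result labels and the sample submissions are assumptions made for illustration, and filter_var stands in for the post's regular-expression email check.

```php
<?php
declare(strict_types=1);

// Added example, not the post's code. Field names match the form above;
// classify_submission() and its result labels are hypothetical.
function classify_submission(array $post): string
{
    // The real form always sends noFill (as an empty string), so a request
    // without it was not produced by submitting our form.
    if (!array_key_exists('noFill', $post)) {
        return 'bot';
    }
    // Compare strictly with '' rather than empty(): empty('0') is true, and
    // an array value (noFill[]=x) is never what a browser sends here.
    if ($post['noFill'] !== '') {
        return 'bot';
    }
    // Honeypot untouched: run the normal validation on the real fields.
    // filter_var() stands in for the post's regular-expression check.
    $name  = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $email = is_string($post['emailAddress'] ?? null) ? trim($post['emailAddress']) : '';
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    return 'ok';
}

// Constructed sample submissions (not real traffic).
$good = ['name' => 'Ann', 'emailAddress' => 'ann@example.com', 'submitForm' => 'Send Form'];
$samples = [
    'human'           => $good + ['noFill' => ''],
    'bot fills all'   => $good + ['noFill' => 'http://spam.example/'],
    'bot posts "0"'   => $good + ['noFill' => '0'],
    'field missing'   => $good,
    'array value'     => $good + ['noFill' => ['x']],
    'human bad email' => ['name' => 'Ann', 'emailAddress' => 'not-an-email', 'noFill' => ''],
];

foreach ($samples as $label => $post) {
    printf("%-16s => %s\n", $label, classify_submission($post));
}
```

Only the 'ok' result should reach the email or database code; a 'bot' result is handled in the else branch of the post's handler.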



