Suggestions to stop spam on contact form, without using Captcha

Deploying now to a few contact forms I have Live. Thanks Patrick!

1 Like

Any chance of a little tutorial or a few screen shots to show how to do this?

You first need to create the session and a random value for it. I'm not sure what @patrick used for this, but this will do the job fine:

<?php
  // Start the session and store a fresh random honeypot value for this page load
  session_start();
  $_SESSION['honey'] = md5(uniqid(rand(), true));
?>

Make sure to place it before the opening <html> tag. This will generate a new value on each page refresh.

Then in your honeypot field use the session as a value:

<input type="text" name="inp_honey" id="inp_honey" value="<?php echo $_SESSION['honey']  ?>" autocomplete="off"/>

On the server side add the session under Globals > $_SESSION:

Screenshot_23

In the condition, check if the honeypot $_POST equals the $_SESSION variable; the rest is the same as in the tutorial I linked:

{{$_POST.inp_honey == $_SESSION.honey}}

Screenshot_24

So, if the honeypot input value changes in any way, the condition will be false.

4 Likes

I’m sure it works very well and is a good solution. I’m just wondering if a robot would be less inclined to fill in a field which already had a default value. Might it not be more tempted to fill in only blank fields - including the honey-pot field? (As far as robots are ‘tempted’ to do anything.)

Just duplicate the honey pot (say honeypot2), leave it blank, and check in the server action that it is still blank on submission. That way you cover both angles.

There would certainly be an option to make it even more secure.

I mentioned in a thread a year ago that I had used this technique for a while and had no reports from the customer that he had received any spam. This is still the case and I’ve received about 1800 messages from the server to date, informing me that a robot has used the form.

2 Likes

Have to say, great result with this solution… not one bit of spam today. :slight_smile:

1 Like

Hi

How do I check if my {{$_POST.name-honey}} has a value, can someone give the steps in the server action please?

CK

Use the Condition action where the condition is your post variable.

As in {{$_POST.name-honey==$_POST.name-honey}} ?

Just {{$_POST.name-honey}} should do it.

If there’s a value it will return true and do the THEN actions; if empty it will be false and do the ELSE actions.

OK, thank you.

Finally, where is the set status action, I can’t seem to find it in the actions menu?

It’s under Core Actions and it is called Response.

Thank you

I’ve followed the directions detailed above and it has helped stop spam to a point.

I now see someone has figured out how to utilise the send mail function to bypass the honey pot trap!

Looks like the form is being submitted directly, e.g.:
dmxConnect/api/Categories/RequestInfo.php

Is there a way to stop this or hide the send function pages so they can only be run from the actual request page?

CK

Of course! You need to put the recaptcha as a first step in your server action to prevent this!

As you can see from above, people don’t like reCAPTCHA. Is there not a way to prevent robots directly accessing these function files?

Well, at least apply server-side validation to your POST vars :slight_smile: For example, apply required validation to the inputs that are required.

I already have several required form fields, this Russian robot is simply filling out all the required fields which it finds in the dmxConnect/api file.

Add a form field that contains the time taken to fill in the form. On the server, determine if that time is too short to enable a human to fill in the form. If so, reject the submission.

Also, @patrick’s solution is an important one.
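
The checks discussed in this thread combined into one server-side function, as an added example that is not part of any post here and is not Wappler's own code. The function name `check_submission` and the session key `form_rendered_at` are assumptions; the render time is kept in the session rather than in a form field, so a direct POST to the API file cannot supply its own timing.

```php
<?php
// Added example: hypothetical helper, not Wappler/dmxConnect code.
// Assumes the form page stored $_SESSION['honey'] (random value) and
// $_SESSION['form_rendered_at'] = time() when it was rendered.
function check_submission(array $post, array $session, int $now, int $minSeconds = 3): array
{
    // A direct POST to the API file never loaded the form page, so no token exists.
    if (empty($session['honey']) || !isset($session['form_rendered_at'])) {
        return [false, 'no form session'];
    }
    // The pre-filled honeypot must come back unchanged (constant-time compare).
    $sent = $post['inp_honey'] ?? '';
    if (!is_string($sent) || !hash_equals($session['honey'], $sent)) {
        return [false, 'token honeypot altered'];
    }
    // The second, blank honeypot must still be blank.
    if (($post['honeypot2'] ?? '') !== '') {
        return [false, 'blank honeypot filled'];
    }
    // Elapsed time is measured on the server, so the client cannot forge it.
    if ($now - (int)$session['form_rendered_at'] < $minSeconds) {
        return [false, 'submitted too fast'];
    }
    return [true, 'ok'];
}

// Constructed sample data that exercises each branch.
$session = ['honey' => 'a3f1c2d4e5b60718293a4b5c6d7e8f90', 'form_rendered_at' => 1000];
$cases = [
    'human'         => [['inp_honey' => $session['honey'], 'honeypot2' => ''], $session, 1020],
    'direct POST'   => [['inp_honey' => 'x'], [], 1020],
    'bot overwrote' => [['inp_honey' => 'buy pills', 'honeypot2' => ''], $session, 1020],
    'bot filled'    => [['inp_honey' => $session['honey'], 'honeypot2' => 'spam'], $session, 1020],
    'too fast'      => [['inp_honey' => $session['honey'], 'honeypot2' => ''], $session, 1001],
];
foreach ($cases as $name => [$post, $sess, $now]) {
    [$ok, $reason] = check_submission($post, $sess, $now);
    printf("%-14s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $reason);
}
```

In a live handler, pass `$_POST`, `$_SESSION` and `time()`, and unset the session token after a successful submission so the same value cannot be replayed.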