Trouble with Chrome filling in honeypot

I use the honeypot technique to prevent spam-bots from filling out my forms. Recently I noticed how Chrome’s auto-complete will fill in the honeypot, even though it is an invisible field.

My honeypot field is named “url”.

In my PHP I have:

if (!empty($_POST['url'])) { exit(); }

So by filling in the honeypot, Chrome is perceived as a spam-bot and prevents the rest of the script from running.

Anyone know of a workaround for this?

Why not give the honeypot an obscure name that Chrome is not likely to have an entry for? Bots are plain stupid so they’ll fill it in anyway.

By the way, if by “invisible field” you mean <input type="hidden" />, a better way is to make it <input type="text" /> and then drag it off the screen using something like margin-left: -9999px; height: 0; in the CSS.
<input type="hidden" /> is quite easy to detect whereas most bots don’t parse CSS and thus will never know that the field won’t be visible for anyone.

Thanks for the reply. In my CSS I use “display:none” which nukes it completely from the layout while leaving the html code intact.

I’ve tried giving the hidden field different names like “$f&)k4” or “muffin” and Chrome still fills it in.

If there is a field for a user’s first name and they type the first letter of their name, Chrome displays a list of “autofill options” that are tied to that person’s name from previous form entries. The autofill options include other data that was inserted with that name like address, email, etc. If the user chooses a selection in the list which contains other autofill details, Chrome then fills in the rest of the fields, continuing even into the hidden field, no matter what the name attribute of the field is.

Pretty much ruins the whole honeypot technique, which sucks.

In this case, it has nothing to do with PHP but a bug (well, at least for me) in Chrome.

What about not creating the honey pot field when Chrome is the UA? The number of spam bots using a Chrome UA string is probably a vast minority.
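
The last suggestion, sketched in PHP as an added example (not code from any poster in this thread): only the rendering depends on the user agent, while the `!empty($_POST['url'])` check from the first post stays as it is. The function names, the `hp` CSS class and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The field name "url" and the
// !empty() check come from the first post; the function names are hypothetical.

// Desktop and Android Chrome send "Chrome/<version>", Chrome on iOS sends
// "CriOS/<version>". Other Chromium-based browsers also send "Chrome/" and
// are matched as well.
function is_chrome_ua(string $ua): bool
{
    return preg_match('~\b(?:Chrome|CriOS)/\d+~', $ua) === 1;
}

// Render the trap field only for non-Chrome user agents.
// Assumes the stylesheet contains: .hp { display: none; }
function honeypot_html(string $ua): string
{
    if (is_chrome_ua($ua)) {
        return '';
    }
    return '<input type="text" name="url" value="" class="hp" />';
}

// The server-side check does not need to know the user agent: a real Chrome
// never received the field, so it cannot autofill it, and any request that
// still carries a non-empty "url" did not come from the rendered form.
function is_honeypot_tripped(array $post): bool
{
    return !empty($post['url']);
}

// Constructed sample requests: [label, User-Agent, POST body].
$samples = [
    ['Chrome user, autofill used',
     'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
     ['name' => 'Ann', 'email' => 'ann@example.com']],
    ['Firefox user',
     'Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0',
     ['name' => 'Bob', 'url' => '']],
    ['Client filling every field',
     'ExampleBot/1.0',
     ['name' => 'x', 'url' => 'http://spam.example/']],
];

foreach ($samples as [$label, $ua, $post]) {
    printf("%-28s field rendered: %-3s rejected: %s\n",
        $label,
        honeypot_html($ua) === '' ? 'no' : 'yes',
        is_honeypot_tripped($post) ? 'yes' : 'no');
}
```

The User-Agent header is supplied by the client, so this only removes the false positives for Chrome users and adds no protection of its own. If the form page is cached, the cache has to key on the user agent (`Vary: User-Agent`), or Chrome users can still be served a copy that contains the field.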