dominiquevienne / honeypot

License: Apache License 2.0

PHP 100.00%

honeypot's Introduction

honeypot

This PHP library is used to manage honeypots in HTML forms. It will create the input form and do the necessary checks.

Installation

Recommended

Go to your project root directory and run this Composer command

composer require dominiquevienne/honeypot

Then bootstrap your application with code like this

<?php
require __DIR__ . '/vendor/autoload.php';

$oForm  = new Dominiquevienne\Honeypot\Form();
echo $oForm->inputs();

Manual installation

  • Download the latest stable release on GitHub
  • Uncompress the downloaded file
  • Place the content into your project
  • Load the objects with code similar to this

<?php
require __DIR__ . '/honeypot/src/Honeypot.php';
require __DIR__ . '/honeypot/src/Form.php';

$oForm  = new Dominiquevienne\Honeypot\Form();
echo $oForm->inputs();

Laravel

Using honeypot in Laravel is as simple as running

composer require dominiquevienne/honeypot

and adding the following lines to your controller class

<?php
use \Dominiquevienne\Honeypot\Form;

class yourController {
  public function show() {
    /** some code of yours */
    $oForm  = new Form();
    return $oForm->inputs();
  }
}

Drupal 8

First of all, go to the root directory of your Drupal 8 project and run

composer require dominiquevienne/honeypot

In the Form controller (where you build your form), add

use Dominiquevienne\Honeypot\Form;

to get access to the Honeypot Form constructor.

Instantiate your form with the drupalForm config array key set to TRUE.

The checks are then done in the form's validate function using the standard check functions.
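The Drupal wiring described above, as an added example that is not part of the honeypot project or of Drupal: a FormBase subclass that merges the honeypot elements into the form array in buildForm() and runs the checks in validateForm(). It assumes, as the README states, that Form::inputs() returns FAPI elements when drupalForm is TRUE, and that Honeypot::checks() returns a non-empty array when a check fails; the module name my_module and the field names are made up for the example.

```php
<?php
// Added example (not the honeypot project's own code): Drupal 8 form that embeds
// the honeypot inputs (drupalForm => TRUE) and validates them with Honeypot::checks().
// Assumptions: inputs() returns FAPI elements keyed by field name; checks() returns
// an array that is empty when the submission looks human.

namespace Drupal\my_module\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Dominiquevienne\Honeypot\Form as HoneypotForm;
use Dominiquevienne\Honeypot\Honeypot;

class ContactForm extends FormBase {

  public function getFormId() {
    return 'my_module_contact_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['email'] = [
      '#type' => 'email',
      '#title' => $this->t('Your e-mail'),
      '#required' => TRUE,
    ];
    $form['message'] = [
      '#type' => 'textarea',
      '#title' => $this->t('Message'),
      '#required' => TRUE,
    ];

    // Record the rendering time and append the honeypot elements as FAPI arrays.
    $honeypot = new HoneypotForm(['drupalForm' => TRUE]);
    $honeypot->timeCheck();
    $form += $honeypot->inputs();

    $form['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Send'),
    ];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $failed = (new Honeypot())->checks();
    if (!empty($failed)) {
      // Log which checks tripped so the thresholds can be tuned, then reject
      // without telling the client which check caught it.
      $this->logger('my_module')->notice('Honeypot rejected a submission: @checks', [
        '@checks' => json_encode($failed),
      ]);
      $form_state->setErrorByName('message', $this->t('Your submission could not be accepted.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    $this->messenger()->addStatus($this->t('Thanks, your message was sent.'));
  }

}
```

The rejection message is deliberately generic; the detail of which check failed goes to the site log, where it is useful for tuning minFormCompletionTime and the attempt limits without giving a submitter feedback on how the form is protected.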

How it works

Once the package is installed, using the honeypot consists of two steps

Form rendering

Here you call Form::timeCheck(), which stores the date and time of the form rendering, and Form::honeypotInput(), which returns the honeypot form element.

Both steps are mandatory.

<?php
$oForm          = new Dominiquevienne\Honeypot\Form();
$oForm->timeCheck();
$honeypotInputs = $oForm->inputs();
?>
<html>
<?php
// All your HTML code before your form
?>
<form action="yourLandingPage.php" method="post">
<?php
// The standard fields of your form
echo $honeypotInputs;
?>
<input type="submit"/>
</form>
</html>

Be aware that you'll need to hide the honeypot field. You have the following options for that:

  • use CSS (the default class is hide)
  • remove the element from the DOM using JavaScript (pure JavaScript, jQuery or other). This is already done when you use the default $oForm->inputs() method; alternatively, $oForm->getHoneypotScript() returns a pure-JavaScript snippet that removes the honeypot field from the DOM.

Form action page

Before doing the real work in the script that handles your form's landing page (the action attribute of the form element), add this code

<?php
$oHoneypot  = new Dominiquevienne\Honeypot\Honeypot();
$checks     = $oHoneypot->checks();
if(!empty($checks)) {
  die('You are a spammer');
}
// your code
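The two steps above put together in one script, as an added example that is not code from the honeypot project: the same file renders the form (timeCheck() plus inputs(), with a CSS fallback for the default hide class) on GET and runs Honeypot::checks() on POST. It assumes the Composer autoloader is in place and that checks() returns a non-empty array when any check fails; the field names and the log wording are made up for the example. Rejections are logged and answered with a 403 rather than die().

```php
<?php
// Added example (not the honeypot project's own code): one script for both the
// rendering side and the action side of the README's "How it works" section.
// Assumptions: vendor/autoload.php exists; Honeypot::checks() returns [] when all
// checks pass and a non-empty array otherwise.
require __DIR__ . '/vendor/autoload.php';

use Dominiquevienne\Honeypot\Form;
use Dominiquevienne\Honeypot\Honeypot;

function renderForm(): string
{
    $oForm = new Form();
    $oForm->timeCheck();                // store the rendering timestamp for timeCheck
    $honeypotInputs = $oForm->inputs(); // honeypot field plus the script that removes it from the DOM

    $html  = '<!DOCTYPE html><html><head><meta charset="utf-8">';
    // CSS fallback for the default "hide" class, so clients without JavaScript
    // do not see (and fill in) the honeypot field either.
    $html .= '<style>.hide{display:none !important;}</style></head><body>';
    $html .= '<form action="" method="post">';
    $html .= '<label>E-mail <input type="email" name="email" required></label>';
    $html .= '<label>Message <textarea name="message" required></textarea></label>';
    $html .= $honeypotInputs;
    $html .= '<input type="submit" name="send" value="Send">';
    $html .= '</form></body></html>';
    return $html;
}

function handleSubmission(): void
{
    $failed = (new Honeypot())->checks();
    if (!empty($failed)) {
        // Record which checks failed (time, honeypot field, token, ...) for tuning
        // and monitoring; do not echo the details back to the client.
        error_log('honeypot rejected a submission from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown') . ': ' . json_encode($failed));
        http_response_code(403);
        echo 'Your submission could not be accepted.';
        return;
    }
    // Normal processing of the trusted fields goes here.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    echo $email ? 'Thanks!' : 'Please enter a valid e-mail address.';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['send'])) {
    handleSubmission();
} else {
    echo renderForm();
}
```

Keeping the checks inside the isset($_POST['send']) branch matters: only real submissions reach Honeypot::checks(), so a plain page reload goes through renderForm() and is not counted as an attempt.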

Available configuration

When you create the object, you can pass configuration values through an array.

<?php
$config = [
  'honeypotInputClass'  => 'myCssClass',
  'honeypotInputNames'  => [
    'name1',
    'name2',
  ],
  'formMethod'          => 'GET',
];
$oForm  = new Dominiquevienne\Honeypot\Form($config);

Form

honeypotInputMask

This is the mask used to render the input field. You can use Form::getHoneypotInputMask() to get the current value.

honeypotInputClass

This is the CSS class used on the honeypot input field.

honeypotInputType

This is the HTML type of the input field.

honeypotInputName

Forces a specific name for the honeypot input.

honeypotInputNames

Array of names; the honeypot picks one of them at random and appends a hash to it.

formMethod

HTTP method used to send the form.

Honeypot

minFormCompletionTime

Time in seconds; a form submitted faster than this is considered to come from a bot.

maxFailureAttempts

Number of failures accepted per session before the client is considered a bot. Once the number is reached and failureCheck is ON, every further attempt is treated as a failure for the rest of the session lifetime.

maxAttempts

Number of attempts accepted per session before the client is considered a bot. Once the number is reached and quantityCheck is ON, every further attempt is treated as a failure for the rest of the session lifetime.

checks

Array of checks to be made when the form is submitted. By default, the checks are ['timeCheck','honeypotCheck','tokenCheck','failureCheck','quantityCheck'].

drupalForm

If set to TRUE, Form::inputs() returns a Drupal FAPI array instead of raw HTML.
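The configuration keys listed above, as an added example that is not code from the honeypot project: one function holds the settings for both the rendering side (Form) and the checking side (Honeypot) so the two stay consistent. The assumption here is that the Honeypot constructor accepts the same kind of config array as Form does and that Honeypot::checks() returns the list of checks that failed; the CSS class, input names and threshold values are chosen for the example, not taken from the library's defaults.

```php
<?php
// Added example (not the honeypot project's own code): shared configuration for
// Form (rendering) and Honeypot (checking). Keys are the ones documented in the
// README; the values are example choices. Assumption: new Honeypot($config) accepts
// the same config array shape as new Form($config).
require __DIR__ . '/vendor/autoload.php';

use Dominiquevienne\Honeypot\Form;
use Dominiquevienne\Honeypot\Honeypot;

function honeypotConfig(): array
{
    return [
        // Form (rendering) side
        'honeypotInputClass'    => 'visually-hidden',           // your own CSS class, hidden in your stylesheet
        'honeypotInputType'     => 'text',
        'honeypotInputNames'    => ['website', 'fax', 'company_url'], // one is picked at random, then a hash is appended
        'formMethod'            => 'POST',

        // Honeypot (checking) side
        'minFormCompletionTime' => 5,   // seconds; anything faster is treated as a bot
        'maxFailureAttempts'    => 3,   // failures per session before every attempt is rejected
        'maxAttempts'           => 20,  // submissions per session before every attempt is rejected
        // Keep or drop checks here; removing 'quantityCheck', for instance, stops the
        // per-session attempt counter from applying across all forms of the site.
        'checks'                => ['timeCheck', 'honeypotCheck', 'tokenCheck', 'failureCheck', 'quantityCheck'],
    ];
}

// Rendering request: build the Form with the shared config, record the time and emit the field.
function renderHoneypotField(): string
{
    $oForm = new Form(honeypotConfig());
    $oForm->timeCheck();
    return $oForm->inputs();
}

// Action request: run the configured checks; [] means the submission passed all of them.
function failedHoneypotChecks(): array
{
    $oHoneypot = new Honeypot(honeypotConfig());
    return $oHoneypot->checks();
}

// Typical use in the landing page:
// if (failedHoneypotChecks() !== []) { http_response_code(403); exit('Your submission could not be accepted.'); }
```

Because the rendered field name and the form method are decided on the Form side while the checks run on the Honeypot side, building both objects from the same array is the simplest way to avoid a mismatch between what is rendered and what is checked.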

honeypot's People

Contributors: dominiquevienne, sir-code-a-lot

honeypot's Issues

Add noscript tag for users who have javascript disabled

Hello dominique,

here is another idea to prevent users with JavaScript disabled from filling out the honeypot field. I am not sure whether bots can read this noscript tag and will be warned not to fill out the field or not.
It would be just a small addition to change the input mask of the honeypot field by adding a configurable noscript tag.

private $_honeypotInputNoscriptText = 'Please leave this field empty';

if(!empty($config['honeypotInputNoscriptText'])) {
  $this->setHoneypotInputNoscriptText($config['honeypotInputNoscriptText']);
}

private $_honeypotInputMask = '<noscript>[$honeypotInputNoscriptText]</noscript><input class="[$honeypotInputClass]" type="[$honeypotInputType]" name="[$honeypotInputName]" autocomplete="off" value="" />';

So it's just an idea.

Replace input type on token field

Hello dominique,

this was a misunderstanding. I don't mean the honeypot field, I mean the token field. The token field will not be hidden with JS.

Maybe you could change the input type of the token field from text to hidden.

private $_tokenInputType = 'hidden'; //line 30 of Form.php

So no need to hide it with CSS.

Best regards

Honeypot failure attempts per page instead of global?

Hello,
I have a question: I have included honeypot in several forms of my site. Is it the usual behavior that honeypot attempts of one form will also be taken for other forms on the site?

E.g. if I have done 5 failed attempts in my contact form without success and I switch to another page with, e.g., a newsletter form, all the failed attempts from the contact form will be taken into account for the newsletter form.

So I start on the newsletter form with attempt 6 and not 1.

Wouldn't it be better if the failed attempts were counted individually on each form, e.g. by starting an individual session for each form to count the attempts?

Best regards

Can you provide a working example

Hello,

I have tried to get this package to work, but I am not able.

I have installed this package via composer.
In my template file of the form I have included the following lines of code:

$configarray = array(
  'honeypotInputClass' => 'uk-hidden',
  'honeypotInputName'  => 'hiddenfield1'
);
$oForm = new Dominiquevienne\Honeypot\Form($configarray);
$oForm->timeCheck();
$honeypotInputs = $oForm->inputs();

The object contains the changed classes but if I echo the inputs in my form nothing has changed. The class is the same (hide) and the name too (honeypotToken).

The honeypot validation doesn't work in my case either. I have included these lines of code after the isset($_POST) check:

if (isset($_POST['maincontactform_button'])) {
  $oHoneypot = new Dominiquevienne\Honeypot\Honeypot();
  $checks = $oHoneypot->checks();
  print_r($checks);
  if(!empty($checks)) {
    die('You are a spammer');
  }
}

$checks is always empty in my case. Even if I send it after 2 seconds (min time 10 seconds).

Just to mention:

  • I didn't redirect to another page after form submission; I use a query string after the URL after submission.
  • I use another namespace (processwire) in my template.
  • I didn't include the code lines before the html tag. They are somewhere on the page.
  • The page is PHP and not HTML.

Maybe you can post a working example or you can give me a hint how to get it working.

Best regards

Counter of attempts increases if page is reloaded without pressing submit button

Hi,
I have my honeypot validation code inside the if ( isset( $_POST['Submit'] ) ) { } statement but if I press the page reload button of the browser the failed attempts will be increased.
I think the attempt counter should not be increased if the submit button will not be clicked.

I have discovered this behavior by loading the form via Ajax in a modal first. Everytime the modal was loaded the counter increases by 1.

Maybe if you have time to take a look at this issue.

Just to clarify: a user (or a bot) will not be blocked if the reload button of the browser is clicked more than the max failure attempts, but the counter increases. In this case no values are entered in the form. Every page reload forces a counter increment, but the counter increment should only take place if the submit button was clicked. A page reload should not be counted as a failed attempt. As I pointed out above, it especially leads to problems if the form is loaded via Ajax. Every Ajax page load will be counted as a failed attempt.

Thank you
