Is this a good way to catch bots?
Is this method sufficient?
<?php
// User pressed "Register"
if (!empty($_POST['name']) && $_POST['email']) {
开发者_开发问答 if (!empty($_POST['antispam']))
exit("bye");
}
?>
<form>
<input type="hidden" name="antispam" value="" />
Accname: <input type="text" name="name" value="" />
Email: <input type="text" name="email" value="" />
......
</form>
In all basic sense of the idea, sure. Only thing I would recommend for your simple implementation is that most spam scanners that you're trying to block out look for fields titled "username", "name", "user", etc ..
So, isntead of naming your honeypot "antispam" I would name it "username" or something similar that does not conflict with your existing form.
probably the best name for a form-field designed to trigger a spam bot would be url
The chances of a bot parsing the html for type=text
attributes or textarea
tag a and ignoring all others are quite reasonable.
Your chances of trapping a spambot can be improved with a few extra lines of code:
styles.css:
#commentUrl {
display: none;
}
script.js:
function setFlag() {
document.getElementById('commentUrl').value = 'Javascript check ok';
}
form.html:
<form onsubmit="setFlag();" method="post" action="comment.php">
<label for="commentName">Accname:</label>
<input type="text" id="commentName" name="comment_name" value="" />
<label for="commentEmail">Email:</label>
<input type="text" id="commentEmail" name="comment_email" value="" />
<label for="commentUrl">Url:</label>
<input type="text" id="commentUrl" name="comment_url" value="http://" />
</form>
comment.php:
<?php
if ($_POST['comment_url'] <> 'Javascript check ok' && $_POST['comment_url'] <> 'http://') {
// Let's increase their server load.
header('Location: http://' . $_SERVER['REMOTE_ADDR'] . '/', 307);
}
?>
Because you use three different languages you improve the chances of catching the spammer considerably.
You could improve the javascript by dynamically appending the <link rel="stylesheet"
dynamically to the DOM for example.
I wouldn't recommend making the input type hidden or let it have something with "spam" in it. The best way would be to give it a neutral name ("message" maybe) and hide it from the page via css. Additionally I would measure how long it took to fill out the form (as this will be very fast or very slow by robots) by adding a timestamp field (and again give it a neutral name and maybe encode it).
I would not use a hidden field as bots might be looking for only elements of type="text"
. The naming should be something common but something you have no use for, examples being:
- firstname
- lastname
- username
- password
- bio
- description
You should change your input from
<input type="hidden" name="antispam" value="" />
to something more along the lines of
<input type="text" name="username" value="" style="display:none; height: 0; width: 0; border: none; background: transparent; margin: 0; padding: 0;" />
精彩评论