Is this method sufficient?
<?php
// User pressed "Register"
if (!empty($_POST['name']) && $_POST['email']) {
if (!empty($_POST['antispam']))
exit("bye");
}
?>
<form>
<input type="hidden" name="antispam" value="" />
Accname: <input type="text" name="name" value="" />
Email: <input type="text" name="email" value="" />
......
</form>
In all basic sense of the idea, sure. Only thing I would recommend for your simple implementation is that most spam scanners that you're trying to block out look for fields titled "username", "name", "user", etc ..
So, isntead of naming your honeypot "antispam" I would name it "username" or something similar that does not conflict with your existing form.
probably the best name for a form-field designed to trigger a spam bot would be url
The chances of a bot parsing the html for type=text attributes or textarea tag a and ignoring all others are quite reasonable.
Your chances of trapping a spambot can be improved with a few extra lines of code:
styles.css:
#commentUrl {
display: none;
}
script.js:
function setFlag() {
document.getElementById('commentUrl').value = 'Javascript check ok';
}
form.html:
<form onsubmit="setFlag();" method="post" action="comment.php">
<label for="commentName">Accname:</label>
<input type="text" id="commentName" name="comment_name" value="" />
<label for="commentEmail">Email:</label>
<input type="text" id="commentEmail" name="comment_email" value="" />
<label for="commentUrl">Url:</label>
<input type="text" id="commentUrl" name="comment_url" value="http://" />
</form>
comment.php:
<?php
if ($_POST['comment_url'] <> 'Javascript check ok' && $_POST['comment_url'] <> 'http://') {
// Let's increase their server load.
header('Location: http://' . $_SERVER['REMOTE_ADDR'] . '/', 307);
}
?>
Because you use three different languages you improve the chances of catching the spammer considerably.
You could improve the javascript by dynamically appending the <link rel="stylesheet" dynamically to the DOM for example.
I wouldn't recommend making the input type hidden or let it have something with "spam" in it. The best way would be to give it a neutral name ("message" maybe) and hide it from the page via css. Additionally I would measure how long it took to fill out the form (as this will be very fast or very slow by robots) by adding a timestamp field (and again give it a neutral name and maybe encode it).
I would not use a hidden field as bots might be looking for only elements of type="text". The naming should be something common but something you have no use for, examples being:
firstname
lastname
email
username
password
bio
description
You should change your input from
<input type="hidden" name="antispam" value="" />
to something more along the lines of
<input type="text" name="username" value="" style="display:none; height: 0; width: 0; border: none; background: transparent; margin: 0; padding: 0;" />
Related
I am working on a project that is developed using Kohana and due to some conditions I have no access to use NAME in the forms instead I have an option to use ID but I tried using the following method which didn't work.
<form action="sendmail.php" method="post">
<p><input type="text" size="30" style="border-radius:15px; border:2px solid #000; padding:5px;" placeholder="Name" id="contname" /><br />
<br />
<input type="text" size="30" style="border-radius:15px; border:2px solid #000; padding:5px;" placeholder="Email" id="contemail" /><br />
<br />
<input type="text" size="30" style="border-radius:15px; border:2px solid #000; padding:5px;" placeholder="Subject" id="contsubject" /><br />
<br />
<textarea style="border-radius:5px; border:2px solid #000; padding:5px; width:320px; height:120px;" id="contmessage" placeholder="Message"></textarea><br />
<br />
<input type="submit" value="SUBMIT" style="background-color:#9377dd; border-radius:10px; padding-top:3px; padding-bottom:3px; padding-left:16px; padding-right:16px;" /></p>
</form>
sendmail.php
<?php
$from = $_POST["contemail"];
$message = $_POST["contname"] . "<br/>". $_POST["contsubject"] . "<br/>" . $_POST["contmessage"];
mail("me#mail.com","From contact form",$message,"From: $from\n");
mail("me#mail.com","From contact form",$message,"From: $from\n");
header('Location: faq');
?>
Any alternate method please???
When you post the form then in server side you can access that field by their name. Now you are not using the name and instead of you are using the id then I will suggest you to use javascript ajax method to post the form. This is the only alternative method is available.
When you post a form, the form is converted into key/value pairs and sent to the server. For example...
<input name="MyName" value="MyValue">
Is sent to the server as
MyName=MyValue
Unless the browser can form a key/value pair it won't send the data - this is true whether you are missing the key (from the name attribute) or a value (for example a checkbox that is not checked).
You could iterate over the form using JavaScript and create a form post using a different attribute (such as your ID), but if you have access to add JavaScript to this form, it would be easier to just add names.
I have the below for that works well, but is open for spam bots.
I want to put in a honeypot, not a captcha.
The code below works with the validation for the name, email, message,
but I can not get it to work with the honeypot.
Can anyone look at the "honeypot" code and tell me how to fix it?
I would like for the form to give an $success2 = "No Spamming allowed" that acts like the form was submitted, but does not actually submit the form.
Thanks
The Form:
<form id="contactform" action="send2.php" method="post"><div id="success"></div><div id="error"></div>
<label for="name">Name:</label><input type="text" id="name" name="name"/>
<label for="email">Email:</label><input type="text" id="email" name="email"/>
<label for="message">Message:</label><textarea id="message" name="message" rows="12" cols="20"></textarea>
<label id="robot">Are you a robot?</label><input type="text" name="robot" id="robot">
<input type="submit" value="Send your message" id="send" />
</form>
The PHP:
can be found here: http://goviewmy.com/contact/showcode/
Sorry, but i cannot get the PHP code to post in this question, so I attached a link to it.
Thanks
Honeypots work best if they have a field name that sounds legit, they should also be hidden using javascript to change the css after the page loads. (Most) bots don't have javascript enabled so they cannot process that this field should not be filled out.
I use something like this:
<div class='req'>
<label for='website'>Leave blank</label>
<input type='text' name='website'>
</div>
Hide it with jquery:
$(document).ready(function(){
$(".req").hide();
});
reject it server side if the field is filled out with something like this
if($_POST['website'] != ''){
echo "It appears you are a bot!";
}
else{
//process the rest of the form
}
I know there are lots others question like this and i found 1.000 answer on the web but none of those work with my code :(
So can someone help me with how to keep email value after submit?
<form name="login-registration" onSubmit="return validateForm()" method="post" action="" >
<label>Email</label>
<input type="email" name="emailinput" id="emailinput" value ="" />
<p id="emptyEmail" class="hidden">Email field is required</p>
<p id="invalidEmail" class="hidden">Email you insert is invalid!</p>
<label>Your password</label>
<input type="password" name="pswinput" id="pswinput" value=""/>
<p id="pswMinMax" class="hidden">Password should be from 4 to 8 caracters</p>
<p id="pswLettNum" class="hidden">Password should be letters and numbers. No special caracters are allow</p>
<label>Repeat password</label>
<input type="password" name="pswrepeatinput" id="pswrepeatinput" value="" onblur="isValidPswRep()"/>
<p id="pswR" class="hidden">Your passwords is different</p>
<input type="checkbox" id="policy" name="policy" value="policy" /> <label>I agree</label>
<p id="checkN" class="hidden">You must agree to our term</p>
<input type="submit" name="submit" value="Login" />
</form>
I try to put some code like:
<input type="email" name="emailinput" id="emailinput" value = "<?php echo htmlspecialchars($_GET['lastname']); ?>" />
But that php line is just displayed inside the field input.
try using $_POST['lastname'] instead of $_GET['lastname']
1)If i am not wrong,i don't see any field with name="lastname" in your code above.
2)Use $_POST because you are posting your form data with method="post".
Assuming that your file have .php as extension and php is installed on your server i would like you to notice that you have an error because you used a POST form while when you apply value to your input field you are trying to use $_GET Further more you did not assign lastnameto any input field, so use emailinput as you apply to this field name="emailinput". You should change htmlspecialchars($_GET['emailinput']); to be htmlspecialchars($_POST['emailinput']);
So your code would look like this
<input type="email" name="emailinput" id="emailinput" value = "<?php echo htmlspecialchars($_POST['emailinput']); ?>" />
This should print your variable inside your input field
There are at least 2 problems there.
The fact that the php is displayed inline suggests that either you have wrong file extension (like the comments suggested), either file is not included in your "know how to read by php" (for lack of a better way to say it, my English is not perfect) directory.
You echo a get when you sent a post (as other answer suggested)
Also... WHY DOES YOUR QUESTION HAVE JS TAG (sorry for caps, wanted to be sure it sticks out)?
I have a form for a 'user profile' with the following fields:
<form>
First Name: <input id="first_name" />
Last Name: <input id="last_name" />
Phone Number: <input id="phone_number" />
City: <input id="city" />
</form>
However, what if I don't want "phone number" and "city" to be visible to a select set of users?
How can I dynamically hide these fields, depending on, say for example, which user is logged in? I am currently using PHP and MySQL. Would it be best to add the "field id's" to the database, and then query the database record to see which fields should be hidden and which fields should be visible? Or is there a better way to do this?
My apologies if this is a bit ambiguous. If it doesn't make sense, I can try to clarify.
Thanks very much.
EDIT: I'd like to clarify what I am trying to achieve. I am trying to dynamically show the fields based on which user logs in. Also, when I said "hidden", I actually should have said "removed." See my example below
E.g.,
If JoeUser logs in, he would see:
<form>
First Name: <input id="first_name" />
Last Name: <input id="last_name" />
Phone Number: <input id="phone_number" />
City: <input id="city" />
</form>
But, if JaneUser logs in, she would see (based on preferences set in the database):
<form>
First Name: <input id="first_name" />
Last Name: <input id="last_name" />
</form>
My question is: What is the best way to achieve this? I'm assuming these preferences need to be database-driven. Any input would be great.
Depending on how you've built the site there are quite a few ways to do this but since you're new to PHP I'll assume that it's just an inline procedural script. In which case you need to check whether or not the user is set in the session and then show or hide depending on the output.
Something similar to the following
<?php if(isset($_SESSION['id'])) : ?>
<form>
First Name: <input id="first_name" />
Last Name: <input id="last_name" />
Phone Number: <input id="phone_number" />
City: <input id="city" />
</form>
<?php endif; ?>
The if statment checks if a session ID is set (this will likely change depending on how you're handling user sessions etc) and then shows the form.
Edit:
Just noticed that you've edited your original question. To do this you could so something similar to the following, this assumes once again that you're using sessions and that you have the users user type set in a session (not great, but as a beginner it's quick).
<?php if(isset($_SESSION['id'])) : ?>
<form>
First Name: <input id="first_name" />
Last Name: <input id="last_name" />
</form>
<?php else if(isset($_SESSION['id']) && (isset($_SESSION['user_type']) && $_SESSION['user_type'] == 'phoneuser')) : ?>
<form>
First Name: <input id="first_name" />
Last Name: <input id="last_name" />
Phone Number: <input id="phone_number" />
City: <input id="city" />
</form>
<?php endif; ?>
You can hide dinamycally on the server side inside php file or try set variable via php for js and operate with fields on the client side via javascript.
Can you explain what you want do with these forms? I don't understood
1) You should use jQuery (don't forget to include this library to head section).
$('#hide_name').click(function() {
$('#first_name').hide('slow', function() {
});
});
First Name: <input type="text" id="first_name" /> <a href="#" id="hide_name" /> Hide name </a>
2) OR next way:
if ($_SESSION['login']) {
$visible = "visibility: visible;";
}
else {
$visible = "visibility: hidden;";
}
First Name: <input type="text" style=<?php echo $visible; ?> />
3) OR easiest way:
if ($_SESSION['login']) {
First Name: <input type="text" id="first_name" />
}
You'll need to store some kind of data that defines what the user sees, or what they don't. Pick whatever feels intuitive based on your data. Once you know the user is logged in, get the data on what to show them. You could make an array of boolean values based on this, let's call it form_fields[]. Then output the form with PHP, and decide what parts to show based on this data, possibly like so:
$form = "<form>\n";
if(form_fields['first_name'])
{
$form .= 'First Name: <input id="first_name" />';
}
if(form_fields['last_name'])
{
$form .= 'Last Name: <input id="last_name" />';
}
if(form_fields['phone'])
{
$form .= 'Phone Number: <input id="phone_number" />';
}
if(form_fields['city'])
{
$form .= 'City: <input id="city" />';
}
$form .= "</form>";
Keep in mind, validating your data gets more complex too - your form processing script will also need to know what fields it's lookling for.
I have a phone number input field that looks like this:
<input type="text" name="phone" maxlength="10" size="40" value="{$tmp.phone}"><>
Can I apply a code inside here? Or would I apply a function in an external .php file to do this?
What would the code look like?
I am new to all this coding stuff and need some help...
You can use the new HTML5 attribute pattern. New browsers will not send the form until it is filled correct:
<form>
<input type="text" name="phone" pattern="^[0-9]{6}|[0-9]{8}|[0-9]{10}$" />
<input type="submit" />
</form>
If a user is using an older browser, the attribute is ignored. In this case you still should check it as Daniel and Pheonix recommended.
Even if get some way to put a check in HTML, always do validation on your server side. Client side Validations can always be by-passed.
in server side
$phone = $_GET['phone'];
if(!(strlen($phone)==6 ||strlen($phone)==8 ||strlen($phone)==10)){
//Error
}
For better user experience you can validate using javascript, and for security reasons is mandatory to use server side validation as Pheonix said.
<form id="form_id">
<input id="phone_id" type="text" />
<input type="submit"
onclick="if (document.getElementById('phone_id').value.length != 6
&& document.getElementById('phone_id').value.length!=8
&& document.getElementById('phone_id').value.length!=10)
{
alert('Error message...');
return false;
}" />
</form>