dominiquevienne / honeypot

This PHP library is used to manage honeypots in HTML forms. It will create the input form and do the necessary checks.
Apache License 2.0
10 stars, 5 forks

Can you provide a working example #1

Closed juergenweb closed 7 years ago

juergenweb commented 7 years ago

Hello,

I have tried to get this package to work, but I am not able.

I have installed this package via composer. In my template file of the form I have included the following lines of code:

```php
$configarray = array(
    'honeypotInputClass' => 'uk-hidden',
    'honeypotInputName'  => 'hiddenfield1'
);
$oForm = new Dominiquevienne\Honeypot\Form($configarray);
$oForm->timeCheck();
$honeypotInputs = $oForm->inputs();
```

The object contains the changed classes but if I echo the inputs in my form nothing has changed. The class is the same (hide) and the name too (honeypotToken).

The honeypot validation doesn't work in my case either. I have included these lines of code after the `$_POST` isset check:

```php
if (isset($_POST['maincontactform_button'])) {
    $oHoneypot = new Dominiquevienne\Honeypot\Honeypot();
    $checks = $oHoneypot->checks();
    print_r($checks);
    if (!empty($checks)) {
        die('Your are a spammer');
    }
}
```

$checks is always empty in my case. Even if I send it after 2 seconds (min time 10 seconds).

Just to mention:

Maybe you can post a working example or you can give me a hint how to get it working.

Best regards

dominiquevienne commented 7 years ago

Hi @juergenweb , Great news you wanted to try the package. A working example has been added to the sources and it contains a short description on how to make it work. See example directory.

I see you are using a CSS classname "uk-hidden" and input name "hiddenfield1". Best practices for honeypots are to avoid "hidden..." and use more generic word based strings like "address-zipcode". For the input name, if you use the default config, the package will choose a name in a list and will add a generated string so it'll be more difficult for bots to consider this field as a honeypot. This is not the reason the package does not work for you.

From what you are giving as feedback, it's possible that the config is fixed and is not used... I will check and give you some feedback.

$checks should always contain something: an array if you used $oHoneypot->checks(true), or a simple boolean for $oHoneypot->checks().

Coming back to you very soon... try the working example on your side and tell me

dominiquevienne commented 7 years ago

@juergenweb I just tested changing the Form config, with success... Here is the code I used:

```php
<?php
if (!empty($_GET['destroy'])) {
    session_start();
    var_dump($_SESSION);
    session_destroy();
    var_dump($_SESSION);
    die();
}
require __DIR__ . '/vendor/autoload.php';
$config = array(
    'honeypotInputClass' => 'uk-hidden',
    'honeypotInputName'  => 'hiddenfield1'
);
$oForm = new Dominiquevienne\Honeypot\Form($config);

if (!empty($_POST)) {
    $config = [
        'minFormCompletionTime' => 20,
    ];
    $oHoneypot = new Dominiquevienne\Honeypot\Honeypot($config);
    $checks = $oHoneypot->checks(true);
    var_dump($checks);
    die();
}

$oForm->timeCheck();
$inputs = $oForm->inputs();
?>
```

The rendered HTML is in the attached file: view-source_app.dev_simpleForm.php.zip

Please, let me know

juergenweb commented 7 years ago

Hi dominique,

thanks for the example. It helps me a lot!! The tests I have done so far show that the validation is now working, but I still have troubles with the custom configuration. It is not taken into account if I try to change e.g. the CSS class of the form field.

So this is my code to change it:

```php
$configarrayform = array(
    'honeypotInputClass' => 'myCssClass'
);
$oForm = new Dominiquevienne\Honeypot\Form($configarrayform);
print_r($oForm);
```

The print command of the object shows me that the CSS class "myCssClass" is there:

```
Dominiquevienne\Honeypot\Form Object
(
    [_timeCheckSessionVarName:Dominiquevienne\Honeypot\Form:private] => honeypotTimeCheckStart
    [_methodSessionVarName:Dominiquevienne\Honeypot\Form:private] => honeypotMethod
    [_honeypotInputSessionVarName:Dominiquevienne\Honeypot\Form:private] => honeypotInputName
    [_honeypotInputMask:Dominiquevienne\Honeypot\Form:private] =>
    [_tokenInputMask:Dominiquevienne\Honeypot\Form:private] =>
    [_honeypotInputClass:Dominiquevienne\Honeypot\Form:private] => myCssClass
    [_honeypotInputType:Dominiquevienne\Honeypot\Form:private] => text
    [_honeypotInputName:Dominiquevienne\Honeypot\Form:private] =>
    [_honeypotInputNames:Dominiquevienne\Honeypot\Form:private] => Array
        (
            [0] => phoneNumber
            [1] => address
            [2] => zipCode
            [3] => contactPerson
            [4] => completeName
        )

    [_tokenInputClass:Dominiquevienne\Honeypot\Form:private] => hide
    [_tokenInputType:Dominiquevienne\Honeypot\Form:private] => text
    [_tokenInputName:Dominiquevienne\Honeypot\Form:private] => honeypotToken
    [_method:Dominiquevienne\Honeypot\Form:private] => POST
    [_tokenSessionVarName:Dominiquevienne\Honeypot\Form:private] => honeypotToken
    [_failureAttemptsSessionVarname:Dominiquevienne\Honeypot\Form:private] => honeypotFailureAttempts
    [_attemptsSessionVarname:Dominiquevienne\Honeypot\Form:private] => honeypotAttempts
)
```

I output the hiddenfield with this piece of code:

```php
$honeypotInputs = $oForm->inputs();
echo $honeypotInputs;
```

But a look into the source code of this field shows me that the class was not changed:

```html
<input class="hide" type="text" name="honeypotToken" autocomplete="off" value="i9ARLnzxHXroHVqV_i7Jq76k" />
<script>var t = document.getElementById("phoneNumberKmR_outer");if (t) { t.parentNode.removeChild(t); } </script>
```

You are using $config in your example. But I have to use another name ($configarrayform) because $config is a variable of my CMS (ProcessWire) used to make API calls and is therefore not usable in other cases. Maybe this could be the problem.

Best regards

juergenweb commented 7 years ago

Here is another issue I have discovered: If all is ok the validation array looks like this:

```
array(5) {
  ["timeCheck"]=>
  bool(true)
  ["honeypotCheck"]=>
  bool(true)
  ["tokenCheck"]=>
  bool(true)
  ["failureCheck"]=>
  bool(true)
  ["quantityCheck"]=>
  bool(true)
}
```

As you can see, everything is set to true. That's ok, but you have an example code on your page to check if there are errors which goes like this:

```php
if (!empty($checks)) {
    die('Your are a spammer');
}
```

So if everything is set to true (no errors) array $checks is not empty because it contains all the true values. The result will be that "You are a spammer" will be displayed.

I have solved this problem by checking if all values are set to true - do nothing, else (if one or more values are set to false) show "You are a spammer".

Here is my code for this check:

```php
$af = array_filter($checks);
if ($af == $checks) {
    // ... everything ok
} else {
    // ... you are a spammer
}
```

juergenweb commented 7 years ago

Sorry dominique,

The CSS-class manipulation works!!!!! I was always looking at the wrong field (not the hiddenfield but the token field). After disabling JS in my browser the hiddenfield is visible and it has the right CSS class. So forget the post about non working configuration. Sorry!!!

juergenweb commented 7 years ago

Maybe wouldn't it be better to add the input type hidden instead of input type text to the token field? I am always using the hidden type for token fields. Only disadvantage: if you want to test it by token manipulation, it will not be visible.

dominiquevienne commented 7 years ago

@juergenweb Thanks for your feedback

Why is the honeypot field not using the hidden type? Using the hidden type will increase the chance for a bot to detect the fact that this field is in fact a useless field that is used to detect bots. By using a common type, a bot will have a tendency to fill the field. The best way to 'hide' the field is to remove it from the DOM with JS.

Validation checks example: the given example is not using $honeypot->checks(true). When using $honeypot->checks() or $honeypot->checks(false), the object will return a simple boolean. That's why the if(empty($checks)) syntax is ok. Please open a new issue if there is anything wrong in the documentation or code.
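To make the two points of this thread concrete (the checks(true) array is never "empty" when every check passed, and the honeypot field is a plain text input that JS removes from the DOM rather than a type="hidden" input), here is a self-contained PHP example. It is added here and is not the package's own code: renderHoneypotInputs(), verifySubmission(), isSpam(), the MIN_FORM_COMPLETION_TIME constant and the session key names are assumptions made for this illustration; only the shape of the returned array (check name => bool, true meaning passed) follows the var_dump shown above.

```php
<?php
// Added example, not code from the dominiquevienne/honeypot package.
// Function and session key names below are assumptions for this example.
declare(strict_types=1);

const MIN_FORM_COMPLETION_TIME = 10; // seconds; assumed default for this example

// Render side: remember a random token, the render time and the honeypot
// field name in the session, then emit a normal-looking text input whose
// wrapper is removed from the DOM by JS (humans never see it, bots that
// parse HTML without running JS still do), plus the token input.
function renderHoneypotInputs(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $name  = 'zipCode' . bin2hex(random_bytes(3)); // generic name + random suffix

    $session['honeypotToken']          = $token;
    $session['honeypotTimeCheckStart'] = $now;
    $session['honeypotInputName']      = $name;

    return '<div id="' . $name . '_outer">'
        . '<input class="hide" type="text" name="' . $name . '" autocomplete="off" value="" />'
        . '</div>'
        . '<input type="text" name="honeypotToken" autocomplete="off" value="' . $token . '" />'
        . '<script>var t=document.getElementById("' . $name . '_outer");'
        . 'if(t){t.parentNode.removeChild(t);}</script>';
}

// Verify side: returns check name => bool, true meaning the check passed,
// in the same shape as the checks(true) array shown in the thread.
function verifySubmission(array $post, array $session, int $now, int $minTime = MIN_FORM_COMPLETION_TIME): array
{
    $name          = $session['honeypotInputName'] ?? '';
    $honeypotValue = $post[$name] ?? '';
    $expectedToken = $session['honeypotToken'] ?? '';
    $givenToken    = is_string($post['honeypotToken'] ?? null) ? $post['honeypotToken'] : '';
    $start         = $session['honeypotTimeCheckStart'] ?? 0;

    return [
        // A bot that fills every text field it finds also fills the honeypot.
        'honeypotCheck' => $honeypotValue === '',
        // Constant-time comparison so the token check leaks no timing information.
        'tokenCheck'    => $expectedToken !== '' && hash_equals($expectedToken, $givenToken),
        // A human needs at least a few seconds to complete the form.
        'timeCheck'     => ($now - $start) >= $minTime,
    ];
}

// The pitfall from the thread: !empty($checks) is wrong for the array form,
// because an array full of true values is not empty. Accept both forms.
function isSpam($checks): bool
{
    if (is_bool($checks)) {
        return !$checks;                      // checks() form: false means failed
    }
    return in_array(false, $checks, true);    // checks(true) form: any false fails
}

// Constructed sample run: one human-like submission (empty honeypot, correct
// token, 12 s after render) and one bot-like submission (honeypot filled,
// submitted 1 s after render).
$session = [];
$html    = renderHoneypotInputs($session, 1000);
$human   = ['honeypotToken' => $session['honeypotToken'], $session['honeypotInputName'] => ''];
$bot     = ['honeypotToken' => $session['honeypotToken'], $session['honeypotInputName'] => 'Some Name'];

var_dump(isSpam(verifySubmission($human, $session, 1012)));
var_dump(isSpam(verifySubmission($bot, $session, 1001)));
var_dump(isSpam(['timeCheck' => true, 'honeypotCheck' => true, 'tokenCheck' => true]));
```

Run it with `php example.php`; the first and third var_dump report false (not spam) and the second reports true. The bot case fails both honeypotCheck and timeCheck, which is why isSpam() looks for any false value rather than testing emptiness.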