Honey pot fields are HTML form fields that you put into your forms designed to catch bots (automated scripts that fill in forms attempting to spam). These fields are put in so that bots see them but humans do not. Perhaps the field is put into the form but hidden from normal users using a CSS style like “display: none;” or “visibility: hidden;”. Since most bots download forms as HTML only format, they don’t render the CSS and thus see the fields. They then fill them in thinking they are filling in a normal field. Since humans don’t see these fields (because their browser renders the CSS and hides them), you can assume that if they are empty on submission and that the user is real. If these hidden fields have a value, then a bot must have seen the field and filled it out.
For example, most forms contain some field called “Username” and another called “Email”. These are pretty common names. Bots download your form (in HTML format) and look for fields with those names. They then fill them in with spammy text that may try to sell you something or just contains some form of garbage. They then do this hundreds or thousands of times and flood your forms. Honey pot fields counter this by putting in fields with the usual names like “Username” so that the bot sees it and tries filling it out. Meanwhile your submission script will use another field called “usernm” or “usrname” etc.
The best way to see this in action is to take a brief look at some code that implements the form and how we would process it on the back end. For our example we will use HTML and CSS for the form and some PHP on the back end to process it. We will start with a super basic form.
<form method="post" action="ourform.php" name="example_form"> Username: <input type="textbox" name="username" style="display: none;"><input type="textbox" name="usr_name"><br/> Email: <input type="textbox" name="email" style="display: none;"><input type="textbox" name="usr_email"><br/> <input type="submit" name="submit" value="Submit form"> </form>
As you can see from the form above that we have two fields called “username” and “email” which are our honey pot fields. I want you to notice that these fields have a style applied to them which is of the value “display: none;”. This style hides the fields from human browsers. Instead, users will see the other two fields called “usr_name” and “usr_email”. These are the fields we will actually process in our script. The bot downloads the HTML, so they see the “username” and “email” fields and fill those in. On the back end of processing if there are values in these fields, we know that a bot must have filled them in.
The “honey” part of this is that we are attracting bots to fill in those fields instead of our normal fields (like a fly to honey). They think they have a successful submission and yet we throw away the submission.
In the code below we show that when a submission is made, we go about checking those hidden fields first. If either of them have an actual value (that is not empty) then we know that a bot filled them in and redirect them to a bogus success page. The thing you need to do here is that once we have determined it is a bot that we pretend they were successful. The reason is that if we flag it as not working for them, then it may draw the attention of an actual human who will see what we have done and adjust accordingly.
<?php
if (isset($_POST['submit'])) {
$honeypot_user = isset($_POST['username']) && (trim($_POST['username']) !== '');
$honeypot_email = isset($_POST['email']) && (trim($_POST['email']) !== '');
// If either of these two fields are true, then we have a bot so pretend their submission was successful (important) but throw away the response
if ($honeypot_user || $honeypot_email) {
// Send them to some success page
header("Location: success.php");
exit;
}
$username = isset($_POST['usr_name']) && (trim($_POST['usr_name']) !== '') ? trim($_POST['usr_name']) : '';
$useremail = isset($_POST['usr_email']) && (trim($_POST['usr_email']) !== '') ? trim($_POST['usr_email']) : '';
// Go about processing $username and $useremail as normal...
}
Stepping through our code we first check if there was a submission of our form. We then check if the username and email fields have been set and they contain a value other than empty. If either of these fields are set, we have a bot and so we send them off to the success page (without actually processing them) and we are done. If they do pass the check, then we collect the values from usr_name and usr_email and process those. These are the fields that humans do see.
This is not going to catch all the bots that may reach your form and this trick should be used in tandem with other tricks such as timestamping your forms, nonces, and for extreme cases graphic CAPTCHAs like those from Google reCAPTCHA can be used. If you are ok with having a CAPTCHA to begin with perhaps you just use that. I try to avoid those since they can make forms look uninviting at times. Each of these tricks catch bots in a different way and mixing them together can reduce the number of bots that get through.
In this article we covered what honey pot fields are in HTML forms, we then demonstrated their use in a simple form and processing script. We created two fields, hid them with CSS so that humans won’t see them but bots will. We talked about what to do once we found a bot and how it is important that we make the bot think they actually made it through. We also covered the idea that this is only one trick in a bag of tricks that you should deploy for combating bots when it comes to your forms. You should use this trick along with timestamping, nonces and CAPTCHAs to make your forms bullet proof.
If you have any other tricks you like to put into your forms that were not mentioned here, please let us know in the comments below! We always like to hear more from our community and sharing great tips and solutions is what we are all about. If you would like to practice your honey pot fields in a bigger project, don’t forget to check out our projects ebook or subscribe to our list to be kept up to date as to what we are doing. Thank you again for reading! 🙂
