This is just an informative post for PHP dummies like myself. I read over a lot of the SPAM posts around here and determined that I wanted to make a honeypot field named "email" that spam robots would want to fill out. I didn't find specific directions on how to do this, however. Here's how I did it:

  1. In your section editor, rename your normal email field to something else, I did "address"
  2. In your HTML code for the form, create an extra field named "email", give it a special style, but don't use input type="hidden"
  3. Use that style in your CSS to make it display:hidden, or text-indent:-9999px, or whatever works best for you
  4. In Symphony create an event for this form, if you haven't already.
  5. Open up that PHP event in your favorite code editor, find the public function load() code.
  6. Replace the whole function with this function, but make sure to change out the name of your event instead of "save-response" like mine was named:
  7. Try testing out your form. It should submit like normal when the field is empty, but should do nothing when that field is filled out.

Would any of the more knowledgable people around here suggest any changes to this method? Hope this is helpful to someone.

Depending on the method one uses to hide the field, it might still be visible to people who use screen readers. So you might want to add something that indicates they should leave this field blank. Perhaps add something to the label like "fill this out if you are a robot".

In case Pastie kills the code, here it is again for reference:

public function load(){
    if(isset($_POST['action']['save-response']) && $_POST['email'] == ""){ 
    return $this->__trigger();

With Symphony events, the fields are generated with the "fields" prefix. ie fields[email]. Does this throw spam bots off at all? Having the input name on the honeypot field without that prefix? Would they be smart enough to detect the difference and prevent filling it out?

Also, the only real problem I see with changing the real email fields name to something like "address" is that error messages on an unsuccessful submission might not be as clear to the user? This might not be that big of an issue, but a message saying, "Address is required" may raise a few eyebrows?

I am using another solution for a honeypot:

  • I have added a Text Input to the section to protect
  • I gave it the validation rule /^$/i (which says the field must be empty)
  • With the field suppressor extension I am hiding the field
  • The input field is hidden by applying the css sytle attributes position: absolute, left: -5000px
  • To prevent users from accessing the field with the tab key, I gave it tabindex=-1 which excludes it from the tab order

The input field is hidden by applying the css sytle attributes position: absolute, left: -5000px

Is this proven more beneficial than display: none? Having the element still on the page, that is.

I'm digging using the suppressor extension though, removes the necessity to manually alter the Event.

Can't tell whether it makes any difference to use display: none or position: absolute. I had used the latter to make sure bots don't grasp I have included a honeypot but then I experienced problems with Chrome and Safari (which both still display the field) and I am now applying display: none with javascript after page loading.

Create an account or sign in to comment.

Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.3
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent

Compatible Hosts

Sign in

Login details