HoneyPot Captcha


Jack_mcs


This addon prevents multiple emails from being sent through the forms on the site by adding a hidden challenge. Sending
emails through the forms is a favorite thing to do by spammers.

This has traditionally been handled by Google's Recaptcha code but that causes too much of a challenge in many cases and can
easily frustrate your customers. This code doesn't present a challenge for the customer at all. The checking is done without
the customer even knowing it.
 
The code will work in any version of oscommerce but the instructions are just for the Community Edition and just for the
contact us page (due to time constraints).


Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


3 hours ago, ArtcoInc said:

@Jack_mcs

Does this add-on require View Counter?

No, it doesn't. I must have clicked on something I shouldn't have when creating this thread. I have removed the mention of View Counter now. I apologize for the confusion.


This is a pretty interesting idea, Jack... good thinking. In installing it, I also noticed that the action recorder is implemented on the contact us page... that must also slow the bots down a lot.

Dan


Thanks, but it isn't my code. The Honeypot code has been around for years. The action Recorder helps as does the code in email validate function (for newer versions of oscommerce) that limits how many email addresses can be entered at one time. I would have thought the latter was enough to stop spammers but it doesn't.  


8 hours ago, Jack_mcs said:

I would have thought the latter was enough to stop spammers but it doesn't.  

I was thinking the same thing but your module makes it easy to take things a step further.   Thanks for taking the time to both develop and contribute it to the community. :thumbsup:

Dan

 


A new version has been uploaded with these changes:

  • Added a tell-a-friend file to the changed files.
  • Changed the module code to use a different function for the create account page. 

If you don't use this addon on either of those pages there's no reason to update. But if you don't and you enable it for the create account page, that page won't validate correctly.


I am running v2.3.2 and added the changes to the contact_us page and it does not seem to reject the form if the honeypot is not empty.

If I view source I do have the onsubmit="return validateMyForm();"

and

  <div style="display:none;">
  <label>Keep this field blank</label>
  <input type="text" name="honeypot" value="die bots" id="honeypot" />
  </div>

(before buttonSet)

What could I be missing?

I am not getting any errors from apache

Tom

Thomas A. Moulton, W2VY

osCommerce core developer osc2.1 to osc 2.3.x

Support the developers!

http://www.oscommerce.com/about/team


You have to include the validateMyForm code. For newer 2.3.4 and Responsive versions of oscommerce that is done by installing the included module. For all others you have to manually add the code.


A new version has been uploaded. Since any spam email I have ever seen contained an email address and/or a url, I added options to check for those on the contact us page and to reject the submission if found. It seems unlikely that a legitimate visitor would have those in their emails but there are options to control them if you don't want to use them.


I wonder if changing the honeypot input to something like email2 would encourage spammers to fill it in

<input type="text" name="email2" id="honeypot" />

or

<input type="text" name="email2" id="altemail" />

tom


The Honeypot input box should not be visible on the page. If it is, then there is a mistake in your installation. The whole idea with the code is that legitimate people can't fill in that box but spammers use scripts that automatically fill in all boxes so they are stopped.


Well, if you think about it from the automated spammer point of view...

They don't LOOK at the page, the BOT can READ the HTML, see excerpts below

<script type="text/javascript">
  function validateMyForm() {
    // The field is empty, submit the form.
    if (!document.getElementById("honeypot").value) {
      return true;
    }
    // The field has a value, it's a spam bot.
    else {
      return false;
    }
  }
</script>


</div>
<div style="display:none;">
<label>Keep this field blank</label>
<input type="text" name="honeypot" id="honeypot" />
</div>

 

Thomas A. Moulton, W2VY


I don't understand your point nor why you would want to encourage spammers to fill it in but you're free to change it as you see fit.


12 minutes ago, Jack_mcs said:

I don't understand your point nor why you would want to encourage spammers to fill it in but you're free to change it as you see fit.

I'm sure Tom will clarify but I think his point is that smarter bots, or perhaps AI bots, might be programmed to recognize traps like that, where the names were so obvious, and might skip the input. An interesting point and one that might become obvious over time, i.e. you'll know about it.

Dan


Oh Yes I think we WANT to encourage them to fill it in, so we know the 'client' was not using a web browser.

But if we think of AI, the very directive that tells the browser not to display the input may tell the bot also to leave it blank.

You have to think like a Bot and look at what the bot sees! Your HTML code

It might be interesting to see how many requests it blocks.

Tom


OK, I understand your point now. I don't think the scripts would do that but it is certainly possible. It is probably worth changing the code just to eliminate that possibility. But if it's going to be done, the javascript should probably be moved to a separate file and loaded in so it doesn't display in the source.


The code only checks for urls with http or https. If those aren't included the email will get by. I may change that in a future release but it involves more than the javascript check I used. If that isn't the problem, try submitting the form yourself with a copy of the url that is getting through to see if you can duplicate the problem. If you can, please send me what fails so I can see what the problem is.


It is believed that an elevated blood glucose level is the main cause of type 2 diabetes. However, German scientists have proven that cells' insulin resistance can be caused by an increased blood concentration of methylglyoxal (MG), a glucose metabolite. Read more on the site _a href=http://dom-lady.ru_dom-lady.ru_/a_

But if I enter that text the form is blocked.

I am starting to think that the javascript is not being executed on the server side 

If the code is assuming it will run on the client side, then it is no wonder the checks are not performed on some spammers

Maybe we should just move the checks to PHP code on the form submit action, that could NEVER fail!


Thomas A. Moulton, W2VY


Are you able to create an account? The create an account has the javascript in it too but it also has the original javascript in it. So if javascript is failing on your site, that would fail too. Blocking via the php code would probably be better but that would require further code changes and not be what this addon was intended for.

If you updated to the latest version and are using the Responsive version of the addon, you needed to uninstall the module first, replace the files and install again. If you didn't do that, the javascript may not function correctly.

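The server-side check discussed in the two posts above, as an added example that is not part of the addon or of either poster's code. The function and option names are hypothetical, `honeypot` is the field name shown in the thread, and `enquiry` is assumed to be the contact form's message field; the URL test also goes beyond the http/https-only check described earlier by matching scheme-less `www.` hosts.

```php
<?php
// Added example: server-side counterpart of the addon's client-side checks.
// hp_rejection_reasons() and its option names are hypothetical.

function hp_rejection_reasons(array $post, array $opts = []): array
{
    // Both content checks default to on; the caller can switch either off.
    $opts += ['block_urls' => true, 'block_emails' => true];
    $reasons = [];

    // A browser submits the hidden input as an empty string. A missing field
    // means the request was built without rendering the form.
    if (!array_key_exists('honeypot', $post)) {
        $reasons[] = 'honeypot_missing';
    } elseif (!is_string($post['honeypot']) || trim($post['honeypot']) !== '') {
        $reasons[] = 'honeypot_filled';
    }

    // 'enquiry' is an assumed name for the message field.
    $message = (isset($post['enquiry']) && is_string($post['enquiry'])) ? $post['enquiry'] : '';

    // Matches http:// and https:// URLs and also "www." hosts with no scheme.
    if ($opts['block_urls'] && preg_match('~\b(?:https?://|www\.)[^\s<>"]+~i', $message)) {
        $reasons[] = 'url_in_message';
    }

    if ($opts['block_emails'] && preg_match('/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i', $message)) {
        $reasons[] = 'email_in_message';
    }

    return $reasons;
}

// Constructed sample submissions (not taken from real traffic).
$samples = [
    'browser'     => ['honeypot' => '', 'enquiry' => 'Do you ship to Canada?'],
    'form filler' => ['honeypot' => 'die bots', 'enquiry' => 'Hello'],
    'direct POST' => ['enquiry' => 'Read more at http://spam.example/offer'],
    'no scheme'   => ['honeypot' => '', 'enquiry' => 'visit www.spam.example today'],
];

foreach ($samples as $label => $post) {
    $reasons = hp_rejection_reasons($post);
    printf("%-12s %s\n", $label, $reasons ? 'REJECT: ' . implode(', ', $reasons) : 'accept');
}
```

Because this runs in the form's submit handler, it applies whether or not the client executed `validateMyForm()`; a non-empty result means the mail should not be sent.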

I've been thinking about this and testing some things out...

This code worked best for my needs (which were: stop spammers, use as little code as possible)

<input type="text" name="inputHP" pattern="[0]{0}" aria-describedby="atHP" hidden>
<span id="atHP" hidden>This is a Test for weeding out Spammers.  You must leave this input box totally blank.</span>

What have I missed by just using that code ?

Note that I did hardcode it, if I was to spend time on it, it'd be a Hook most likely.


I haven't tested it but that looks like a good idea. But a second hook would be needed to add the code to check for emails and URLs, if those options were wanted. That is more in line with not changing the core code and is probably a better solution for the community edition. Actually, it might be a good addition to the stock shop. A generalized package that would protect any form in the shop by just calling a hook with the form's name, or something like that.
