dream04110 2019-03-22 18:42

PHP mail: concept of the honeypot method

I was thinking of how I (or we) could build a fully functional PHP form that could do two things:

  • Be randomly generated
  • Keep original formatting when parsing to e-mail

For anyone who's not familiar with the honeypot method, I will briefly explain it. The honeypot method uses a visually invisible field (display: none) that should be kept empty when posted. Because bots will only inspect the source code, it will be very likely that a bot will automatically fill in this field and thus be blocked by an if / else check when the form is posted.

I wrote a concept that explains the algorithm that has to do this. I added a few example arrays, just to demonstrate.

I'm very curious if someone could help me strengthen the method. Is this safe enough? Or is there something that I'm missing?


$fields = [
    [
        "name" => "name",
        "type" => "text",
        "class" => "input--text",
        "required" => true
    ],
    [
        "name" => "email",
        "type" => "text",
        "class" => "input--text",
        "required" => true
    ],
    [
        "name" => "phone",
        "type" => "text",
        "class" => "input--text",
        "required" => true
    ],
];

$classes = [
    "input--town",
    "input--city",
    "input--country",
    "input--date",
    "input--subject",
    "input--town",
    "input--town",
];

$names = [
    "city",
    "birthday",
    "genre",
    "location",
    "agreement",
    "year",
    "month",
    "day",
    "strength",
];

$types = [
    "date",
    "email",
    "text",
    "time",
    "search",
    "checkbox",
    "radio",
    "week",
];

// $_POST
$_POST = [
    "birthday" => "",
    "name" => "Jim",
    "city" => "",
    "email" => "text@example.com",
    "phone" => "1234567890"
];

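// Total number of inputs to render: the real fields plus 2-6 fake ones.
// Stored in its own variable so the $fields array stays available for the steps below.
$fieldCount = count($fields) + rand(2, 6);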

// Concept algorithm
/*

    === Goal
    Randomize both real and fake fields in order to prevent 
    AI / Spider(s) / Bot(s) from figuring out our honeypot method

    === Parsing of field
    - For loop the amount of fields
    - Create new array with fields
    - Include the fields with index $i in new array (with encrypted CSS order slug, md5 into sha1 with substring)
    - If all included randomize the remaining (random: class, random: type, random: order)
    - Shuffle array
    - Loop and parse into <form></form>
    - Add ReCAPTCHA

    === Retrieving of $_POST and markup of e-mail
    - Check for ReCAPTCHA validity
    - Loop through $_POST
    - Check:
        - If "name" in $names => If so => check if empty. If empty, continue
            - Save all collected $_POST fields to new array
            - Loop through the original array of $fields
            - Use name attribute in fields to index $_POST fields
            - Escape, sanitize and parse to e-mail message
            ---------
            - DONE => Send 
            ---------
        - Else => It's a field that should be empty so it's filled by a bot... SPAM!

    === Featured
    - Random amount of fields (both fake and true)
    - Randomized order of fields in HTML
    - Structured with CSS
    - Algorithmic check if fake or real field
    - Keep original field order in e-mail markup
*/
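
An added example, not code from the original post: one way to carry out the "Retrieving of $_POST" steps so that a per-render map kept on the server, rather than a fixed $names list, decides which inputs are decoys. It assumes the map is stored server-side between render and submit (for example in the session); the function names buildFieldMap and checkPost and the f_ prefix are hypothetical.

```php
<?php
declare(strict_types=1);

// Helper names are hypothetical; the sample posts at the bottom are constructed.
const REAL_FIELDS = ['name', 'email', 'phone'];   // original order, as in $fields

/** Per-render map: random input name => real field name, or null for a decoy. */
function buildFieldMap(int $decoys): array
{
    $targets = array_merge(REAL_FIELDS, array_fill(0, $decoys, null));
    shuffle($targets);                            // markup order reveals nothing
    $map = [];
    foreach ($targets as $target) {
        $map['f_' . bin2hex(random_bytes(6))] = $target;
    }
    return $map;
}

/** Cleaned real fields in original order, or null when a decoy was filled in. */
function checkPost(array $map, array $post): ?array
{
    $clean = [];
    foreach ($map as $inputName => $real) {
        $value = $post[$inputName] ?? '';
        if (!is_string($value)) {
            return null;                          // arrays are never expected here
        }
        if ($real === null) {
            if ($value !== '') {
                return null;                      // decoy has content: treat as spam
            }
            continue;
        }
        // Replace CR/LF and other control characters so a value cannot add mail headers.
        $clean[$real] = trim((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
    }
    // Restore the original field order for the e-mail body.
    return array_replace(array_flip(REAL_FIELDS), $clean);
}

// Constructed demo: a human-style post (one value carries CR/LF) and a fill-everything post.
$map   = buildFieldMap(random_int(2, 6));         // a real form would keep this in $_SESSION
$input = array_flip(array_filter($map));          // real field => random input name
$human = [
    $input['name']  => 'Jim',
    $input['email'] => "text@example.com\r\nBcc: other@example.com",
    $input['phone'] => '1234567890',
];
var_dump(checkPost($map, $human));
var_dump(checkPost($map, array_fill_keys(array_keys($map), 'spam')));
```

Because real and decoy inputs share the same random naming scheme, the page source alone does not show which inputs must stay empty, and the returned array is keyed by the original field names for building the e-mail.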