Allow multiple hidden form elements [#2467743]

Problem/Motivation

On a large site, we've seen much better spam prevention (from bots) using a modified version of honeypot that allows multiple honeypot form elements instead of only one element.

Proposed resolution

Attached patch allows multiple form elements. Instead of entering a single value in the admin form, the administrator can enter multiple values, separated by commas.

Remaining tasks

Still need to modify the test, as well as write patches for 6.x and 8.x releases.

User interface changes

Administrator can now enter multiple form element names, separated by comma. Entering a single value still works fine.

Comment	File	Size	Author
#1	allow_multiple_honeypot_form_elements-2467743-1-against_7.x-1.17.patch	4.55 KB	krisahil
#1	7.x-1.x: PHP 5.6 & MySQL 5.5, D7 Patch failed to apply
#1	allow_multiple_honeypot_form_elements-2467743-1.patch	4.75 KB	krisahil
#1	7.x-1.x: PHP 5.6 & MySQL 5.5, D7 Patch failed to apply

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

krisahil CreditAttribution: krisahil commented 8 April 2015 at 17:18

File	Size
allow_multiple_honeypot_form_elements-2467743-1.patch	4.75 KB
7.x-1.x: PHP 5.6 & MySQL 5.5, D7 Patch failed to apply
allow_multiple_honeypot_form_elements-2467743-1-against_7.x-1.17.patch	4.55 KB
7.x-1.x: PHP 5.6 & MySQL 5.5, D7 Patch failed to apply

Attached is patch against latest 7.x-1.x branch (c60a524a8f7a6135149aa26df9e6580556f31966).
Also attached is a patch against 7.x-1.17 tag release.

Comment #2

geerlingguy CreditAttribution: geerlingguy commented 20 April 2015 at 19:08

@krisahil - I can see generally that adding more elements could potentially trick certain bots, but it seems the main value might just be in picking a better / non-default element name instead of adding multiple names. I'm wondering if this is the right route to go—it might be almost as effective (yet less complicated, code-wise and form-wise) to simply allow multiple field names, and just pick one at random each time a form is rendered?

Comment #3

geerlingguy CreditAttribution: geerlingguy commented 11 March 2016 at 04:44

Status:

Active

» Needs review

Comment #4

11 March 2016 at 04:46

The last submitted patch, 1: allow_multiple_honeypot_form_elements-2467743-1.patch, failed testing.

Comment #5

11 March 2016 at 04:46

Status:

Needs review

» Needs work

The last submitted patch, 1: allow_multiple_honeypot_form_elements-2467743-1-against_7.x-1.17.patch, failed testing.

Comment #6

geerlingguy CreditAttribution: geerlingguy commented 9 August 2018 at 20:31

Status:

Needs work

» Closed (works as designed)

After giving some more consideration, I'd rather leave it at one element, as this trick may be enough to trip up some human spammers, but one or a hundred fields won't make much difference to bots, IMO. It would be better to go for more advanced/'intelligent' spam control like Akismet or Cleantalk if necessary.