Tighten validation of honeypot field, perhaps? #160
StephenPickles
started this conversation in
Ideas
Replies: 0 comments
If a bot provides the value "0" in the honeypot field, the request will pass the anti-spam test. The code that tests this is in src/SpamProtection.php:
```php
if (! empty($honeypotValue))
```

But `empty("0")` returns true in PHP.
I tested this by publishing the honeypot-views tag to my application's views, and changing the honeypotFormFields.blade.php to put "0" in the value attribute of the honeypot field.
I suggest tightening the validation a little because the present approach opens up a possible strategy for bots to increase their success rate.
Thanks for the package, which fills a gap; I've been seeing more and more spam user registrations in my app.
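The behaviour described in the discussion, shown side by side with a stricter check, as an added example that is not code from the package itself. The function names `honeypotFilledLoose` and `honeypotFilledStrict` and the sample submissions are constructed for illustration; the loose variant reproduces the quoted `! empty(...)` test, and the strict variant treats only an absent or empty-string value as an untouched honeypot.

```php
<?php
// Added example, not code from the discussed package. It contrasts the loose
// empty() check quoted in the discussion with a strict "field must be blank"
// check for a honeypot value.

/**
 * Loose check, as quoted in the discussion. empty() treats the string "0"
 * as empty, so a honeypot containing "0" is NOT reported as filled.
 */
function honeypotFilledLoose($honeypotValue): bool
{
    return ! empty($honeypotValue);
}

/**
 * Strict check: the honeypot counts as untouched only when the field is
 * absent (null) or an empty string. Any other value, including "0", means
 * something wrote into the hidden field.
 */
function honeypotFilledStrict($honeypotValue): bool
{
    if ($honeypotValue === null) {
        return false;
    }
    if (is_array($honeypotValue)) {
        // Several values submitted for a single hidden field: treat as filled.
        return true;
    }
    return (string) $honeypotValue !== '';
}

// Constructed sample submissions, including the "0" case from the discussion.
$samples = [
    'absent field'    => null,
    'blank field'     => '',
    'value "0"'       => '0',
    'value "text"'    => 'some text',
];

printf("%-16s %-6s %-6s\n", 'submission', 'loose', 'strict');
foreach ($samples as $label => $value) {
    printf(
        "%-16s %-6s %-6s\n",
        $label,
        honeypotFilledLoose($value) ? 'spam' : 'pass',
        honeypotFilledStrict($value) ? 'spam' : 'pass'
    );
}
```

Running this prints a small table: the loose check lets the `"0"` submission through as `pass`, while the strict check reports it as `spam`; both agree on the absent, blank and text cases. Whether a whitespace-only value should also count as filled is a policy choice for the application; the strict variant above deliberately does not trim, so a single space is treated as a filled field.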