What is JotForm?
JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.

At JotForm, we want to make sure that you’re getting the online form builder help that you need. Our friendly customer support team is available 24/7.

We believe that if one user has a question, there could be more users who may have the same question. This is why many of our support forum threads are public and available to be searched and viewed. If you’d like help immediately, feel free to search for a similar question, or submit your question or concern.


  • Profile Image

    Server not blocking Honeypot field when JavaScript is disabled

    Asked by cleverwebmonkey on August 15, 2013 at 09:17 AM

    When JavaScript is disabled, the server does not reject form submissions that have the "website" field filled out:

          <li style="display:none">
           Should be Empty:
           <input type="text" name="website" value="" />
         </li>

    I tested this by changing the CSS "display" property to "block" and then filling out the input. The form gets submitted and I'm receiving the results in my inbox.
    Submissions style name font
  • Profile Image

    Answered by jeanettebmz on August 15, 2013 at 01:55 PM

    I am not sure if I understood correctly, do you want to prevent the form being submitted when a certain field is filled out?

    I looked into your contact form which is the only one in your account and could not find the "Honeypot" field

    Can you please provide more details and describe in a more detailed way the desired scenario?

  • Profile Image

    Answered by cleverwebmonkey on August 15, 2013 at 02:48 PM

    Correct. I want the server to reject the form when the field "website" is filled out. This rejection should happen on the server end.

    That code snippet comes directly from the downloaded source code (from the menu: "Embed Form" > "Source" > "You can also download a compressed and refined version with separate .css and .js files from here"). 

    I think I reasonably assumed the purpose of the "website" field, enclosed in an element which has "display:none:", was to be a "Honeypot" field — especially because of the presence of the "Should be Empty:" text next to it.

    The technique I want to achieve is explained here, among other places: http://www.ngenworks.com/blog/invisible_captcha_to_prevent_form_spam/

  • Profile Image
    JotForm Support

    Answered by Welvin on August 15, 2013 at 05:43 PM

    The process given from the website simply tells you to hide the confirmation email field, then if the field is filled out, that means it is a SPAM message from Spam Bots.

    You can do that with our Form. Add another field, hide that field using custom CSS injection. Example:

    Form with the visible field: http://www.jotformpro.com/form/32266384052957

    Form without the visible field: http://www.jotformpro.com/form/32266834084962

    We can do a tweak, using our Conditional Logic, Hide the Submit Button when that field is filled.

    As you could see, the field is hidden from the editor but you can still see it when setting up a Conditional Logic (Conditional Logic on Forms).

    To simulate and or see the action when the field is filled out, see this URL: http://www.jotformpro.com/form/32266834084962?ifYou=DUH! (using URL parameters).

    Let us know if you are confuse about the process and or if you have any further questions for this process.

    Thanks

  • Profile Image

    Answered by cleverwebmonkey on August 16, 2013 at 02:13 AM

    I tried what you suggested, Welvin. As I suspected however, that functionality relies on JavaScript (I tested the form with JavaScript deactivated in my browser). As most (if not all) spambots don't process JavaScript and CSS, this would have minimal effect.

    The description of the honeypot technique might be clearer here: http://www.scorchsoft.com/blog/recaptcha-alternative-honeypot-spam-prevention/

    In this example, specifically, it's the PHP that is blocking the submission:

    if(isset($_REQUEST'honeypot') && $_REQUEST'honeypot' && $_REQUESThoneypot' != '')
    //Don't send the form
    else
    //Send the form

    Obviously this is just an example and geniune code needs to go in there.

    Again, I'm seriously wondering what's the purpose of this code snippet in the downloaded code from JotForm if it ain't for this very specific reason:

          <li style="display:none">
           Should be Empty:
          <input type="text" name="website" value="" />
        </li>

    Just to make it clear: I have not created this field — it has been generated by JotForm. If you check on other people's forms, you'll also find the same snippet of code in their forms. It's even in the examples you supplied, if you look at the rendered page's HTML source code.
  • Profile Image
    JotForm Support

    Answered by Welvin on August 16, 2013 at 03:30 PM

    Hi,

    I have no clear explanation about that codes, but I guess that's part of tracking to who accessed the form and should always be hidden which is sometimes called an empty element. I will try to reach our developers about this and let you know better later today.

    The honeypot technique seems new to me. There should be more explanation on how to use it. I have tried to do it using the form source codes but I am still able to receive the form email. I'll try to come up with this idea and give you the working example.

    Thanks

  • Profile Image
    JotForm Support

    Answered by EltonCris on September 07, 2013 at 01:00 AM

    @cleverwebmonkey 

    Do you still need help regarding this matter? If yes, you can use the following.

    Here I came up with a pure javascript code. Just add it at the bottom of your entire form source code, after the ending </form> tag.

    <script type="text/javascript">

    var emptyfield = document.getElementsByName("website");

    formz = document.getElementsByTagName("form");

    formz[0].onsubmit = function(){

    if (emptyfield[0].value != ""){

      alert ("Spammers alert!"); //trigger alert

      console.log("form cannot be sent"); //print log

      return false; //unsubmit form

    else{

    return true; //submit form

    }

    }

    </script>

    Also, you do not need to worry on the browsers with disabled javascript. JotForm has its own ability to detect it and redirect the form to a captcha page if javascript is disabled.

    Hope this helps. Thanks!