Home/ Questions/Q 7932421
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T21:00:54+00:00

I have been reading this blog post and this stack overflow post but I

  • 0

I have been reading this blog post and this stack overflow post but I don’t have much experience with hashing form fields (the honeypot part, there seems to be a lot of examples on the web) So I have a few questions.

Question 1

Is it something like this or am I way off base? (Note, this is a simplified example with just the timestamp for brevity)

PHP on the form:

$time = mktime(); 
$first_name = md5($time + 'first_name');

HTML on the form:

<form action="register.php" method="post">
<input type="text" name="<?php echo $first_name ?>" >
<input type="hidden" name="check" value="<?php echo $time ?>" >
<input type="submit" name="register">
</form>

Register.php

// check to see if there is a timestamp
if (isset($_POST['check'])) {
    $time = strtotime($_POST['check']);

    if (time() < $time) {
    // original timestamp is in the future, this is wrong
    }

    if (time() - $time < 60) {
    // form was filled out too fast, less than 1 minute?
    }

    // otherwise
    $key = $_POST['check'];

    if (md5($key + 'first_name') == $_POST['whatever-the-hash-on-the-first_name-field-was']) {
        // process first_name field?
    }
}

Question 2:

How does the hashing of the field name make things more secure? I get the timestamp check (although I don’t understand the part in the blog post “too far in the past”…wouldn’t a bot fill it out too fast if anything??) but I am not sure what hashing the name attribute does exactly.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to hash the field names server side before you send them to the client:

    <form action="register.php" method="post">
<? $timestamp = time() ?>
<!-- This is where the user would put the email. Don't put this comment in for real -->
<input type="text" name="<?php echo md5("email" . $timestamp . $secretKey) ?>" >
<input type="hidden" name="check" value="<?php echo $timestamp ?>" >
<input type="submit" name="register">
</form>

    That will randomize the names of the fields. On your server when the data is posted you need to re-hash the field names to find the correct post variables:

    <?
    if (isset($_POST['check'])) {
        $email = $_POST[md5("email" . $_POST['check'] . $secretKey)];
    }
?>

    The author of the blog says this is a way to prevent replay attacks. I think there is some merit to the idea, and here is how it would work:

    1. An attacker would visit your site, and manually fill out the form, recording all of your field names.
    2. He would then input those recorded field names into his bot and program the bot to re-fill your form at a later time.
    3. The attacker might record this for the ’email field’ <input type="text" name="0c83f57c786a0b4a39efab23731c7ebc" /> and for the hidden check field <input type="hidden" name="2012/05/11 12:00:00" />
    4. The bot would then post those very same fields with different data.
    5. This is where your “too far in the past” check would be triggered. The bot would be posting a timestamped form with an old date and you would reject it.

    I hope this helps you understand what the blog author was getting at.

    • 0