compguru910 Posted January 14, 2009 Share Posted January 14, 2009 Hello, im having a weird issue with this captcha script that I learned from a tutorial. It seems like this ia problem that is very slight and im overlooking it. So, to test, I made it submit the actual CAPTCHA text when it sends the form, and everytime its submitted its blank. So, this bot is spamming my page without putting in the CAPTCHA. Can anyone look at the code and possibly tell me why? and how <form name="form1" method="post" action="contact.php"> <div align="justify"> <p><span style="font-weight: bold; font-size: 16px; color: #000000">Email Address:</span><br /> <input type="text" name="email" id="email"> <br> <span style="font-size: 16px; color: #000000; font-weight: bold">Comments</span> <br> <textarea name="comments" id="comments" cols="45" rows="5"></textarea> </p> <p>Captcha (Stop Spamming Bots)<br /> <img src="captcha.php" /> <input name="check" type="text" id="textfield" size="15" /> </p> <p> <input type="submit" name="submit" id="submit" value="Talk To Us!"> </p> </div> </form> <p style="font-size: 18px; color: #CCCCCC"></p> <? if (isset($_POST['submit'])) { //Checks to see if th CAPTCHA validated, if it does, then proceed with validating forms if ($_POST['check'] == ($_SESSION['check'] / ) { // Lets the user know if the email and comments have been filled out $captcha_correct = TRUE; if (empty($_POST['email'])) { print 'You have not entered your email address'; } if (empty($_POST['comments'])) { print 'You have not entered any comments'; } // If the email and comments section have been filled out then proceed with SQL // This section adds the comments into the comments database for records if ($_POST['email'] && $_POST['comments'] && $captcha_correct = TRUE) { $dbc = mysql_connect('localhost','breadcorn','wat1964') ; mysql_select_db('cookshack'); $query = "INSERT INTO comments (date, comment, email) VALUES (NOW(), '{$_POST['comments']}','{$_POST['email']}');"; // If the query ran fine, then print thank you if (@mysql_query($query) ) { print "<p align=\"left\" style=\" font-family: Verdana, Arial, Helvetica, sans-serif\">Thank you for your comments</p>"; //Set up the format so that the comment can be emailed $date = date('g:i a l F j Y'); $body = "Comment Sent By $email at $date\nComment: $comments\n '{$_POST['check']}'"; mail('swalsh@atsystemsonline.com','Comments',$body); mail('tdonaldson@atsystemsonline.com','Comment',$body); $query = "INSERT INTO mailinglist VALUES ('{$_POST['email']}');"; @mysql_query($query); //If the query fails on the first query, then display why } else { print '<p>The comment could not be added because: ' . mysql_error() . '</p>'; } //Check to see if the email is already in the database, if not, add it include('includes/dbconnect.php'); $query = "SELECT email FROM phplist_user_user WHERE (email = '{$_POST['email']}');"; $returned = mysql_query($query); if (mysql_num_rows($returned) > 0 ) { print "<p align=\"left\" style=\"color: #CCCCCC; font-family: Verdana, Arial, Helvetica, sans-serif\"></p>"; } else { $uniqid = md5($_POST['email']); $query = "INSERT INTO phplist_user_user (id, email, confirmed, blacklisted, bouncecount, uniqid, htmlemail) VALUES (0, '{$_POST['email']}', '1', '0', '0', '$uniqid', '1');"; if (mysql_query($query)) { $query = "SELECT id FROM phplist_user_user WHERE (email = '{$_POST['email']}') LIMIT 1;"; $returned = mysql_query($query); $id = mysql_fetch_array($returned); $query2 = "INSERT INTO phplist_listuser (userid,listid,entered) VALUES ('$id[0]','2',NOW());"; $returned = mysql_query($query2); } } } } else { print "The CAPTCHA you have entered is incorrect, please try again"; } } Here is the captcha.php code. <?php session_start(); //imagecreatefrompng :: create a new image //from file or URL $img = imagecreatefrompng('black.png'); //displaying the random text on the captcha $numero = rand(100, 999); $_SESSION['check'] = ($numero * ; //The function imagecolorallocate creates a //color using RGB (red,green,blue) format. $white = imagecolorallocate($img, 255, 255, 255); imagestring($img, 10, 8, 3, $numero, $white); header ("Content-type: image/png"); imagepng($img); ?> So, the number that is generated by the captcha is multiplied by 8 and stored in the session, then divided by 8 on the page. Its still getting past it. Im stumped... Quote Link to comment Share on other sites More sharing options...
rhodesa Posted January 14, 2009 Share Posted January 14, 2009 you need a session_start() at the top of your page with the form. otherwise, $_SESSION['check'] will always be 0: 0 / 8 = 0 so, if no captcha text is submitted, empty == 0, and it gets through. also, in your php, you will want to validate that $_SESSION['check'] has a value. if it's a bot, the browser will never pull captcha.php, therefore not setting a value for $_SESSION['check'] and then you have the same problem Quote Link to comment Share on other sites More sharing options...
compguru910 Posted January 14, 2009 Author Share Posted January 14, 2009 In the header of the page (not included there) I have session_start(); and ob_start(); . The captcha works, I cant get past it, somehow this bot is without entering a captcha at all. The webs link is www.cookshackbarbq.com/contact.php Quote Link to comment Share on other sites More sharing options...
premiso Posted January 14, 2009 Share Posted January 14, 2009 Are you sure it is a bot? If it is a bot, chances are it is reading the image. You could try to do Re-Catcha (google it for more info) and see if that stops them. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 14, 2009 Share Posted January 14, 2009 That is about the weakest captcha image possible. Commonly available OCR software will match that probably 95+ percent of the time. Quote Link to comment Share on other sites More sharing options...
compguru910 Posted January 14, 2009 Author Share Posted January 14, 2009 The thing is, its not even going through the captcha. The captcha field on the page is not even being posted. Quote Link to comment Share on other sites More sharing options...
rhodesa Posted January 14, 2009 Share Posted January 14, 2009 The thing is, its not even going through the captcha. The captcha field on the page is not even being posted. then check to make sure a CAPTCHA is posted and that a captcha value is in the SESSION Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 14, 2009 Share Posted January 14, 2009 also, in your php, you will want to validate that $_SESSION['check'] has a value. if it's a bot, the browser will never pull captcha.php, therefore not setting a value for $_SESSION['check'] and then you have the same problem I'll second that, since I doubt you changed your code to check that $_SESSION['check'] exists and has something in it. NULL == NULL is TRUE and your code will operate as though a matching value was entered. Quote Link to comment Share on other sites More sharing options...
compguru910 Posted January 15, 2009 Author Share Posted January 15, 2009 Ok, I have specifically checked to make sure the session has a value. If you go to the page I posted, and try to submit without the captcha in there (hence NULL) then it comes back saying the captcha hasnt been inserted and wont go through. I dont check to see if the field is left empty, I simply check to see if the captcha matches the session value. So, in order to submit this page, CAPTCHA has to be filled out. The bot is getting past that without putting anything in there when my code specifically checks to see if the session has been filled. If you dont believe me, get in firefox, and change the settings so that when a new cookie is created, to notify you. When you go to that page, it will notify you that a new cookie is being created (because most sessions are stored in cookies). The issue is not the bot cracking the captcha, or even the fact that the session is empty, hes getting past without even messing with that, and im just confused on how. Quote Link to comment Share on other sites More sharing options...
rhodesa Posted January 15, 2009 Share Posted January 15, 2009 ok...i went through and reworked the code the way I would do it. i got confused at the last part of PHP code though, so i commented it out...is that for a separate database? <?php session_start(); $message = ""; if($_SERVER['REQUEST_METHOD'] == 'POST'){ if(empty($_SESSION['check']) || empty($_POST['check'])){ //Checks to make sure there is a values in the session and form $message = "No CAPTCHA was provided"; }elseif($_POST['check'] == ($_SESSION['check'] / ){ //Checks to see if th CAPTCHA validated, if it does, then proceed with validating forms $message = "The CAPTCHA you have entered is incorrect, please try again"; }elseif(empty($_POST['email'])){ //Lets the user know if the email has not been filled out $message = 'You have not entered your email address'; }elseif(empty($_POST['comments'])){ //Lets the user know if the comments has not been filled out $message = 'You have not entered any comments'; }else{ //If the email and comments section have been filled out then proceed with SQL //This section adds the comments into the comments database for records mysql_connect('localhost','breadcorn','wat1964') or die(mysql_error()); mysql_select_db('cookshack') or die(mysql_error()); $query = sprintf( "INSERT INTO comments (date, comment, email) VALUES (NOW(),'%s','%s')", mysql_real_escape_string($_POST['comments']), mysql_real_escape_string($_POST['email']) ); //If the query ran fine, then print thank you if(@mysql_query($query)){ $message = "<p align=\"left\" style=\" font-family:Verdana,Arial,Helvetica,sans-serif\">Thank you for your comments</p>"; //Set up the format so that the comment can be emailed $date = date('g:i a l F j Y'); $body = "Comment Sent By {$_POST['email']} at $date\nComment: {$_POST['comments']}\n '{$_POST['check']}'"; mail('swalsh@atsystemsonline.com,tdonaldson@atsystemsonline.com','Comments',$body); $query = sprintf("INSERT INTO mailinglist VALUES ('%s')",mysql_real_escape_string($_POST['email'])); @mysql_query($query); }else{ //If the query fails on the first query, then display why $message = '<p>The comment could not be added because: ' . mysql_error() . '</p>'; } // Is this a different database? //Check to see if the email is already in the database, if not, add it // include('includes/dbconnect.php'); // $query = sprintf("SELECT email FROM phplist_user_user WHERE email = '%s'",mysql_real_escape_string($_POST['email'])); // if(mysql_num_rows(mysql_query($query)) > 0 ){ // print "<p align=\"left\" style=\"color: #CCCCCC; font-family: Verdana, Arial, Helvetica, sans-serif\"></p>"; // } else { // $uniqid = md5($_POST['email']); // $query = "INSERT INTO phplist_user_user (id, email, confirmed, blacklisted, bouncecount, uniqid, htmlemail) VALUES (0, '{$_POST['email']}', '1', '0', '0', '$uniqid', '1');"; // if (mysql_query($query)) { // $query = "SELECT id FROM phplist_user_user WHERE (email = '{$_POST['email']}') LIMIT 1;"; // $returned = mysql_query($query); // $id = mysql_fetch_array($returned); // $query2 = "INSERT INTO phplist_listuser (userid,listid,entered) VALUES ('$id[0]','2',NOW());"; // $returned = mysql_query($query2); // } // } // } } } ?> <form name="form1" method="post" action="contact.php"> <div align="justify"> <p><span style="font-weight: bold; font-size: 16px; color: #000000">Email Address:</span><br /> <input type="text" name="email" id="email"> <br> <span style="font-size: 16px; color: #000000; font-weight: bold">Comments</span> <br> <textarea name="comments" id="comments" cols="45" rows="5"></textarea> </p> <p>Captcha (Stop Spamming Bots)<br /> <img src="captcha.php" /> <input name="check" type="text" id="textfield" size="15" /> </p> <p> <input type="submit" name="submit" id="submit" value="Talk To Us!"> </p> </div> </form> <p style="font-size: 18px; color: #CCCCCC"></p> <?php echo $message; ?> Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 15, 2009 Share Posted January 15, 2009 For your last post, you would need to post all your current code because it sounds like you are not using sessions correctly. Are you testing this on a system with error_reporting set to E_ALL and display_errors set to ON so that you would know if php was detecting a problem when the code executes? Also the following line is not testing if $captcha_correct is TRUE, it is setting $captcha_correct = TRUE and using that value, which is TRUE in the comparison (you need two == to test if it is TRUE) - if ($_POST['email'] && $_POST['comments'] && $captcha_correct = TRUE) { Quote Link to comment Share on other sites More sharing options...
compguru910 Posted January 15, 2009 Author Share Posted January 15, 2009 That was the issue that I didnt have == as opposed to =. Somehow the bot made it past that, when I couldnt. The sessions are working fine (I know sessions pretty well, and I did put in the code at the end of the page <? print $_Session['check'] ?> to make sure that the session was being set. The problem seems to be solved now as I have added the = sign, and in the send function for the email, I made it check to make sure that 'check' form was not blank. No more spam emails, good thing cause that was getting obnoxious. Thanks for the help guys Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.