Pavlos1316 Posted March 11, 2010

Hello, I have a code to generate captcha in my site and the below code to check it during the registration, but I can't make it work. Any suggestions?

```php
//database info

//database connection

//check if username is empty
exit();
}

//check if password is empty
exit();
}

//check if username exists
exit();
}

//check if captcha is the same as the provided
if($_SESSION['captchaCheck'] != $_POST['providedCaptcha'] && !empty($_SESSION['captchaCheck'])){
    echo "The inserted text (".$_POST['providedCaptcha'].") does not match the rendered one (".$_SESSION['captchaCheck'].")!";
    unset($_SESSION['captchaCheck']);
    exit();
}

//post in database
```

Everything is working (that's why I didn't write them) except the captcha check. Thank you.

PFMaBiSmAd Posted March 11, 2010

Since you did not tell anyone what it IS doing, it is not directly possible to help you fix anything. What symptom do you see in front of you that makes you think it is not working?

Pavlos1316 Posted March 11, 2010

Sorry for that... It does nothing... I write the wrong captcha but the form proceeds to registration without checking. I hope I was clear this time...

Pavlos1316 Posted March 11, 2010

Found it... was missing a session_start(); from the beginning of the captcha code. Thank you..

PFMaBiSmAd Posted March 11, 2010

I think you will find that if someone (or a bot script) visits your form processing code without first visiting your form to set the $_SESSION['captchaCheck'] variable, that your existing code can be bypassed. Give this a try -

```php
<?php
// if the session variable is empty (someone visited the processing code without first visiting the form), or
// if the post variable is empty (someone either did not enter a value or a bot script did not supply that form field), or
// if the two values don't match -
if(empty($_SESSION['captchaCheck']) || empty($_POST['providedCaptcha']) || $_SESSION['captchaCheck'] != $_POST['providedCaptcha']){
    echo "The inserted text (".$_POST['providedCaptcha'].") does not match the rendered one (".$_SESSION['captchaCheck'].")!";
    unset($_SESSION['captchaCheck']);
    exit();
}
// at this point, the session variable contained something, the post variable contained something, and the two values matched
// unset the session variable at this point to prevent repeated submissions
unset($_SESSION['captchaCheck']);
?>
```

Edit: You will also find that bot scripts that don't support sessions can bypass your current logic.
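
An added example, not code from either poster: it runs the condition from the first post and a fail-closed variant over constructed requests, so the cases that slip through are visible side by side. The function names, the sample captcha values and the plain arrays standing in for $_SESSION and $_POST are assumptions; the fail-closed version also compares with hash_equals() and consumes the captcha on every attempt, which goes beyond the snippet above.

```php
<?php
// Added example, not code from the thread. Arrays stand in for $_SESSION and
// $_POST so the script runs from the CLI; function names are hypothetical.

// The condition from the first post: true means registration would proceed.
function originalCheckPasses(array $session, array $post): bool
{
    $expected = $session['captchaCheck'] ?? null;
    $provided = $post['providedCaptcha'] ?? null;
    // Rejects only when a session value exists AND differs from the input.
    return !($expected != $provided && !empty($expected));
}

// Fail-closed check: every missing or malformed input is a rejection.
function captchaPasses(array &$session, array $post): bool
{
    $expected = $session['captchaCheck'] ?? '';
    $provided = $post['providedCaptcha'] ?? '';
    // One attempt per rendered captcha, whether it passes or fails.
    unset($session['captchaCheck']);
    if (!is_string($expected) || !is_string($provided)
        || $expected === '' || $provided === '') {
        return false;
    }
    // Constant-time string comparison; no type juggling as with != or ==.
    return hash_equals($expected, $provided);
}

// Constructed requests: [label, session contents, post contents].
$cases = [
    ['form never visited, no field', [], []],
    ['form never visited, guessed field', [], ['providedCaptcha' => 'abc12']],
    ['wrong answer', ['captchaCheck' => 'x7k2p'], ['providedCaptcha' => 'abc12']],
    ['array instead of string', ['captchaCheck' => 'x7k2p'], ['providedCaptcha' => ['x7k2p']]],
    ['correct answer', ['captchaCheck' => 'x7k2p'], ['providedCaptcha' => 'x7k2p']],
];

foreach ($cases as [$label, $session, $post]) {
    $old = originalCheckPasses($session, $post) ? 'pass' : 'reject';
    $new = captchaPasses($session, $post) ? 'pass' : 'reject';
    printf("%-36s original=%-6s fail-closed=%s\n", $label, $old, $new);
}
```

The first two rows are the sessionless-client case: the original condition lets them through because the session value is empty, while the fail-closed check rejects them.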