Jump to content

Recommended Posts

Hi guys,

I have an email form on a website that sends the form data to an external php file (contact-form-handler.php) I have recently tried to add a captcha however I have been unsuccessful in getting the external php file to check if the captcha code was entered correctly.. At the moment it says that it is incorrect even when I enter the correct code. The website is ********

 

The form code:

               <form method="POST" name="contact_form" action="/templates/onlinespark/contact-form-handler.php">
                    <label for='name'>Name: </label>
                    <input type="text" name="name" value='<?php echo htmlentities($name) ?>'>
                    <label for='email'>Email: </label>
                    <input type="text" name="email" value='<?php echo htmlentities($visitor_email) ?>'>
                    <label for='phone'>Phone: </label>
                    <input type="text" name="phone" value='<?php echo htmlentities($phone) ?>'>
                    <label for='message'>Message:</label>
                    <textarea name="message" rows=8 cols=30><?php echo htmlentities($user_message) ?></textarea>
                    <label><img src="/templates/onlinespark/captcha.php"></label>
                    <?php $salt = 'some-random-text'; ?>
                    <input type="text" name="code" />
                    <input type="hidden" name="code_key" value="<?php echo sha1('Text in the image' . $salt); ?>" />
                    <input type="submit" value="Submit" name='submit' class="quoteButton">
                </form> 

The external php file:

 <?php
        if (isset($_POST['submit'])) {
        $error = "";

        if (!empty($_POST['name'])) {
        $name = $_POST['name'];
        } else {
        $error .= "You didn't type in your name. <br />";
        }

if (!empty($_POST['phone'])) {
        $name = $_POST['phone'];
        } else {
        $error .= "You didn't enter your phone. <br />";
        }

        if (!empty($_POST['email'])) {
        $email = $_POST['email'];
         if (!preg_match("/^[a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){
         $error .= "The e-mail address you entered is not valid. <br/>";
         }
        } else {
        $error .= "You didn't type in an e-mail address. <br />";
        }

        if (!empty($_POST['message'])) {
        $message = $_POST['message'];
        } else {
        $error .= "You didn't type in a message. <br />";
        }

$salt = 'some-random-text'; // same salt string as in the original file
if ($_POST['code_key'] == sha1($_POST['code'] . $salt)) {
// captcha is correct
} else {
$error .= "The captcha code you entered does not match. Please try again. <br />";
}

        if (empty($error)) {
        $from = 'From: ' . $name . ' <' . $email . '>';
        $to = "mail@mail.com.au";
        $subject = "New contact form message";
        $content = $name . " has sent you a message: \n" . $message;
        $success = "<h3>Thank you! Your message has been sent!</h3>";
        mail($to,$subject,$content,$from);
        }
        }
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>ERROR - Please fill in all fields!</title>
</head>
<body>
<!-- This page is displayed only if there is some error -->
<h1>ERROR - Please go back and fill in all fields!</h1>
<?php
            if (!empty($error)) {
            echo '<p class="error"><strong>Your message was NOT sent<br/> The following error(s) returned:</strong><br/>' . $error . '</p>';
            } elseif (!empty($success)) {
            echo $success;
            }
        ?>
</body>
</html>
Edited by gizmola
Link to comment
https://forums.phpfreaks.com/topic/279103-how-do-i-verify-the-catpcha/
Share on other sites

I don't see where the form synchronizes with the captcha image. You have this code:

 

<?php echo sha1('Text in the image' . $salt); ?>
I would expect to see something like:

 

<?php echo sha1($captchaText . $salt); ?>
It's really not clear what syncs the image produced by /templates/onlinespark/captcha.php with the plaintext version of that image in your script, which is something you would need for this to scheme to work.

Ah yes, to be quite honest I'm really not sure how to do that. I origonally had areyouahuman.com installed on the page, however the client did not want it and wanted a captcha instead, so I'm trying to get this captcha to work as it's small and doesn't ruin the design.

 

PHP is certianly not my strong point, is there any chance you could help me out?

 

Cheers!

Oh, sorry here is the code for the captcha.php file which generates the image:

<?php 
session_start(); // start a session
$image = imagecreate(50, 20); //create blank image (width, height)
$bgcolor = imagecolorallocate($image, 0, 0, 0); //add background color with RGB.
$textcolor = imagecolorallocate($image, 255, 255, 255); //add text/code color with RGB.
$code = rand(1000, 9999); //create a random number between 1000 and 9999

$_SESSION['code'] = ($code); //add the random number to session 'code'
imagestring($image, 10, 8, 3, $code, $textcolor); //create image with all the settings above.
header ("Content-type: image/png"); // define image type
imagepng($image); //display image as PNG
?>

Thanks!

You need to change the way your code is generated. For PHP file containing the form should generate the code, then have the image generation script read the code. Eg:

<?php
//...
$_SESSION['code'] = mt_rand(1000, 9999);
?>
<img src="captcha.php">
//...
imagestring($image, 10, 8, 3, $_SESSION['code'], $textcolor); //create image with all the settings above.
header ("Content-type: image/png"); // define image type
Then to verify, compare what they enter with $_SESSION['code'] and see if they match.

if your captcha.php image code was working and saved the $code value to the $_SESSION['code'] variable, all you need to do is check in your form processing logic if the submitted value the user entered in the form is not empty and that it is not exactly equal to the value in the $_SESSION['code'] variable,

 

all the code you have leftover that is passing the "code_key" as a hidden field (which was insecure anyway) and testing that value with the submitted code from the user would go away, unless you are trying to confuse bot scripts by tricking them to submit that hidden field's value.

not very likely.

 

you are producing a value, passing that value through a session variable, and comparing that value with another value that was submitted from a form. make an attempt at performing those steps. the first two steps are already in your code and wherever you found the captcha.php image code probably contained examples of the rest of what is needed.

This is the tutorial I got the code from:
http://devingredients.com/2011/03/building-a-php-contact-form-with-captcha-from-scratch/

It seems nothing is different from my code other than they are using a self executing script, for some reason my server wont allow this so I need to do it with an external php file to send the email.

 

Any ideas?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.