Need help concerning image verification


digitalLotus

I'm quite new to the whole PHP platform and I've been searching for an image verification script for my registration form.

Found this rather simple script for two files, tried it out quickly, however it doesn't seem to work. No matter what code I enter, I receive the response "You are verified". Here's the code for both files:

 

verification.php:

 <?php
Header("Content-Type: image/png");

session_start();

$new_string;

session_register('new_string');

echo "<html><head><title>Verification</title></head>";
echo "<body>";

$im = ImageCreate(200, 40);

$white = ImageColorAllocate($im, 255, 255, 255);
$black = ImageColorAllocate($im, 0, 0, 0);

srand((double)microtime()*1000000);

$string = md5(rand(0,9999));

$new_string = substr($string, 17, 5);


ImageFill($im, 0, 0, $black);

ImageString($im, 4, 96, 19, $new_string, $white);

ImagePNG($im, "verify.png");
ImageDestroy($im);

echo "<img src=\"verify.png\">";
echo "<br><br>";
echo "Type the code you see in the image in the box below. (case sensitive)";
echo " <form action=\"formhandler.php\" method=post>";
echo "<input name=\"random\" type=\"text\" value=\"\">";
echo "<input type=\"submit\">";
echo "</form>";
echo "</body>";
echo "</html>";
?>

 

formhandler.php:

 <?php

session_start();

$random = trim($random);

if ($new_string == $random){
echo "You are verified";
}
else{
echo "Please go back and get verified.";
}
?>

 

The problem seems to be here, I guess:

$random = trim($random);

if ($new_string == $random)

 

 

Thanks in advance for any help.

Cheers.

https://forums.phpfreaks.com/topic/47599-need-help-concerning-image-verification/

The script you found relies on a session side effect that no longer works on most web hosts that have "register_globals" turned off. Most web hosts have this setting turned off because it poses a security risk.

 

Let's update this script to use a more secure method of session variable registering and variable passing. First, in the verification.php file, we'll place the $new_string variable into the session by adding to the $_SESSION array directly, like so:

 

$_SESSION['new_string'] = $new_string;

 

So the full code for that page will now look like this:

 

verification.php

<?php
// This page outputs HTML, so no image Content-Type header is sent here
session_start();

echo "<html><head><title>Verification</title></head>";
echo "<body>";

// 200x40 canvas with the two colours used below
$im = ImageCreate(200, 40);

$white = ImageColorAllocate($im, 255, 255, 255);
$black = ImageColorAllocate($im, 0, 0, 0);

srand((double)microtime()*1000000);

// Five characters taken from the MD5 hex digest of a random number
$string = md5(rand(0,9999));

$new_string = substr($string, 17, 5);

// Black background, code drawn in white
ImageFill($im, 0, 0, $black);

ImageString($im, 4, 96, 19, $new_string, $white);

// Write the image to verify.png, which the <img> tag below loads
ImagePNG($im, "verify.png");
ImageDestroy($im);

// Store the code in the session for formhandler.php to compare against
$_SESSION['new_string'] = $new_string;

echo "<img src=\"verify.png\">";
echo "<br><br>";
echo "Type the code you see in the image in the box below. (case sensitive)";
echo " <form action=\"formhandler.php\" method=post>";
echo "<input name=\"random\" type=\"text\" value=\"\">";
echo "<input type=\"submit\">";
echo "</form>";
echo "</body>";
echo "</html>";
?>

 

... next, on the formhandler.php file, regarding this line:

 

if ($new_string == $random){

 

... because of the session side effect and "register_globals" most likely being turned off on your web host, both of these variables are NULL. So, you always get the verification success because this line basically reads:

 

if ( NULL == NULL ){

 

... which is always TRUE. So the way we want to access these variables is using the $_POST and $_SESSION arrays, like so:

 

formhandler.php

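<?php

session_start();

// Read both values explicitly; a missing key must never count as a match
$random   = isset($_POST['random']) ? trim($_POST['random']) : '';
$expected = isset($_SESSION['new_string']) ? $_SESSION['new_string'] : '';

// Strict comparison; an empty stored code always fails
if ($expected !== '' && $expected === $random){
echo "You are verified";
}
else{
echo "Please go back and get verified.";
}
?>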

 

... and that should make a successful check of the generated image.

 

;)
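
Added example, not part of either post above: it runs the `==` comparison discussed in this thread and a strict variant over the same inputs, so the cases where `==` accepts a value it should reject are visible. The function names `loose_check` and `strict_check` and all sample values are constructed for illustration; the codes are five hex characters, as produced by the `substr(md5(...), 17, 5)` call in verification.php.

```php
<?php
// Added example: function names and sample values are constructed.

// The comparison style from the thread: loose ==, no presence checks.
function loose_check(array $session, array $post): bool
{
    $random = trim($post['random'] ?? '');
    return ($session['new_string'] ?? null) == $random;
}

// Strict variant: both values must be present as strings, the stored code
// must be non-empty, and the match is byte for byte.
function strict_check(array &$session, array $post): bool
{
    $expected = $session['new_string'] ?? null;
    unset($session['new_string']);          // each issued code is usable once
    $given = $post['random'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, trim($given));
}

// Constructed cases: [label, session data, POST data]
$cases = [
    ['correct code',              ['new_string' => 'a1b2c'], ['random' => 'a1b2c']],
    ['wrong code',                ['new_string' => 'a1b2c'], ['random' => 'zzzzz']],
    ['no session, empty field',   [],                        ['random' => '']],
    ['no session, field missing', [],                        []],
    ['numeric-looking strings',   ['new_string' => '0e123'], ['random' => '0e456']],
];

foreach ($cases as [$label, $session, $post]) {
    printf("%-26s loose=%-5s strict=%s\n",
        $label,
        var_export(loose_check($session, $post), true),
        var_export(strict_check($session, $post), true));
}
```

The last three rows print `loose=true` and `strict=false`: `NULL == ''` is true in PHP, and two numeric-looking strings are compared as numbers by `==`.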

Archived

This topic is now archived and is closed to further replies.
