helraizer Posted December 12, 2007 Share Posted December 12, 2007 Hi Folks, http://www.helraizer.co.uk/comments/ In order to post a comment on my site you need to insert part of a captcha code, as to which characters, who knows? Sometimes though, it seems to be intermittent. Could you guys please test it for whether it works, and also whether it can be exploited? Thanks, Sam Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/ Share on other sites More sharing options...
therealwesfoster Posted December 13, 2007 Share Posted December 13, 2007 You really should sanitize your input.. if i was mean enough, I would delete your entire site and take over your domain right now... Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-413345 Share on other sites More sharing options...
helraizer Posted December 13, 2007 Author Share Posted December 13, 2007 You really should sanitize your input.. if i was mean enough, I would delete your entire site and take over your domain right now... How would you manage that, though? HTML inject won't work because I don't use GET; XSS won't work because the user, email and comment fields are sanatised and the captcha input doesn't appear on the page it directs to. It is only used to verify the post and session, if the value in the captcha field isn't that of what is needed from the captcha image the page is redirected to the index page (the form) and everything is blank once again. If it is correct the comment is posted and then the page shown; the session is unset. So how would it be possible to 'delete my entire site'? Sam Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-413360 Share on other sites More sharing options...
tippy_102 Posted December 13, 2007 Share Posted December 13, 2007 Interesting idea for a captcha, but I find some of the images way too dark, making it impossible to view the characters. Also, on a couple of the images, the 6th character was half run off the edge, making it difficult to figure out. A really nice feature on some captchas is the "click here to get a new image" - that would be very helpfull on some of your darker ones. I didnt test for security, as I prefer to leave that to the master - Agent Steel. Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-413545 Share on other sites More sharing options...
therealwesfoster Posted December 13, 2007 Share Posted December 13, 2007 You really should sanitize your input.. if i was mean enough, I would delete your entire site and take over your domain right now... How would you manage that, though? HTML inject won't work because I don't use GET; XSS won't work because the user, email and comment fields are sanatised and the captcha input doesn't appear on the page it directs to. It is only used to verify the post and session, if the value in the captcha field isn't that of what is needed from the captcha image the page is redirected to the index page (the form) and everything is blank once again. If it is correct the comment is posted and then the page shown; the session is unset. So how would it be possible to 'delete my entire site'? Sam I was able to use sql injection and delete your database info.. but I didn't.. It was in the "message" field and btw, i like the idea of the captcha system, but it would certainly get annoying counting the "3rd, 6th" letters etc... maybe make them stand out a little bit more? OR, have 3 of the 12 letters bold and have the user identify (in order) which ones are bold Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-414076 Share on other sites More sharing options...
helraizer Posted December 13, 2007 Author Share Posted December 13, 2007 and btw, i like the idea of the captcha system, but it would certainly get annoying counting the "3rd, 6th" letters etc... maybe make them stand out a little bit more? OR, have 3 of the 12 letters bold and have the user identify (in order) which ones are bold Yeah, I can see what you mean. I will get working on something. =) Could be a challenge though, since which characters are required eachtime is completely random.. but I can try and work something out. I was able to use sql injection and delete your database info.. but I didn't.. It was in the "message" field I don't see how you could have tested it though.. because if you just wrote it in the field it's just a string of characters.. it would only work if you submitted it, but you just said you didn't. All three fields are used with mysql_real_escape_string; I will add even more security just to make sure. Sam Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-414105 Share on other sites More sharing options...
helraizer Posted December 13, 2007 Author Share Posted December 13, 2007 Added security for that. There is a filter now on the words: Select, Drop, Alter, Delete, Where, Top, Disinct, From, Insert, Values, Create, Join, Table, *, Order By, ASC, DESC, Update and Group By. If they appear (case insensitive) in the message field an error message appears and the comment isn't added to the database. Just to foil Wes90 and his injection. Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-414208 Share on other sites More sharing options...
[-_-] Posted December 15, 2007 Share Posted December 15, 2007 maybe describe what to type in on the pic. Like split them up into numbered grids, post 1 first, 2 second........... Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-415389 Share on other sites More sharing options...
JamieThompson90 Posted December 15, 2007 Share Posted December 15, 2007 Ah crap, typing this for the second time. Worked fine for me, alough a bit tedious to find out what you were actually wanting on the captch. A bit longwinded maybee! Good example though yet I am sure a more human readable one would do just fine. Captchas do not have to be code's, if you wanted you could make a basic maths one much like the one I use, and ask the user for an result of the calculation. I received no error messages when it failed mind. Using opera Version 9.24. I tried a javascript injection and failed, and the feild was too small to enter an base64 url! Seems good, the captcha works if I proveded nothing else! Link to comment https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/#findComment-415726 Share on other sites More sharing options...
Recommended Posts