php/sql/captcha problem


ea7p0


First and foremost I have to say that I am relatively new to PHP. I started out with a WYSIWYG approach to web design. However, like most people I found out that it is literally impossible to write decent dynamic pages without any coding skills. However, I am still a PHP newbie and because I only have some basic knowledge I'm pretty much lost here. The problem is this: I tried to include a CAPTCHA in my page because of massive spamming attacks on my "guestbook". I think I adapted the code fragment correctly (at least I hope so) and now what has given me a terrible headache for the last 1 1/2 weeks is where to put the if/else query. I also tried other PHP boards but for some reason nobody came up with a suggestion that worked. Most people basically said that they have no clue how CAPTCHAs work in a form that sends data to a SQL database. The CAPTCHA is displayed correctly, so obviously there is nothing wrong with the GD library. I get no error messages but the CAPTCHA just doesn't work. The results I get putting the query in various positions in the code are included as annotations. I would be really grateful if somebody could help me.

 

<?php require_once('../../Connections/testverbindung.php'); ?>
<?php
error_reporting (E_ALL);
session_start ();
function encrypt ($string, $key)
{
   $result = '';
   for($i=0; $i<strlen ($string); $i++)
   {
      $char = substr ($string, $i, 1);
      $keychar = substr ($key, ($i % strlen($key))-1, 1);
      $char = chr (ord ($char)+ord ($keychar));
      $result.=$char;
   }
   return base64_encode ($result);
}
// Encode the user's answer the same way captcha.php encoded the stored code,
// then strip the base64 padding so both sides compare the same string.
if (isset ($_POST['sicherheitscode'])){
  $sicherheits_eingabe = encrypt ($_POST["sicherheitscode"], '8t3479u97'); 
  $sicherheits_eingabe = str_replace ("=", "", $sicherheits_eingabe);
}

if (!function_exists ("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval ($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval ($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  } 
// after typing in right or wrong CAPTCHA-code always: "wrong code", no guest book entry 
  return $theValue;
}
}
//"wrong code" loads immediately
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities ($_SERVER['QUERY_STRING']);
}
//"wrong code" loads immediately
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO guestbook (name, entry, email, hompage) VALUES (%s, %s, %s, %s)",
                       GetSQLValueString ($_POST['name'], "text"),
                       GetSQLValueString ($_POST['entry'], "text"),
                       GetSQLValueString ($_POST['email'], "text"),
                       GetSQLValueString ($_POST['hompage'], "text"));

  mysql_select_db ($database_testverbindung, $testverbindung);
  $Result1 = mysql_query ($insertSQL, $testverbindung) or die(mysql_error());

  $insertGoTo = "../the_blogs/stefan.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos ($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  // "wrong code" is displayed after entering right/wrong code and guestbook entry is sent to database anyway
  header (sprintf ("Location: %s", $insertGoTo));
}
//"wrong code" loads immediately
mysql_select_db ($database_testverbindung, $testverbindung);
$query_stefan_guestbook = "SELECT * FROM guestbook ORDER BY ID DESC";
$stefan_guestbook = mysql_query ($query_stefan_guestbook, $testverbindung) or die(mysql_error());
$row_stefan_guestbook = mysql_fetch_assoc ($stefan_guestbook);
$totalRows_stefan_guestbook = mysql_num_rows ($stefan_guestbook);
?>
[...]
<div id="content"><!-- InstanceBeginEditable name="content" -->
  <div id="in_content">
    <p> </p>
  
      <form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="form1">
        <input type="hidden" name="MM_insert" value="form1" />
        <table align="left">
          <tr valign="baseline">
            <td nowrap="nowrap" align="right">name:</td>
            <td><input type="text" name="name" value="" size="32" /></td>
          </tr>
          <tr valign="baseline">
            <td nowrap="nowrap" align="right" valign="top">entry:</td>
            <td><textarea name="entry" cols="30" rows="5"></textarea>            </td>
          </tr>
          <tr valign="baseline">
            <td nowrap="nowrap" align="right">email:</td>
            <td><input type="text" name="email" value="" size="32" /></td>
          </tr>
          <tr valign="baseline">
            <td nowrap="nowrap" align="right">hompage</td>
            <td><input type="text" name="hompage" value="http://" size="32" /></td>
          </tr>
          <tr valign="baseline">
            <td nowrap="nowrap" align="right">code: </td>
            <td><img src="../../captcha/captcha.php" border="0" title="Sicherheitscode" /></td>
          </tr>
          <tr valign="baseline">
            <td nowrap="nowrap" align="right">code: </td>
		<td><input type="text" name="sicherheitscode" size="5" />
	    </td>
          </tr>
          <tr valign="baseline">
            <td nowrap="nowrap" align="right"> </td>
            <td><input name="submit" type="submit" value="Datensatz einfügen" /></td>
          </tr>
        </table>
      </form>
    <p> </p>
  </div>
<!-- InstanceEndEditable --></div>
<div id="what"><!-- InstanceBeginEditable name="what_is_it?" --><span style="font-family: Geneva, Arial, Helvetica, sans-serif; font-size: 16px; font-weight: bold; color: #666666">back to:</span>	<!-- InstanceEndEditable --></div>
<div id="hyperlinks"><!-- InstanceBeginEditable name="gals" -->
<!-- InstanceEndEditable --></div>

<table width="200" border="0" cellpadding="0" cellspacing="0">
  <!--DWLayoutTable-->
  <tr>
    <td width="200" height="111"> </td>
  </tr>
</table>
<div id="blende_content"></div>
</body>
<!-- InstanceEnd --></html>
<?php
mysql_free_result ($stefan_guestbook);
?>

 

The if/else query looks like this:

if (isset ($_SESSION['captcha_spam']) && $sicherheits_eingabe == $_SESSION['captcha_spam'])
{
    unset ($_SESSION['captcha_spam']);
}
else
{
    die ("Falscher Sicherheitscode!");
}

 

Does anybody see what the problem is? Cheers.


Your process should be as follows:

 

1) Generate CAPTCHA sequence (and put the text into a session variable) and present image & form to the user

2) Take user input and check that CAPTCHA sequence in session equals what the user provided

3) If it does, unset the CAPTCHA sequence (session text) and insert into your database all the form information

4) If it DOESN'T generate a NEW captcha sequence (putting text into session) and re-present the form to the user with the error (i.e. saying that their CAPTCHA failed).


It's not the greatest method in the world because all it does is check if you filled out an input you weren't supposed to.

It is basically like hiding a plate of brownies from a little kid and when they unwrap it they get shocked or something.

 

The CAPTCHA does a twofold method:

 

1) It requires interpretation of the graphic to text, using most of the time a human eye.

2) It slows down human inputters that write junk all day long.

 

 

The best anti-spam methods are:

 

1) Require accounts to post any content on your site (with email-based activation)

2) Put an X-second time delay between posts, as is the case on this server

3) Have a way for users to report spam to admins, who can in turn block users

 

CAPTCHAs are good to a certain point only.


My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam:

 

http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/

 

I do NOT feel this is a good way to block spam. For now it is fine, but in the future bots will start to understand those hidden text fields, and not fill them out, or some person will decide to make a bot designed to attack your website, and they will tell it not to fill out a certain field.


> My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam:
>
> http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/
>
> I do NOT feel this is a good way to block spam. For now it is fine, but in the future bots will start to understand those hidden text fields, and not fill them out, or some person will decide to make a bot designed to attack your website, and they will tell it not to fill out a certain field.

 

Yup, the spam bots may figure it out eventually, but until then, I'd rather take on the burden and make it easier for my users.


> Your process should be as follows:
>
> 1) Generate CAPTCHA sequence (and put the text into a session variable) and present image & form to the user
>
> 2) Take user input and check that CAPTCHA sequence in session equals what the user provided
>
> 3) If it does, unset the CAPTCHA sequence (session text) and insert into your database all the form information
>
> 4) If it DOESN'T generate a NEW captcha sequence (putting text into session) and re-present the form to the user with the error (i.e. saying that their CAPTCHA failed).

 

Thanks for the help. See, and there (2) is the main problem: at which point do I check text in the session variable and the image? As you can see I had various results, depending on where I put the if/else query. Unfortunately not the right one yet.


Screw them.

Check right at the start

e.g.

 

<?php

if($_POST['captcha_field'] !== $_SESSION['captcha_field']){
  // redirect to form page (BAD FORM FILLING IN WE DON'T WANT IT)
}
... everything else here ....

?>

 

 

 

??? Screw whom?  Right at the beginning of the whole thing? directly after the error-reporting? What is "everything else"?

As I said: I'm right at the beginning of php-101  ;)


> My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam:
>
> http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/

 

 

Oh well, for my little page it should be alright. So what would be the PHP code I have to put in? I guess it must be something along the lines of

if ($_POST["human"] != "") { die(); }

??? Still, the question remains: where do I have to put it?
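The four-step process from the earlier reply, the "check right at the start" advice, and the hidden-field idea from the linked article, put together in one handler as an added example (not code from this thread or from the Dreamweaver-generated page). It assumes a PDO connection `$pdo` to the `guestbook` table (the connection include is assumed to define it), that the CAPTCHA image script draws whatever code is in `$_SESSION['captcha_spam']` instead of generating its own, that the form has a CSS-hidden field named `human`, and PHP 7 or later; `new_captcha_code`, `captcha_is_valid` and `honeypot_tripped` are helpers written for this example.

```php
<?php
// Added example, not code from the thread. Assumptions: a PDO connection $pdo
// (assumed to come from the Connections include) to a "guestbook" table with
// the columns used in the post; the captcha image script reads the code to
// draw from $_SESSION['captcha_spam'] rather than generating its own; PHP 7+.
require_once '../../Connections/testverbindung.php'; // assumed to define $pdo
error_reporting(E_ALL);
session_start();

// Assumed helper: a fresh challenge for every form render, so a failed attempt
// cannot be retried against the same code.
function new_captcha_code(int $length = 5): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I lookalikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// Step 2: compare what the user typed with the code the server stored. The
// session value is cleared on every attempt (step 3), so a code is usable
// exactly once whether or not the comparison succeeds.
function captcha_is_valid(array $post, array &$session): bool
{
    if (empty($session['captcha_spam']) || !isset($post['sicherheitscode'])) {
        return false;
    }
    $expected = (string) $session['captcha_spam'];
    $given    = strtoupper(trim((string) $post['sicherheitscode']));
    unset($session['captcha_spam']);
    return hash_equals($expected, $given);
}

// The hidden-field check from the linked article: people never see "human",
// so any value in it came from a script that fills every input.
function honeypot_tripped(array $post): bool
{
    return isset($post['human']) && $post['human'] !== '';
}

$errors = [];
if (isset($_POST['MM_insert']) && $_POST['MM_insert'] === 'form1') {
    // "Check right at the start": nothing below runs until both checks pass.
    if (honeypot_tripped($_POST)) {
        $errors[] = 'Eintrag abgelehnt.';
    } elseif (!captcha_is_valid($_POST, $_SESSION)) {
        $errors[] = 'Falscher Sicherheitscode!';
    }

    if ($errors === []) {
        // Only a clean request reaches the INSERT. Bound parameters replace the
        // addslashes()-based GetSQLValueString escaping.
        $stmt = $pdo->prepare(
            'INSERT INTO guestbook (name, entry, email, hompage) VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([
            $_POST['name'] ?? '',
            $_POST['entry'] ?? '',
            $_POST['email'] ?? '',
            $_POST['hompage'] ?? '',
        ]);
        header('Location: ../the_blogs/stefan.php');
        exit; // otherwise the rest of the page still executes after the redirect
    }
}

// Step 4 (and the first visit): issue a new code, then render the form with any error.
$_SESSION['captcha_spam'] = new_captcha_code();
?>
<?php foreach ($errors as $error): ?>
  <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>" method="post">
  <input type="hidden" name="MM_insert" value="form1" />
  <input type="text" name="name" size="32" />
  <textarea name="entry" cols="30" rows="5"></textarea>
  <input type="text" name="email" size="32" />
  <input type="text" name="hompage" value="http://" size="32" />
  <img src="../../captcha/captcha.php" alt="Sicherheitscode" />
  <input type="text" name="sicherheitscode" size="5" autocomplete="off" />
  <!-- honeypot: hidden by CSS as in the linked article, left empty by people -->
  <div style="display:none"><input type="text" name="human" value="" /></div>
  <input type="submit" value="Datensatz einfügen" />
</form>
```

The answer to "where do I put it" is the ordering inside the `MM_insert` branch: the spam checks run first, the `INSERT` only happens when `$errors` is still empty, and a failed check falls through to the bottom of the script, which stores a new code in the session and redraws the form. Putting `die()` after `mysql_query()` or after `header()` can never stop the insert, because by then the row is already written. `hash_equals` does the `!==` comparison from the shorter reply without leaking timing, and clearing the session code before comparing means a wrong answer cannot be retried against the same image.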

 
