ea7p0 (posted February 15, 2008):

First and foremost I have to say that I am relatively new to PHP. I started out with a WYSIWYG approach to web design. However, like most people I found out that it is literally impossible to write decent dynamic pages without any coding skills. However, I am still a PHP newbie and because I only have some basic knowledge I'm pretty much lost here.

The problem is this: I tried to include a CAPTCHA in my page because of massive spamming attacks on my "guestbook". I think I adapted the code fragment correctly (at least I hope so) and now what has given me a terrible headache for the last 1 1/2 weeks is where to put the if/else query. I also tried other PHP boards but for some reason nobody came up with a suggestion that worked. Most people basically said that they have no clue how CAPTCHAs work in a form that sends data to a SQL database. The CAPTCHA is displayed correctly, so obviously there is nothing wrong with the GD library. I get no error messages but the CAPTCHA just doesn't work. The results I get putting the query in various positions in the code are included as annotations. I would be really grateful if somebody could help me.

<?php require_once('../../Connections/testverbindung.php'); ?>
<?php
error_reporting(E_ALL);
session_start();

function encrypt($string, $key) {
    $result = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $char = substr($string, $i, 1);
        // note: at $i == 0 the offset is -1, so substr() returns the last key character
        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
        $char = chr(ord($char) + ord($keychar));
        $result .= $char;
    }
    return base64_encode($result);
}

if (isset($_POST['sicherheitscode'])) {
    $sicherheits_eingabe = encrypt($_POST["sicherheitscode"], '8t3479u97');
    // original posted line assigned to $icherheits_eingabe (typo), so the "=" padding was never stripped from the variable that is compared later
    $sicherheits_eingabe = str_replace("=", "", $sicherheits_eingabe);
}

if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
        $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        // after typing in right or wrong CAPTCHA code always: "wrong code", no guest book entry
        return $theValue;
    }
}

// "wrong code" loads immediately
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

// "wrong code" loads immediately
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $insertSQL = sprintf("INSERT INTO guestbook (name, entry, email, hompage) VALUES (%s, %s, %s, %s)",
        GetSQLValueString($_POST['name'], "text"),
        GetSQLValueString($_POST['entry'], "text"),
        GetSQLValueString($_POST['email'], "text"),
        GetSQLValueString($_POST['hompage'], "text"));

    mysql_select_db($database_testverbindung, $testverbindung);
    $Result1 = mysql_query($insertSQL, $testverbindung) or die(mysql_error());

    $insertGoTo = "../the_blogs/stefan.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
    }
    // "wrong code" is displayed after entering right/wrong code and guestbook entry is sent to database anyway
    header(sprintf("Location: %s", $insertGoTo));
}

// "wrong code" loads immediately
mysql_select_db($database_testverbindung, $testverbindung);
$query_stefan_guestbook = "SELECT * FROM guestbook ORDER BY ID DESC";
$stefan_guestbook = mysql_query($query_stefan_guestbook, $testverbindung) or die(mysql_error());
$row_stefan_guestbook = mysql_fetch_assoc($stefan_guestbook);
$totalRows_stefan_guestbook = mysql_num_rows($stefan_guestbook);
?>
[...]
<div id="content"><!-- InstanceBeginEditable name="content" -->
<div id="in_content">
<p> </p>
<form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="form1">
<input type="hidden" name="MM_insert" value="form1" />
<table align="left">
<tr valign="baseline">
<td nowrap="nowrap" align="right">name:</td>
<td><input type="text" name="name" value="" size="32" /></td>
</tr>
<tr valign="baseline">
<td nowrap="nowrap" align="right" valign="top">entry:</td>
<td><textarea name="entry" cols="30" rows="5"></textarea></td>
</tr>
<tr valign="baseline">
<td nowrap="nowrap" align="right">email:</td>
<td><input type="text" name="email" value="" size="32" /></td>
</tr>
<tr valign="baseline">
<td nowrap="nowrap" align="right">hompage</td>
<td><input type="text" name="hompage" value="http://" size="32" /></td>
</tr>
<tr valign="baseline">
<td nowrap="nowrap" align="right">code: </td>
<td><img src="../../captcha/captcha.php" border="0" title="Sicherheitscode" /></td>
</tr>
<tr valign="baseline">
<td nowrap="nowrap" align="right">code: </td>
<td><input type="text" name="sicherheitscode" size="5" /></td>
</tr>
<tr valign="baseline">
<td nowrap="nowrap" align="right"> </td>
<td><input name="submit" type="submit" value="Datensatz einfügen" /></td>
</tr>
</table>
</form>
<p> </p>
</div>
<!-- InstanceEndEditable --></div>
<div id="what"><!-- InstanceBeginEditable name="what_is_it?" --><span style="font-family: Geneva, Arial, Helvetica, sans-serif; font-size: 16px; font-weight: bold; color: #666666">back to:</span> <!-- InstanceEndEditable --></div>
<div id="hyperlinks"><!-- InstanceBeginEditable name="gals" --> <!-- InstanceEndEditable --></div>
<table width="200" border="0" cellpadding="0" cellspacing="0">
<!--DWLayoutTable-->
<tr>
<td width="200" height="111"> </td>
</tr>
</table>
<div id="blende_content"></div>
</body>
<!-- InstanceEnd --></html>
<?php mysql_free_result($stefan_guestbook); ?>

The if/else query looks like this:

if (isset($_SESSION['captcha_spam']) && $sicherheits_eingabe == $_SESSION['captcha_spam']) {
    unset($_SESSION['captcha_spam']);
} else {
    die("Falscher Sicherheitscode!");
}

Does anybody see what the problem is? Cheers.
rhodesa (posted February 15, 2008):

My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam: http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/

ea7p0 (author, posted February 15, 2008):

I will have a try, but, you know: there has to be a f'n way to do this! By now it really is a question of finding the error.

The Little Guy (posted February 15, 2008):

Maybe this CAPTCHA will work better for you: http://phpsnips.com/snippet.php?id=43

aschk (posted February 15, 2008):

Where's your form, rhodesa? I want to spam it now I know how it works.
aschk (posted February 15, 2008):

Your process should be as follows:

1) Generate the CAPTCHA sequence (and put the text into a session variable) and present the image & form to the user.
2) Take the user input and check that the CAPTCHA sequence in the session equals what the user provided.
3) If it does, unset the CAPTCHA sequence (session text) and insert all the form information into your database.
4) If it DOESN'T, generate a NEW CAPTCHA sequence (putting the text into the session) and re-present the form to the user with the error (i.e. saying that their CAPTCHA failed).
cooldude832 (posted February 15, 2008):

It's not the greatest method in the world, because all it does is check if you filled out an input you weren't supposed to. It is basically like hiding a plate of brownies from a little kid, and when they unwrap it they get shocked or something. The CAPTCHA does a two-fold job:

1) It requires interpretation of the graphic to text, most of the time using a human eye.
2) It slows down human inputters that write junk all day long.

The best anti-spam methods are:

1) Require accounts to post any content on your site (with email-based activation).
2) Put an X-second time delay between posts, as is the case on this server.
3) Have a way for users to alert admins to spam, who can in turn block users.

CAPTCHAs are good to a certain point only.

The Little Guy (posted February 15, 2008):

> My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam: http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/

I do NOT feel this is a good way to block spam. For now it is fine, but in the future bots will start to understand those hidden text fields and not fill them out, or some person will decide to make a bot designed to attack your website, and they will tell it not to fill out a certain field.

cooldude832 (posted February 15, 2008):

I've coded form filler outputs in AutoIt before, and I don't waste my time reading every field; I find the fields I want and just tell it to go there, so hidden fields are really pointless.

rhodesa (posted February 15, 2008):

> > My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam: http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/
>
> I do NOT feel this is a good way to block spam. For now it is fine, but in the future bots will start to understand those hidden text fields and not fill them out, or some person will decide to make a bot designed to attack your website, and they will tell it not to fill out a certain field.

Yup, the spam bots may figure it out eventually, but until then I'd rather take on the burden and make it easier for my users.
ea7p0 (author, posted February 15, 2008):

> Your process should be as follows:
>
> 1) Generate the CAPTCHA sequence (and put the text into a session variable) and present the image & form to the user.
> 2) Take the user input and check that the CAPTCHA sequence in the session equals what the user provided.
> 3) If it does, unset the CAPTCHA sequence (session text) and insert all the form information into your database.
> 4) If it DOESN'T, generate a NEW CAPTCHA sequence (putting the text into the session) and re-present the form to the user with the error (i.e. saying that their CAPTCHA failed).

Thanks for the help. See, and there (2) is the main problem: at which point do I check the text in the session variable and the image? As you can see I had various results, depending on where I put the if/else query. Unfortunately not the right one yet.

aschk (posted February 15, 2008):

Screw them. Check right at the start, e.g.

<?php
if ($_POST['captcha_field'] !== $_SESSION['captcha_field']) {
    // redirect to form page (BAD FORM FILLING IN, WE DON'T WANT IT)
}
... everything else here ....
?>

ea7p0 (author, posted February 15, 2008):

> Screw them. Check right at the start, e.g.
>
> <?php
> if ($_POST['captcha_field'] !== $_SESSION['captcha_field']) {
>     // redirect to form page (BAD FORM FILLING IN, WE DON'T WANT IT)
> }
> ... everything else here ....
> ?>

??? Screw whom? Right at the beginning of the whole thing? Directly after the error reporting? What is "everything else"? As I said: I'm right at the beginning of PHP 101.
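The following is an added example (not code from the original poster or from any of the repliers) that puts aschk's four steps and the "check right at the start" advice into one handler, so the question of where the check goes has a concrete answer: inside the `MM_insert` POST branch, before the INSERT, never after the `header()` redirect. It assumes that `../../captcha/captcha.php` stores the expected text in `$_SESSION['captcha_spam']` (the session key used in the thread) each time the image is requested, and that `../../Connections/testverbindung.php` provides a PDO object `$pdo` (an assumption; the original uses `mysql_*`). If captcha.php stores the `encrypt()`ed form of the text, as the poster's handler suggests, run the user input through the same `encrypt()` and `str_replace("=", "", ...)` before the comparison.

```php
<?php
// Added example, not the original poster's code.
// Assumed: captcha.php sets $_SESSION['captcha_spam'] on every image load,
// and the connection file provides a PDO object $pdo (assumption).
error_reporting(E_ALL);
session_start();
require_once '../../Connections/testverbindung.php';

/**
 * Step 2: compare what the user typed with what the session holds.
 * The session value is removed whether the answer is right or wrong
 * (steps 3 and 4), so a solved image cannot be replayed and a wrong
 * guess forces a fresh one.
 */
function captcha_is_valid(array $post, array &$session): bool
{
    if (!isset($session['captcha_spam'], $post['sicherheitscode'])) {
        return false;
    }
    $expected = strtolower((string) $session['captcha_spam']);
    $given    = strtolower(trim((string) $post['sicherheitscode']));
    unset($session['captcha_spam']);
    // Constant-time comparison (PHP >= 5.6); never true for an empty code.
    return $expected !== '' && hash_equals($expected, $given);
}

/**
 * Step 3: insert only after the CAPTCHA passed. Bound parameters replace
 * the addslashes()-based escaping of the original GetSQLValueString().
 */
function insert_entry(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO guestbook (name, entry, email, hompage) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['name']    ?? '',
        $post['entry']   ?? '',
        $post['email']   ?? '',
        $post['hompage'] ?? '',
    ]);
}

$captcha_error = '';
if (($_POST['MM_insert'] ?? '') === 'form1') {
    if (captcha_is_valid($_POST, $_SESSION)) {
        insert_entry($pdo, $_POST);
        header('Location: ../the_blogs/stefan.php');
        exit;                       // nothing below may run after a redirect
    }
    // Step 4: no die() here. Fall through and show the form again with an
    // error; loading <img src="captcha.php"> below makes captcha.php
    // generate and store a new code.
    $captcha_error = 'Falscher Sicherheitscode!';
}
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
  <input type="hidden" name="MM_insert" value="form1" />
  <?php if ($captcha_error !== ''): ?>
    <p class="error"><?php echo htmlspecialchars($captcha_error); ?></p>
  <?php endif; ?>
  name: <input type="text" name="name" /><br />
  entry: <textarea name="entry"></textarea><br />
  email: <input type="text" name="email" /><br />
  hompage: <input type="text" name="hompage" /><br />
  <img src="../../captcha/captcha.php" alt="Sicherheitscode" />
  <input type="text" name="sicherheitscode" size="5" autocomplete="off" /><br />
  <input type="submit" value="Datensatz einfügen" />
</form>
```

This layout also explains the annotations in the first post. A check placed above the `if (isset($_POST["MM_insert"]))` block runs on every plain GET of the page, when nothing was posted and no code matches, hence "wrong code loads immediately"; a check placed after `header(...)` runs only once the INSERT has already happened, hence "entry is sent to the database anyway". Two defensive details beyond the placement: `exit` after `header('Location: ...')`, because PHP keeps executing the rest of the script otherwise, and `htmlspecialchars()` around `$_SERVER['PHP_SELF']` in the form action, which the original echoes unescaped.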
ea7p0 (author, posted February 15, 2008):

> My suggestion: throw out the CAPTCHA altogether. I use the following method. It's transparent to the user and blocks 99.9% of my spam: http://klauskjeldsen.dk/2007/07/19/avoid-html-form-spam-using-css/

Oh well, for my little page it should be alright. So what would be the PHP code I have to put in? I guess it must be something along the lines of if(POST["human"] != "") {die() } . ??? Still, the question remains: where do I have to put it?

ea7p0 (author, posted February 15, 2008):

Found it. The code is

if ($_POST["human"] != "") { die(); }
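An added example (not the poster's code and not from the linked article) of the hidden-field check the thread settles on, combined with a minimum fill-in time so that a bot which simply targets the fields it wants, as cooldude832 describes, still has to pass a second test. It assumes the honeypot field is named `human` (the name used in the thread), that the time the form was handed out is kept in the session rather than in a hidden input a client could edit, and that a rejected submission is redirected to the same page as a successful one so the client learns nothing about which rule it tripped.

```php
<?php
// Added example, not the poster's code. Assumed: honeypot field "human",
// form issue time kept in the session, silent redirect on rejection.
session_start();

const MIN_FILL_SECONDS = 3;   // a human needs at least this long; tune it

/** Called when rendering the form: remember when it was handed out. */
function form_issued(array &$session, int $now): void
{
    $session['form_issued_at'] = $now;
}

/**
 * Returns '' when the submission looks human, otherwise a short reason
 * meant for the server log only, never for the response.
 */
function spam_reason(array $post, array &$session, int $now): string
{
    // 1. Honeypot: the field is hidden with CSS, so a person leaves it empty.
    if (($post['human'] ?? '') !== '') {
        return 'honeypot filled';
    }
    // 2. Timing: a form returned faster than anyone could read it.
    $issued = $session['form_issued_at'] ?? null;
    unset($session['form_issued_at']);          // one submission per issue
    if ($issued === null) {
        return 'no form issued';                // POST without loading the form
    }
    if ($now - $issued < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    return '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = spam_reason($_POST, $_SESSION, time());
    if ($reason !== '') {
        error_log("guestbook: dropped submission ($reason)");
        header('Location: ../the_blogs/stefan.php');   // same target as success
        exit;
    }
    // insert the entry here, exactly as on a successful CAPTCHA, then redirect
}
form_issued($_SESSION, time());
?>
<style>.hp { position: absolute; left: -9999px; }</style>
<form method="post">
  <div class="hp">
    <label>Leave this field empty: <input type="text" name="human" autocomplete="off" /></label>
  </div>
  name: <input type="text" name="name" /><br />
  entry: <textarea name="entry"></textarea><br />
  <input type="submit" value="Datensatz einfügen" />
</form>
```

The check sits in the same place as a CAPTCHA check would: at the top of the POST branch, before anything touches the database. Two points worth keeping in mind: the hidden field must be hidden with CSS (not `type="hidden"`, which form fillers skip anyway) and carry a label, because screen readers still present it; and the timing rule is the per-submission cousin of the per-user delay cooldude832 mentions, so it should be short enough not to reject a fast typist.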