Re: Re: My own "captcha" from 2 years ago......

On 3/25/07, Jake McHenry <linux@xxxxxxxxxxxxxxxxx> wrote:
.... Sorry.. Was playing around with dates and how long I've been sitting
here watching this generate random numbers..... Lol .. The only lines
referring to the "captcha" are the img lines... As you can tell... Calling
the next script... Should I do it this way? I'm pretty sure that is the
problem, cause the session variable is being created and set in that second
script which is called....  Session[security_code] is created in rnum1.php,
and session[code] is created in rnum2.php... Which I didn't include here...
But is the same concept only bigger.....

Index.php
<?php
session_start();
header("Refresh: 1");

// Value of the session variable before the img tag is output
$before = $_SESSION['security_code'];

// The browser fetches this image in a separate request to rnum1.php,
// so this script never sees the value rnum1.php writes during this run
echo "<img src='rnum1.php'>";

// Value after the img tag has been output (same request as $before)
$after = $_SESSION['security_code'];

if (!isset($_SESSION['start_time']))
{
 $_SESSION['start_time'] = time();
}
else
{
 $_SESSION['current_time'] = time();
}

// Elapsed time since start_time, built from the H/i/s differences
$running_time = mktime(
    date("H", $_SESSION['current_time']) - date("H", $_SESSION['start_time']),
    date("i", $_SESSION['current_time']) - date("i", $_SESSION['start_time']),
    date("s", $_SESSION['current_time']) - date("s", $_SESSION['start_time']),
    date("m", $_SESSION['start_time']),
    date("d", $_SESSION['start_time']),
    date("Y", $_SESSION['start_time'])
);

echo '<br>Before: ' . $before . '<br>After: ' . $after . '<br>Time: ' .
     date("H:i:s m-d-Y", $running_time) . '<br><img src=rnum2.php><br>' .
     $_SESSION['code'];

?>




Rnum1.php

<?php
session_start();

header("Content-type: image/png");

$_SESSION['security_code'] = $code = rand(1000,9999);

//width, height
$im = @ImageCreate(40, 20) or die("There is an error Jake");

// R, G, B
$background_color = ImageColorAllocate($im, 255, 255, 255);

//R, G, B
$text_color = ImageColorAllocate($im, 0, 0, 0);

//font size, left margin, top margin
ImageString($im, 10, 3, 3, $code, $text_color);

//display image
ImagePNG($im);

?>

I believe the way this script behaves is quite normal. Look at the way
the scripts are called: first index.php, then rnum1.php and then
rnum2.php.
First index.php is called and all session variables are posted with
that action. Then rnum1.php is called, and the session variables are
edited. Then rnum2.php is called and the session variables are edited
again, but index.php is never called again, so the session variables
are never sent to the script until you load the script again.
So if you're implementing this in a POST form, the browser should
submit both the POST data and the right session variables to your parse script.

Example code which works :)

index.php:
<?php
echo "<img src='rnum1.php'>";
echo "<form action='parse.php' method='post'>"
   . "<input name='code'>"
   . "<input type='submit' value='confirm'>"
   . "</form>";
?>

parse.php:
<?php
session_start();
// Compare as strings so PHP's loose comparison cannot be tricked
if (isset($_SESSION['security_code'], $_POST['code'])
    && (string) $_SESSION['security_code'] === (string) $_POST['code']) {
   echo "Right code entered.";
} else {
   echo "Wrong code entered.";
}
?>

This is btw not a very useful CAPTCHA, because it should stop
computers from submitting data, but a slightly smart programmer
knows that he has to get session information from the image and
submit that to the form. Or, as I saw used lately by a cracker, he
was just using his own values in session and post, and so they matched
:)
So you should never send the same code as the code that has to be
entered. Even encrypting with MD5 only won't stop hackers from defeating
your script. Maybe you could use a database with this, so that you
pass a reference to the real number shown, so that you have an ID and
a CODE column. In rnum1.php you store the code into the database and
get the ID of the last one inserted (a discussion about this was
around this list lately). Then you show the code in an image, and you
store the ID in the session. Then you get the ID from the session,
get the code from the database using the ID and compare it to the one
entered in the form.

Tijnema
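The ID-indirection Tijnema describes, written out as an added example that is not code from the thread. It assumes SQLite via PDO, a placeholder database file name and a `captcha` table; the session only ever holds the row ID, the code itself stays server-side and is single-use.

```php
<?php
// Added example (not from the thread): keep only a row ID in the session,
// look the real code up server-side. Database path and table are assumed.
session_start();

function captchaDb(): PDO {
    $db = new PDO('sqlite:' . __DIR__ . '/captcha.sqlite');   // assumed path
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS captcha (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        code TEXT NOT NULL,
        created INTEGER NOT NULL)');
    return $db;
}

// rnum1.php side: generate a code, store it, keep only the row ID in
// the session, and return the code so it can be drawn into the image.
function issueCaptcha(PDO $db): string {
    $code = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
    $stmt = $db->prepare('INSERT INTO captcha (code, created) VALUES (?, ?)');
    $stmt->execute([$code, time()]);
    $_SESSION['captcha_id'] = (int) $db->lastInsertId();
    return $code;
}

// parse.php side: fetch the code by the ID from the session, compare in
// constant time, and delete the row so each code can only be used once.
function verifyCaptcha(PDO $db, string $submitted, int $ttl = 300): bool {
    if (!isset($_SESSION['captcha_id'])) {
        return false;
    }
    $id = (int) $_SESSION['captcha_id'];
    unset($_SESSION['captcha_id']);              // single use, even on failure
    $stmt = $db->prepare('SELECT code, created FROM captcha WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM captcha WHERE id = ?')->execute([$id]);
    if ($row === false || time() - (int) $row['created'] > $ttl) {
        return false;                            // unknown ID or expired
    }
    return hash_equals($row['code'], $submitted);
}

// In rnum1.php: $code = issueCaptcha(captchaDb()); then draw $code with ImageString()
// In parse.php: $ok = verifyCaptcha(captchaDb(), (string) ($_POST['code'] ?? ''));
```

Because the image is fetched in its own request, both rnum1.php and parse.php must call session_start(); index.php only needs to output the img tag and the form.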




> -----Original Message-----
> From: itoctopus [mailto:newsgroup@xxxxxxxxxxxxx]
> Sent: Sunday, March 25, 2007 12:49 AM
> To: php-general@xxxxxxxxxxxxx
> Subject:  Re: My own "captcha" from 2 years ago......
>
> Hey Jake,
> I checked the thing, and I tell you I did lots and lots of captchas in my
> life and they mainly rely on the session.
> Is it possible for you to post the script so that I (or anyone else for
> that matter) can fix it for you?
>
> Take care,
>
> --
> itoctopus - http://www.itoctopus.com
> ""Jake McHenry"" <linux@xxxxxxxxxxxxxxxxx> wrote in message
> news:1c8a01c76e8d$a23cb4c0$6401a8c0@xxxxxxxxxxxxx
> > Well, I've been creating my own... Since like two years
> ago... Lol.. But
> > this is the KNOWN name now..... Anyways... How can I get
> the info from the
> > image creation script back to my main script? Sessions DO
> NOT WORK! They
> > give me the previous entry instead of the current.. Which
> obviously won't
> > work... This was on the back burner for a long time, but my
> boss said
> .....
> > Oh wow.. That looks cool... And I told him I had started it
> a long time
> > ago.. But never finished it cause he told me to work on
> something else...
> > Anyways... U can see what I mean.... http://nittanytravel.com:8080/
> >
> > The numbers surrounding the images displayed are session
> values created in
> > the image scripts...which as you will see are the previous
> value.... It
> may
> > be a simple fix.. But once again... I'm tired... And had
> one too many long
> > island iced teas tonight to think about this..... And
> yes... My boss works
> > me even on saturdays after happy hour :(
> >
> >
> > Thanks,
> > Jake
> >
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
