RE: My own "captcha" from 2 years ago......


 



> > -----Original Message-----
> > From: tedd [mailto:tedd@xxxxxxxxxxxx]
> > Sent: Monday, March 26, 2007 8:49 AM
> > To: php-general@xxxxxxxxxxxxx
> > Subject: RE:  My own "captcha" from 2 years ago......
> >
> > At 10:02 PM -0400 3/25/07, Jake McHenry wrote:
> > >Like I said... Even if they have sound turned on.. Which all my sets do...
> > >Most of them don't have speakers... That was put into effect over a year ago
> > >due to some people listening to those damn screaming prank things at full
> > >volume... Anyways... I was searching the php site, and it said there used to
> > >be a bug that looks somewhat similar to my problem, but it said it was fixed
> > >long ago... Not sure if this is even close to it or not, but this is the
> > >first time I've run into a sessions problem.....
> > >
> > >Just to simplify...
> > >
> > >I have this on index.php
> > >
> > ><?php
> > >session_start();
> > >
> > >$before = $_SESSION['code'];
> > >
> > >echo '<img src=image.php>';
> > >
> > >$after = $_SESSION['code'];
> > >
> > >echo $before .' ' . $after;
> > >?>
> > >
> > >Then in image.php is my captcha... And where the session variable 'code' is
> > >being created and updated...
> > >
> > >In image.php is this:
> > >
> > ><?php
> > >session_start();
> > >
> > >..........captcha code......
> > >$_SESSION['code'] = rand(blahblahblah) to get the random code
> > >?>
> > >
> > >
> > >When I view index.php, the image displays, with a new code each time...
> > >Working as it should, but the session variable echoes out the previously
> > >generated value, instead of the current value to match what's in the
> > >picture... I'm not sure what I've done... But you can see from
> > >http://nittanytravel.com:8080/    $before and $after have the same value...
> > >
> > >In that bug report I was reading it said that this happened until
> > >session_start was called again.. But it said it was fixed back in php4...
> > >
> > >Not sure what I missed :(
> > >
> > >Thanks,
> > >Jake
> > >
> >
> > Jake:
> >
> > Clearly, your image.php is not changing the code (key).
> 
> What would be this clear image you see? It does change the code, otherwise
> it would show the same code in the image.. Which it doesn't... And the
> session variable wouldn't have anything in it.. Which it does
> 
> Not on windows......
> 
> Using mt_rand for the numbers, but that's working fine, if I comment out the
> image headers and run the file directly echoing out the session, it works
> fine, it's only when I call it from another file in the <img tag...?
> 
> Thanks,
> Jake
> 
> 
> 
> >
> > Your "blahblahblah" has to be less than 32768 if you're running
> > windows -- maybe that's the problem. But, I would look to my rand()
> > for an answer.
> >
> > Cheers,
> >
> > tedd
> > --
> > -------
> > http://sperling.com  http://ancientstones.com  http://earthstones.com


echo '<img src=image.php>';

This does not "run" or "call" image.php.

This line of code sends this output to the browser.

The image will not be displayed and the request to change the session
variable will not be made until the browser renders the page.  The browser
will not render the page until PHP has finished parsing the code and sending
the output buffer to the browser.

So any session variables set or changed inside image.php will not show up
until the next request.

This reminds me of an employee that we used to have; she would send me an
e-mail, then run over into my office and say "Hey did you get my e-mail?"
I'd say "No, how long ago did you send it?" ... "Just now." ... (sigh)

If you want to make sure that the session var is actually being changed in
the script, create another page that the form with the image submits to, and
echo the session var on THAT page.

Also I would like to clarify what someone had posted in a previous message:

Quote:
	"This is btw not a very useful CAPTCHA, because it should stop
	computers from submitting data, but a little bit smart programmer
	knows that he has to get session information from the image, and
	submit that to the form. Or what I saw used lately by a cracker, he
	was just using his own values in session and post, and so they
	matched"

The above statement is incorrect, assuming that you are using session
cookies to store the user's session ID and nothing else (default setting).

The only thing stored in the user's cookie is the session ID which
corresponds to the session ID on the server.  The server stores the session
data in the /tmp directory and there is no way under this configuration for
the user to spoof any session data except the session ID.  This is why
CAPTCHA images are so effective.

The above quote would be true if the developer used COOKIES to store the
CAPTCHA security code, then it would be very simple to crack ;)

Cheers,

-B

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
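
The three-request order described in the reply above, as an added example that is not part of the original thread: the form page, the image request that sets the code, and a separate verify request that reads it. The file name, the "step" parameter and the "answer" field are assumptions; only $_SESSION['code'] comes from the posted code.

```php
<?php
// captcha_demo.php: added example. The file name, the "step" parameter and
// the "answer" field are assumptions; only $_SESSION['code'] is from the thread.
session_start();
$step = $_GET['step'] ?? 'form';

if ($step === 'image') {
    // Request 2: fetched by the browser after the form page was fully sent,
    // so this is the first moment the new code exists in the session.
    $code = (string) random_int(10000, 99999);
    $_SESSION['code'] = $code;         // kept server-side, keyed by session ID
    session_write_close();             // flush session data before streaming
    $img = imagecreate(90, 30);        // needs the GD extension
    imagecolorallocate($img, 255, 255, 255);  // first colour is the background
    $ink = imagecolorallocate($img, 0, 0, 0);
    imagestring($img, 5, 15, 7, $code, $ink);
    header('Content-Type: image/png');
    header('Cache-Control: no-store'); // a cached image would not match the session
    imagepng($img);
    exit;
}

if ($step === 'verify' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    // Request 3: the session now holds the code that was drawn in the image.
    $expected = $_SESSION['code'] ?? null;
    unset($_SESSION['code']);          // single use: a solved code cannot be replayed
    $given = $_POST['answer'] ?? '';
    $ok = is_string($expected) && is_string($given)
        && hash_equals($expected, $given);
    echo $ok ? 'Code matched' : 'Code did not match';
    exit;
}

// Request 1: the form page. Any $_SESSION['code'] read here was left by an
// earlier image request, so drop it rather than trust or display it.
unset($_SESSION['code']);
?>
<form method="post" action="?step=verify">
  <img src="?step=image" alt="CAPTCHA">
  <input name="answer" autocomplete="off">
  <button>Check</button>
</form>
```

The code never leaves the server except as pixels; the client holds only the session ID cookie, which is the configuration the reply assumes.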

