> > -----Original Message-----
> > From: tedd [mailto:tedd@xxxxxxxxxxxx]
> > Sent: Monday, March 26, 2007 8:49 AM
> > To: php-general@xxxxxxxxxxxxx
> > Subject: RE: My own "captcha" from 2 years ago......
> >
> > At 10:02 PM -0400 3/25/07, Jake McHenry wrote:
> > >Like I said... Even if they have sound turned on.. Which all my sets do...
> > >Most of them don't have speakers... That was put into effect over a year ago
> > >due to some people listening to those damn screaming prank things at full
> > >volume... Anyways... I was searching the php site, and it said there used to
> > >be a bug that looks somewhat similar to my problem, but it said it was fixed
> > >long ago... Not sure if this is even close to it or not, but this is the
> > >first time I've run into a sessions problem.....
> > >
> > >Just to simplify...
> > >
> > >I have this on index.php
> > >
> > ><?php
> > >session_start();
> > >
> > >$before = $_SESSION['code'];
> > >
> > >echo '<img src=image.php>';
> > >
> > >$after = $_SESSION['code'];
> > >
> > >echo $before .' ' . $after;
> > >?>
> > >
> > >Then in image.php is my captcha... And where the session variable 'code' is
> > >being created and updated...
> > >
> > >In image.php is this:
> > >
> > ><?php
> > >session_start();
> > >
> > >..........captcha code......
> > >$_SESSION['code'] = rand(blahblahblah) to get the random code
> > >?>
> > >
> > >
> > >When I view index.php, the image displays, with a new code each time...
> > >Working as it should, but the session variable echoes out the previously
> > >generated value, instead of the current value to match what's in the
> > >picture... I'm not sure what I've done... But you can see from
> > >http://nittanytravel.com:8080/ $before and $after have the same value...
> > >
> > >In that bug report I was reading it said that this happened until
> > >session_start was called again.. But it said it was fixed back in php4...
> > >
> > >Not sure what I missed :(
> > >
> > >Thanks,
> > >Jake
> > >
> >
> > Jake:
> >
> > Clearly, your image.php is not changing the code (key).
>
> What would be this clear image you see? It does change the code, otherwise
> it would show the same code in the image.. Which it doesn't... And the
> session variable wouldn't have anything in it.. Which it does
>
> Not on windows......
>
> Using mt_rand for the numbers, but that's working fine, if I comment out the
> image headers and run the file directly echoing out the session, it works
> fine, it's only when I call it from another file in the <img tag...?
>
> Thanks,
> Jake
>
> >
> > Your "blahblahblah" has to be less than 32768 if you're running
> > windows -- maybe that's the problem. But, I would look to my rand()
> > for an answer.
> >
> > Cheers,
> >
> > tedd
> > --
> > -------
> > http://sperling.com http://ancientstones.com http://earthstones.com

echo '<img src=image.php>';

This does not "run" or "call" image.php. This line of code sends this output to the browser. The image will not be displayed and the request to change the session variable will not be made until the browser renders the page. The browser will not render the page until PHP has finished parsing the code and sending the output buffer to the browser. So any session variables set or changed inside image.php will not show up until the next request.

This reminds me of an employee that we used to have; she would send me an e-mail, then run over into my office and say "Hey did you get my e-mail?" I'd say "No, how long ago did you send it?" ... "Just now." ... (sigh)

If you want to make sure that the session var is actually being changed in the script, create another page that the form with the image submits to, and echo the session var on THAT page.

Also I would like to clarify what someone had posted in a previous message:

Quote:
"This is btw not a very useful CAPTCHA, because it should stop computers from submitting data, but a little bit smart programmer knows that he has to get session information from the image, and submit that to the form. Or what i saw used lately by a cracker, he was just using his own values in session and post, and so they matched"

The above statement is incorrect, assuming that you are using session cookies to store the user's session ID and nothing else (default setting).

The only thing stored in the user's cookie is the session ID which corresponds to the session ID on the server. The server stores the session data in the /tmp directory and there is no way under this configuration for the user to spoof any session data except the session ID. This is why CAPTCHA images are so effective.

The above quote would be true if the developer used COOKIES to store the CAPTCHA security code, then it would be very simple to crack ;)

Cheers,
-B

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
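
The check suggested in the last reply (read the session value on the page the form submits to, not on the page that emits the <img> tag), as an added example that is not part of the original thread. `verify_captcha()` and the `captcha` form field are hypothetical names, `$_SESSION['code']` is the key used in the thread, and discarding the code after one attempt is an assumption added here.

```php
<?php
// Added example, not code from the thread. Hypothetical names: verify_captcha()
// and the 'captcha' form field. $_SESSION['code'] is the key used in the thread.

/**
 * Compare the submitted value with the code that image.php stored server-side.
 * The stored code is discarded on every attempt (assumption of this example),
 * so the next image.php request has to generate a fresh one.
 */
function verify_captcha(array &$session, $submitted): bool
{
    $expected = $session['code'] ?? null;
    unset($session['code']);              // single use, pass or fail

    // Reject when no image was served yet, or the field is empty or an array.
    if ($expected === null || !is_string($submitted) || $submitted === '') {
        return false;
    }
    // Constant-time comparison; both arguments must be strings.
    return hash_equals((string) $expected, $submitted);
}

if (PHP_SAPI === 'cli') {
    // Constructed walk-through of the request order described in the thread.
    $session = [];                        // stands in for $_SESSION

    // Before the browser has fetched image.php the session holds no code.
    var_dump(verify_captcha($session, '48213'));

    // The browser requests image.php, which stores the code server-side.
    $session['code'] = '48213';           // constructed sample value

    // The form is submitted in a later request; the session now has the code.
    var_dump(verify_captcha($session, '48213'));

    // A replay of the same answer: the code was consumed by the previous attempt.
    var_dump(verify_captcha($session, '48213'));
} else {
    // Web use: this file is the page the form posts to.
    session_start();
    $ok = verify_captcha($_SESSION, $_POST['captcha'] ?? '');
    echo $ok ? 'Code accepted' : 'Code rejected';
}
```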