I am using secureImage which is a simple way to implement captcha,
i follow the guideline there to add the code, however, the checking is always invalid even i have input the correct value
It is the website of that plugin, within ten lines of code:
And this is my code:
in html form
<img id="captcha" src="http://www.phpcaptcha.org/securimage3/securimage_show.php?0.6905195268336684" alt="CAPTCHA Image">
<input type="text" class="required" name="captcha_code" size="10" maxlength="6">
in verification php
include_once '../plugin/securimage/securimage.php';
$securimage = new Securimage();
if ($securimage->check($_POST['captcha_code']) == false) {
die ("<div class='alert alert-success'><strong>The security code entered was incorrect.</strong><br /><br />Please go <a href='javascript:history.go(-1)'>back</a> and try again.</div>");
}
I have checked the post value, that is exactly what i have inputted. I would like to know which data the plugin used to compare with my input, however, i can not do this by echo the $secureimage
Thank you
To compare the randomly generated image with the code entered by a user a valid session is required. Please check this quick start guide and read the section about putting session_start() on top of your PHP script.
If you are too lazy to code, maybe you can try at http://www.google.com/recaptcha. It's widely used, I think it is better than the secureimage. You can get a php implementation at this site. I am if sorry if I don't answer your questions directly, this was because mr.GolezTrol suggested to not to use it.
Related
I have an index.php and a login function that gets opened when clicking on a submit button. Now whenever the button is being clicked, the user won't be logged in, as nothing is happening, and I can't figure out the issue.
Small snippet of index.php:
Username:<br> <img src="/images/figure.png" alt="Icon" height="42" width="42>">
<input type="text" name="username"><br>
Passwort:<br> <img src="/images/Key_lock.png" alt="Icon" height="42" width="42>">
<input type="password" name="passwort"><br>
<input type="submit" login="loginfunc()" value="Login">
</form>
and my loginfunc
<?php
session_start();
include 'globals.php';
if(empty($_POST["username"]) || empty($_POST["passwort"]))
{
echo "Bitte tragen Sie ihr Passwort und Benutzername ein";
}
else {
$query = "SELECT * FROM benutzer WHERE username = '$username'";
$result = mysqli_query($con, $query);
if(mysqli_num_rows($result) > 0)
{
while($row = mysqli_fetch_array($result))
{
if(password_verify($passwort, $row["password"]))
{
session_start();
$_SESSION['username'] = $username;
header("Location:dashboard.php");
}
else
{
echo "Kevin";
}
}
}
else
{
}
}
?>
You’re never sending data to your PHP code (which, by the way, is not a function, based on what you’ve posted here). The login=loginfunc() that you have on your submit button isn’t valid HTML and doesn’t do anything. Besides, PHP is a server-side language. You can’t invoke it on the client like this.
You need to set an action parameter on your form tag, as in something like this:
<form method="POST" action="functions/loginfunc.php">
Also, you are wide open to SQL injection. You need to use prepared statements, rather than concatenating variables into your query. See How can I prevent SQL injection in PHP?.
You have other problems, like calling session_start() twice and, from the looks of it, some undefined variables ($username and $passwort, for starters).
All of the above is why you should not “roll your own” login/authentication logic; it’s too easy to get it wrong. Use an existing library if at all possible.
Edit based on your (now-deleted) "answer": You seem to have a few basic misunderstandings about how HTML and PHP work. The line
include_once("functions/loginfunc.php");
does not define a function; it just causes whatever is in loginfunc.php to execute immediately. In any case, you can't call a PHP function directly from HTML. And, again, the login=loginfunc() attribute on your button doesn't do—or tell the browser to do—anything. The browser does not go looking for something called login somewhere in your code; it just ignores that.
My best advice to you is this:
Do not attempt to create your own login functionality. It's extremely difficult to do it securely and correctly. And, frankly, this question makes clear that you do not know nearly enough about HTML, PHP, or the other issues involved to do it. Please understand: I'm not trying to insult you; I'm trying to help you avoid getting hacked horribly.
Go read and work through some basic HTML and PHP tutorials before going any further. You cannot do anything meaningful in PHP (or most other languages) if you do not know, for example, how to define a function.
I've made a very simple little example code that is supposed to protect my form from bots. But it sends the form even when I unhide the input via developers tools and put text in the value of the input.
This is the code I use:
(index.html file)
<li>
<input type="text" name="bot" value="" class="hidden" />
</li>
(mail.php file)
if (isset($_POST['bot']) && !empty($_POST['bot'])) {
die();
}
(if more of the code is needed, feel free to tell me)
Thank you for your time.
TL;DR
Don't.
Because:
What your code does is it sends the hidden field regardless of who submits the form, bot or human.
Your approach would be better IF, for example, you had created a HUMAN input with javascript onPageLoad, filled with a session generated token.
But still, it won't help you much with bots. They ain't be dumb, ya'know.
// my silly dumb anti-bot protection
$(document).ready(function(){
$(form).append('<input type=hidden name=probably_human value='+<?php echo $_SESSION['token'] ?>+'>');
})
<?php
if (!isset($_POST['probably_human']){
die;
}
if ($_POST['probably_human'] != $_SESSION['token']){
die;
}
And even here, I can boot-up a selenium, phantomjs, nightmarejs, electron and automate the crap out of your honeypot.
Have you tried recaptcha?
Stick to the solutions provided by specialists, experts in the field of anti-bot protection. People who are getting paid for making sure, they know how to distinguish between a bot and a human.
Herroo everyone!
I am building a website for my dad. He is an accountant. We have Google calendars setup for him to take appointments. The website is just a pretty front page with three clickable images that link to different calenders. Two of the buttons are linked to employee calendars and are not password protected which is fine. We want new people to be able to sign up for them. My dad however is overbooked and needs his link password protected so he can give the password out to specific clients in order for them to make their appointments. He does not want see new people.
I can work with html and css but a total newb to PHP/MYSQL. I have been doing a lot of research and downloaded many tutorials/sample codes the past few days but I am still confused. This is what I've gotten so far after modifying some sample code. I set the password to be barney and do not require a user name and saved it as php1.php in a sub folder called protect. I remember reading somewhere that this well help with people bypassing the password.
<?php
$password = "barney";
if (md5($_POST['txtPassword']) != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
}
after this I am stuck... I do not know how to apply this to my html page and attach it to the image/link. Any help is much appreciated! Thanks so much!!
The obvious problem here is that you are comparing your password $password to an md5 version of the submitted password. They will be different and so you will always be shown the login form.
Replace with
<?php
$password = "barney";
if ($_POST['txtPassword'] != $password) {
?>Login form here<?php
} else {
?>Restricted access here<?php
}
But then you should keep in mind that such a scheme remains bad practice and low-security:
the password is stored in plain-text
you don't check how many
attempts a user makes to retrieve the password (see brute-force
attacks)
...
if you don't want to use the PHP file you could always modify the .htaccess file if it is available to you.
here is a quick how-to:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
here is more detailed info:
http://www.javascriptkit.com/howto/htaccess3.shtml
Hi I'm new to PHP and I would like some help please.
I 've created a contact form and i would like to add some captcha. I have created some gif images, that have numbers with some noise added on, and named the code_01.gif for no1, code_02.gif for no2 etc etc. I have put some of them on my form, staticly, for display purposes like this:
<img src="images/code_01.gif" />
<img src="images/code_07.gif" />
<img src="images/code_01.gif" />
<img src="images/code_08.gif" />
<img src="images/code_03.gif" />
<img src="images/code_07.gif" />
<input name="captcha" type="text" id="captcha" />
I would like to add some functionality to display randomly the image codes every time and also check to see if the input matches with the 6 digits that displayed.
Any help would be appreciated.
Simple PHP Captcha
This is one of the easiest CAPTCHA scripts you will ever use. While it doesn’t obscure the text, it will serve its purpose well for many people who need a low-level CAPTCHA solution. This script requires little-to-no setup. The only dependency is the PHP GD library.
It can be as simple as this to use, but it is also configurable:
<?php
session_start();
include("captcha.php");
$_SESSION['captcha'] = captcha();
echo '<img src="' . $_SESSION['captcha']['image_src'] . '" alt="CAPTCHA" />';
?>
Demo: http://labs.abeautifulsite.net/simple-php-captcha/
You can also use this: Securimage
Securimage is an open-source free PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from spam and abuse. It can be easily added into existing forms on your website to provide protection from spam bots. It can run on most any webserver as long as you have PHP installed, and GD support within PHP. Securimage does everything from generating the CAPTCHA images to validating the typed code. Audible codes can be streamed to the browser with Flash for the vision impaired.
Here is a simple math captha type thing I found long ago.
Advantages:
- No Images so less bandwidth usage.
- No external dependency.
FLOW PROCESS
In form.php:
Select one random number $n1
Select another random number $n2
Compute $n1 & $n2 with various math oprations and store it as $result, so that the resulant number is unpredicatble & unaligned with $n1+$n2
Echo "What is $n1 + $n2?"
Ask user to input the answer of question asked in step 4.
Add $result as hidden value in the form.
On submit, the $_POST values are processed by check.php.
In check.php:
If $_POST["answer"] is set, store it in $answer
Compute the $answer in same manner as it was computed in step 3 of form.php
Now, if $answer is equal to $_POST["result"], it is verified that User is Human.
Keep in mind that $answer is answer submitted by user & $result is our result after doing math operations on the $answer.
CODE:
File:form.php
<?php
$n1 = rand(1,15);
$n2 = rand(1,15);
//start making our result unpredictable & non-aligned with hidden value
$result = $n1+$n2;
$result = ($result*3)-2;
$result = ($result+4)*5;
$question="what is $n1 + $n2?";
?>
<form method="post" action="check.php">
<?php echo $question.PHP_EOL; ?>
<input name="answer" type="text"><br />
<input type="hidden" name="result" value="<?php echo $result; ?>">
</form>
File:check.php
<?php
if(isset($_POST["answer")){
$answer = $_POST["answer"];
// start doing same math on $answer
$answer = ($answer*3)-2;
$answer = ($answer+4)*5;
if($answer == $_POST["result"]{
// echo Hurray, you are Human..
// Do anything here..
}else{
echo "Wrong Answer";
}
Logic Implementation at http://codepad.org/2MtULNhZ
The key is in making the encoding & decoding formula harder. So that somebody looking at hidden form value result and Question should not find out the relation in between both of them.
entering total value of two numbers in a text box to prevent spam
<?php
$rand = rand(2,9);
$rand1 = rand(2,9);
echo $rand." + ".$rand1;
?>
<span class="stred">*</span>
</label>
</td>
<td>
<div class="input-container">
<input name="randm" class="intext" id="county" type="text" />
</div>
How do I verify this value of both in a POST method??
There is nothing to verify in your code. You cannot compare the received value, because you did not keep the originals. You throw away $rand and $rand1 in the snippet that you have shown.
You need to keep them in the session (don't forget session_start() beforehand) like so:
$_SESSION["rand"] = $rand + $rand1;
Then you might be able to do this when you receive the form:
if (strlen($_POST["randm"]) && ($_POST["randm"] == $_SESSION["rand"])) {
$_SESSION["rand"] = ""; // unset afterwards to prevent replays
I would use a CAPTCHA instead. With math problems, you still have to display the equation for users to solve, which opens the door for a spammer to write a script to parse the operands from your HTML, solve the math problem, and submit a POST request containing the correct answer. Automating such a script would allow for the continuous misuse of your form, a scenario which is actually not as unlikely or difficult to accomplish as one might think.
reCATCHA is a good option should you choose to go the CAPTCHA route.