Captcha questions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

giovanni85
Forum Newbie
Posts: 4
Joined: Wed Aug 19, 2009 4:22 am

Captcha questions

Post by giovanni85 »

Hi

I am a PHP beginner and I have a problem with captcha questions.

I have a contact form; one line displays the security question, e.g. 4 + 9, and the next line is the answer. In order to submit the form, the user needs to give the right answer.

The numbers are randomly generated and to do so I thought about including some PHP inside the HTML tags.

<tr><td valign="top" width="150" ><label>Security Question: </label></td><td valign="top" ><div > 1 + 1 </div><input class="frmText" name="capcha_question" type="hidden" value="2" /></td></tr>

<tr><td valign="top" width="150" ><label>Security Answer: </label></td><td valign="top" ><input name="capcha_answer" type="text" value="" /><span class="required" >&nbsp;*</span></td></tr>

These are the 2 lines mentioned above.

Can anyone suggest a common technique (if there is one) to do this?
I tried several times but it never worked.

Thanx a lot!
mrvijayakumar
Forum Commoner
Posts: 58
Joined: Tue Aug 18, 2009 12:39 am
Location: Chennai city, India

Re: Captcha questions

Post by mrvijayakumar »

Hello giovanni85,
As per your needs, you should use 2 values to be calculated by using scripts (PHP, JavaScript, etc.), and only then can you validate. This is also one possibility for an unsecured contact form. So it is better to use image captcha code. Images cannot be read by spammers, so it will avoid spammers too. For image captcha code, Google the keyword "captcha code in php" in search engines. You will find plenty of free code related to captcha.
giovanni85
Forum Newbie
Posts: 4
Joined: Wed Aug 19, 2009 4:22 am

Re: Captcha questions

Post by giovanni85 »

Hello mrvijayakumar

thanx for replying!

I tried to embed the PHP random function in the lines I wrote in the first post. The result was something like

<tr><td valign="top" width="150" ><label>Security Question: </label></td><td valign="top" ><div ><?php $random1 = rand(1, 20); $random2 = rand(1, 20); echo $random1; echo "+"; echo $random2; ?> </div><input class="frmText" name="capcha_question_number" type="hidden" value= "<?php $random1 + $random2 ; ?>" /></td></tr>

But it did not work. Maybe there are some errors in the embedding. The idea was to declare a variable in the action page (where it goes after submitting the form) like

$random = $_POST['capcha_question_number'];

and after this I wanted to make a comparison between the answer typed by the user and $random (which should contain $random1 + $random2, shouldn't it?).

But so far no results..
mrvijayakumar
Forum Commoner
Posts: 58
Joined: Tue Aug 18, 2009 12:39 am
Location: Chennai city, India

Re: Captcha questions

Post by mrvijayakumar »

Hi giovanni85,
I have done the entire coding for you using JavaScript. Make use of it. Send me feedback after using it. If you find difficulties, please let me know.

Note: Save below file as "captcha.php".

Code:

<?php 
if(isset($_REQUEST['success'])) {
 
    // process your details here
    echo "Code verified"; exit;
 
}
?>
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Captcha Example</title>
<script language="javascript" type="text/javascript">
function captchachk()
{
    var captchavalue = document.form1.captchavalue.value;
    var securityanswer = document.form1.securityanswer.value;
    if(captchavalue == securityanswer) { 
      window.location="captcha.php?success";
      alert("Security Code Verified");
      return true;
    } else {
    alert("Security Code does not matches"); return false;
    }
    return true;
}
</script>
</head>
 
<body>
 
<form id="form1" name="form1" method="post">
  Calculate this value  <strong><?php $random1 = rand(1, 20); $random2 = rand(1, 20); echo $random1; echo "+"; echo $random2;?></strong>  <input type="hidden" name="captchavalue" value="<?php $cap = $random1 + $random2; echo $cap;?>" />
  <input type="text" name="securityanswer" />
  <input type="submit" name="Submit" value="Submit" onclick="return captchachk();" />
</form>
 
</body>
</html>
giovanni85
Forum Newbie
Posts: 4
Joined: Wed Aug 19, 2009 4:22 am

Re: Captcha questions

Post by giovanni85 »

Hi mrvijayakumar

Thank you for your help! I sorted it out and your code helped me to understand some things. I managed to rewrite it only in PHP because I don't know JavaScript. In the end it worked fine.

I wanted to ask you something about the code: on line 35 there is this piece of code

Calculate this value <strong><?php $random1 = rand(1, 20); $random2 = rand(1, 20); echo $random1; echo "+"; echo $random2;?></strong> <input type="hidden" name="captchavalue" value="<?php $cap = $random1 + $random2; echo $cap;?>" />

I understood everything, apart from the blue bit. Why is it necessary to echo the variable $cap?

Thanx again for your help!

Giovanni
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Captcha questions

Post by jackpf »

That's a rather weak captcha tbh, since you're displaying the answer in a hidden input. Any bot could just read that and enter its contents.

Besides, a bot doesn't even use JavaScript. And there's nothing to stop it submitting directly to the processing page either.

That code would do absolutely nothing to prevent bots spamming you.

You're best off using an image with noise and a random string, and sessions.
mrvijayakumar
Forum Commoner
Posts: 58
Joined: Tue Aug 18, 2009 12:39 am
Location: Chennai city, India

Re: Captcha questions

Post by mrvijayakumar »

S dear,
It is better to use image captcha code. The code I had written is not secure. It can be read by spammers. I mentioned this problem already. So, google for "keyword captcha in PHP".
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Captcha questions

Post by kaisellgren »

Checking whether there is a "success" in the request does not make sense. Neither does "x plus y" that has only 39 different possibilities. Have a look at http://www.recaptcha.net; it will be fine for you, I believe.
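
The points jackpf and kaisellgren raise above, as an added example that is not part of any post in the thread: the answer is kept only in the session, is a random string rather than a 39-value sum, is checked on the server, and is discarded after one attempt. The function names, the `captcha` session key and the 300-second lifetime are assumptions; it needs PHP 7 or later with the GD extension.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread; names and the 'captcha' session key are assumptions.
session_start();
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // look-alike characters left out

// Create a challenge; the answer is stored server-side and never sent in the HTML.
function captcha_new(int $len = 6): string
{
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, strlen(CAPTCHA_ALPHABET) - 1)];
    }
    $_SESSION['captcha'] = ['code' => $code, 'expires' => time() + 300];
    return $code;
}

// Send the code as a PNG with pixel noise (needs the GD extension).
function captcha_image(string $code): void
{
    $img = imagecreatetruecolor(140, 40);
    imagefill($img, 0, 0, imagecolorallocate($img, 255, 255, 255));
    for ($i = 0; $i < 600; $i++) {
        $c = imagecolorallocate($img, random_int(0, 255), random_int(0, 255), random_int(0, 255));
        imagesetpixel($img, random_int(0, 139), random_int(0, 39), $c);
    }
    imagestring($img, 5, 40, 12, $code, imagecolorallocate($img, 0, 0, 0));
    header('Content-Type: image/png');
    imagepng($img);
}

// Verify on the server. The challenge is consumed on every attempt, right or wrong.
function captcha_check(string $answer): bool
{
    $c = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);
    return is_array($c) && time() <= $c['expires'] && hash_equals($c['code'], strtoupper(trim($answer)));
}

if (isset($_GET['img'])) {
    captcha_image(captcha_new());          // each image request issues a fresh challenge
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $a = $_POST['captcha_answer'] ?? '';   // may be an array if the request is crafted
    echo captcha_check(is_string($a) ? $a : '') ? 'Code verified' : 'Wrong or expired code';
} else { ?>
<form method="post">
  <img src="?img=1" alt="captcha" /> <input type="text" name="captcha_answer" />
  <input type="submit" value="Submit" />
</form>
<?php }
```

A request that posts straight to the processing page without loading the image has no `captcha` entry in its session, so `captcha_check()` returns false.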