Protect area within your site (image "captcha")
Okay. So here's a small php-script consisting of 2 files to ensure that no robots enter a vulnerable area and e.g. spam your guestbook, wiki etc. You can test the script online here
protector-script
or download it captcha.zip (2Kb).
The first file loads an image with a 4-number code and holds a form to verify that code. The image is generated in the second file, the appropriate code is transported with a session variable.
Some security topics have been issued:
- variables must be set,
- variables must be of defined type, e.g. POST, SESSION, SERVER (register_globals),
- session variable is destroyed.
file: test2007.php
<?php
# put place of script here
#$site = "http://www.anigators.com";
session_start();
?>
<html>
<title></title>
<body>
<?php
if (isset($_SERVER["HTTP_REFERER"]) &&
#(strncmp($_SERVER["HTTP_REFERER"],$site,strlen(site)) == 0) &&
isset($_POST["p"]) && !empty($_POST["p"]))
{
echo "you entered: " . $_POST["p"] . "<br>";
echo "passcode is: " . $_SESSION["cOde"] . "<br><br>";
if ($_POST["p"] == $_SESSION["cOde"]) {
echo "You passed.";} else {
echo "You failed.";}
session_destroy(); # http://puremango.co.uk/cm_breaking_captcha_115.php
}
else
echo "
<img src="test2007.php"><br>
<form action="pass2007.php" method="post">
Enter passcode here:
<input name="p">
<input type="submit">
</form>
";
?>
</body>
</html>
|
The second file generates a png-image with a 4-number code. The number is disturbed with a random pixel pattern. Position and size of digits is random (within limits). GD's built-in fonts are of size 1-5 only. Bigger or different fonts must be user-supplied. To keep things simple, this script only uses built-in ones.
Fore- and backgroundcolor is random. Also the degree of disturbance is random.
file: pass2007.php
<?php
#"captcha"
session_start();
#erstellen von Grafiken mit php und GD, siehe hier:
#http://www.phpcenter.de/de-html-manual/ref.image.html
$cOde = 0;
session_register("cOde");
#$_SESSION["cOde"];
#$codelen = 5;
$height = 50;
$width = 100;
$verrauschung = rand(10,15);#in Prozent
#(ungefähr, da 100% nicht alle Pixel abdecken)
header ("Content-type: image/png");
$im = @ImageCreate ($width, $height)
or die ("Cannot create GD-image-stream.");
$background_color = ImageColorAllocate ($im, rand(200,255), rand(200,255), rand(200,255));
$text_color = ImageColorAllocate ($im, rand(1,200), rand(1,200), rand(1,200));
for ($i=1;$i<5;$i++)
{
$zahl = rand(1,9);
$cOde = $cOde + $zahl*bcpow(10,4-$i);#no magic here, simply create 4-digit number
$x = rand(2+(($i-1)*($width)/4),-2+($i*($width-15)/4));
$y = rand(5,25);
#font size 1-5, bigger font e.g. http://www.widgnet.com/gdf_fonts/fonts.html
$size = rand(4,5);
ImageString ($im, $size, $x, $y, (string)$zahl, $text_color);
}
#zufallspunkte auf der bitmap erzeugen (=Code verrauschen)
$dots = $width*$height/100*$verrauschung;
for ($i=1;$i<$dots;$i++)
{
$x = rand (1, $width);
$y = rand (1,$height);
imagesetpixel ( $im, $x, $y, $text_color );
};
ImagePNG ($im);
?>
|
In order to protect your script, just paste following three simple code-pieces (from above test2007.php) into your script: Somewhere at the top of the script place the session initialization
<?
// >>> (1) CAPTCHA needs info-transport via session
session_start();
// <<<
?>
Look for the editing part of your script and insert following HTML-code into the < form > area
<!-- (2) CAPTCHA-code -->
<img src="test2007.php"><br>
Enter passcode here:
<input name="p">
<!-- CAPTCHA-code -->
Within the save part insert following code and replace choice (a) with your own routine-call.
<?
// >>> (3) CAPTCHA evaluation
if (isset($_SERVER["HTTP_REFERER"]) &&
#(strncmp($_SERVER["HTTP_REFERER"],$site,strlen(site)) == 0) &&
isset($_POST["p"]) && !empty($_POST["p"]))
{
if ($_POST["p"] == $_SESSION["cOde"]) {
// (a) proper number - enter save routine
$data = rtrim($_POST["content"])."\n";
savepage($data);
}
else {
// (b) wrong number - no failed notice here, simply don't save ;-)
}
session_destroy(); # http://puremango.co.uk/cm_breaking_captcha_115.php
}
// <<<
?>
A TipiWiki-System (version 2) with captcha integration is downloadable tipi-wiki_captcha.zip (19Kb).
Links
captcha, captcha decoder
|