
Thread: Help With Form & Captcha

  1. #1

    Help With Form & Captcha

    Hi Guys,

    I have a form which has a captcha security in it. The form works fine: if you don't fill out a particular field it will notify you etc. The problem I'm having is, say the random captcha number was "73h64h", I could type in 123456 and it would still send the form. Here is the code if it helps.


    <div align="left">
    <?php
    if (isset($_POST["op"]) && ($_POST["op"]=="send")) {

    /******** START OF CONFIG SECTION *******/
    $sendto = "xxx@xxx.com";
    $subject = "Contact Enquiry";
    // Select if you want to check form for standard spam text
    $SpamCheck = "Y"; // Y or N
    $SpamReplaceText = "*content removed*";
    // Error message printed if spam form attack found
    $SpamErrorMessage = "<p align=\"center\"><font color=\"red\">Malicious code content detected.
    </font><br><b>Your IP Number of <b>".getenv("REMOTE_ADDR")."</b> has been logged.</b></p>";
    /******** END OF CONFIG SECTION *******/


    // $HTTP_POST_VARS is long deprecated (removed in PHP 5.4); $_POST holds the same data.
    // Missing fields default to "" so the empty-field checks below still work.
    $firstname = isset($_POST['firstname']) ? $_POST['firstname'] : '';
    $lastname = isset($_POST['lastname']) ? $_POST['lastname'] : '';
    $company = isset($_POST['company']) ? $_POST['company'] : '';
    $phone = isset($_POST['phone']) ? $_POST['phone'] : '';
    $services = isset($_POST['services']) ? $_POST['services'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $message = isset($_POST['message']) ? $_POST['message'] : '';
    $security_code = isset($_POST['security_code']) ? $_POST['security_code'] : '';

    if ($SpamCheck == "Y") {
    // Check for website URLs in the form input boxes: if we block website URLs from the form,
    // this will stop the spammers wasting time sending emails
    if (preg_match("/http/i", "$firstname")) {echo "$SpamErrorMessage"; exit();}
    if (preg_match("/http/i", "$lastname")) {echo "$SpamErrorMessage"; exit();}
    if (preg_match("/http/i", "$company")) {echo "$SpamErrorMessage"; exit();}
    if (preg_match("/http/i", "$phone")) {echo "$SpamErrorMessage"; exit();}
    if (preg_match("/http/i", "$services")) {echo "$SpamErrorMessage"; exit();}
    if (preg_match("/http/i", "$email")) {echo "$SpamErrorMessage"; exit();}
    if (preg_match("/http/i", "$message")) {echo "$SpamErrorMessage"; exit();}

    // Pattern match search to strip out the invalid characters; this prevents the mail injection spammer.
    // ^ { } [ ] are regex metacharacters and must be escaped to be matched literally.
    $pattern = '/(;|\||`|>|<|&|\^|"|' . "\n|\r|'" . '|\{|\}|\[|\]|\)|\()/i'; // build the pattern match string

    $firstname = preg_replace($pattern, "", $firstname);
    $lastname = preg_replace($pattern, "", $lastname);
    $company = preg_replace($pattern, "", $company);
    $phone = preg_replace($pattern, "", $phone);
    $email = preg_replace($pattern, "", $email);
    $services = preg_replace($pattern, "", $services);
    $message = preg_replace($pattern, "", $message);
    $security_code = preg_replace($pattern, "", $security_code);

    // Check for the injected headers from the spammer attempt
    // This will replace the injection attempt text with the string you have set in the above config section
    $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
    $email = preg_replace($find, "$SpamReplaceText", $email);
    $firstname = preg_replace($find, "$SpamReplaceText", $firstname);
    $lastname = preg_replace($find, "$SpamReplaceText", $lastname);
    $company = preg_replace($find, "$SpamReplaceText", $company);
    $phone = preg_replace($find, "$SpamReplaceText", $phone);
    $services = preg_replace($find, "$SpamReplaceText", $services);
    $message = preg_replace($find, "$SpamReplaceText", $message);

    // Check to see if the fields contain any content we want to ban
    if(stristr($firstname, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    if(stristr($lastname, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    if(stristr($company, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    if(stristr($phone, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    if(stristr($services, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    if(stristr($message, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}

    // Do a check on the send email and subject text
    if(stristr($sendto, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    if(stristr($subject, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    }

    // Build the mail headers only after the input has been cleaned above, so a
    // newline in the email field cannot add extra headers. Note ".=" (append):
    // a bare "." on its own line builds the string and then throws it away.
    $headers = "From: $email\n";
    $headers .= "MIME-Version: 1.0\n"
    . "Content-Transfer-Encoding: 7bit\n"
    . "Content-type: text/html; charset=\"iso-8859-1\"\n";

    // Build the email body text
    $emailcontent = "
    -----------------------------------------------------------------------------
    WEBSITE CONTACT ENQUIRY
    -----------------------------------------------------------------------------

    First Name: $firstname
    Last Name: $lastname
    Company: $company
    Phone: $phone
    Email: $email
    Service: $services
    Message: $message

    _______________________________________
    End of Email
    ";
    // Check the email address entered matches the standard email address format
    // (eregi() was removed in PHP 7; preg_match() with the /i flag does the same job)
    if (!preg_match("/^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$/i", $email)) {
    echo "<p>It appears you entered an invalid email address</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    elseif (!trim($firstname)) {
    echo "<p>Please go back and enter a First Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    elseif (!trim($lastname)) {
    echo "<p>Please go back and enter a Last Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    elseif (!trim($company)) {
    echo "<p>Please go back and enter your Company Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    elseif (!trim($phone)) {
    echo "<p>Please go back and enter your Telephone Number</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }
    elseif (!trim($services)) {
    echo "<p>Please go back and enter a required Service</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    elseif (!trim($message)) {
    echo "<p>Please go back and type a Message</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    // This only checks that something was typed in the box; nothing here compares it
    // with the code that includes/captcha.php generated, which is why any value passes.
    elseif (!trim($security_code)) {
    echo "<p>Please go back and enter the correct security code</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    elseif (!trim($email)) {
    echo "<p>Please go back and enter an Email</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    // Sends out the email or will output the error message
    elseif (mail($sendto, $subject, $emailcontent, $headers)) {
    echo "<br><br><p><b>Thank You $firstname</b></p><p>We will be in touch as soon as possible.</p>";

    }
    }
    else {
    ?>
    </div>
    <br>
    </p>
    <form method="post">
    <input name="op" type="hidden" value="send" />
    <fieldset>
    <legend>Contact </legend><br />
    <table width="315" border="0" cellpadding="0" cellspacing="5">
    <tr>
    <th width="82" scope="col"><div align="left"><strong>First Name:</strong></div></th>
    <th width="8" scope="col"><div align="left"></div></th>
    <th width="205" scope="col">
    <div align="left">
    <input type="text" name="firstname" id="firstname" />
    </div></th>
    </tr>
    <tr>
    <th scope="col"><div align="left">Last Name:</div></th>
    <th scope="col">&nbsp;</th>
    <th scope="col"><div align="left">

    <- (rest of form info here) ->

    <th scope="col">&nbsp;</th>
    <th scope="col"><div align="left"><img src="includes/captcha.php" alt="" /></div></th>
    </tr>
    <tr>
    <th scope="col"><div align="left"><strong>Security: </strong></div></th>
    <th scope="col">&nbsp;</th>
    <th scope="col"><div align="left">
    <input type="text" name="security_code" id="security_code" />
    </div></th>
    </tr>
    <tr>
    <th scope="col">&nbsp;</th>
    <th scope="col">&nbsp;</th>
    <th scope="col">&nbsp;</th>
    </tr>
    <tr>
    <th scope="col">&nbsp;</th>
    <th scope="col">&nbsp;</th>
    <th scope="col"><div align="left">
    <input type="submit" name="button" id="button" value="Submit" />
    </div></th>
    </tr>
    </table>

    </div>
    </fieldset>
    </form>
    <?php } ?>
    </td>
    </tr>
    </table>

  2. #2
    The problem is with this line here:

    elseif (!trim($security_code)) {
    echo "<p>Please go back and enter the correct security code</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }

    It's only checking if it has a value. You need to put something in here like
    && ($security_code == $the_security_generated_number)

    However, I can't see where the value is that it should be comparing it to. I think it's in here:

    includes/captcha.php

    I have never used captcha before, so sorry I couldn't be more help. I would guess you have to send the security number you enter along with the actual number, but your form only seems to pass the number you entered (although if you did pass both then some careful SQL injection could get around it :s). So . . . I guess you have to read it from the includes/captcha.php file (but then the number will change). Sorry I can't be more help mate.
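    The check the thread is circling around has to be done against a value the browser never controls. The following is an added example, not the original poster's code or the captcha.php in use on that site: captcha.php stores the generated code in the PHP session (rather than passing it back through the form, where the visitor could simply edit it) and the form handler compares the answer against that session copy. Function names, the session keys and the "123456" guess are made up for the example; it assumes PHP 7.1 or later and, for the image part only, the GD extension.

```php
<?php
// Added example, not the original poster's code: a server-side check for the
// captcha discussed in this thread.  The code captcha.php generates is kept on
// the server (here: in the session), so the only thing the browser can send
// back is its answer.  Assumes PHP 7.1+ (random_int, hash_equals, nullable
// return types); the GD rendering function is optional.

// Issue a fresh code, remember it (with a timestamp) in $session, and return it
// so the image script can draw it.  Every new image replaces the old code.
function issue_security_code(array &$session, int $length = 6): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // no 0/o, 1/l/i look-alikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['security_code'] = $code;
    $session['security_code_issued'] = time();
    return $code;
}

// Compare the visitor's answer with the stored code.  Case-insensitive, single
// use (the stored code is dropped whether or not the answer matched, so one
// image cannot be guessed at repeatedly), valid for $max_age seconds, and
// compared with hash_equals() so timing does not reveal a matching prefix.
function verify_security_code(array &$session, string $submitted, int $max_age = 600): bool
{
    if (!isset($session['security_code'], $session['security_code_issued'])) {
        return false; // no image was ever requested in this session
    }
    $expected = $session['security_code'];
    $issued   = $session['security_code_issued'];
    unset($session['security_code'], $session['security_code_issued']);

    if (time() - $issued > $max_age) {
        return false; // code has expired
    }
    return hash_equals(strtolower($expected), strtolower(trim($submitted)));
}

// Optional: render the code as a PNG for includes/captcha.php (needs GD).
function render_security_code_png(string $code): ?string
{
    if (!function_exists('imagecreatetruecolor')) {
        return null;
    }
    $img = imagecreatetruecolor(120, 36);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    $fg  = imagecolorallocate($img, 20, 20, 20);
    imagefilledrectangle($img, 0, 0, 119, 35, $bg);
    imagestring($img, 5, 12, 10, $code, $fg);
    ob_start();
    imagepng($img);
    imagedestroy($img);
    return ob_get_clean();
}

/* How this plugs into the thread's files (sketch, not executed below):
 *
 *   includes/captcha.php
 *     session_start();
 *     header('Content-Type: image/png');
 *     echo render_security_code_png(issue_security_code($_SESSION));
 *
 *   the form handler: call session_start() before any HTML is output, then
 *   replace   elseif (!trim($security_code))   with
 *     elseif (!verify_security_code($_SESSION, $security_code)) {
 *         echo "<p>The security code was wrong or has expired, please try again.</p>";
 *     }
 */

// Self-check with a plain array standing in for $_SESSION.
function self_test(): bool
{
    $session = [];
    $code = issue_security_code($session);
    if (verify_security_code($session, '123456')) return false;           // wrong guess ('1' is not in the alphabet)
    if (verify_security_code($session, $code)) return false;              // the wrong guess consumed the code
    $code = issue_security_code($session);
    if (!verify_security_code($session, strtoupper($code))) return false; // right answer, any case
    $code = issue_security_code($session);
    $session['security_code_issued'] = time() - 3600;                     // backdate: simulate a stale code
    if (verify_security_code($session, $code)) return false;              // expired
    return true;
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "captcha checks passed\n" : "captcha checks FAILED\n";
}
```

    Run it with `php captcha_check.php` (any file name) to exercise the checks without a browser. Two points worth knowing before wiring it in: session_start() has to run before the `<div align="left">` at the top of the page or PHP cannot send the session cookie, and because every request to captcha.php issues a new code, a page that loads the image twice (a reload, a browser prefetch) will show a code the session no longer holds; the "wrong or expired" message plus a fresh image handles that case.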
