Aaron Adrian Price

Reputation: 59

How to validate the captcha

I am using a custom php captcha on a website and I am unable to get the php that send the email to check if the captcha was completed successfully. Here is the code:

Form:

<form method="POST" name="contact_form" action="/templates/onlinespark/contact-form-handler.php"> 
    <label for="name">Name: </label>
    <input type="text" name="name" value="<?php echo htmlentities($name); ?>">
    <label for='email'>Email: </label>
    <input type="text" name="email" value="<?php echo htmlentities($visitor_email); ?>">
    <label for="phone">Phone: </label>
    <input type="text" name="phone" value='<?php echo htmlentities($phone); ?>'>
    <label for="message">Message:</label>
    <textarea name="message" rows="8" cols="30"><?php echo htmlentities($user_message); ?></textarea>
    <label><img src="/templates/onlinespark/captcha.php"></label>
    <input type="text" name="code"> 
    <input type="submit" value="Submit" name="submit" class="quoteButton">
</form>

PHP: contact-form-handler.php

<?php 
    if (isset($_POST['submit'])) {
        $error = "";
        if (!empty($_POST['name'])) {
            $name = $_POST['name'];
        } else {
            $error .= "You didn't type in your name. <br />";
        }

        if (!empty($_POST['phone'])) {
            $phone = $_POST['phone']; // was assigned to $name, which overwrote the sender's name
        } else {
            $error .= "You didn't enter your phone. <br />";
        }

        if (!empty($_POST['email'])) {
            $email = $_POST['email'];
            if (!preg_match("/^[a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)) { 
                $error .= "The e-mail address you entered is not valid. <br/>";
            }
        } else {
            $error .= "You didn't type in an e-mail address. <br />";
        }

        if (!empty($_POST['message'])) {
            $message = $_POST['message'];
        } else {
            $error .= "You didn't type in a message. <br />";
        }

        if (($_POST['code']) == $_SESSION['code']) { 
            $code = $_POST['code'];
        } else { 
            $error .= "The captcha code you entered does not match. Please try again. <br />";    
        }

        if (empty($error)) {
            // strip CR/LF from the name so a crafted value cannot inject extra mail headers
            $from = 'From: ' . str_replace(["\r", "\n"], '', $name) . ' <' . $email . '>';
            $to = "[email protected]";
            $subject = "New contact form message";
            $content = $name . " has sent you a message: \n" . $message;
            $success = "<h3>Thank you! Your message has been sent!</h3>";
            mail($to, $subject, $content, $from);
        }
    }
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>
<head>
<title>ERROR - Please fill in all fields!</title>
</head>
<body>
<!-- This page is displayed only if there is some error -->
<h1>ERROR - Please go back and fill in all fields!</h1>
<?php
    if (!empty($error)) {
        echo '<p class="error"><strong>Your message was NOT sent<br/> The following error(s) returned:</strong><br/>' . $error . '</p>';
    } elseif (!empty($success)) {
        echo $success;
    }
?>
</body>
</html>

Basically I need the external php file that sends the mail to check to see if the captcha was completed correctly before it sends the mail. At the moment it seems to be ignoring the captcha all together. What do I need to do?

Thanks!

Upvotes: 1

Views: 5777

Answers (2)

Sébastien Garmier

Reputation: 1263

In your form:

<?php
    session_start(); //important!
    $_SESSION['code'] = sha1('Same text as in the image');
?>
<!--form goes here-->

In your contact-form-handler.php:

//At top of your code
session_start();

//code

// hash_equals() instead of ==: a loose comparison of two hex digests is not
// reliable in PHP, and the session value may be missing on a direct POST
if (isset($_POST['code'], $_SESSION['code']) && hash_equals($_SESSION['code'], sha1($_POST['code']))) { 
    $code = $_POST['code'];
} else { 
    $error .= "The captcha code you entered does not match. Please try again. <br />";    
}

//code

//code

The sha1() function converts the given value into a hash value which can't be cracked. You should use this because the session storage can easily be accessed using a development tool, and a bot could spam your form (because it can read the session storage). So encode the text in the captcha and compare it with the encoded value of the entered text. The session_start() function creates or resumes a session.

Upvotes: 1
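Added example (editor's code, not the original poster's or the answerer's): a complete session-backed captcha in the form the question's layout needs, where the challenge is generated by the same script that draws the image (captcha.php), both scripts call session_start(), the stored challenge is consumed on the first check so a solved code cannot be replayed, and the comparison uses hash_equals(). It assumes PHP 7.3+ with the GD extension; the file names captcha_lib.php and the constants are assumptions for illustration.

```php
<?php
// Added example: one-time, session-backed captcha for the question's form.
// Assumptions: PHP 7.3+ with GD; file layout (captcha_lib.php) is hypothetical.
declare(strict_types=1);

const CAPTCHA_LEN      = 5;
const CAPTCHA_TTL      = 300;  // seconds a challenge stays valid
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I

// Start (or resume) the session; both captcha.php and the handler must do this,
// otherwise $_SESSION is empty and every comparison fails.
function captcha_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Issue a fresh challenge; captcha.php calls this each time the image is rendered.
function captcha_issue(): string
{
    captcha_session();
    $code = '';
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, strlen(CAPTCHA_ALPHABET) - 1)];
    }
    $_SESSION['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Verify a submitted answer. The stored challenge is removed before the result
// is known, so a wrong guess forces a new image and a solved code is single-use.
function captcha_verify(?string $submitted): bool
{
    captcha_session();
    $challenge = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);
    if ($challenge === null || $submitted === null) {
        return false;
    }
    if (time() - $challenge['issued'] > CAPTCHA_TTL) {
        return false;              // expired challenge
    }
    // Case-insensitive for the user, constant-time for the comparison.
    return hash_equals($challenge['code'], strtoupper(trim($submitted)));
}

// Render the challenge as a PNG (used by captcha.php).
function captcha_render_png(string $code): void
{
    $img = imagecreatetruecolor(120, 40);
    $bg  = imagecolorallocate($img, 245, 245, 245);
    $fg  = imagecolorallocate($img, 20, 20, 20);
    imagefilledrectangle($img, 0, 0, 119, 39, $bg);
    for ($i = 0; $i < 200; $i++) {                   // light pixel noise
        imagesetpixel($img, random_int(0, 119), random_int(0, 39), $fg);
    }
    imagestring($img, 5, 20, 12, $code, $fg);
    header('Content-Type: image/png');
    header('Cache-Control: no-store');               // a cached image desyncs from the session
    imagepng($img);
    imagedestroy($img);
}

// captcha.php (referenced by <img src="/templates/onlinespark/captcha.php">):
//
//   require __DIR__ . '/captcha_lib.php';
//   captcha_render_png(captcha_issue());
//
// contact-form-handler.php, checked before any other field and before mail():
//
//   require __DIR__ . '/captcha_lib.php';
//   if (!captcha_verify($_POST['code'] ?? null)) {
//       $error .= "The captcha code you entered does not match. Please try again. <br />";
//   }
```

Two points worth keeping in mind with this layout. PHP session data lives on the server and is only referenced by the session cookie, so the browser never sees the stored code; the properties that actually stop a bot are that the code is random, short-lived, and discarded after one check. And the handler should still strip CR/LF from any user-supplied value it places in a mail header (the `From:` line built from `$name` in the question), since the captcha says nothing about what a human submits.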

heinkasner

Reputation: 425

One way is to use a key/value pair when using captchas. Get a random image (key) and compare the value thereof...

Upvotes: 0
